diff --git a/docs/data-sources/volterra_namespace.md b/docs/data-sources/volterra_namespace.md index 679223faa..73e29be8a 100644 --- a/docs/data-sources/volterra_namespace.md +++ b/docs/data-sources/volterra_namespace.md @@ -11,7 +11,7 @@ Namespace creates logical independent workspace within a tenant. Data Source rea ## Example Usage ```hcl -data volterra_namespace" "example" { +data "volterra_namespace" "example" { name = "example" } ``` diff --git a/docs/resources/volterra_active_alert_policies.md b/docs/resources/volterra_active_alert_policies.md index 46d307a04..224f06f95 100644 --- a/docs/resources/volterra_active_alert_policies.md +++ b/docs/resources/volterra_active_alert_policies.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: active_alert_policies" - description: "The active_alert_policies allows setting of Active Alert Policies for a namespace on Volterra SaaS" ------------------------------------------------------------------------------------------------------------------ + +--- Resource volterra_active_alert_policies ======================================= diff --git a/docs/resources/volterra_active_network_policies.md b/docs/resources/volterra_active_network_policies.md index efc6c452a..6366c7b4f 100644 --- a/docs/resources/volterra_active_network_policies.md +++ b/docs/resources/volterra_active_network_policies.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: active_network_policies" - description: "The active_network_policies allows setting of Active Network Policies for a namespace on Volterra SaaS" ---------------------------------------------------------------------------------------------------------------------- + +--- Resource volterra_active_network_policies ========================================= diff --git a/docs/resources/volterra_active_service_policies.md b/docs/resources/volterra_active_service_policies.md index 3f43fd1ff..010ca94af 100644 --- a/docs/resources/volterra_active_service_policies.md 
+++ b/docs/resources/volterra_active_service_policies.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: active_service_policies" - description: "The active_service_policies allows setting of Active Service Policies for a namespace on Volterra SaaS" ---------------------------------------------------------------------------------------------------------------------- + +--- Resource volterra_active_service_policies ========================================= diff --git a/docs/resources/volterra_advertise_policy.md b/docs/resources/volterra_advertise_policy.md index 83f585b99..924cfc305 100644 --- a/docs/resources/volterra_advertise_policy.md +++ b/docs/resources/volterra_advertise_policy.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: advertise_policy" -description: "The advertise_policy allows CRUD of Advertise Policy resource on Volterra SaaS" +description: "The advertise_policy allows CRUD of Advertise Policy resource on Volterra SaaS" + --- -# Resource volterra_advertise_policy -The Advertise Policy allows CRUD of Advertise Policy resource on Volterra SaaS +Resource volterra_advertise_policy +================================== -~> **Note:** Please refer to [Advertise Policy API docs](https://docs.cloud.f5.com/docs-v2/api/advertise-policy) to learn more +The Advertise Policy allows CRUD of Advertise Policy resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Advertise Policy API docs](https://docs.cloud.f5.com/docs-v2/api/advertise-policy) to learn more + +Example Usage +------------- ```hcl resource "volterra_advertise_policy" "example" { 
@@ -34,231 +27,55 @@ resource "volterra_advertise_policy" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `address` - (Optional) If inside_vip/outside_vip is not configured in the site object, system use interface ip in the respected networks. (`String`). - - +###### One of the arguments from this list "port, port_ranges" must be set `port` - (Optional) Port to advertise. (`Int`). - `port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). - - - `protocol` - (Optional) Protocol to advertise. (`String`). - - `public_ip` - (Optional) This field is mutually exclusive with where and address fields.. See [ref](#ref) below for details. - `skip_xff_append` - (Optional) If set, the loadbalancer will not append the remote address to the x-forwarded-for HTTP header. (`Bool`). - - `tls_parameters` - (Optional) Optional. TLS parameters to use. If not specified, will take from Virtual Host configuration.. See [Tls Parameters ](#tls-parameters) below for details. +`where` - (Optional) * site Advertised on site local network in case of customer sites and Public network in case of regional sites. See [Where ](#where) below for details. +### Tls Parameters +Optional. TLS parameters to use. 
If not specified, will take from Virtual Host configuration.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`where` - (Optional) * site Advertised on site local network in case of customer sites and Public network in case of regional sites. See [Where ](#where) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Tls Parameters - - Optional. TLS parameters to use. If not specified, will take from Virtual Host configuration.. - - - -###### One of the arguments from this list "no_client_certificate, client_certificate_required, client_certificate_optional" must be set +###### One of the arguments from this list "client_certificate_optional, client_certificate_required, no_client_certificate" must be set `client_certificate_optional` - (Optional) the connection will be accepted.. See [Client Certificate Verify Choice Client Certificate Optional ](#client-certificate-verify-choice-client-certificate-optional) below for details. - `client_certificate_required` - (Optional) certificate.. See [Client Certificate Verify Choice Client Certificate Required ](#client-certificate-verify-choice-client-certificate-required) below for details. - `no_client_certificate` - (Optional) it will be ignored (not used for verification). See [Client Certificate Verify Choice No Client Certificate ](#client-certificate-verify-choice-no-client-certificate) below for details. - `common_params` - (Optional) Common TLS parameters used in both upstream and downstream connections. See [Tls Parameters Common Params ](#tls-parameters-common-params) below for details. `crl` - (Optional) Used to ensure that the client presented certificate is not revoked as per the CRL. See [ref](#ref) below for details.(Deprecated) 
@@ -267,128 +84,89 @@ resource "volterra_advertise_policy" "example" { `xfcc_header_elements` - (Optional) If none are defined, the header will not be added. (`List of Strings`). +### Where +- site Advertised on site local network in case of customer sites and Public network in case of regional sites. -### Where - - * site Advertised on site local network in case of customer sites and Public network in case of regional sites. - - - -###### One of the arguments from this list "virtual_network, site, virtual_site" must be set +###### One of the arguments from this list "site, virtual_network, virtual_site" must be set `site` - (Optional) Direct reference to site object. See [Ref Or Selector Site ](#ref-or-selector-site) below for details. - `virtual_network` - (Optional) Direct reference to virtual network object. See [Ref Or Selector Virtual Network ](#ref-or-selector-virtual-network) below for details. - `virtual_site` - (Optional) Direct reference to virtual site object. See [Ref Or Selector Virtual Site ](#ref-or-selector-virtual-site) below for details. +### Client Certificate Verify Choice Client Certificate Optional +the connection will be accepted.. +### Client Certificate Verify Choice Client Certificate Required -### Client Certificate Verify Choice Client Certificate Optional - - the connection will be accepted.. - - +certificate.. -### Client Certificate Verify Choice Client Certificate Required +### Client Certificate Verify Choice No Client Certificate - certificate.. +it will be ignored (not used for verification). +### Common Params Tls Certificates - -### Client Certificate Verify Choice No Client Certificate - - it will be ignored (not used for verification). - - - -### Common Params Tls Certificates - - Set of TLS certificates. +Set of TLS certificates. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). 
- - - -###### One of the arguments from this list "disable_ocsp_stapling, custom_hash_algorithms, use_system_defaults" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Common Params Validation Params - -### Common Params Validation Params - - and list of Subject Alt Names for verification. +and list of Subject Alt Names for verification. `skip_hostname_verification` - (Optional) is not matched to the connecting hostname (`Bool`). - - -###### One of the arguments from this list "trusted_ca_url, trusted_ca" must be set +###### One of the arguments from this list "trusted_ca, trusted_ca_url" must be set `trusted_ca` - (Optional) Root CA Certificate. See [Trusted Ca Choice Trusted Ca ](#trusted-ca-choice-trusted-ca) below for details. 
- `trusted_ca_url` - (Optional) Inline Root CA Certificate (`String`). - `use_volterra_trusted_ca_url` - (Optional) Use the F5XC default Root CA URL from the global config for hostname verification. (`Bool`).(Deprecated) `verify_subject_alt_names` - (Optional) the hostname of the peer will be used for matching against SAN/CN of peer's certificate (`String`). +### Internet Vip Choice Disable Internet Vip +Do not enable advertise on external internet vip.. -### Internet Vip Choice Disable Internet Vip - - Do not enable advertise on external internet vip.. - - - -### Internet Vip Choice Enable Internet Vip - - Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site.. +### Internet Vip Choice Enable Internet Vip +Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site.. +### Ocsp Stapling Choice Custom Hash Algorithms -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. `hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Ocsp Stapling Choice Disable Ocsp Stapling +This is the default behavior if no choice is selected.. -### Ocsp Stapling Choice Disable Ocsp Stapling - - This is the default behavior if no choice is selected.. - - +### Ocsp Stapling Choice Use System Defaults -### Ocsp Stapling Choice Use System Defaults +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. 
- F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. +### Private Key Blindfold Secret Info Internal - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -396,10 +174,7 @@ resource "volterra_advertise_policy" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -409,63 +184,47 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Ref Or Selector Site - -### Ref Or Selector Site - - Direct reference to site object. - - +Direct reference to site object. ###### One of the arguments from this list "disable_internet_vip, enable_internet_vip" must be set `disable_internet_vip` - (Optional) Do not enable advertise on external internet vip. (`Bool`). - `enable_internet_vip` - (Optional) Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site. (`Bool`). - `network_type` - (Optional) The type of network on the referred site (`String`). `ref` - (Required) A site direct reference. See [ref](#ref) below for details. `refs` - (Optional) Reference to virtual network. See [ref](#ref) below for details.(Deprecated) +### Ref Or Selector Virtual Network - -### Ref Or Selector Virtual Network - - Direct reference to virtual network object. +Direct reference to virtual network object. `ref` - (Required) A virtual network direct reference. See [ref](#ref) below for details. +### Ref Or Selector Virtual Site - -### Ref Or Selector Virtual Site - - Direct reference to virtual site object. - - +Direct reference to virtual site object. ###### One of the arguments from this list "disable_internet_vip, enable_internet_vip" must be set `disable_internet_vip` - (Optional) Do not enable advertise on external internet vip. (`Bool`). - `enable_internet_vip` - (Optional) Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site. (`Bool`). - `network_type` - (Optional) The type of network on the referred virtual_site (`String`). `ref` - (Required) A virtual_site direct reference. See [ref](#ref) below for details. `refs` - (Optional) Reference to virtual network. 
See [ref](#ref) below for details.(Deprecated) +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -473,21 +232,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -499,45 +254,33 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Tls Certificates Private Key - -### Tls Certificates Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "clear_secret_info, wingman_secret_info, blindfold_secret_info, vault_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. 
- `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Tls Parameters Common Params - - -### Tls Parameters Common Params - - Common TLS parameters used in both upstream and downstream connections. +Common TLS parameters used in both upstream and downstream connections. `cipher_suites` - (Optional) will be used. (`String`). @@ -551,17 +294,13 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `validation_params` - (Optional) and list of Subject Alt Names for verification. See [Common Params Validation Params ](#common-params-validation-params) below for details. +### Trusted Ca Choice Trusted Ca - -### Trusted Ca Choice Trusted Ca - - Root CA Certificate. +Root CA Certificate. `trusted_ca_list` - (Optional) Reference to Root CA Certificate. See [ref](#ref) below for details. +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured advertise_policy. - +- `id` - This is the id of the configured advertise_policy. diff --git a/docs/resources/volterra_alert_policy.md b/docs/resources/volterra_alert_policy.md index e7c968921..cf9c22b1d 100644 --- a/docs/resources/volterra_alert_policy.md +++ b/docs/resources/volterra_alert_policy.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: alert_policy" -description: "The alert_policy allows CRUD of Alert Policy resource on Volterra SaaS" +description: "The alert_policy allows CRUD of Alert Policy resource on Volterra SaaS" + --- -# Resource volterra_alert_policy -The Alert Policy allows CRUD of Alert Policy resource on Volterra SaaS +Resource volterra_alert_policy +============================== -~> **Note:** Please refer to [Alert Policy API docs](https://docs.cloud.f5.com/docs-v2/api/alert-policy) to learn more +The Alert Policy allows CRUD of Alert Policy resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Alert Policy API docs](https://docs.cloud.f5.com/docs-v2/api/alert-policy) to learn more + +Example Usage +------------- ```hcl resource "volterra_alert_policy" "example" { 
@@ -34,17 +27,41 @@ resource "volterra_alert_policy" "example" { } routes { - // One of the arguments from this list "send dont_send" must be set + // One of the arguments from this list "dont_send send" must be set send = true - // One of the arguments from this list "group alertname alertname_regex custom any severity" can be set + // One of the arguments from this list "alertname alertname_regex any custom group severity" can be set + + custom { + alertlabel { + // One of the arguments from this list "exact_match regex_match" must be set + + exact_match = "Major" + } + + alertname { + // One of the arguments from this list "exact_match regex_match" must be set + + exact_match = "Major" + } + + group { + // One of the arguments from this list "exact_match regex_match" must be set + + exact_match = "Major" + } - alertname = "alertname" + severity { + // One of the arguments from this list "exact_match regex_match" must be set + + regex_match = "Major|Critical" + } + } notification_parameters { - // One of the arguments from this list "default individual ves_io_group custom" must be set + // One of the arguments from this list "custom default individual ves_io_group" must be set - individual = true + default = true group_interval = "1m" 
@@ -57,333 +74,150 @@ resource "volterra_alert_policy" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `notification_parameters` - (Optional) Notification parameters to decide how and when the alerts should be sent to the receivers.. See [Notification Parameters ](#notification-parameters) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - `receivers` - (Required) list of Alert Receivers where the alerts will be sent. See [ref](#ref) below for details. - `routes` - (Required) The routes are evaluated in the specified order and terminates on the first match.. See [Routes ](#routes) below for details. +### Notification Parameters +Notification parameters to decide how and when the alerts should be sent to the receivers.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Notification Parameters - - Notification parameters to decide how and when the alerts should be sent to the receivers.. 
- - - -###### One of the arguments from this list "default, individual, ves_io_group, custom" must be set +###### One of the arguments from this list "custom, default, individual, ves_io_group" must be set `custom` - (Optional) Specify set of labels for grouping the alerts. See [Group By Custom ](#group-by-custom) below for details. - `default` - (Optional) Group the alerts by severity, group name and alert name (`Bool`). - `individual` - (Optional) This option disables grouping of alerts (`Bool`). - `ves_io_group` - (Optional) Group the alerts by severity, group name and alert name (`Bool`). - `group_interval` - (Optional) If not specified, group_interval defaults to "1m" (`String`). `group_wait` - (Optional) If not specified, group_wait defaults to "30s" (`String`). `repeat_interval` - (Optional) If not specified, group_interval defaults to "4h" (`String`). +### Routes +The routes are evaluated in the specified order and terminates on the first match.. -### Routes - - The routes are evaluated in the specified order and terminates on the first match.. - - - -###### One of the arguments from this list "send, dont_send" must be set +###### One of the arguments from this list "dont_send, send" must be set `dont_send` - (Optional) Do not send the alert (`Bool`). - `send` - (Optional) Send the alert (`Bool`). - - - - -###### One of the arguments from this list "alertname_regex, custom, any, severity, group, alertname" can be set +###### One of the arguments from this list "alertname, alertname_regex, any, custom, group, severity" can be set `alertname` - (Optional) Matches the alertname of the alert (`String`). - `alertname_regex` - (Optional) Regular Expression match for the alertname (`String`). - `any` - (Optional) Matches all alerts in the namespace (`Bool`). - `custom` - (Optional) A set of custom equality/regex matchers an alert has to fulfill to match the route.. See [Matcher Custom ](#matcher-custom) below for details. 
- `group` - (Optional) Matches the group name of the alert. See [Matcher Group ](#matcher-group) below for details. - `severity` - (Optional) Matches the severity level of the alert. See [Matcher Severity ](#matcher-severity) below for details. - `notification_parameters` - (Optional) notification_config defined in the policy.. See [Routes Notification Parameters ](#routes-notification-parameters) below for details. +### Action Dont Send +Do not send the alert. -### Action Dont Send - - Do not send the alert. - - - -### Action Send - - Send the alert. +### Action Send +Send the alert. +### Custom Alertlabel -### Custom Alertlabel - - AlertLabel to configure the alert policy rule. - - +AlertLabel to configure the alert policy rule. ###### One of the arguments from this list "exact_match, regex_match" must be set `exact_match` - (Optional) Equality match value for the label (`String`). - `regex_match` - (Optional) Regular expression match value for the label (`String`). +### Custom Alertname - - -### Custom Alertname - - Alertname Matcher. - - +Alertname Matcher. ###### One of the arguments from this list "exact_match, regex_match" must be set `exact_match` - (Optional) Equality match value for the label (`String`). - `regex_match` - (Optional) Regular expression match value for the label (`String`). +### Custom Group - - -### Custom Group - - Group Matcher. - - +Group Matcher. ###### One of the arguments from this list "exact_match, regex_match" must be set `exact_match` - (Optional) Equality match value for the label (`String`). - `regex_match` - (Optional) Regular expression match value for the label (`String`). +### Custom Severity - - -### Custom Severity - - Severity Matcher. - - +Severity Matcher. ###### One of the arguments from this list "exact_match, regex_match" must be set `exact_match` - (Optional) Equality match value for the label (`String`). - `regex_match` - (Optional) Regular expression match value for the label (`String`). 
+### Group By Custom - - -### Group By Custom - - Specify set of labels for grouping the alerts. +Specify set of labels for grouping the alerts. `labels` - (Optional) Name of labels to group/aggregate the alerts (`String`). +### Group By Default +Group the alerts by severity, group name and alert name. -### Group By Default - - Group the alerts by severity, group name and alert name. - +### Group By Individual +This option disables grouping of alerts. -### Group By Individual +### Group By Ves Io Group - This option disables grouping of alerts. +Group the alerts by severity, group name and alert name. +### Matcher Any +Matches all alerts in the namespace. -### Group By Ves Io Group +### Matcher Custom - Group the alerts by severity, group name and alert name. - - - -### Matcher Any - - Matches all alerts in the namespace. - - - -### Matcher Custom - - A set of custom equality/regex matchers an alert has to fulfill to match the route.. +A set of custom equality/regex matchers an alert has to fulfill to match the route.. `alertlabel` - (Optional) AlertLabel to configure the alert policy rule. See [Custom Alertlabel ](#custom-alertlabel) below for details. @@ -393,26 +227,19 @@ resource "volterra_alert_policy" "example" { `severity` - (Optional) Severity Matcher. See [Custom Severity ](#custom-severity) below for details. +### Matcher Group - -### Matcher Group - - Matches the group name of the alert. +Matches the group name of the alert. `groups` - (Optional) Name of groups to match the alert (`List of Strings`). +### Matcher Severity - -### Matcher Severity - - Matches the severity level of the alert. +Matches the severity level of the alert. `severities` - (Optional) List of severity levels (`List of Strings`). - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -422,37 +249,27 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Routes Notification Parameters +notification_config defined in the policy.. -### Routes Notification Parameters - - notification_config defined in the policy.. - - - -###### One of the arguments from this list "default, individual, ves_io_group, custom" must be set +###### One of the arguments from this list "custom, default, individual, ves_io_group" must be set `custom` - (Optional) Specify set of labels for grouping the alerts. See [Group By Custom ](#group-by-custom) below for details. - `default` - (Optional) Group the alerts by severity, group name and alert name (`Bool`). - `individual` - (Optional) This option disables grouping of alerts (`Bool`). - `ves_io_group` - (Optional) Group the alerts by severity, group name and alert name (`Bool`). - `group_interval` - (Optional) If not specified, group_interval defaults to "1m" (`String`). `group_wait` - (Optional) If not specified, group_wait defaults to "30s" (`String`). `repeat_interval` - (Optional) If not specified, group_interval defaults to "4h" (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured alert_policy. - +- `id` - This is the id of the configured alert_policy. diff --git a/docs/resources/volterra_alert_receiver.md b/docs/resources/volterra_alert_receiver.md index 16c6935f8..587360157 100644 --- a/docs/resources/volterra_alert_receiver.md +++ b/docs/resources/volterra_alert_receiver.md 
@@ -1,33 +1,26 @@ - - - - - - - - - - - - --- + page_title: "Volterra: alert_receiver" -description: "The alert_receiver allows CRUD of Alert Receiver resource on Volterra SaaS" +description: "The alert_receiver allows CRUD of Alert Receiver resource on Volterra SaaS" + --- -# Resource volterra_alert_receiver -The Alert Receiver allows CRUD of Alert Receiver resource on Volterra SaaS +Resource volterra_alert_receiver +================================ + +The Alert Receiver allows CRUD of Alert Receiver resource on Volterra SaaS -~> **Note:** Please refer to [Alert Receiver API docs](https://docs.cloud.f5.com/docs-v2/api/alert-receiver) to learn more +~> **Note:** Please refer to [Alert Receiver API docs](https://docs.cloud.f5.com/docs-v2/api/alert-receiver) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_alert_receiver" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "slack pagerduty opsgenie email sms webhook" must be set + // One of the arguments from this list "email opsgenie pagerduty slack sms webhook" must be set slack { channel = "value" @@ -43,7 +36,7 @@ resource "volterra_alert_receiver" "example" { secret_encoding_type = "secret_encoding_type" - // One of the arguments from this list "blindfold_secret_info vault_secret_info clear_secret_info wingman_secret_info" must be set + // One of the arguments from this list "blindfold_secret_info clear_secret_info vault_secret_info wingman_secret_info" must be set blindfold_secret_info { decryption_provider = "value" 
@@ -58,296 +51,42 @@ resource "volterra_alert_receiver" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "email, opsgenie, pagerduty, slack, sms, webhook" must be set `email` - (Optional) Send alert notifications as Email. See [Receiver Email ](#receiver-email) below for details. - - - - `opsgenie` - (Optional) Send alert notifications to OpsGenie. See [Receiver Opsgenie ](#receiver-opsgenie) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `pagerduty` - (Optional) Send alert notifications to PagerDuty. See [Receiver Pagerduty ](#receiver-pagerduty) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - `slack` - (Optional) Send alert notifications to Slack. See [Receiver Slack ](#receiver-slack) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - `sms` - (Optional) Send alert notifications as SMS. See [Receiver Sms ](#receiver-sms) below for details. - - - - `webhook` - (Optional) Send alert notifications to Webhook. See [Receiver Webhook ](#receiver-webhook) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +### Api Key Blindfold Secret Info Internal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Api Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
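Review bot: In the Metadata Argument Reference of alert_receiver.md, the `annotations` line is rewritten only to drop trailing whitespace and still reads as a fragment ("queryable and should be preserved when modifying objects."), as does `labels` ("by selector expression"); the description should be regenerated with its subject so a reader can tell what the argument holds. The re-added sentence "Blindfold Secret Internal is used for the putting re-encrypted blindfold secret." shows the same generator damage and should be reworded at the source.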
@@ -355,147 +94,105 @@ resource "volterra_alert_receiver" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Auth Choice Auth Token - -### Auth Choice Auth Token - - Configure an Access Token for authentication to the HTTP(s) server (such as a Bearer Token). +Configure an Access Token for authentication to the HTTP(s) server (such as a Bearer Token). `token` - (Required) F5XC Secret. URL for token, needs to be fetched from this path. See [Auth Token Token ](#auth-token-token) below for details. +### Auth Choice Basic Auth - -### Auth Choice Basic Auth - - Use HTTP Basic Auth for authentication to the HTTP(s) server. +Use HTTP Basic Auth for authentication to the HTTP(s) server. `password` - (Required) HTTP Basic Auth Password. See [Basic Auth Password ](#basic-auth-password) below for details. `user_name` - (Required) HTTP Basic Auth User Name (`String`). +### Auth Choice Client Cert Obj - -### Auth Choice Client Cert Obj - - Use certificate and key files for client cert authentication to the server.. +Use certificate and key files for client cert authentication to the server.. `use_tls_obj` - (Optional) Reference to client certificate object. See [ref](#ref) below for details. +### Auth Choice No Authorization +Do not use authentication to the HTTP(s) server. -### Auth Choice No Authorization - - Do not use authentication to the HTTP(s) server. - - - -### Auth Token Token +### Auth Token Token - F5XC Secret. URL for token, needs to be fetched from this path. +F5XC Secret. URL for token, needs to be fetched from this path. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Token Blindfold Secret Info Internal ](#token-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) - - -###### One of the arguments from this list "clear_secret_info, wingman_secret_info, blindfold_secret_info, vault_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Basic Auth Password - - -### Basic Auth Password - - HTTP Basic Auth Password. +HTTP Basic Auth Password. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Opsgenie Api Key - - -### Opsgenie Api Key - - API integration key to send alert notifications using REST API to OpsGenie service.. +API integration key to send alert notifications using REST API to OpsGenie service.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Api Key Blindfold Secret Info Internal ](#api-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Pagerduty Routing Key - - -### Pagerduty Routing Key - - PagerDuty integration key (choose Integration Type: Events API v2). +PagerDuty integration key (choose Integration Type: Events API v2). `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Routing Key Blindfold Secret Info Internal ](#routing-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) - - -###### One of the arguments from this list "clear_secret_info, wingman_secret_info, blindfold_secret_info, vault_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Password Blindfold Secret Info Internal - - -### Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
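Review bot: In the secret one-of lists for "Auth Token Token", "Basic Auth Password", "Opsgenie Api Key" and "Pagerduty Routing Key", the page offers `clear_secret_info` ("used for the secrets that are not encrypted") next to `blindfold_secret_info` without any guidance, while `vault_secret_info` and `wingman_secret_info` are both marked Deprecated. That leaves `blindfold_secret_info` as the only choice that is neither deprecated nor unencrypted, and the docs should say so for these API keys, tokens and passwords. Separately, the marker is glued to the preceding sentence ("below for details.(Deprecated)", "(`String`).(Deprecated)"); add a space before "(Deprecated)".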
@@ -503,66 +200,51 @@ resource "volterra_alert_receiver" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Receiver Email - -### Receiver Email - - Send alert notifications as Email. +Send alert notifications as Email. `email` - (Optional) Email id of the user (`String`). +### Receiver Opsgenie - -### Receiver Opsgenie - - Send alert notifications to OpsGenie. +Send alert notifications to OpsGenie. `api_key` - (Required) API integration key to send alert notifications using REST API to OpsGenie service.. See [Opsgenie Api Key ](#opsgenie-api-key) below for details. `url` - (Required) URL to send API requests to (`String`). +### Receiver Pagerduty - -### Receiver Pagerduty - - Send alert notifications to PagerDuty. +Send alert notifications to PagerDuty. `routing_key` - (Required) PagerDuty integration key (choose Integration Type: Events API v2). See [Pagerduty Routing Key ](#pagerduty-routing-key) below for details. `url` - (Required) URL to send API requests to (`String`). +### Receiver Slack - -### Receiver Slack - - Send alert notifications to Slack. +Send alert notifications to Slack. `channel` - (Required) Channel or user to send notifications to (`String`). `url` - (Required) API Key is embedded in the webhook URL.. See [Slack Url ](#slack-url) below for details. +### Receiver Sms +Send alert notifications as SMS. -### Receiver Sms +`contact_number` - (Optional) Contact number of the user in ITU E.164 format [+][country code][subscriber number including area code](`String`). - Send alert notifications as SMS. +### Receiver Webhook -`contact_number` - (Optional) Contact number of the user in ITU E.164 format [+][country code][subscriber number including area code] (`String`). - - - -### Receiver Webhook - - Send alert notifications to Webhook. +Send alert notifications to Webhook. `http_config` - (Required) Configuration for HTTP endpoint. 
See [Webhook Http Config ](#webhook-http-config) below for details. `url` - (Required) Incoming webhook url to send alert notifications.. See [Webhook Url ](#webhook-url) below for details. - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -572,11 +254,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Routing Key Blindfold Secret Info Internal - -### Routing Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -584,11 +264,9 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
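Review bot: In the "Receiver Sms" section of alert_receiver.md, the new `contact_number` line drops the space before the type, turning "[subscriber number including area code] (`String`)" into "[subscriber number including area code](`String`)", which reads as Markdown inline-link syntax and is likely to render the E.164 placeholder as a link instead of showing the type. Restore the space, or put the format string "[+][country code][subscriber number including area code]" in backticks.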
@@ -596,21 +274,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -622,101 +296,71 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Server Validation Choice Use Server Verification - -### Server Validation Choice Use Server Verification - - Perform server verification using the provided trusted CA list. +Perform server verification using the provided trusted CA list. `ca_cert_obj` - (Optional) Trusted CA List for verification of Server's certificate. See [Use Server Verification Ca Cert Obj ](#use-server-verification-ca-cert-obj) below for details. +### Server Validation Choice Volterra Trusted Ca +Perform server verification using F5XC default trusted CA list. -### Server Validation Choice Volterra Trusted Ca - - Perform server verification using F5XC default trusted CA list. - - +### Slack Url -### Slack Url - - API Key is embedded in the webhook URL.. +API Key is embedded in the webhook URL.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Url Blindfold Secret Info Internal ](#url-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. 
See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Sni Choice Disable Sni +Do not use SNI.. +### Tls Choice No Tls -### Sni Choice Disable Sni - - Do not use SNI.. - - - -### Tls Choice No Tls - - x-displayName: "Disable". +x-displayName: "Disable". +### Tls Choice Use Tls - -### Tls Choice Use Tls - - x-displayName: "Enable". +x-displayName: "Enable". `max_version` - (Optional) Maximum TLS protocol version. (`String`). `min_version` - (Optional) Minimum TLS protocol version. (`String`). - - ###### One of the arguments from this list "use_server_verification, volterra_trusted_ca" must be set `use_server_verification` - (Optional) Perform server verification using the provided trusted CA list. See [Server Validation Choice Use Server Verification ](#server-validation-choice-use-server-verification) below for details. - `volterra_trusted_ca` - (Optional) Perform server verification using F5XC default trusted CA list (`Bool`). - - - -###### One of the arguments from this list "sni, disable_sni" must be set +###### One of the arguments from this list "disable_sni, sni" must be set `disable_sni` - (Optional) Do not use SNI. (`Bool`). - `sni` - (Optional) SNI value to be used. (`String`). 
+### Token Blindfold Secret Info Internal - - -### Token Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -724,11 +368,9 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Url Blindfold Secret Info Internal - -### Url Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
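Review bot: In alert_receiver.md, "Tls Choice No Tls" and "Tls Choice Use Tls" are re-added with a raw schema annotation as their entire description (x-displayName: "Disable". and x-displayName: "Enable".), so the page never states that `no_tls` turns TLS off for the webhook HTTP endpoint. Replace both with real descriptions, and list the accepted values for `min_version` and `max_version`, which are documented only as "Minimum/Maximum TLS protocol version".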
@@ -736,79 +378,55 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Use Server Verification Ca Cert Obj - -### Use Server Verification Ca Cert Obj - - Trusted CA List for verification of Server's certificate. +Trusted CA List for verification of Server's certificate. `trusted_ca` - (Optional) Reference to client certificate object. See [ref](#ref) below for details. +### Webhook Http Config +Configuration for HTTP endpoint. -### Webhook Http Config - - Configuration for HTTP endpoint. - - - -###### One of the arguments from this list "no_authorization, basic_auth, auth_token, client_cert_obj" must be set +###### One of the arguments from this list "auth_token, basic_auth, client_cert_obj, no_authorization" must be set `auth_token` - (Optional) Configure an Access Token for authentication to the HTTP(s) server (such as a Bearer Token). See [Auth Choice Auth Token ](#auth-choice-auth-token) below for details. - `basic_auth` - (Optional) Use HTTP Basic Auth for authentication to the HTTP(s) server. See [Auth Choice Basic Auth ](#auth-choice-basic-auth) below for details. - `client_cert_obj` - (Optional) Use certificate and key files for client cert authentication to the server.. See [Auth Choice Client Cert Obj ](#auth-choice-client-cert-obj) below for details. - `no_authorization` - (Optional) Do not use authentication to the HTTP(s) server (`Bool`). - `enable_http2` - (Optional) Configure to use HTTP2 protocol. (`Bool`). `follow_redirects` - (Optional) Configure whether HTTP requests follow HTTP 3xx redirects. (`Bool`). - - ###### One of the arguments from this list "no_tls, use_tls" must be set `no_tls` - (Optional) x-displayName: "Disable" (`Bool`). - `use_tls` - (Optional) x-displayName: "Enable". See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. 
+### Webhook Url - - -### Webhook Url - - Incoming webhook url to send alert notifications.. +Incoming webhook url to send alert notifications.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Url Blindfold Secret Info Internal ](#url-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "vault_secret_info, clear_secret_info, wingman_secret_info, blindfold_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +Attribute Reference +------------------- - - -## Attribute Reference - -* `id` - This is the id of the configured alert_receiver. - +- `id` - This is the id of the configured alert_receiver. diff --git a/docs/resources/volterra_allowed_tenant.md b/docs/resources/volterra_allowed_tenant.md index 774c401e3..4730455a0 100644 
--- a/docs/resources/volterra_allowed_tenant.md +++ b/docs/resources/volterra_allowed_tenant.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: allowed_tenant" - description: "The allowed_tenant allows CRUD of Allowed Tenant resource on Volterra SaaS" ------------------------------------------------------------------------------------------ + +--- Resource volterra_allowed_tenant ================================ diff --git a/docs/resources/volterra_api_credential.md b/docs/resources/volterra_api_credential.md index c48473a4e..9404128f4 100644 --- a/docs/resources/volterra_api_credential.md +++ b/docs/resources/volterra_api_credential.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: volterra_api_credential" - description: "The volterra_api_credential allows creation of api_credential object on Volterra SaaS" ----------------------------------------------------------------------------------------------------- + +--- Resource volterra_api_credential ================================ diff --git a/docs/resources/volterra_api_definition.md b/docs/resources/volterra_api_definition.md index 347a1ca5f..f9b482955 100644 --- a/docs/resources/volterra_api_definition.md +++ b/docs/resources/volterra_api_definition.md 
@@ -1,125 +1,90 @@ - - - - - - - - - - - - --- + page_title: "Volterra: api_definition" -description: "The api_definition allows CRUD of Api Definition resource on Volterra SaaS" +description: "The api_definition allows CRUD of Api Definition resource on Volterra SaaS" + --- -# Resource volterra_api_definition -The Api Definition allows CRUD of Api Definition resource on Volterra SaaS +Resource volterra_api_definition +================================ + +The Api Definition allows CRUD of Api Definition resource on Volterra SaaS -~> **Note:** Please refer to [Api Definition API docs](https://docs.cloud.f5.com/docs-v2/api/views-api-definition) to learn more +~> **Note:** Please refer to [Api Definition API docs](https://docs.cloud.f5.com/docs-v2/api/views-api-definition) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_api_definition" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "strict_schema_origin mixed_schema_origin" must be set + // One of the arguments from this list "mixed_schema_origin strict_schema_origin" must be set strict_schema_origin = true } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). 
- - ### Spec Argument Reference `api_inventory_exclusion_list` - (Optional) List of API Endpoints excluded from the API Inventory.. See [Api Inventory Exclusion List ](#api-inventory-exclusion-list) below for details. - - - - `api_inventory_inclusion_list` - (Optional) Typically, discovered API endpoints are added to the API Inventory using this list.. See [Api Inventory Inclusion List ](#api-inventory-inclusion-list) below for details. - - - - `non_api_endpoints` - (Optional) List of Non-API Endpoints.. See [Non Api Endpoints ](#non-api-endpoints) below for details. - - - - +###### One of the arguments from this list "mixed_schema_origin, strict_schema_origin" must be set `mixed_schema_origin` - (Optional) The schema can be updated from all associated LBs (`Bool`). - `strict_schema_origin` - (Optional) The origin of the schema update is stored and validated per API endpoint (`Bool`). - - - `swagger_specs` - (Optional) Notice file versions. If OpenAPI file is updated, need to select a new version here to redefine the API. (`List of String`). +### Api Inventory Exclusion List - -### Api Inventory Exclusion List - - List of API Endpoints excluded from the API Inventory.. +List of API Endpoints excluded from the API Inventory.. `method` - (Required) Method to match the input request API method against. (`String`). `path` - (Required) The path should comply with RFC 3986 and may have parameters according to OpenAPI specification (`String`). +### Api Inventory Inclusion List - -### Api Inventory Inclusion List - - Typically, discovered API endpoints are added to the API Inventory using this list.. +Typically, discovered API endpoints are added to the API Inventory using this list.. `method` - (Required) Method to match the input request API method against. (`String`). `path` - (Required) The path should comply with RFC 3986 and may have parameters according to OpenAPI specification (`String`). 
+### Non Api Endpoints - -### Non Api Endpoints - - List of Non-API Endpoints.. +List of Non-API Endpoints.. `method` - (Required) Method to match the input request API method against. (`String`). `path` - (Required) The path should comply with RFC 3986 and may have parameters according to OpenAPI specification (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured api_definition. - +- `id` - This is the id of the configured api_definition. diff --git a/docs/resources/volterra_apm.md b/docs/resources/volterra_apm.md index 3598ace3b..35ddc3113 100644 --- a/docs/resources/volterra_apm.md +++ b/docs/resources/volterra_apm.md 
@@ -1,44 +1,84 @@ +--- +page_title: "Volterra: apm" +description: "The apm allows CRUD of Apm resource on Volterra SaaS" +--- +Resource volterra_apm +===================== +The Apm allows CRUD of Apm resource on Volterra SaaS +~> **Note:** Please refer to [Apm API docs](https://docs.cloud.f5.com/docs-v2/api/bigip-apm) to learn more +Example Usage +------------- +```hcl +resource "volterra_apm" "example" { + name = "acmecorp-web" + namespace = "staging" + // One of the arguments from this list "https_management" must be set + https_management { + // One of the arguments from this list "advertise_on_internet advertise_on_internet_default_vip advertise_on_sli_vip advertise_on_slo_internet_vip advertise_on_slo_sli advertise_on_slo_vip disable_local do_not_advertise_on_internet" must be set + advertise_on_slo_internet_vip { + // One of the arguments from this list "no_mtls use_mtls" must be set + no_mtls = true ---- -page_title: "Volterra: apm" -description: "The apm allows CRUD of Apm resource on Volterra SaaS" ---- -# Resource volterra_apm + tls_certificates { + certificate_url = "value" -The Apm allows CRUD of Apm resource on Volterra SaaS + description = "Certificate used in production environment" -~> **Note:** Please refer to [Apm API docs]( https://docs.cloud.f5.com/docs-v2/api/bigip-apm) to learn more + // One of the arguments from this list "custom_hash_algorithms disable_ocsp_stapling use_system_defaults" can be set -## Example Usage + use_system_defaults {} + private_key { + blindfold_secret_info_internal { + decryption_provider = "value" -```hcl -resource "volterra_apm" "example" { - name = "acmecorp-web" - namespace = "staging" + location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" - // One of the arguments from this list "https_management" must be set + store_provider = "value" + } - https_management { - // One of the arguments from this list "do_not_advertise_on_internet advertise_on_internet_default_vip advertise_on_internet advertise_on_slo_internet_vip 
advertise_on_sli_vip advertise_on_slo_vip advertise_on_slo_sli disable_local" must be set + secret_encoding_type = "secret_encoding_type" + + // One of the arguments from this list "blindfold_secret_info clear_secret_info vault_secret_info wingman_secret_info" must be set + + blindfold_secret_info { + decryption_provider = "value" + + location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" + + store_provider = "value" + } + } + } - disable_local = true + tls_config { + // One of the arguments from this list "custom_security default_security low_security medium_security" must be set + + default_security = true + } + } domain_suffix = "foo.com" - // One of the arguments from this list "advertise_on_public_default_vip advertise_on_public do_not_advertise" can be set + // One of the arguments from this list "advertise_on_public advertise_on_public_default_vip do_not_advertise" can be set - do_not_advertise = true + advertise_on_public { + public_ip { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } + } // One of the arguments from this list "default_https_port https_port" must be set @@ -60,7 +100,7 @@ resource "volterra_apm" "example" { secret_encoding_type = "secret_encoding_type" - // One of the arguments from this list "clear_secret_info wingman_secret_info blindfold_secret_info vault_secret_info" must be set + // One of the arguments from this list "blindfold_secret_info clear_secret_info vault_secret_info wingman_secret_info" must be set clear_secret_info { provider = "box-provider" @@ -80,7 +120,7 @@ resource "volterra_apm" "example" { } endpoint_service { - // One of the arguments from this list "disable_advertise_on_slo_ip advertise_on_slo_ip advertise_on_slo_ip_external" must be set + // One of the arguments from this list "advertise_on_slo_ip advertise_on_slo_ip_external disable_advertise_on_slo_ip" must be set disable_advertise_on_slo_ip = true 
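Review bot: In the first hunk of volterra_apm.md, the rewritten `https_management` example replaces `do_not_advertise = true` with an `advertise_on_public { public_ip { ... } }` block, but the argument reference added later in this same patch marks `advertise_on_public`, `advertise_on_public_default_vip` and `do_not_advertise` as Deprecated. The example therefore shows a deprecated argument, and one that moves management access from not advertised to advertised on a public IP. Since that list is "can be set", consider dropping the block from the example. If public exposure is meant to be shown, use the non-deprecated `advertise_on_internet` choice from the first list instead of combining it with `advertise_on_slo_internet_vip`. The `private_key` block in the same example also sets both `blindfold_secret_info_internal` and `blindfold_secret_info`; one of them should be enough for a usage example.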
@@ -88,11 +128,13 @@ resource "volterra_apm" "example" { automatic_vip = true - // One of the arguments from this list "default_tcp_ports http_port https_port custom_tcp_ports no_tcp_ports" must be set + // One of the arguments from this list "custom_tcp_ports default_tcp_ports http_port https_port no_tcp_ports" must be set - default_tcp_ports = true + custom_tcp_ports { + ports = ["100-200"] + } - // One of the arguments from this list "no_udp_ports custom_udp_ports" must be set + // One of the arguments from this list "custom_udp_ports no_udp_ports" must be set no_udp_ports = true } @@ -100,9 +142,13 @@ resource "volterra_apm" "example" { nodes { aws_az_name = "us-west-2a" - // One of the arguments from this list "reserved_mgmt_subnet mgmt_subnet" must be set + // One of the arguments from this list "mgmt_subnet reserved_mgmt_subnet" must be set - reserved_mgmt_subnet = true + mgmt_subnet { + // One of the arguments from this list "existing_subnet_id subnet_param" must be set + + existing_subnet_id = "subnet-12345678901234567" + } node_name = "node1" // One of the arguments from this list "automatic_prefix tunnel_prefix" must be set 
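Review bot: In the `endpoint_service` block the example changes from `default_tcp_ports = true` to `custom_tcp_ports { ports = ["100-200"] }`, so a copy-pasted example now opens a whole TCP range where the previous one opened only the documented defaults (80 and 443). Please either keep the default, or use a single explicit port and add a `//` comment saying the value is illustrative and showing the accepted range syntax. The same applies to `existing_subnet_id = "subnet-12345678901234567"` in the `nodes` block of the next hunk: a short comment that this is a placeholder, and that the subnet must sit in the AZ given by `aws_az_name`, would prevent a confusing apply failure.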
@@ -129,1662 +175,776 @@ resource "volterra_apm" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "https_management" must be set `https_management` - (Optional) Enable HTTPS based management. See [Http Management Choice Https Management ](#http-management-choice-https-management) below for details. - - - - - - - - - - - - - - - - - +###### One of the arguments from this list "aws_site_type_choice, baremetal_site_type_choice" must be set +`aws_site_type_choice` - (Optional) Virtual F5 BIG-IP APM service to be deployed on AWS Transit Gateway Site. See [Site Type Choice Aws Site Type Choice ](#site-type-choice-aws-site-type-choice) below for details. +`baremetal_site_type_choice` - (Optional) Virtual F5 BIG-IP APM service to be deployed on App Stack Bare Metal Site. See [Site Type Choice Baremetal Site Type Choice ](#site-type-choice-baremetal-site-type-choice) below for details. - +### Admin Password Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
+`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Advertise Choice Advertise On Internet +Advertise this loadbalancer on public network. +`public_ip` - (Required) Dedicated Public IP, which is allocated by F5 Distributed Cloud on request, is used as a VIP.. See [ref](#ref) below for details. +### Advertise Choice Advertise On Internet Default Vip +Enable management access on internet with default VIP. - +### Advertise Choice Advertise On Sli Vip +Enable on Site local inside network, default VIP will be used. +###### One of the arguments from this list "no_mtls, use_mtls" must be set +`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). +`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. +`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Advertise On Sli Vip Tls Certificates ](#advertise-on-sli-vip-tls-certificates) below for details. +`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Sli Vip Tls Config ](#advertise-on-sli-vip-tls-config) below for details. +### Advertise Choice Advertise On Slo Internet Vip +Enable On Site Local Outside Internet VIP. +###### One of the arguments from this list "no_mtls, use_mtls" must be set - +`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). +`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. +`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Advertise On Slo Internet Vip Tls Certificates ](#advertise-on-slo-internet-vip-tls-certificates) below for details. 
+`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Slo Internet Vip Tls Config ](#advertise-on-slo-internet-vip-tls-config) below for details. - +### Advertise Choice Advertise On Slo Sli +Enable on Site local inside and outside network, default VIP will be used. +###### One of the arguments from this list "no_mtls, use_mtls" must be set +`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). +`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. +`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Advertise On Slo Sli Tls Certificates ](#advertise-on-slo-sli-tls-certificates) below for details. +`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Slo Sli Tls Config ](#advertise-on-slo-sli-tls-config) below for details. - +### Advertise Choice Advertise On Slo Vip +Enable on Site local outside network, default VIP will be used. +###### One of the arguments from this list "no_mtls, use_mtls" must be set +`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). +`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. +`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Advertise On Slo Vip Tls Certificates ](#advertise-on-slo-vip-tls-certificates) below for details. - +`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Slo Vip Tls Config ](#advertise-on-slo-vip-tls-config) below for details. +### Advertise Choice Disable Local +Disable on Site local network. +### Advertise Choice Do Not Advertise On Internet +Do not enable access to management from internet. 
- +### Advertise On Sli Vip Tls Certificates +for example, domain.com and *.domain.com - but use different signature algorithms. +`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). +`description` - (Optional) Description for the certificate (`String`). - +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set +`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. +`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. +`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - +`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Advertise On Sli Vip Tls Config - +Configuration of TLS settings such as min/max TLS version and ciphersuites. +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set +`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. 
+`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). +`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). +`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### Advertise On Slo Internet Vip Tls Certificates +for example, domain.com and *.domain.com - but use different signature algorithms. - +`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). +`description` - (Optional) Description for the certificate (`String`). +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set +`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. +`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. +`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. +`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. 
- +### Advertise On Slo Internet Vip Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set +`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. +`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). +`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - +`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### Advertise On Slo Sli Tls Certificates +for example, domain.com and *.domain.com - but use different signature algorithms. +`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). +`description` - (Optional) Description for the certificate (`String`). +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set +`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. +`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. +`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. 
See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - +`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Advertise On Slo Sli Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set +`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - +`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). +`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). +`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### Advertise On Slo Vip Tls Certificates - +for example, domain.com and *.domain.com - but use different signature algorithms. +`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). +`description` - (Optional) Description for the certificate (`String`). +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set +`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. 
+`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. +`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - +`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Advertise On Slo Vip Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set - +`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. +`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). +`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). +`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). - +### Ami Choice BestPlusPayG200Mbps +F5 Best Plus with all modules in 200Mbps flavor. +### Ami Choice Best Plus Payg 1gbps +F5 Best Plus with all modules in 1Gbps flavor. +### Apm Aws Site Admin Password +Secret admin password for BIG-IP. - +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. 
if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Apm Aws Site Aws Tgw Site +Reference to AWS transit gateway site. +`aws_tgw_site` - (Required) Reference to AWS transit gateway site. See [ref](#ref) below for details. - +### Apm Aws Site Endpoint Service +External service type is Endpoint service. +###### One of the arguments from this list "advertise_on_slo_ip, advertise_on_slo_ip_external, disable_advertise_on_slo_ip" must be set +`advertise_on_slo_ip` - (Optional) Advertise this loadbalancer on Site Local Outside network address (`Bool`). +`advertise_on_slo_ip_external` - (Optional) Advertise this loadbalancer on Site Local Outside network address and enable cloud external IP (`Bool`). +`disable_advertise_on_slo_ip` - (Optional) Do not Advertise this loadbalancer on Site Local Outside network address (`Bool`). 
+###### One of the arguments from this list "automatic_vip, configured_vip" must be set +`automatic_vip` - (Optional) System will automatically select a VIP (`Bool`). +`configured_vip` - (Optional) Enter IP address for the default VIP (`String`). +###### One of the arguments from this list "custom_tcp_ports, default_tcp_ports, http_port, https_port, no_tcp_ports" must be set +`custom_tcp_ports` - (Optional) Select custom TCP Ports. See [Tcp Port Choice Custom Tcp Ports ](#tcp-port-choice-custom-tcp-ports) below for details. +`default_tcp_ports` - (Optional) Select default TCP Ports, 80 and 443 (`Bool`). +`http_port` - (Optional) Select HTTP Port 80 (`Bool`). +`https_port` - (Optional) Select HTTPS Port 443 (`Bool`). +`no_tcp_ports` - (Optional) Do not select TCP Ports (`Bool`). +###### One of the arguments from this list "custom_udp_ports, no_udp_ports" must be set - +`custom_udp_ports` - (Optional) select custom udp ports. See [Udp Port Choice Custom Udp Ports ](#udp-port-choice-custom-udp-ports) below for details. +`no_udp_ports` - (Optional) do not select udp ports (`Bool`). +### Apm Aws Site Nodes +Specify how and where the service nodes are spawned. +`aws_az_name` - (Required) The AWS Availability Zone must be consistent with the AWS Region chosen. Please select an AZ in the same Region as your TGW Site (`String`). +###### One of the arguments from this list "mgmt_subnet, reserved_mgmt_subnet" must be set +`mgmt_subnet` - (Optional) Select Existing Subnet or Create New. See [Mgmt Subnet Choice Mgmt Subnet ](#mgmt-subnet-choice-mgmt-subnet) below for details. +`reserved_mgmt_subnet` - (Optional) Autogenerate and reserve a subnet from the Primary CIDR (`Bool`). +`node_name` - (Required) Node Name will be used to assign as hostname to the service (`String`). +###### One of the arguments from this list "automatic_prefix, tunnel_prefix" must be set +`automatic_prefix` - (Optional) System will automatically select tunnel prefix (`Bool`). 
+`tunnel_prefix` - (Optional) Enter IP prefix for the tunnel, it has to be /30 (`String`). +### Aws Site Type Choice Apm Aws Site +Virtual F5 BIG-IP service to be deployed on AWS. +`admin_password` - (Required) Secret admin password for BIG-IP. See [Apm Aws Site Admin Password ](#apm-aws-site-admin-password) below for details. +`admin_username` - (Required) Admin Username for BIG-IP (`String`). +`aws_tgw_site` - (Required) Reference to AWS transit gateway site. See [Apm Aws Site Aws Tgw Site ](#apm-aws-site-aws-tgw-site) below for details. +`endpoint_service` - (Optional) External service type is Endpoint service. See [Apm Aws Site Endpoint Service ](#apm-aws-site-endpoint-service) below for details. - +`nodes` - (Required) Specify how and where the service nodes are spawned. See [Apm Aws Site Nodes ](#apm-aws-site-nodes) below for details. +`ssh_key` - (Required) Public SSH key for accessing the BIG-IP nodes. (`String`). +`tags` - (Optional) It helps to manage, identify, organize, search for, and filter resources in AWS console. (`String`). +### Baremetal Site Type Choice F5 Bare Metal Site +Virtual BIG-IP specification for App Stack Bare Metal Site. +`admin_password` - (Required) Secret admin password for BIG-IP. See [F5 Bare Metal Site Admin Password ](#f5-bare-metal-site-admin-password) below for details. +`admin_username` - (Required) Admin Username for BIG-IP (`String`). +`bare_metal_site` - (Required) Reference to bare metal site on which BIG-IP should be deployed. See [ref](#ref) below for details. +`bigiq_instance` - (Required) Details of BIG-IQ Instance used for activating licenses.. See [F5 Bare Metal Site Bigiq Instance ](#f5-bare-metal-site-bigiq-instance) below for details. +`nodes` - (Required) Specify how and where the service nodes are spawned. See [F5 Bare Metal Site Nodes ](#f5-bare-metal-site-nodes) below for details. - +`public_download_url` - (Required) Public URL where BIG-IP VE image (qcow2) is hosted (`String`). 
+`ssh_key` - (Required) Public SSH key for accessing the BIG-IP nodes. (`String`). +### Bigiq Instance Password +Password of the user used to access BIG-IQ to activate the license. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Choice Custom Security +Custom selection of TLS versions and cipher suites. +`cipher_suites` - (Required) The TLS listener will only support the specified cipher list. (`String`). +`max_version` - (Optional) Maximum TLS protocol version. (`String`). +`min_version` - (Optional) Minimum TLS protocol version. (`String`). - +### Choice Default Security +TLS v1.2+ with PFS ciphers and strong crypto algorithms.. 
+### Choice Low Security +TLS v1.0+ including non-PFS ciphers and weak crypto algorithms.. +### Choice Medium Security +TLS v1.0+ with PFS ciphers and medium strength crypto algorithms.. +### Choice Subnet Param +Parameters for creating new subnet. +`ipv4` - (Required) IPv4 subnet prefix for this subnet (`String`). +`ipv6` - (Optional) IPv6 subnet prefix for this subnet (`String`). +### Crl Choice No Crl +Client certificate revocation status is not verified. +### External Vip Choice Advertise On Slo Ip +Advertise this loadbalancer on Site Local Outside network address. +### External Vip Choice Advertise On Slo Ip External +Advertise this loadbalancer on Site Local Outside network address and enable cloud external IP. +### External Vip Choice Disable Advertise On Slo Ip +Do not Advertise this loadbalancer on Site Local Outside network address. - +### F5 Bare Metal Site Admin Password +Secret admin password for BIG-IP. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### F5 Bare Metal Site Bigiq Instance - +Details of BIG-IQ Instance used for activating licenses.. +`license_pool_name` - (Required) Name of Utility Pool on BIG-IQ (`String`). +`license_server_ip` - (Required) IP Address from the TCP Load Balancer which is configured to communicate with License Server (`String`). +`password` - (Required) Password of the user used to access BIG-IQ to activate the license. See [Bigiq Instance Password ](#bigiq-instance-password) below for details. +`sku_name` - (Required) License offering name aka SKU name (`String`). +`username` - (Required) User Name used to access BIG-IQ to activate the license (`String`). +### F5 Bare Metal Site Nodes +Specify how and where the service nodes are spawned. +`bm_node_memory_size` - (Required) x-required (`String`). +`bm_virtual_cpu_count` - (Required) x-required (`String`). +`external_interface` - (Optional). See [Nodes External Interface ](#nodes-external-interface) below for details. +`internal_interface` - (Optional). See [Nodes Internal Interface ](#nodes-internal-interface) below for details. +`node_name` - (Required) Node Name will be used to assign as hostname to the service (`String`). +### Http Management Choice Https Management +Enable HTTPS based management. +###### One of the arguments from this list "advertise_on_internet, advertise_on_internet_default_vip, advertise_on_sli_vip, advertise_on_slo_internet_vip, advertise_on_slo_sli, advertise_on_slo_vip, disable_local, do_not_advertise_on_internet" must be set - +`advertise_on_internet` - (Optional) Advertise this loadbalancer on public network. 
See [Advertise Choice Advertise On Internet ](#advertise-choice-advertise-on-internet) below for details. +`advertise_on_internet_default_vip` - (Optional) Enable management access on internet with default VIP (`Bool`). +`advertise_on_sli_vip` - (Optional) Enable on Site local inside network, default VIP will be used. See [Advertise Choice Advertise On Sli Vip ](#advertise-choice-advertise-on-sli-vip) below for details. +`advertise_on_slo_internet_vip` - (Optional) Enable On Site Local Outside Internet VIP. See [Advertise Choice Advertise On Slo Internet Vip ](#advertise-choice-advertise-on-slo-internet-vip) below for details. +`advertise_on_slo_sli` - (Optional) Enable on Site local inside and outside network, default VIP will be used. See [Advertise Choice Advertise On Slo Sli ](#advertise-choice-advertise-on-slo-sli) below for details. +`advertise_on_slo_vip` - (Optional) Enable on Site local outside network, default VIP will be used. See [Advertise Choice Advertise On Slo Vip ](#advertise-choice-advertise-on-slo-vip) below for details. +`disable_local` - (Optional) Disable on Site local network (`Bool`).(Deprecated) +`do_not_advertise_on_internet` - (Optional) Do not enable access to management from internet (`Bool`).(Deprecated) +`domain_suffix` - (Required) Domain suffix will be used along with node name to form URL to access node management (`String`). +###### One of the arguments from this list "advertise_on_public, advertise_on_public_default_vip, do_not_advertise" can be set +`advertise_on_public` - (Optional) Advertise this loadbalancer on public network. 
See [Internet Choice Advertise On Public ](#internet-choice-advertise-on-public) below for details.(Deprecated) +`advertise_on_public_default_vip` - (Optional) Enable management access on internet with default VIP (`Bool`).(Deprecated) +`do_not_advertise` - (Optional) Do not enable access to management from internet (`Bool`).(Deprecated) +###### One of the arguments from this list "default_https_port, https_port" must be set +`default_https_port` - (Optional) Select default HTTPS 443 (`Bool`). +`https_port` - (Optional) Enter TCP port number (`Int`). +### Inside Vip Choice Automatic Vip +System will automatically select a VIP. - +### Internet Choice Advertise On Public +Advertise this loadbalancer on public network. +`public_ip` - (Required) Dedicated Public IP, which is allocated by F5 Distributed Cloud on request, is used as a VIP.. See [ref](#ref) below for details. +### Internet Choice Advertise On Public Default Vip - +Enable management access on internet with default VIP. +### Internet Choice Do Not Advertise +Do not enable access to management from internet. +### License Type Market Place Image +Select the BIG-IP pay as you go image to be used for this service. +###### One of the arguments from this list "BestPlusPayG200Mbps, best_plus_payg_1gbps" must be set +`BestPlusPayG200Mbps` - (Optional) F5 Best Plus with all modules in 200Mbps flavor (`Bool`). - +`best_plus_payg_1gbps` - (Optional) F5 Best Plus with all modules in 1Gbps flavor (`Bool`). +### Mgmt Subnet Choice Mgmt Subnet +Select Existing Subnet or Create New. +###### One of the arguments from this list "existing_subnet_id, subnet_param" must be set +`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). - +`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. +### Mgmt Subnet Choice Reserved Mgmt Subnet +Autogenerate and reserve a subnet from the Primary CIDR. 
+### Mtls Choice No Mtls - +x-displayName: "Disable". +### Mtls Choice Use Mtls +x-displayName: "Enable". +`client_certificate_optional` - (Optional) the connection will be accepted. (`Bool`). +###### One of the arguments from this list "crl, no_crl" can be set +`crl` - (Optional) Specify the CRL server information to download the certificate revocation list. See [ref](#ref) below for details. - +`no_crl` - (Optional) Client certificate revocation status is not verified (`Bool`). +###### One of the arguments from this list "trusted_ca, trusted_ca_url" must be set +`trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Load Balancer. See [ref](#ref) below for details. +`trusted_ca_url` - (Optional) Upload a Root CA Certificate specifically for this Load Balancer (`String`). +###### One of the arguments from this list "xfcc_disabled, xfcc_options" can be set +`xfcc_disabled` - (Optional) No X-Forwarded-Client-Cert header will be added (`Bool`). +`xfcc_options` - (Optional) X-Forwarded-Client-Cert header will be added with the configured fields. See [Xfcc Header Xfcc Options ](#xfcc-header-xfcc-options) below for details. +### Nodes External Interface +. -`aws_site_type_choice` - (Optional) Virtual F5 BIG-IP APM service to be deployed on AWS Transit Gateway Site. See [Site Type Choice Aws Site Type Choice ](#site-type-choice-aws-site-type-choice) below for details. - +`interface` - (Required) L2 Interface on Site to be connected as interface on BIG-IP. See [ref](#ref) below for details. +`network_gateway` - (Optional) (`String`). - +`network_self_ip` - (Required) Self IP CIDR (`String`). +### Nodes Internal Interface - +. +`interface` - (Required) L2 Interface on Site to be connected as interface on BIG-IP. See [ref](#ref) below for details. - +`network_gateway` - (Optional) (`String`). +`network_self_ip` - (Required) Self IP CIDR (`String`). +### Ocsp Stapling Choice Custom Hash Algorithms +Use hash algorithms in the custom order. 
F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Ocsp Stapling Choice Disable Ocsp Stapling +This is the default behavior if no choice is selected.. +### Ocsp Stapling Choice Use System Defaults +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. +### Password Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Port Choice Default Https Port +Select default HTTPS 443. +### Private Key Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - +### Ref +Reference to another volterra object is shown like below +name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - +namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). +tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. 
(String). +### Secret Info Oneof Blindfold Secret Info +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. - +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - +Clear Secret is used for the secrets that are not encrypted. +`provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +`url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - +Vault Secret is used for the secrets managed by Hashicorp Vault. +`key` - (Optional) If not provided entire secret will be returned. (`String`). +`location` - (Required) Path to secret in Vault. (`String`). +`provider` - (Required) Name of the Secret Management Access object that contains information about the backend Vault. (`String`). +`secret_encoding` - (Optional) This field defines the encoding type of the secret BEFORE the secret is put into Hashicorp Vault. (`String`). +`version` - (Optional) If not provided latest version will be returned. (`Int`). - +### Secret Info Oneof Wingman Secret Info +Secret is given as bootstrap secret in F5XC Security Sidecar. +`name` - (Required) Name of the secret. (`String`). +### Site Type Choice Aws Site Type Choice +Virtual F5 BIG-IP APM service to be deployed on AWS Transit Gateway Site. +`apm_aws_site` - (Required) Virtual F5 BIG-IP service to be deployed on AWS. See [Aws Site Type Choice Apm Aws Site ](#aws-site-type-choice-apm-aws-site) below for details. 
+###### One of the arguments from this list "market_place_image" must be set - +`market_place_image` - (Optional) Select the BIG-IP pay as you go image to be used for this service. See [License Type Market Place Image ](#license-type-market-place-image) below for details. +### Site Type Choice Baremetal Site Type Choice +Virtual F5 BIG-IP APM service to be deployed on App Stack Bare Metal Site. +`f5_bare_metal_site` - (Required) Virtual BIG-IP specification for App Stack Bare Metal Site. See [Baremetal Site Type Choice F5 Bare Metal Site ](#baremetal-site-type-choice-f5-bare-metal-site) below for details. +### Tcp Port Choice Custom Tcp Ports - +Select custom TCP Ports. +`ports` - (Required) List of port ranges. Each range is a single port or a pair of start and end ports e.g. 8080-8192 (`String`). +### Tcp Port Choice Default Tcp Ports +Select default TCP Ports, 80 and 443. - +### Tcp Port Choice Http Port +Select HTTP Port 80. +### Tcp Port Choice Https Port +Select HTTPS Port 443. - +### Tcp Port Choice No Tcp Ports +Do not select TCP Ports. +### Tls Certificates Private Key +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. - +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. 
See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Tunnel Prefix Choice Automatic Prefix +System will automatically select tunnel prefix. +### Udp Port Choice Custom Udp Ports +select custom udp ports. - +`ports` - (Required) List of port ranges. Each range is a single port or a pair of start and end ports e.g. 8080-8192 (`String`). +### Udp Port Choice No Udp Ports +do not select udp ports. +### Xfcc Header Xfcc Disabled - +No X-Forwarded-Client-Cert header will be added. +### Xfcc Header Xfcc Options - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`baremetal_site_type_choice` - (Optional) Virtual F5 BIG-IP APM service to be deployed on App Stack Bare Metal Site. See [Site Type Choice Baremetal Site Type Choice ](#site-type-choice-baremetal-site-type-choice) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Admin Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
- -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Advertise Choice Advertise On Internet - - Advertise this loadbalancer on public network. - -`public_ip` - (Required) Dedicated Public IP, which is allocated by F5 Distributed Cloud on request, is used as a VIP.. See [ref](#ref) below for details. - - - -### Advertise Choice Advertise On Internet Default Vip - - Enable management access on internet with default VIP. - - - -### Advertise Choice Advertise On Sli Vip - - Enable on Site local inside network, default VIP will be used. - - - -###### One of the arguments from this list "no_mtls, use_mtls" must be set - -`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - - -`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - - -`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Advertise On Sli Vip Tls Certificates ](#advertise-on-sli-vip-tls-certificates) below for details. - -`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Sli Vip Tls Config ](#advertise-on-sli-vip-tls-config) below for details. - - - -### Advertise Choice Advertise On Slo Internet Vip - - Enable On Site Local Outside Internet VIP. - - - -###### One of the arguments from this list "no_mtls, use_mtls" must be set - -`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - - -`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - - -`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. 
See [Advertise On Slo Internet Vip Tls Certificates ](#advertise-on-slo-internet-vip-tls-certificates) below for details. - -`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Slo Internet Vip Tls Config ](#advertise-on-slo-internet-vip-tls-config) below for details. - - - -### Advertise Choice Advertise On Slo Sli - - Enable on Site local inside and outside network, default VIP will be used. - - - -###### One of the arguments from this list "no_mtls, use_mtls" must be set - -`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - - -`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - - -`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Advertise On Slo Sli Tls Certificates ](#advertise-on-slo-sli-tls-certificates) below for details. - -`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Slo Sli Tls Config ](#advertise-on-slo-sli-tls-config) below for details. - - - -### Advertise Choice Advertise On Slo Vip - - Enable on Site local outside network, default VIP will be used. - - - -###### One of the arguments from this list "no_mtls, use_mtls" must be set - -`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - - -`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - - -`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Advertise On Slo Vip Tls Certificates ](#advertise-on-slo-vip-tls-certificates) below for details. - -`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Slo Vip Tls Config ](#advertise-on-slo-vip-tls-config) below for details. 
- - - -### Advertise Choice Disable Local - - Disable on Site local network. - - - -### Advertise Choice Do Not Advertise On Internet - - Do not enable access to management from internet. - - - -### Advertise On Sli Vip Tls Certificates - - for example, domain.com and *.domain.com - but use different signature algorithms. - -`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). - -`description` - (Optional) Description for the certificate (`String`). - - - - -###### One of the arguments from this list "custom_hash_algorithms, use_system_defaults, disable_ocsp_stapling" can be set - -`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - - -`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - - -`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - - -`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. - - - -### Advertise On Sli Vip Tls Config - - Configuration of TLS settings such as min/max TLS version and ciphersuites. 
- - - -###### One of the arguments from this list "custom_security, default_security, medium_security, low_security" must be set - -`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - - -`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - - -`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - - -`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). - - - - -### Advertise On Slo Internet Vip Tls Certificates - - for example, domain.com and *.domain.com - but use different signature algorithms. - -`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). - -`description` - (Optional) Description for the certificate (`String`). - - - - -###### One of the arguments from this list "use_system_defaults, disable_ocsp_stapling, custom_hash_algorithms" can be set - -`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - - -`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - - -`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. 
- - -`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. - - - -### Advertise On Slo Internet Vip Tls Config - - Configuration of TLS settings such as min/max TLS version and ciphersuites. - - - -###### One of the arguments from this list "default_security, medium_security, low_security, custom_security" must be set - -`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - - -`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - - -`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - - -`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). - - - - -### Advertise On Slo Sli Tls Certificates - - for example, domain.com and *.domain.com - but use different signature algorithms. - -`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). - -`description` - (Optional) Description for the certificate (`String`). - - - - -###### One of the arguments from this list "custom_hash_algorithms, use_system_defaults, disable_ocsp_stapling" can be set - -`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. 
- - -`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - - -`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - - -`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. - - - -### Advertise On Slo Sli Tls Config - - Configuration of TLS settings such as min/max TLS version and ciphersuites. - - - -###### One of the arguments from this list "default_security, medium_security, low_security, custom_security" must be set - -`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - - -`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - - -`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - - -`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). - - - - -### Advertise On Slo Vip Tls Certificates - - for example, domain.com and *.domain.com - but use different signature algorithms. - -`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). - -`description` - (Optional) Description for the certificate (`String`). 
- - - - -###### One of the arguments from this list "use_system_defaults, disable_ocsp_stapling, custom_hash_algorithms" can be set - -`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - - -`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - - -`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - - -`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. - - - -### Advertise On Slo Vip Tls Config - - Configuration of TLS settings such as min/max TLS version and ciphersuites. - - - -###### One of the arguments from this list "low_security, custom_security, default_security, medium_security" must be set - -`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - - -`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - - -`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). 
- - -`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). - - - - -### Ami Choice BestPlusPayG200Mbps - - F5 Best Plus with all modules in 200Mbps flavor. - - - -### Ami Choice Best Plus Payg 1gbps - - F5 Best Plus with all modules in 1Gbps flavor. - - - -### Apm Aws Site Admin Password - - Secret admin password for BIG-IP. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Apm Aws Site Aws Tgw Site - - Reference to AWS transit gateway site. - -`aws_tgw_site` - (Required) Reference to AWS transit gateway site. See [ref](#ref) below for details. 
- - - -### Apm Aws Site Endpoint Service - - External service type is Endpoint service. - - - -###### One of the arguments from this list "advertise_on_slo_ip_external, disable_advertise_on_slo_ip, advertise_on_slo_ip" must be set - -`advertise_on_slo_ip` - (Optional) Advertise this loadbalancer on Site Local Outside network address (`Bool`). - - -`advertise_on_slo_ip_external` - (Optional) Advertise this loadbalancer on Site Local Outside network address and enable cloud external IP (`Bool`). - - -`disable_advertise_on_slo_ip` - (Optional) Do not Advertise this loadbalancer on Site Local Outside network address (`Bool`). - - - - -###### One of the arguments from this list "configured_vip, automatic_vip" must be set - -`automatic_vip` - (Optional) System will automatically select a VIP (`Bool`). - - -`configured_vip` - (Optional) Enter IP address for the default VIP (`String`). - - - - -###### One of the arguments from this list "default_tcp_ports, http_port, https_port, custom_tcp_ports, no_tcp_ports" must be set - -`custom_tcp_ports` - (Optional) Select custom TCP Ports. See [Tcp Port Choice Custom Tcp Ports ](#tcp-port-choice-custom-tcp-ports) below for details. - - -`default_tcp_ports` - (Optional) Select default TCP Ports, 80 and 443 (`Bool`). - - -`http_port` - (Optional) Select HTTP Port 80 (`Bool`). - - -`https_port` - (Optional) Select HTTPS Port 443 (`Bool`). - - -`no_tcp_ports` - (Optional) Do not select TCP Ports (`Bool`). - - - - -###### One of the arguments from this list "no_udp_ports, custom_udp_ports" must be set - -`custom_udp_ports` - (Optional) select custom udp ports. See [Udp Port Choice Custom Udp Ports ](#udp-port-choice-custom-udp-ports) below for details. - - -`no_udp_ports` - (Optional) do not select udp ports (`Bool`). - - - - -### Apm Aws Site Nodes - - Specify how and where the service nodes are spawned. - -`aws_az_name` - (Required) The AWS Availability Zone must be consistent with the AWS Region chosen. 
Please select an AZ in the same Region as your TGW Site (`String`). - - - -###### One of the arguments from this list "reserved_mgmt_subnet, mgmt_subnet" must be set - -`mgmt_subnet` - (Optional) Select Existing Subnet or Create New. See [Mgmt Subnet Choice Mgmt Subnet ](#mgmt-subnet-choice-mgmt-subnet) below for details. - - -`reserved_mgmt_subnet` - (Optional) Autogenerate and reserve a subnet from the Primary CIDR (`Bool`). - - -`node_name` - (Required) Node Name will be used to assign as hostname to the service (`String`). - - - -###### One of the arguments from this list "automatic_prefix, tunnel_prefix" must be set - -`automatic_prefix` - (Optional) System will automatically select tunnel prefix (`Bool`). - - -`tunnel_prefix` - (Optional) Enter IP prefix for the tunnel, it has to be /30 (`String`). - - - - -### Aws Site Type Choice Apm Aws Site - - Virtual F5 BIG-IP service to be deployed on AWS. - -`admin_password` - (Required) Secret admin password for BIG-IP. See [Apm Aws Site Admin Password ](#apm-aws-site-admin-password) below for details. - -`admin_username` - (Required) Admin Username for BIG-IP (`String`). - -`aws_tgw_site` - (Required) Reference to AWS transit gateway site. See [Apm Aws Site Aws Tgw Site ](#apm-aws-site-aws-tgw-site) below for details. - -`endpoint_service` - (Optional) External service type is Endpoint service. See [Apm Aws Site Endpoint Service ](#apm-aws-site-endpoint-service) below for details. - -`nodes` - (Required) Specify how and where the service nodes are spawned. See [Apm Aws Site Nodes ](#apm-aws-site-nodes) below for details. - -`ssh_key` - (Required) Public SSH key for accessing the BIG-IP nodes. (`String`). - -`tags` - (Optional) It helps to manage, identify, organize, search for, and filter resources in AWS console. (`String`). - - - -### Baremetal Site Type Choice F5 Bare Metal Site - - Virtual BIG-IP specification for App Stack Bare Metal Site. - -`admin_password` - (Required) Secret admin password for BIG-IP. 
See [F5 Bare Metal Site Admin Password ](#f5-bare-metal-site-admin-password) below for details. - -`admin_username` - (Required) Admin Username for BIG-IP (`String`). - -`bare_metal_site` - (Required) Reference to bare metal site on which BIG-IP should be deployed. See [ref](#ref) below for details. - -`bigiq_instance` - (Required) Details of BIG-IQ Instance used for activating licenses.. See [F5 Bare Metal Site Bigiq Instance ](#f5-bare-metal-site-bigiq-instance) below for details. - -`nodes` - (Required) Specify how and where the service nodes are spawned. See [F5 Bare Metal Site Nodes ](#f5-bare-metal-site-nodes) below for details. - -`public_download_url` - (Required) Public URL where BIG-IP VE image (qcow2) is hosted (`String`). - -`ssh_key` - (Required) Public SSH key for accessing the BIG-IP nodes. (`String`). - - - -### Bigiq Instance Password - - Password of the user used to access BIG-IQ to activate the license. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "wingman_secret_info, blindfold_secret_info, vault_secret_info, clear_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Choice Custom Security - - Custom selection of TLS versions and cipher suites. - -`cipher_suites` - (Required) The TLS listener will only support the specified cipher list. (`String`). - -`max_version` - (Optional) Maximum TLS protocol version. (`String`). - -`min_version` - (Optional) Minimum TLS protocol version. (`String`). - - - -### Choice Default Security - - TLS v1.2+ with PFS ciphers and strong crypto algorithms.. - - - -### Choice Low Security - - TLS v1.0+ including non-PFS ciphers and weak crypto algorithms.. - - - -### Choice Medium Security - - TLS v1.0+ with PFS ciphers and medium strength crypto algorithms.. - - - -### Choice Subnet Param - - Parameters for creating new subnet. - -`ipv4` - (Required) IPv4 subnet prefix for this subnet (`String`). - -`ipv6` - (Optional) IPv6 subnet prefix for this subnet (`String`). - - - -### Crl Choice No Crl - - Client certificate revocation status is not verified. - - - -### External Vip Choice Advertise On Slo Ip - - Advertise this loadbalancer on Site Local Outside network address. - - - -### External Vip Choice Advertise On Slo Ip External - - Advertise this loadbalancer on Site Local Outside network address and enable cloud external IP. - - - -### External Vip Choice Disable Advertise On Slo Ip - - Do not Advertise this loadbalancer on Site Local Outside network address. - - - -### F5 Bare Metal Site Admin Password - - Secret admin password for BIG-IP. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### F5 Bare Metal Site Bigiq Instance - - Details of BIG-IQ Instance used for activating licenses.. - -`license_pool_name` - (Required) Name of Utility Pool on BIG-IQ (`String`). - -`license_server_ip` - (Required) IP Address from the TCP Load Balancer which is configured to communicate with License Server (`String`). - -`password` - (Required) Password of the user used to access BIG-IQ to activate the license. See [Bigiq Instance Password ](#bigiq-instance-password) below for details. - -`sku_name` - (Required) License offering name aka SKU name (`String`). - -`username` - (Required) User Name used to access BIG-IQ to activate the license (`String`). 
- - - -### F5 Bare Metal Site Nodes - - Specify how and where the service nodes are spawned. - -`bm_node_memory_size` - (Required) x-required (`String`). - -`bm_virtual_cpu_count` - (Required) x-required (`String`). - -`external_interface` - (Optional). See [Nodes External Interface ](#nodes-external-interface) below for details. - -`internal_interface` - (Optional). See [Nodes Internal Interface ](#nodes-internal-interface) below for details. - -`node_name` - (Required) Node Name will be used to assign as hostname to the service (`String`). - - - -### Http Management Choice Https Management - - Enable HTTPS based management. - - - -###### One of the arguments from this list "advertise_on_slo_internet_vip, advertise_on_sli_vip, advertise_on_slo_vip, advertise_on_slo_sli, disable_local, do_not_advertise_on_internet, advertise_on_internet_default_vip, advertise_on_internet" must be set - -`advertise_on_internet` - (Optional) Advertise this loadbalancer on public network. See [Advertise Choice Advertise On Internet ](#advertise-choice-advertise-on-internet) below for details. - - -`advertise_on_internet_default_vip` - (Optional) Enable management access on internet with default VIP (`Bool`). - - -`advertise_on_sli_vip` - (Optional) Enable on Site local inside network, default VIP will be used. See [Advertise Choice Advertise On Sli Vip ](#advertise-choice-advertise-on-sli-vip) below for details. - - -`advertise_on_slo_internet_vip` - (Optional) Enable On Site Local Outside Internet VIP. See [Advertise Choice Advertise On Slo Internet Vip ](#advertise-choice-advertise-on-slo-internet-vip) below for details. - - -`advertise_on_slo_sli` - (Optional) Enable on Site local inside and outside network, default VIP will be used. See [Advertise Choice Advertise On Slo Sli ](#advertise-choice-advertise-on-slo-sli) below for details. - - -`advertise_on_slo_vip` - (Optional) Enable on Site local outside network, default VIP will be used. 
See [Advertise Choice Advertise On Slo Vip ](#advertise-choice-advertise-on-slo-vip) below for details. - - -`disable_local` - (Optional) Disable on Site local network (`Bool`).(Deprecated) - - -`do_not_advertise_on_internet` - (Optional) Do not enable access to management from internet (`Bool`).(Deprecated) - - -`domain_suffix` - (Required) Domain suffix will be used along with node name to form URL to access node management (`String`). - - - - -###### One of the arguments from this list "do_not_advertise, advertise_on_public_default_vip, advertise_on_public" can be set - -`advertise_on_public` - (Optional) Advertise this loadbalancer on public network. See [Internet Choice Advertise On Public ](#internet-choice-advertise-on-public) below for details.(Deprecated) - - -`advertise_on_public_default_vip` - (Optional) Enable management access on internet with default VIP (`Bool`).(Deprecated) - - -`do_not_advertise` - (Optional) Do not enable access to management from internet (`Bool`).(Deprecated) - - - - -###### One of the arguments from this list "default_https_port, https_port" must be set - -`default_https_port` - (Optional) Select default HTTPS 443 (`Bool`). - - -`https_port` - (Optional) Enter TCP port number (`Int`). - - - - -### Inside Vip Choice Automatic Vip - - System will automatically select a VIP. - - - -### Internet Choice Advertise On Public - - Advertise this loadbalancer on public network. - -`public_ip` - (Required) Dedicated Public IP, which is allocated by F5 Distributed Cloud on request, is used as a VIP.. See [ref](#ref) below for details. - - - -### Internet Choice Advertise On Public Default Vip - - Enable management access on internet with default VIP. - - - -### Internet Choice Do Not Advertise - - Do not enable access to management from internet. - - - -### License Type Market Place Image - - Select the BIG-IP pay as you go image to be used for this service. 
- - - -###### One of the arguments from this list "best_plus_payg_1gbps, BestPlusPayG200Mbps" must be set - -`BestPlusPayG200Mbps` - (Optional) F5 Best Plus with all modules in 200Mbps flavor (`Bool`). - - -`best_plus_payg_1gbps` - (Optional) F5 Best Plus with all modules in 1Gbps flavor (`Bool`). - - - - -### Mgmt Subnet Choice Mgmt Subnet - - Select Existing Subnet or Create New. - - - -###### One of the arguments from this list "subnet_param, existing_subnet_id" must be set - -`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). - - -`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Mgmt Subnet Choice Reserved Mgmt Subnet - - Autogenerate and reserve a subnet from the Primary CIDR. - - - -### Mtls Choice No Mtls - - x-displayName: "Disable". - - - -### Mtls Choice Use Mtls - - x-displayName: "Enable". - -`client_certificate_optional` - (Optional) the connection will be accepted. (`Bool`). - - - - -###### One of the arguments from this list "no_crl, crl" can be set - -`crl` - (Optional) Specify the CRL server information to download the certificate revocation list. See [ref](#ref) below for details. - - -`no_crl` - (Optional) Client certificate revocation status is not verified (`Bool`). - - - - -###### One of the arguments from this list "trusted_ca_url, trusted_ca" must be set - -`trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Load Balancer. See [ref](#ref) below for details. - - -`trusted_ca_url` - (Optional) Upload a Root CA Certificate specifically for this Load Balancer (`String`). - - - - - -###### One of the arguments from this list "xfcc_disabled, xfcc_options" can be set - -`xfcc_disabled` - (Optional) No X-Forwarded-Client-Cert header will be added (`Bool`). - - -`xfcc_options` - (Optional) X-Forwarded-Client-Cert header will be added with the configured fields. 
See [Xfcc Header Xfcc Options ](#xfcc-header-xfcc-options) below for details. - - - - -### Nodes External Interface - -. - -`interface` - (Required) L2 Interface on Site to be connected as interface on BIG-IP. See [ref](#ref) below for details. - -`network_gateway` - (Optional) (`String`). - -`network_self_ip` - (Required) Self IP CIDR (`String`). - - - -### Nodes Internal Interface - -. - -`interface` - (Required) L2 Interface on Site to be connected as interface on BIG-IP. See [ref](#ref) below for details. - -`network_gateway` - (Optional) (`String`). - -`network_self_ip` - (Required) Self IP CIDR (`String`). - - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. - -`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). - - - -### Ocsp Stapling Choice Disable Ocsp Stapling - - This is the default behavior if no choice is selected.. - - - -### Ocsp Stapling Choice Use System Defaults - - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. - - - -### Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Port Choice Default Https Port - - Select default HTTPS 443. 
- - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Ref - - -Reference to another volterra object is shown like below - -name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - -namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). - -tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). - - - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. - -`provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - -`url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). - - - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. - -`key` - (Optional) If not provided entire secret will be returned. (`String`). 
- -`location` - (Required) Path to secret in Vault. (`String`). - -`provider` - (Required) Name of the Secret Management Access object that contains information about the backend Vault. (`String`). - -`secret_encoding` - (Optional) This field defines the encoding type of the secret BEFORE the secret is put into Hashicorp Vault. (`String`). - -`version` - (Optional) If not provided latest version will be returned. (`Int`). - - - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. - -`name` - (Required) Name of the secret. (`String`). - - - -### Site Type Choice Aws Site Type Choice - - Virtual F5 BIG-IP APM service to be deployed on AWS Transit Gateway Site. - -`apm_aws_site` - (Required) Virtual F5 BIG-IP service to be deployed on AWS. See [Aws Site Type Choice Apm Aws Site ](#aws-site-type-choice-apm-aws-site) below for details. - - - -###### One of the arguments from this list "market_place_image" must be set - -`market_place_image` - (Optional) Select the BIG-IP pay as you go image to be used for this service. See [License Type Market Place Image ](#license-type-market-place-image) below for details. - - - - -### Site Type Choice Baremetal Site Type Choice - - Virtual F5 BIG-IP APM service to be deployed on App Stack Bare Metal Site. - -`f5_bare_metal_site` - (Required) Virtual BIG-IP specification for App Stack Bare Metal Site. See [Baremetal Site Type Choice F5 Bare Metal Site ](#baremetal-site-type-choice-f5-bare-metal-site) below for details. - - - -### Tcp Port Choice Custom Tcp Ports - - Select custom TCP Ports. - -`ports` - (Required) List of port ranges. Each range is a single port or a pair of start and end ports e.g. 8080-8192 (`String`). - - - -### Tcp Port Choice Default Tcp Ports - - Select default TCP Ports, 80 and 443. - - - -### Tcp Port Choice Http Port - - Select HTTP Port 80. - - - -### Tcp Port Choice Https Port - - Select HTTPS Port 443. 
- - - -### Tcp Port Choice No Tcp Ports - - Do not select TCP Ports. - - - -### Tls Certificates Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Tunnel Prefix Choice Automatic Prefix - - System will automatically select tunnel prefix. - - - -### Udp Port Choice Custom Udp Ports - - select custom udp ports. - -`ports` - (Required) List of port ranges. Each range is a single port or a pair of start and end ports e.g. 8080-8192 (`String`). 
- - - -### Udp Port Choice No Udp Ports - - do not select udp ports. - - - -### Xfcc Header Xfcc Disabled - - No X-Forwarded-Client-Cert header will be added. - - - -### Xfcc Header Xfcc Options - - X-Forwarded-Client-Cert header will be added with the configured fields. +X-Forwarded-Client-Cert header will be added with the configured fields. `xfcc_header_elements` - (Required) X-Forwarded-Client-Cert header elements to be added to requests (`List of Strings`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured apm. - +- `id` - This is the id of the configured apm. diff --git a/docs/resources/volterra_app_api_group.md b/docs/resources/volterra_app_api_group.md index 654209a76..e9d81bb14 100644 --- a/docs/resources/volterra_app_api_group.md +++ b/docs/resources/volterra_app_api_group.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: app_api_group" -description: "The app_api_group allows CRUD of App Api Group resource on Volterra SaaS" +description: "The app_api_group allows CRUD of App Api Group resource on Volterra SaaS" + --- -# Resource volterra_app_api_group -The App Api Group allows CRUD of App Api Group resource on Volterra SaaS +Resource volterra_app_api_group +=============================== + +The App Api Group allows CRUD of App Api Group resource on Volterra SaaS -~> **Note:** Please refer to [App Api Group API docs](https://docs.cloud.f5.com/docs-v2/api/views-app-api-group) to learn more +~> **Note:** Please refer to [App Api Group API docs](https://docs.cloud.f5.com/docs-v2/api/views-app-api-group) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_app_api_group" "example" { 
@@ -33,89 +26,47 @@ resource "volterra_app_api_group" "example" { path_regex = "/api/config/.*/path[123]/$" } - // One of the arguments from this list "generic http_loadbalancer api_definition" must be set + // One of the arguments from this list "api_definition generic http_loadbalancer" must be set generic = true } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `api_group_builder` - (Optional) API Group builder defines how to create API group from a list of endpoints. See [Api Group Builder ](#api-group-builder) below for details.(Deprecated) - - - - - - - - - - - - - - - - - - - - - - - `elements` - (Required) List of API group elements with methods and path regex for matching requests.. See [Elements ](#elements) below for details. - - - - +###### One of the arguments from this list "api_definition, generic, http_loadbalancer" must be set `api_definition` - (Optional) Set scope to an API Definition object to define the API endpoints list for API groups management. 
See [Scope Choice Api Definition ](#scope-choice-api-definition) below for details.(Deprecated) - - - - `generic` - (Optional) The generic API Group is simply a list of API endpoints (`Bool`).(Deprecated) - `http_loadbalancer` - (Optional) Set scope to an HTTP Loadbalancer object to define the API endpoints list for API groups management. See [Scope Choice Http Loadbalancer ](#scope-choice-http-loadbalancer) below for details. - - - - +### Api Group Builder - -### Api Group Builder - - API Group builder defines how to create API group from a list of endpoints. +API Group builder defines how to create API group from a list of endpoints. `excluded_operations` - (Optional) The paths appear here with parameters as defined in OpenAPI spec file.. See [Api Group Builder Excluded Operations ](#api-group-builder-excluded-operations) below for details. 
@@ -127,49 +78,39 @@ resource "volterra_app_api_group" "example" { `path_filter` - (Optional) The match is considered to succeed if the input request API path matches the specified path regex. (`String`). +### Elements - -### Elements - - List of API group elements with methods and path regex for matching requests.. +List of API group elements with methods and path regex for matching requests.. `methods` - (Required) The match is considered to succeed if the input request API method is a member of the list. (`List of Strings`). `path_regex` - (Required) The match is considered to succeed if the input request API path matches the specified path regex. (`String`). +### Api Group Builder Excluded Operations - -### Api Group Builder Excluded Operations - - The paths appear here with parameters as defined in OpenAPI spec file.. +The paths appear here with parameters as defined in OpenAPI spec file.. `method` - (Required) Method to match the input request API method against. (`String`). `path` - (Required) The path should comply with RFC 3986 and may have parameters according to OpenAPI specification (`String`). +### Api Group Builder Included Operations - -### Api Group Builder Included Operations - - The paths appear here with parameters as defined in OpenAPI spec file.. +The paths appear here with parameters as defined in OpenAPI spec file.. `method` - (Required) Method to match the input request API method against. (`String`). `path` - (Required) The path should comply with RFC 3986 and may have parameters according to OpenAPI specification (`String`). +### Api Group Builder Label Filter - -### Api Group Builder Label Filter - - In the current context a label is a property of an OpenAPI operation or path.. +In the current context a label is a property of an OpenAPI operation or path.. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). 
+### Api Group Builder Metadata - -### Api Group Builder Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). @@ -177,10 +118,7 @@ resource "volterra_app_api_group" "example" { `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -190,25 +128,19 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Scope Choice Api Definition - -### Scope Choice Api Definition - - Set scope to an API Definition object to define the API endpoints list for API groups management. +Set scope to an API Definition object to define the API endpoints list for API groups management. `api_definition` - (Required) Reference to an API Definition object which defines a superset of API Endpoints for the API Group. See [ref](#ref) below for details. +### Scope Choice Http Loadbalancer - -### Scope Choice Http Loadbalancer - - Set scope to an HTTP Loadbalancer object to define the API endpoints list for API groups management. +Set scope to an HTTP Loadbalancer object to define the API endpoints list for API groups management. `http_loadbalancer` - (Required) Reference to an HTTP Loadbalancer object which defines a superset of API Endpoints for the API Group. See [ref](#ref) below for details. +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured app_api_group. - +- `id` - This is the id of the configured app_api_group. diff --git a/docs/resources/volterra_app_firewall.md b/docs/resources/volterra_app_firewall.md index a6b0a66e9..9e39f4ae8 100644 --- a/docs/resources/volterra_app_firewall.md +++ b/docs/resources/volterra_app_firewall.md 
@@ -1,338 +1,192 @@ +--- +page_title: "Volterra: app_firewall" +description: "The app_firewall allows CRUD of App Firewall resource on Volterra SaaS" +--- +Resource volterra_app_firewall +============================== +The App Firewall allows CRUD of App Firewall resource on Volterra SaaS +~> **Note:** Please refer to [App Firewall API docs](https://docs.cloud.f5.com/docs-v2/api/app-firewall) to learn more +Example Usage +------------- +```hcl +resource "volterra_app_firewall" "example" { + name = "acmecorp-web" + namespace = "staging" + // One of the arguments from this list "allow_all_response_codes allowed_response_codes" must be set + allow_all_response_codes = true + // One of the arguments from this list "custom_anonymization default_anonymization disable_anonymization" must be set + default_anonymization = true ---- -page_title: "Volterra: app_firewall" -description: "The app_firewall allows CRUD of App Firewall resource on Volterra SaaS" ---- -# Resource volterra_app_firewall + // One of the arguments from this list "blocking_page use_default_blocking_page" must be set -The App Firewall allows CRUD of App Firewall resource on Volterra SaaS + use_default_blocking_page = true -~> **Note:** Please refer to [App Firewall API docs](https://docs.cloud.f5.com/docs-v2/api/app-firewall) to learn more + // One of the arguments from this list "bot_protection_setting default_bot_setting" must be set -## Example Usage + default_bot_setting = true -```hcl -resource "volterra_app_firewall" "example" { - name = "acmecorp-web" - namespace = "staging" + // One of the arguments from this list "ai_risk_based_blocking default_detection_settings detection_settings" must be set - // One of the arguments from this list "allowed_response_codes allow_all_response_codes" must be set + detection_settings { + // One of the arguments from this list "disable_suppression enable_suppression" must be set - allow_all_response_codes = true + enable_suppression = true - // One of the 
arguments from this list "custom_anonymization disable_anonymization default_anonymization" must be set + signature_selection_setting { + // One of the arguments from this list "attack_type_settings default_attack_type_settings" must be set - disable_anonymization = true + default_attack_type_settings = true - // One of the arguments from this list "use_default_blocking_page blocking_page" must be set + // One of the arguments from this list "high_medium_accuracy_signatures high_medium_low_accuracy_signatures only_high_accuracy_signatures" must be set - use_default_blocking_page = true + high_medium_low_accuracy_signatures = true + } - // One of the arguments from this list "default_bot_setting bot_protection_setting" must be set + // One of the arguments from this list "disable_staging stage_new_and_updated_signatures stage_new_signatures" can be set - default_bot_setting = true + stage_new_and_updated_signatures { + staging_period = "7" + } + + // One of the arguments from this list "disable_threat_campaigns enable_threat_campaigns" must be set - // One of the arguments from this list "default_detection_settings detection_settings" must be set + enable_threat_campaigns = true - default_detection_settings = true + // One of the arguments from this list "default_violation_settings violation_settings" must be set + + default_violation_settings = true + } // One of the arguments from this list "blocking monitoring use_loadbalancer_setting" must be set - blocking = true + monitoring = true } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). 
- `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "allow_all_response_codes, allowed_response_codes" must be set `allow_all_response_codes` - (Optional) All HTTP response status codes are allowed (`Bool`). - `allowed_response_codes` - (Optional) Define list of HTTP response status codes that are allowed. See [Allowed Response Codes Choice Allowed Response Codes ](#allowed-response-codes-choice-allowed-response-codes) below for details. - - - - - - +###### One of the arguments from this list "custom_anonymization, default_anonymization, disable_anonymization" must be set `custom_anonymization` - (Optional) Define HTTP headers, query parameters, or cookies whose values should be masked. See [Anonymization Setting Custom Anonymization ](#anonymization-setting-custom-anonymization) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - `default_anonymization` - (Optional) Values of query parameters "card", "pass", "pwd" and "password" will be masked. (`Bool`). - `disable_anonymization` - (Optional) Disable masking of sensitive parameters in logs (`Bool`). - - - +###### One of the arguments from this list "blocking_page, use_default_blocking_page" must be set `blocking_page` - (Optional) The system returns a response page with HTML code that you define. See [Blocking Page Choice Blocking Page ](#blocking-page-choice-blocking-page) below for details. - - - - - `use_default_blocking_page` - (Optional) The system returns the system-supplied response page in HTML. No further configuration is needed. (`Bool`). 
- - - +###### One of the arguments from this list "bot_protection_setting, default_bot_setting" must be set `bot_protection_setting` - (Optional) Define custom Bot Protection settings. See [Bot Protection Choice Bot Protection Setting ](#bot-protection-choice-bot-protection-setting) below for details. - - - - - - `default_bot_setting` - (Optional) Malicious bots will be blocked, Suspicious and Good bots will be reported. (`Bool`). +###### One of the arguments from this list "ai_risk_based_blocking, default_detection_settings, detection_settings" must be set - - +`ai_risk_based_blocking` - (Optional) assess transaction risk, and only high-risk transactions will be blocked.. See [Detection Setting Choice Ai Risk Based Blocking ](#detection-setting-choice-ai-risk-based-blocking) below for details.(Deprecated) `default_detection_settings` - (Optional) All Attack Types, high and medium accuracy signatures, automatic Attack Signatures tuning, Threat Campaigns and all Violations will be enabled. (`Bool`). - `detection_settings` - (Optional) Define Custom Security Policy settings. See [Detection Setting Choice Detection Settings ](#detection-setting-choice-detection-settings) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +###### One of the arguments from this list "blocking, monitoring, use_loadbalancer_setting" must be set `blocking` - (Optional) Log and block threats (`Bool`). - `monitoring` - (Optional) Log threats (`Bool`). - `use_loadbalancer_setting` - (Optional) Use the mode as specified in the load balancer (`Bool`).(Deprecated) +### Allowed Response Codes Choice Allowed Response Codes - - -### Allowed Response Codes Choice Allowed Response Codes - - Define list of HTTP response status codes that are allowed. +Define list of HTTP response status codes that are allowed. 
`response_code` - (Required) List of HTTP response status codes that are allowed (`Int`). +### Anonymization Choice Cookie - -### Anonymization Choice Cookie - - x-displayName: "Cookie". +x-displayName: "Cookie". `cookie_name` - (Required) Masks the cookie value. The setting does not mask the cookie name. (`String`). +### Anonymization Choice Http Header - -### Anonymization Choice Http Header - - x-displayName: "HTTP Header". +x-displayName: "HTTP Header". `header_name` - (Required) Masks the HTTP header value. The setting does not mask the HTTP header name. (`String`). +### Anonymization Choice Query Parameter - -### Anonymization Choice Query Parameter - - x-displayName: "Query Parameter". +x-displayName: "Query Parameter". `query_param_name` - (Required) Masks the query parameter value. The setting does not mask the query parameter name. (`String`). +### Anonymization Setting Custom Anonymization - -### Anonymization Setting Custom Anonymization - - Define HTTP headers, query parameters, or cookies whose values should be masked. +Define HTTP headers, query parameters, or cookies whose values should be masked. `anonymization_config` - (Required) List of HTTP headers, cookies and query parameters whose values will be masked. See [Custom Anonymization Anonymization Config ](#custom-anonymization-anonymization-config) below for details. +### Attack Type Setting Attack Type Settings - -### Attack Type Setting Attack Type Settings - - Define Attack Types to be disabled for detection. +Define Attack Types to be disabled for detection. `disabled_attack_types` - (Required) List of Attack Types that will be ignored and not trigger a detection (`List of Strings`). +### Attack Type Setting Default Attack Type Settings +All Attack Types are enabled for detection. -### Attack Type Setting Default Attack Type Settings - - All Attack Types are enabled for detection. 
+### Blocking Page Choice Blocking Page - - -### Blocking Page Choice Blocking Page - - The system returns a response page with HTML code that you define. +The system returns a response page with HTML code that you define. `blocking_page` - (Optional) which would be about 3070 bytes in plain text. (`String`). `response_code` - (Optional) HTTP status code to be sent for blocked requests (`String`). +### Bot Protection Choice Bot Protection Setting - -### Bot Protection Choice Bot Protection Setting - - Define custom Bot Protection settings. +Define custom Bot Protection settings. `good_bot_action` - (Optional) A client that exhibits known search engine behaviors and signatures (`String`). 
@@ -340,187 +194,133 @@ resource "volterra_app_firewall" "example" { `suspicious_bot_action` - (Optional) A client that exhibits non-malicious tools such as site crawlers, monitors, spiders, web downloaders and bots behaviors, signatures such as search bots and social media agents (`String`). +### Custom Anonymization Anonymization Config +List of HTTP headers, cookies and query parameters whose values will be masked. -### Custom Anonymization Anonymization Config - - List of HTTP headers, cookies and query parameters whose values will be masked. - - - -###### One of the arguments from this list "http_header, query_parameter, cookie" must be set +###### One of the arguments from this list "cookie, http_header, query_parameter" must be set `cookie` - (Optional) x-displayName: "Cookie". See [Anonymization Choice Cookie ](#anonymization-choice-cookie) below for details. - `http_header` - (Optional) x-displayName: "HTTP Header". See [Anonymization Choice Http Header ](#anonymization-choice-http-header) below for details. - `query_parameter` - (Optional) x-displayName: "Query Parameter". See [Anonymization Choice Query Parameter ](#anonymization-choice-query-parameter) below for details. +### Detection Setting Choice Ai Risk Based Blocking +assess transaction risk, and only high-risk transactions will be blocked.. +`high_risk_action` - (Required) High-risk HTTP transactions are associated with attack attempts or requests that violate the application firewall policy. (`String`). -### Detection Setting Choice Detection Settings +`low_risk_action` - (Required) Low-risk HTTP transactions are associated with findings that do not present an actual threat to the protected application. (`String`). - Define Custom Security Policy settings. +`medium_risk_action` - (Required) Medium-risk HTTP transactions are associated with suspicious requests. (`String`). +### Detection Setting Choice Detection Settings +Define Custom Security Policy settings. 
-###### One of the arguments from this list "enable_suppression, disable_suppression" must be set +###### One of the arguments from this list "disable_suppression, enable_suppression" must be set `disable_suppression` - (Optional) x-displayName: "Disable" (`Bool`). - `enable_suppression` - (Optional) x-displayName: "Enable" (`Bool`). - `signature_selection_setting` - (Optional) Attack Signatures are patterns that identify attacks on a web application and its components. See [Detection Settings Signature Selection Setting ](#detection-settings-signature-selection-setting) below for details. - - - -###### One of the arguments from this list "disable_staging, stage_new_signatures, stage_new_and_updated_signatures" can be set +###### One of the arguments from this list "disable_staging, stage_new_and_updated_signatures, stage_new_signatures" can be set `disable_staging` - (Optional) Enforce new and updated attack signatures (`Bool`). - `stage_new_and_updated_signatures` - (Optional) would not enforce it i.e signature would be in monitoring mode for staging period (instead of blocking mode). See [Signatures Staging Settings Stage New And Updated Signatures ](#signatures-staging-settings-stage-new-and-updated-signatures) below for details. - `stage_new_signatures` - (Optional) Stage new attack signatures only. Updated signatures will be enforced. See [Signatures Staging Settings Stage New Signatures ](#signatures-staging-settings-stage-new-signatures) below for details. - - - -###### One of the arguments from this list "enable_threat_campaigns, disable_threat_campaigns" must be set +###### One of the arguments from this list "disable_threat_campaigns, enable_threat_campaigns" must be set `disable_threat_campaigns` - (Optional) x-displayName: "Disable" (`Bool`). - `enable_threat_campaigns` - (Optional) x-displayName: "Enable" (`Bool`). 
- - - ###### One of the arguments from this list "default_violation_settings, violation_settings" must be set `default_violation_settings` - (Optional) All violations are enabled for detection (`Bool`). - `violation_settings` - (Optional) Define violations to be disabled for detection. See [Violation Detection Setting Violation Settings ](#violation-detection-setting-violation-settings) below for details. +### Detection Settings Signature Selection Setting +Attack Signatures are patterns that identify attacks on a web application and its components. - -### Detection Settings Signature Selection Setting - - Attack Signatures are patterns that identify attacks on a web application and its components. - - - -###### One of the arguments from this list "default_attack_type_settings, attack_type_settings" must be set +###### One of the arguments from this list "attack_type_settings, default_attack_type_settings" must be set `attack_type_settings` - (Optional) Define Attack Types to be disabled for detection. See [Attack Type Setting Attack Type Settings ](#attack-type-setting-attack-type-settings) below for details. - `default_attack_type_settings` - (Optional) All Attack Types are enabled for detection (`Bool`). - - - -###### One of the arguments from this list "only_high_accuracy_signatures, high_medium_accuracy_signatures, high_medium_low_accuracy_signatures" must be set +###### One of the arguments from this list "high_medium_accuracy_signatures, high_medium_low_accuracy_signatures, only_high_accuracy_signatures" must be set `high_medium_accuracy_signatures` - (Optional) Enables high and medium accuracy signatures (`Bool`). - `high_medium_low_accuracy_signatures` - (Optional) Enables high, medium and low accuracy signatures (`Bool`). - `only_high_accuracy_signatures` - (Optional) Enables only high accuracy signatures (`Bool`). +### False Positive Suppression Disable Suppression +x-displayName: "Disable". 
+### False Positive Suppression Enable Suppression -### False Positive Suppression Disable Suppression - - x-displayName: "Disable". - - - -### False Positive Suppression Enable Suppression - - x-displayName: "Enable". - - - -### Signature Selection By Accuracy High Medium Accuracy Signatures - - Enables high and medium accuracy signatures. - - - -### Signature Selection By Accuracy High Medium Low Accuracy Signatures - - Enables high, medium and low accuracy signatures. - +x-displayName: "Enable". +### Signature Selection By Accuracy High Medium Accuracy Signatures -### Signature Selection By Accuracy Only High Accuracy Signatures +Enables high and medium accuracy signatures. - Enables only high accuracy signatures. +### Signature Selection By Accuracy High Medium Low Accuracy Signatures +Enables high, medium and low accuracy signatures. +### Signature Selection By Accuracy Only High Accuracy Signatures -### Signatures Staging Settings Disable Staging +Enables only high accuracy signatures. - Enforce new and updated attack signatures. +### Signatures Staging Settings Disable Staging +Enforce new and updated attack signatures. +### Signatures Staging Settings Stage New And Updated Signatures -### Signatures Staging Settings Stage New And Updated Signatures - - would not enforce it i.e signature would be in monitoring mode for staging period (instead of blocking mode). +would not enforce it i.e signature would be in monitoring mode for staging period (instead of blocking mode). `staging_period` - (Required) 20 days. (`Int`). +### Signatures Staging Settings Stage New Signatures - -### Signatures Staging Settings Stage New Signatures - - Stage new attack signatures only. Updated signatures will be enforced. +Stage new attack signatures only. Updated signatures will be enforced. `staging_period` - (Required) 20 days. (`Int`). +### Threat Campaign Choice Disable Threat Campaigns +x-displayName: "Disable". 
-### Threat Campaign Choice Disable Threat Campaigns - - x-displayName: "Disable". - - - -### Threat Campaign Choice Enable Threat Campaigns +### Threat Campaign Choice Enable Threat Campaigns - x-displayName: "Enable". +x-displayName: "Enable". +### Violation Detection Setting Default Violation Settings +All violations are enabled for detection. -### Violation Detection Setting Default Violation Settings +### Violation Detection Setting Violation Settings - All violations are enabled for detection. - - - -### Violation Detection Setting Violation Settings - - Define violations to be disabled for detection. +Define violations to be disabled for detection. `disabled_violation_types` - (Required) List of violations to be excluded (`List of Strings`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured app_firewall. - +- `id` - This is the id of the configured app_firewall. diff --git a/docs/resources/volterra_app_setting.md b/docs/resources/volterra_app_setting.md index 33b2dad7c..440636fd4 100644 --- a/docs/resources/volterra_app_setting.md +++ b/docs/resources/volterra_app_setting.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: app_setting" -description: "The app_setting allows CRUD of App Setting resource on Volterra SaaS" +description: "The app_setting allows CRUD of App Setting resource on Volterra SaaS" + --- -# Resource volterra_app_setting -The App Setting allows CRUD of App Setting resource on Volterra SaaS +Resource volterra_app_setting +============================= -~> **Note:** Please refer to [App Setting API docs](https://docs.cloud.f5.com/docs-v2/api/app-setting) to learn more +The App Setting allows CRUD of App Setting resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [App Setting API docs](https://docs.cloud.f5.com/docs-v2/api/app-setting) to learn more + +Example Usage +------------- ```hcl resource "volterra_app_setting" "example" { 
@@ -35,7 +28,7 @@ resource "volterra_app_setting" "example" { } business_logic_markup_setting { - // One of the arguments from this list "enable disable" can be set + // One of the arguments from this list "disable enable" can be set enable = true } @@ -56,11 +49,11 @@ resource "volterra_app_setting" "example" { // One of the arguments from this list "disable_detection enable_detection" must be set enable_detection { - // One of the arguments from this list "exclude_bola_detection bola_detection_manual bola_detection_automatic" can be set + // One of the arguments from this list "bola_detection_automatic bola_detection_manual exclude_bola_detection" can be set exclude_bola_detection = true - // One of the arguments from this list "include_bot_defense_activity exclude_bot_defense_activity" must be set + // One of the arguments from this list "exclude_bot_defense_activity include_bot_defense_activity" must be set include_bot_defense_activity = true 
@@ -68,31 +61,31 @@ resource "volterra_app_setting" "example" { cooling_off_period = "cooling_off_period" - // One of the arguments from this list "include_failed_login_activity exclude_failed_login_activity" must be set + // One of the arguments from this list "exclude_failed_login_activity include_failed_login_activity" must be set include_failed_login_activity { login_failures_threshold = "10" } - // One of the arguments from this list "include_forbidden_activity exclude_forbidden_activity" must be set + // One of the arguments from this list "exclude_forbidden_activity include_forbidden_activity" must be set include_forbidden_activity { forbidden_requests_threshold = "10" } - // One of the arguments from this list "include_ip_reputation exclude_ip_reputation" must be set + // One of the arguments from this list "exclude_ip_reputation include_ip_reputation" must be set - include_ip_reputation = true + exclude_ip_reputation = true - // One of the arguments from this list "exclude_non_existent_url_activity include_non_existent_url_activity_custom include_non_existent_url_activity_automatic" can be set + // One of the arguments from this list "exclude_non_existent_url_activity include_non_existent_url_activity_automatic include_non_existent_url_activity_custom" can be set exclude_non_existent_url_activity = true - // One of the arguments from this list "include_rate_limit exclude_rate_limit" must be set + // One of the arguments from this list "exclude_rate_limit include_rate_limit" must be set - exclude_rate_limit = true + include_rate_limit = true - // One of the arguments from this list "include_waf_activity exclude_waf_activity" must be set + // One of the arguments from this list "exclude_waf_activity include_waf_activity" must be set include_waf_activity = true } 
@@ -102,255 +95,34 @@ resource "volterra_app_setting" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -`anomaly_types` - (Optional) List of Anomaly algorithms that need to be enabled (`List of Strings`).(Deprecated) - +`anomaly_types` - (Optional) List of Anomaly algorithms that need to be enabled (`List of Strings`).(Deprecated) `app_type_refs` - (Optional) List of references to app_type for which monitoring needs to enabled. See [ref](#ref) below for details.(Deprecated) - `app_type_settings` - (Required) List of settings to enable for each AppType, given instance of AppType Exist in this Namespace. See [App Type Settings ](#app-type-settings) below for details. +### App Type Settings - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### App Type Settings - - List of settings to enable for each AppType, given instance of AppType Exist in this Namespace. 
+List of settings to enable for each AppType, given instance of AppType Exist in this Namespace. `app_type_ref` - (Required) Associating an AppType reference, will enable analysis on this instance's generated data. See [ref](#ref) below for details. 
@@ -360,329 +132,211 @@ resource "volterra_app_setting" "example" { `user_behavior_analysis_setting` - (Optional) The risk score of the user decays over time, if no further suspicious activity is noted. See [App Type Settings User Behavior Analysis Setting ](#app-type-settings-user-behavior-analysis-setting) below for details. +### App Type Settings Business Logic Markup Setting +Setting specifying how API Discovery will be performed.. -### App Type Settings Business Logic Markup Setting - - Setting specifying how API Discovery will be performed.. - - - - -###### One of the arguments from this list "enable, disable" can be set +###### One of the arguments from this list "disable, enable" can be set `disable` - (Optional) API Endpoints are not discovered in this namespace (`Bool`). - `enable` - (Optional) API Endpoints are discovered in this namespace (`Bool`). +### App Type Settings Timeseries Analyses Setting - - -### App Type Settings Timeseries Analyses Setting - - The clients are flagged if anomalies are observed. +The clients are flagged if anomalies are observed. `metric_selectors` - (Optional) be included in the detection logic. See [Timeseries Analyses Setting Metric Selectors ](#timeseries-analyses-setting-metric-selectors) below for details. +### App Type Settings User Behavior Analysis Setting +The risk score of the user decays over time, if no further suspicious activity is noted. -### App Type Settings User Behavior Analysis Setting - - The risk score of the user decays over time, if no further suspicious activity is noted. - - - -###### One of the arguments from this list "enable_learning, disable_learning" must be set +###### One of the arguments from this list "disable_learning, enable_learning" must be set `disable_learning` - (Optional) Disable learning user behavior patterns from this namespace (`Bool`). - `enable_learning` - (Optional) Enable learning user behavior patterns from this namespace (`Bool`). 
- - - -###### One of the arguments from this list "enable_detection, disable_detection" must be set +###### One of the arguments from this list "disable_detection, enable_detection" must be set `disable_detection` - (Optional) Disable malicious user detection (`Bool`). - `enable_detection` - (Optional) Enable AI based malicious user detection. See [Malicious User Detection Enable Detection ](#malicious-user-detection-enable-detection) below for details. +### Bola Activity Choice Bola Detection Automatic +Detect Enumeration attack automatically.. +### Bola Activity Choice Bola Detection Manual -### Bola Activity Choice Bola Detection Automatic - - Detect Enumeration attack automatically.. - - - -### Bola Activity Choice Bola Detection Manual - - Detect Enumeration attack using user defined threshold.. - - +Detect Enumeration attack using user defined threshold.. ###### One of the arguments from this list "threshold_level_1, threshold_level_2, threshold_level_3, threshold_level_4, threshold_level_5, threshold_level_6" must be set `threshold_level_1` - (Optional) Detected in range: 10 - 150 (`Bool`). - `threshold_level_2` - (Optional) Detected in range: 25 - 400 (`Bool`). - `threshold_level_3` - (Optional) Detected in range: 50 - 800 (`Bool`). - `threshold_level_4` - (Optional) Detected in range: 100 - 1500 (`Bool`). - `threshold_level_5` - (Optional) Detected in range: 200 - 3000 (`Bool`). - `threshold_level_6` - (Optional) Detected in range: 500 - 8000 (`Bool`). +### Bola Activity Choice Exclude Bola Detection +Disable Enumeration attack detection. +### Bot Defense Activity Choice Exclude Bot Defense Activity -### Bola Activity Choice Exclude Bola Detection - - Disable Enumeration attack detection. - - - -### Bot Defense Activity Choice Exclude Bot Defense Activity - - Exclude Bot Defense activity in malicious user detection. - - +Exclude Bot Defense activity in malicious user detection. 
-### Bot Defense Activity Choice Include Bot Defense Activity +### Bot Defense Activity Choice Include Bot Defense Activity - Include Bot Defense activity in malicious user detection. +Include Bot Defense activity in malicious user detection. +### Failed Login Activity Choice Exclude Failed Login Activity +Exclude persistent login failures activity (401 response code) in malicious user detection. -### Failed Login Activity Choice Exclude Failed Login Activity +### Failed Login Activity Choice Include Failed Login Activity - Exclude persistent login failures activity (401 response code) in malicious user detection. - - - -### Failed Login Activity Choice Include Failed Login Activity - - Include persistent login failures activity (401 response code) in malicious user detection. +Include persistent login failures activity (401 response code) in malicious user detection. `login_failures_threshold` - (Required) The number of failed logins beyond which the system will flag this user as malicious (`Int`). +### Forbidden Activity Choice Exclude Forbidden Activity +Exclude forbidden activity by policy in malicious user detection. -### Forbidden Activity Choice Exclude Forbidden Activity - - Exclude forbidden activity by policy in malicious user detection. - +### Forbidden Activity Choice Include Forbidden Activity - -### Forbidden Activity Choice Include Forbidden Activity - - Include forbidden activity by policy in malicious user detection. +Include forbidden activity by policy in malicious user detection. `forbidden_requests_threshold` - (Required) The number of forbidden requests beyond which the system will flag this user as malicious (`Int`). +### Ip Reputation Choice Exclude Ip Reputation +Exclude IP Reputation in malicious user detection. -### Ip Reputation Choice Exclude Ip Reputation - - Exclude IP Reputation in malicious user detection. - - - -### Ip Reputation Choice Include Ip Reputation - - Include IP Reputation in malicious user detection. 
- - - -### Learn From Namespace Disable - - API Endpoints are not discovered in this namespace. - - - -### Learn From Namespace Disable Learning - - Disable learning user behavior patterns from this namespace. +### Ip Reputation Choice Include Ip Reputation +Include IP Reputation in malicious user detection. +### Learn From Namespace Disable -### Learn From Namespace Enable +API Endpoints are not discovered in this namespace. - API Endpoints are discovered in this namespace. +### Learn From Namespace Disable Learning +Disable learning user behavior patterns from this namespace. +### Learn From Namespace Enable -### Learn From Namespace Enable Learning +API Endpoints are discovered in this namespace. - Enable learning user behavior patterns from this namespace. +### Learn From Namespace Enable Learning +Enable learning user behavior patterns from this namespace. +### Malicious User Detection Disable Detection -### Malicious User Detection Disable Detection +Disable malicious user detection. - Disable malicious user detection. +### Malicious User Detection Enable Detection +Enable AI based malicious user detection. - -### Malicious User Detection Enable Detection - - Enable AI based malicious user detection. - - - - -###### One of the arguments from this list "bola_detection_automatic, exclude_bola_detection, bola_detection_manual" can be set +###### One of the arguments from this list "bola_detection_automatic, bola_detection_manual, exclude_bola_detection" can be set `bola_detection_automatic` - (Optional) Detect Enumeration attack automatically. (`Bool`).(Deprecated) - `bola_detection_manual` - (Optional) Detect Enumeration attack using user defined threshold.. 
See [Bola Activity Choice Bola Detection Manual ](#bola-activity-choice-bola-detection-manual) below for details.(Deprecated) - `exclude_bola_detection` - (Optional) Disable Enumeration attack detection (`Bool`).(Deprecated) - - - -###### One of the arguments from this list "include_bot_defense_activity, exclude_bot_defense_activity" must be set +###### One of the arguments from this list "exclude_bot_defense_activity, include_bot_defense_activity" must be set `exclude_bot_defense_activity` - (Optional) Exclude Bot Defense activity in malicious user detection (`Bool`). - `include_bot_defense_activity` - (Optional) Include Bot Defense activity in malicious user detection (`Bool`). - - - ###### One of the arguments from this list "cooling_off_period" must be set `cooling_off_period` - (Optional) a high to medium or medium to low or low to none. (`Int`). - - - -###### One of the arguments from this list "include_failed_login_activity, exclude_failed_login_activity" must be set +###### One of the arguments from this list "exclude_failed_login_activity, include_failed_login_activity" must be set `exclude_failed_login_activity` - (Optional) Exclude persistent login failures activity (401 response code) in malicious user detection (`Bool`). - `include_failed_login_activity` - (Optional) Include persistent login failures activity (401 response code) in malicious user detection. See [Failed Login Activity Choice Include Failed Login Activity ](#failed-login-activity-choice-include-failed-login-activity) below for details. - - - -###### One of the arguments from this list "include_forbidden_activity, exclude_forbidden_activity" must be set +###### One of the arguments from this list "exclude_forbidden_activity, include_forbidden_activity" must be set `exclude_forbidden_activity` - (Optional) Exclude forbidden activity by policy in malicious user detection (`Bool`). - `include_forbidden_activity` - (Optional) Include forbidden activity by policy in malicious user detection. 
See [Forbidden Activity Choice Include Forbidden Activity ](#forbidden-activity-choice-include-forbidden-activity) below for details. - - - -###### One of the arguments from this list "include_ip_reputation, exclude_ip_reputation" must be set +###### One of the arguments from this list "exclude_ip_reputation, include_ip_reputation" must be set `exclude_ip_reputation` - (Optional) Exclude IP Reputation in malicious user detection (`Bool`). - `include_ip_reputation` - (Optional) Include IP Reputation in malicious user detection (`Bool`). - - - - -###### One of the arguments from this list "exclude_non_existent_url_activity, include_non_existent_url_activity_custom, include_non_existent_url_activity_automatic" can be set +###### One of the arguments from this list "exclude_non_existent_url_activity, include_non_existent_url_activity_automatic, include_non_existent_url_activity_custom" can be set `exclude_non_existent_url_activity` - (Optional) Exclude Non-Existent URL activity in malicious user detection (`Bool`).(Deprecated) - `include_non_existent_url_activity_automatic` - (Optional) Include Non-Existent URL Activity using automatic threshold in malicious user detection. See [Non Existent Url Activity Choice Include Non Existent Url Activity Automatic ](#non-existent-url-activity-choice-include-non-existent-url-activity-automatic) below for details.(Deprecated) - `include_non_existent_url_activity_custom` - (Optional) Include Non-Existent URL Activity using custom threshold in malicious user detection. 
See [Non Existent Url Activity Choice Include Non Existent Url Activity Custom ](#non-existent-url-activity-choice-include-non-existent-url-activity-custom) below for details.(Deprecated) - - - -###### One of the arguments from this list "include_rate_limit, exclude_rate_limit" must be set +###### One of the arguments from this list "exclude_rate_limit, include_rate_limit" must be set `exclude_rate_limit` - (Optional) Exclude Rate Limiting in malicious user detection (`Bool`). - `include_rate_limit` - (Optional) Include Rate Limiting in malicious user detection (`Bool`). - - - ###### One of the arguments from this list "exclude_waf_activity, include_waf_activity" must be set `exclude_waf_activity` - (Optional) Exclude WAF activity in malicious user detection (`Bool`). - `include_waf_activity` - (Optional) Include WAF activity in malicious user detection (`Bool`). +### Non Existent Url Activity Choice Exclude Non Existent Url Activity +Exclude Non-Existent URL activity in malicious user detection. +### Non Existent Url Activity Choice Include Non Existent Url Activity Automatic -### Non Existent Url Activity Choice Exclude Non Existent Url Activity - - Exclude Non-Existent URL activity in malicious user detection. - - +Include Non-Existent URL Activity using automatic threshold in malicious user detection. -### Non Existent Url Activity Choice Include Non Existent Url Activity Automatic - - Include Non-Existent URL Activity using automatic threshold in malicious user detection. - - - -###### One of the arguments from this list "medium, high, low" must be set +###### One of the arguments from this list "high, low, medium" must be set `high` - (Optional) Use auto-calculated threshold decreased by margin for more sensitive detection (`Bool`). - `low` - (Optional) Use auto-calculated threshold with margin for less sensitive detection (`Bool`). - `medium` - (Optional) Use auto-calculated threshold learnt from statistics per given application (`Bool`). 
+### Non Existent Url Activity Choice Include Non Existent Url Activity Custom - - -### Non Existent Url Activity Choice Include Non Existent Url Activity Custom - - Include Non-Existent URL Activity using custom threshold in malicious user detection. +Include Non-Existent URL Activity using custom threshold in malicious user detection. `nonexistent_requests_threshold` - (Required) The percentage of non-existent requests beyond which the system will flag this user as malicious (`Int`). +### Rate Limit Choice Exclude Rate Limit +Exclude Rate Limiting in malicious user detection. -### Rate Limit Choice Exclude Rate Limit - - Exclude Rate Limiting in malicious user detection. - +### Rate Limit Choice Include Rate Limit +Include Rate Limiting in malicious user detection. -### Rate Limit Choice Include Rate Limit - - Include Rate Limiting in malicious user detection. - - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -692,85 +346,59 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Sensitivity High +Use auto-calculated threshold decreased by margin for more sensitive detection. -### Sensitivity High - - Use auto-calculated threshold decreased by margin for more sensitive detection. - - - -### Sensitivity Low - - Use auto-calculated threshold with margin for less sensitive detection. - +### Sensitivity Low +Use auto-calculated threshold with margin for less sensitive detection. -### Sensitivity Medium +### Sensitivity Medium - Use auto-calculated threshold learnt from statistics per given application. +Use auto-calculated threshold learnt from statistics per given application. +### Threshold Levels Threshold Level 1 +Detected in range: 10 - 150. -### Threshold Levels Threshold Level 1 +### Threshold Levels Threshold Level 2 - Detected in range: 10 - 150. +Detected in range: 25 - 400. +### Threshold Levels Threshold Level 3 +Detected in range: 50 - 800. -### Threshold Levels Threshold Level 2 +### Threshold Levels Threshold Level 4 - Detected in range: 25 - 400. +Detected in range: 100 - 1500. +### Threshold Levels Threshold Level 5 +Detected in range: 200 - 3000. -### Threshold Levels Threshold Level 3 +### Threshold Levels Threshold Level 6 - Detected in range: 50 - 800. +Detected in range: 500 - 8000. +### Timeseries Analyses Setting Metric Selectors - -### Threshold Levels Threshold Level 4 - - Detected in range: 100 - 1500. - - - -### Threshold Levels Threshold Level 5 - - Detected in range: 200 - 3000. - - - -### Threshold Levels Threshold Level 6 - - Detected in range: 500 - 8000. - - - -### Timeseries Analyses Setting Metric Selectors - - be included in the detection logic. +be included in the detection logic. `metric` - (Optional) Choose one or more metrics to be included in the detection logic (`List of Strings`). 
`metrics_source` - (Optional) Choose the source for the metrics to be included in the detection logic (`String`). +### Waf Activity Choice Exclude Waf Activity +Exclude WAF activity in malicious user detection. -### Waf Activity Choice Exclude Waf Activity - - Exclude WAF activity in malicious user detection. - - - -### Waf Activity Choice Include Waf Activity - - Include WAF activity in malicious user detection. - - +### Waf Activity Choice Include Waf Activity -## Attribute Reference +Include WAF activity in malicious user detection. -* `id` - This is the id of the configured app_setting. +Attribute Reference +------------------- +- `id` - This is the id of the configured app_setting. diff --git a/docs/resources/volterra_app_type.md b/docs/resources/volterra_app_type.md index 57f0e4dba..2e8c16ae1 100644 --- a/docs/resources/volterra_app_type.md +++ b/docs/resources/volterra_app_type.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: app_type" -description: "The app_type allows CRUD of App Type resource on Volterra SaaS" +description: "The app_type allows CRUD of App Type resource on Volterra SaaS" + --- -# Resource volterra_app_type -The App Type allows CRUD of App Type resource on Volterra SaaS +Resource volterra_app_type +========================== -~> **Note:** Please refer to [App Type API docs](https://docs.cloud.f5.com/docs-v2/api/app-type) to learn more +The App Type allows CRUD of App Type resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [App Type API docs](https://docs.cloud.f5.com/docs-v2/api/app-type) to learn more + +Example Usage +------------- ```hcl resource "volterra_app_type" "example" { 
@@ -30,214 +23,66 @@ resource "volterra_app_type" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `business_logic_markup_setting` - (Optional) Setting specifying how API Discovery will be performed. See [Business Logic Markup Setting ](#business-logic-markup-setting) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `features` - (Optional) List of various AI/ML features enabled. See [Features ](#features) below for details. +### Business Logic Markup Setting - - -### Business Logic Markup Setting - - Setting specifying how API Discovery will be performed. +Setting specifying how API Discovery will be performed. `discovered_api_settings` - (Optional) x-displayName: "Discovered API Settings". See [Business Logic Markup Setting Discovered Api Settings ](#business-logic-markup-setting-discovered-api-settings) below for details. - - - ###### One of the arguments from this list "disable, enable" can be set `disable` - (Optional) Disable learning API patterns from traffic with redirect response codes 3xx (`Bool`). 
- `enable` - (Optional) Enable learning API patterns from traffic with redirect response codes 3xx (`Bool`). - `sensitive_data_detection_rules` - (Optional) Rule to detect sensitive data in requests and/or response sections.. See [Business Logic Markup Setting Sensitive Data Detection Rules ](#business-logic-markup-setting-sensitive-data-detection-rules) below for details.(Deprecated) +### Features - -### Features - - List of various AI/ML features enabled. +List of various AI/ML features enabled. `type` - (Required) Feature type to be enabled (`String`). +### Business Logic Markup Setting Discovered Api Settings - -### Business Logic Markup Setting Discovered Api Settings - - x-displayName: "Discovered API Settings". +x-displayName: "Discovered API Settings". `purge_duration_for_inactive_discovered_apis` - (Optional) Inactive discovered API will be deleted after configured duration. (`Int`). +### Business Logic Markup Setting Sensitive Data Detection Rules - -### Business Logic Markup Setting Sensitive Data Detection Rules - - Rule to detect sensitive data in requests and/or response sections.. +Rule to detect sensitive data in requests and/or response sections.. `custom_sensitive_data_detection_rules` - (Optional) Rules to detect custom sensitive data in requests and/or responses sections.. See [Sensitive Data Detection Rules Custom Sensitive Data Detection Rules ](#sensitive-data-detection-rules-custom-sensitive-data-detection-rules) below for details. `disabled_built_in_rules` - (Optional) List of disabled built-in sensitive data detection rules.. See [Sensitive Data Detection Rules Disabled Built In Rules ](#sensitive-data-detection-rules-disabled-built-in-rules) below for details. +### Custom Sensitive Data Detection Rules Metadata - -### Custom Sensitive Data Detection Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. 
`description` - (Optional) Human readable description. (`String`). 
@@ -245,198 +90,131 @@ resource "volterra_app_type" "example" { `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Custom Sensitive Data Detection Rules Sensitive Data Detection Config - -### Custom Sensitive Data Detection Rules Sensitive Data Detection Config - - The custom data detection config specifies targets, scopes & the pattern to be detected.. - - +The custom data detection config specifies targets, scopes & the pattern to be detected.. ###### One of the arguments from this list "any_domain, specific_domain" must be set `any_domain` - (Optional) The rule will apply for all domains. (`Bool`).(Deprecated) - `specific_domain` - (Optional) For example: api.example.com (`String`).(Deprecated) - - - -###### One of the arguments from this list "key_pattern, value_pattern, key_value_pattern" must be set +###### One of the arguments from this list "key_pattern, key_value_pattern, value_pattern" must be set `key_pattern` - (Optional) Search for pattern across all field names in the specified sections.. See [Pattern Choice Key Pattern ](#pattern-choice-key-pattern) below for details. - `key_value_pattern` - (Optional) Search for specific field and value patterns in the specified sections.. See [Pattern Choice Key Value Pattern ](#pattern-choice-key-value-pattern) below for details. - `value_pattern` - (Optional) Search for pattern across all field values in the specified sections.. See [Pattern Choice Value Pattern ](#pattern-choice-value-pattern) below for details. - - - -###### One of the arguments from this list "all_sections, all_request_sections, all_response_sections, custom_sections" must be set +###### One of the arguments from this list "all_request_sections, all_response_sections, all_sections, custom_sections" must be set `all_request_sections` - (Optional) x-displayName: "All Request" (`Bool`). - `all_response_sections` - (Optional) x-displayName: "All Response" (`Bool`). 
- `all_sections` - (Optional) x-displayName: "All Request & Response" (`Bool`). - `custom_sections` - (Optional) x-displayName: "Custom Sections". See [Section Choice Custom Sections ](#section-choice-custom-sections) below for details. - - - -###### One of the arguments from this list "base_path, api_group, any_target, api_endpoint_target" must be set +###### One of the arguments from this list "any_target, api_endpoint_target, api_group, base_path" must be set `any_target` - (Optional) The rule will be applied for all requests on this LB. (`Bool`). - `api_endpoint_target` - (Optional) The rule is applied only for the specified api endpoints.. See [Target Choice Api Endpoint Target ](#target-choice-api-endpoint-target) below for details. - `api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`).(Deprecated) - `base_path` - (Optional) The rule is applied only for the requests matching the specified base path. (`String`).(Deprecated) +### Custom Sensitive Data Detection Rules Sensitive Data Type - - -### Custom Sensitive Data Detection Rules Sensitive Data Type - - If the pattern is detected, the request is labeled with specified sensitive data type.. +If the pattern is detected, the request is labeled with specified sensitive data type.. `type` - (Required) The request is labeled as specified sensitive data type. (`String`). +### Domain Choice Any Domain +The rule will apply for all domains.. -### Domain Choice Any Domain - - The rule will apply for all domains.. - - - -### Key Value Pattern Key Pattern - - Pattern for key/field.. - +### Key Value Pattern Key Pattern +Pattern for key/field.. ###### One of the arguments from this list "exact_value, regex_value" must be set `exact_value` - (Optional) Search for values with exact match. (`String`). - `regex_value` - (Optional) Search for values matching this regular expression. (`String`). 
+### Key Value Pattern Value Pattern +Pattern for value.. - -### Key Value Pattern Value Pattern - - Pattern for value.. - - - -###### One of the arguments from this list "regex_value, exact_value" must be set +###### One of the arguments from this list "exact_value, regex_value" must be set `exact_value` - (Optional) Pattern value to be detected. (`String`). - `regex_value` - (Optional) Regular expression for this pattern. (`String`). +### Learn From Redirect Traffic Disable +Disable learning API patterns from traffic with redirect response codes 3xx. +### Learn From Redirect Traffic Enable -### Learn From Redirect Traffic Disable - - Disable learning API patterns from traffic with redirect response codes 3xx. - - - -### Learn From Redirect Traffic Enable - - Enable learning API patterns from traffic with redirect response codes 3xx. - - - -### Pattern Choice Key Pattern - - Search for pattern across all field names in the specified sections.. +Enable learning API patterns from traffic with redirect response codes 3xx. +### Pattern Choice Key Pattern +Search for pattern across all field names in the specified sections.. ###### One of the arguments from this list "exact_value, regex_value" must be set `exact_value` - (Optional) Search for values with exact match. (`String`). - `regex_value` - (Optional) Search for values matching this regular expression. (`String`). +### Pattern Choice Key Value Pattern - - -### Pattern Choice Key Value Pattern - - Search for specific field and value patterns in the specified sections.. +Search for specific field and value patterns in the specified sections.. `key_pattern` - (Required) Pattern for key/field.. See [Key Value Pattern Key Pattern ](#key-value-pattern-key-pattern) below for details. `value_pattern` - (Required) Pattern for value.. See [Key Value Pattern Value Pattern ](#key-value-pattern-value-pattern) below for details. 
+### Pattern Choice Value Pattern - -### Pattern Choice Value Pattern - - Search for pattern across all field values in the specified sections.. - - +Search for pattern across all field values in the specified sections.. ###### One of the arguments from this list "exact_value, regex_value" must be set `exact_value` - (Optional) Pattern value to be detected. (`String`). - `regex_value` - (Optional) Regular expression for this pattern. (`String`). +### Section Choice All Request Sections +x-displayName: "All Request". +### Section Choice All Response Sections -### Section Choice All Request Sections - - x-displayName: "All Request". - - - -### Section Choice All Response Sections - - x-displayName: "All Response". - - +x-displayName: "All Response". -### Section Choice All Sections +### Section Choice All Sections - x-displayName: "All Request & Response". +x-displayName: "All Request & Response". +### Section Choice Custom Sections - -### Section Choice Custom Sections - - x-displayName: "Custom Sections". +x-displayName: "Custom Sections". `custom_sections` - (Required) Request & Response Sections. (`List of Strings`). +### Sensitive Data Detection Rules Custom Sensitive Data Detection Rules - -### Sensitive Data Detection Rules Custom Sensitive Data Detection Rules - - Rules to detect custom sensitive data in requests and/or responses sections.. +Rules to detect custom sensitive data in requests and/or responses sections.. `metadata` - (Required) Common attributes for the rule including name and description.. See [Custom Sensitive Data Detection Rules Metadata ](#custom-sensitive-data-detection-rules-metadata) below for details. 
@@ -444,33 +222,25 @@ resource "volterra_app_type" "example" { `sensitive_data_type` - (Required) If the pattern is detected, the request is labeled with specified sensitive data type.. See [Custom Sensitive Data Detection Rules Sensitive Data Type ](#custom-sensitive-data-detection-rules-sensitive-data-type) below for details. +### Sensitive Data Detection Rules Disabled Built In Rules - -### Sensitive Data Detection Rules Disabled Built In Rules - - List of disabled built-in sensitive data detection rules.. +List of disabled built-in sensitive data detection rules.. `name` - (Required) Built-in rule for sensitive data detection. (`String`). +### Target Choice Any Target +The rule will be applied for all requests on this LB.. -### Target Choice Any Target - - The rule will be applied for all requests on this LB.. +### Target Choice Api Endpoint Target - - -### Target Choice Api Endpoint Target - - The rule is applied only for the specified api endpoints.. +The rule is applied only for the specified api endpoints.. `api_endpoint_path` - (Required) The rule is applied only for the specified api endpoints. (`String`). `methods` - (Required) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured app_type. - +- `id` - This is the id of the configured app_type. diff --git a/docs/resources/volterra_aws_tgw_site.md b/docs/resources/volterra_aws_tgw_site.md index 2f428bb56..bd17e1438 100644 --- a/docs/resources/volterra_aws_tgw_site.md +++ b/docs/resources/volterra_aws_tgw_site.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: aws_tgw_site" -description: "The aws_tgw_site allows CRUD of Aws Tgw Site resource on Volterra SaaS" +description: "The aws_tgw_site allows CRUD of Aws Tgw Site resource on Volterra SaaS" + --- -# Resource volterra_aws_tgw_site -The Aws Tgw Site allows CRUD of Aws Tgw Site resource on Volterra SaaS +Resource volterra_aws_tgw_site +============================== -~> **Note:** Please refer to [Aws Tgw Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-aws-tgw-site) to learn more +The Aws Tgw Site allows CRUD of Aws Tgw Site resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Aws Tgw Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-aws-tgw-site) to learn more + +Example Usage +------------- ```hcl resource "volterra_aws_tgw_site" "example" { @@ -39,12 +32,14 @@ resource "volterra_aws_tgw_site" "example" { secret_encoding_type = "secret_encoding_type" - // One of the arguments from this list "blindfold_secret_info vault_secret_info clear_secret_info wingman_secret_info" must be set + // One of the arguments from this list "blindfold_secret_info clear_secret_info vault_secret_info wingman_secret_info" must be set + + blindfold_secret_info { + decryption_provider = "value" - clear_secret_info { - provider = "box-provider" + location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" - url = "string:///U2VjcmV0SW5mb3JtYXRpb24=" + store_provider = "value" } } 
@@ -55,12 +50,12 @@ resource "volterra_aws_tgw_site" "example" { az_nodes { aws_az_name = "us-west-2a" - // One of the arguments from this list "reserved_inside_subnet inside_subnet" must be set + // One of the arguments from this list "inside_subnet reserved_inside_subnet" must be set reserved_inside_subnet = true disk_size = "80" outside_subnet { - // One of the arguments from this list "subnet_param existing_subnet_id" must be set + // One of the arguments from this list "existing_subnet_id subnet_param" must be set subnet_param { ipv4 = "10.1.2.0/24" @@ -69,7 +64,7 @@ resource "volterra_aws_tgw_site" "example" { } } workload_subnet { - // One of the arguments from this list "subnet_param existing_subnet_id" must be set + // One of the arguments from this list "existing_subnet_id subnet_param" must be set subnet_param { ipv4 = "10.1.2.0/24" @@ -79,7 +74,7 @@ resource "volterra_aws_tgw_site" "example" { } } - // One of the arguments from this list "aws_cred assisted" must be set + // One of the arguments from this list "assisted aws_cred" must be set aws_cred { name = "test1" 
@@ -93,23 +88,27 @@ resource "volterra_aws_tgw_site" "example" { disable_internet_vip = true - // One of the arguments from this list "f5xc_security_group custom_security_group" must be set + // One of the arguments from this list "custom_security_group f5xc_security_group" must be set + + custom_security_group { + inside_security_group_id = "sg-0db952838ba829943" - f5xc_security_group = true + outside_security_group_id = "sg-0db952838ba829943" + } // One of the arguments from this list "new_vpc vpc_id" must be set new_vpc { allocate_ipv6 = true - // One of the arguments from this list "name_tag autogenerate" must be set + // One of the arguments from this list "autogenerate name_tag" must be set - autogenerate = true + name_tag = "name_tag" primary_ipv4 = "10.1.0.0/16" } ssh_key = "ssh-rsa AAAAB..." - // One of the arguments from this list "new_tgw existing_tgw" must be set + // One of the arguments from this list "existing_tgw new_tgw" must be set new_tgw { // One of the arguments from this list "system_generated user_assigned" must be set 
@@ -117,2042 +116,900 @@ resource "volterra_aws_tgw_site" "example" { system_generated = true } - // One of the arguments from this list "nodes_per_az total_nodes no_worker_nodes" must be set - - nodes_per_az = "2" - } + // One of the arguments from this list "reserved_tgw_cidr tgw_cidr" must be set - // One of the arguments from this list "default_blocked_services block_all_services blocked_services" must be set + tgw_cidr { + ipv4 = "10.1.2.0/24" - blocked_services { - blocked_sevice { - // One of the arguments from this list "web_user_interface dns ssh" can be set + ipv6 = "1234:568:abcd:9100::/64" + } - web_user_interface = true + // One of the arguments from this list "no_worker_nodes nodes_per_az total_nodes" must be set - network_type = "network_type" - } + nodes_per_az = "2" } - // One of the arguments from this list "direct_connect_enabled private_connectivity direct_connect_disabled" must be set + // One of the arguments from this list "block_all_services blocked_services default_blocked_services" must be set + + block_all_services = true + + // One of the arguments from this list "direct_connect_disabled direct_connect_enabled private_connectivity" must be set direct_connect_disabled = true - // One of the arguments from this list "logs_streaming_disabled log_receiver" must be set + // One of the arguments from this list "log_receiver logs_streaming_disabled" must be set logs_streaming_disabled = true } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). 
- `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `aws_parameters` - (Required) Example of the managed AWS resources to name few are VPC, TGW, Route Tables etc. See [Aws Parameters ](#aws-parameters) below for details. +###### One of the arguments from this list "block_all_services, blocked_services, default_blocked_services" must be set - +`block_all_services` - (Optional) Block DNS, SSH & WebUI services on Site (`Bool`). +`blocked_services` - (Optional) Use custom blocked services configuration, to list the services which need to be blocked. See [Blocked Services Choice Blocked Services ](#blocked-services-choice-blocked-services) below for details. - +`default_blocked_services` - (Optional) Allow access to DNS, SSH services on Site (`Bool`). +`coordinates` - (Optional) Site longitude and latitude co-ordinates. See [Coordinates ](#coordinates) below for details. +`custom_dns` - (Optional) custom dns configure to the CE site. See [Custom Dns ](#custom-dns) below for details. +###### One of the arguments from this list "direct_connect_disabled, direct_connect_enabled, private_connectivity" must be set +`direct_connect_disabled` - (Optional) Disable Private Connectivity to Site (`Bool`). +`direct_connect_enabled` - (Optional) Direct Connect Connection to Site is enabled(Legacy). See [Direct Connect Choice Direct Connect Enabled ](#direct-connect-choice-direct-connect-enabled) below for details. +`private_connectivity` - (Optional) Enable Private Connectivity to Site via CloudLink. See [Direct Connect Choice Private Connectivity ](#direct-connect-choice-private-connectivity) below for details. +`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. 
- +###### One of the arguments from this list "log_receiver, logs_streaming_disabled" must be set +`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. +`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). +`offline_survivability_mode` - (Optional) Enable/Disable offline survivability mode. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. +`os` - (Optional) Operating System Details. See [Os ](#os) below for details. +`performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Performance Enhancement Mode ](#performance-enhancement-mode) below for details. +`sw` - (Optional) F5XC Software Details. See [Sw ](#sw) below for details. - +`tags` - (Optional) It helps to manage, identify, organize, search for, and filter resources in AWS console. (`String`). +`tgw_security` - (Optional) Security Configuration for transit gateway. See [Tgw Security ](#tgw-security) below for details. +`vn_config` - (Optional) Site Network related details will be configured. See [Vn Config ](#vn-config) below for details. +`vpc_attachments` - (Optional) Note that this choice would be deprecated in the near release.. See [Vpc Attachments ](#vpc-attachments) below for details. +### Aws Parameters +Example of the managed AWS resources to name few are VPC, TGW, Route Tables etc. - +`admin_password` - (Optional) Admin password user for accessing site through serial console .. See [Aws Parameters Admin Password ](#aws-parameters-admin-password) below for details. +`aws_certified_hw` - (Optional) Name for AWS certified hardware. (`String`).(Deprecated) +`aws_region` - (Required) AWS Region of your services vpc, where F5XC site will be deployed. (`String`). +`az_nodes` - (Required) Only Single AZ or Three AZ(s) nodes are supported currently.. See [Aws Parameters Az Nodes ](#aws-parameters-az-nodes) below for details. 
+###### One of the arguments from this list "assisted, aws_cred" must be set +`assisted` - (Optional) In assisted deployment get AWS parameters generated in status of this objects and run volterra provided terraform script. (`Bool`).(Deprecated) +`aws_cred` - (Optional) Reference to AWS cloud credential object used to deploy cloud resources. See [ref](#ref) below for details. +`disk_size` - (Optional) Node disk size for all node in the F5XC site. Unit is GiB (`Int`). +`instance_type` - (Required) Instance size based on the performance. (`String`). - +###### One of the arguments from this list "disable_internet_vip, enable_internet_vip" must be set +`disable_internet_vip` - (Optional) VIPs cannot be advertised to the internet directly on this Site (`Bool`). +`enable_internet_vip` - (Optional) VIPs can be advertised to the internet directly on this Site (`Bool`). +###### One of the arguments from this list "custom_security_group, f5xc_security_group" must be set +`custom_security_group` - (Optional) With this option, ingress and egress traffic will be controlled via security group ids.. See [Security Group Choice Custom Security Group ](#security-group-choice-custom-security-group) below for details. +`f5xc_security_group` - (Optional) With this option, ingress and egress traffic will be controlled via f5xc created security group. (`Bool`). +###### One of the arguments from this list "new_vpc, vpc_id" must be set - +`new_vpc` - (Optional) Details needed to create new VPC. See [Service Vpc Choice New Vpc ](#service-vpc-choice-new-vpc) below for details. +`vpc_id` - (Optional) Existing VPC ID (`String`). +`ssh_key` - (Required) Public SSH key for accessing nodes of the site. (`String`). +###### One of the arguments from this list "existing_tgw, new_tgw" must be set +`existing_tgw` - (Optional) Information about existing TGW. See [Tgw Choice Existing Tgw ](#tgw-choice-existing-tgw) below for details. - +`new_tgw` - (Optional) Details needed to create new TGW. 
See [Tgw Choice New Tgw ](#tgw-choice-new-tgw) below for details. +###### One of the arguments from this list "reserved_tgw_cidr, tgw_cidr" must be set +`reserved_tgw_cidr` - (Optional) Autogenerate and reserve a TGW CIDR Block from the Primary CIDR (`Bool`). +`tgw_cidr` - (Optional) Specify TGW CIDR block. See [Tgw Cidr Choice Tgw Cidr ](#tgw-cidr-choice-tgw-cidr) below for details. +###### One of the arguments from this list "no_worker_nodes, nodes_per_az, total_nodes" must be set - +`no_worker_nodes` - (Optional) Worker nodes is set to zero (`Bool`). +`nodes_per_az` - (Optional) Desired Worker Nodes Per AZ. Max limit is up to 21 (`Int`). +`total_nodes` - (Optional) Total number of worker nodes to be deployed across all AZ's used in the Site (`Int`). +### Coordinates +Site longitude and latitude co-ordinates. +`latitude` - (Optional) Latitude of the site location (`Float`). +`longitude` - (Optional) longitude of site location (`Float`). +### Custom Dns - +custom dns configure to the CE site. +`inside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in inside network (`String`). +`inside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in inside network (`String`). +`outside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in outside network (`String`). +`outside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in outside network (`String`). - +### Kubernetes Upgrade Drain +Enable Kubernetes Drain during OS or SW upgrade. +###### One of the arguments from this list "disable_upgrade_drain, enable_upgrade_drain" must be set +`disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). +`enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". 
See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. +### Offline Survivability Mode +Enable/Disable offline survivability mode. +###### One of the arguments from this list "enable_offline_survivability_mode, no_offline_survivability_mode" must be set - +`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). +`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). +### Os +Operating System Details. +###### One of the arguments from this list "default_os_version, operating_system_version" must be set +`default_os_version` - (Optional) Will assign latest available OS version (`Bool`). +`operating_system_version` - (Optional) Specify a OS version to be used e.g. 9.2024.6. (`String`). +### Performance Enhancement Mode +Performance Enhancement Mode to optimize for L3 or L7 networking. +###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set - +`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. +`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). +### Sw +F5XC Software Details. +###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set +`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). +`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). +### Tgw Security +Security Configuration for transit gateway. - +###### One of the arguments from this list "active_east_west_service_policies, east_west_service_policy_allow_all, no_east_west_policy" must be set +`active_east_west_service_policies` - (Optional) Enable service policy so east-west traffic goes via proxy. 
See [East West Service Policy Choice Active East West Service Policies ](#east-west-service-policy-choice-active-east-west-service-policies) below for details. +`east_west_service_policy_allow_all` - (Optional) Enable service policy with allow all so east-west traffic goes via proxy for monitoring (`Bool`). +`no_east_west_policy` - (Optional) Disable service policy so that east-west traffic does not go via proxy (`Bool`). - +###### One of the arguments from this list "active_forward_proxy_policies, forward_proxy_allow_all, no_forward_proxy" must be set +`active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. +`forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). +`no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). +###### One of the arguments from this list "active_enhanced_firewall_policies, active_network_policies, no_network_policy" must be set +`active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - +`active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. +`no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). +### Vn Config +Site Network related details will be configured. +`allowed_vip_port` - (Optional) Allowed VIP Port Configuration. See [Vn Config Allowed Vip Port ](#vn-config-allowed-vip-port) below for details. +`allowed_vip_port_sli` - (Optional) Allowed VIP Port Configuration for Inside Network. 
See [Vn Config Allowed Vip Port Sli ](#vn-config-allowed-vip-port-sli) below for details. - +###### One of the arguments from this list "dc_cluster_group_inside_vn, dc_cluster_group_outside_vn, no_dc_cluster_group" must be set +`dc_cluster_group_inside_vn` - (Optional) This site is member of dc cluster group connected via inside network. See [ref](#ref) below for details. +`dc_cluster_group_outside_vn` - (Optional) This site is member of dc cluster group connected via outside network. See [ref](#ref) below for details. +`no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). +###### One of the arguments from this list "global_network_list, no_global_network" must be set +`global_network_list` - (Optional) List of global network connections. See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - +`no_global_network` - (Optional) No global network to connect (`Bool`). +###### One of the arguments from this list "inside_static_routes, no_inside_static_routes" must be set +`inside_static_routes` - (Optional) Manage static routes for inside network.. See [Inside Static Route Choice Inside Static Routes ](#inside-static-route-choice-inside-static-routes) below for details. +`no_inside_static_routes` - (Optional) Static Routes disabled for inside network. (`Bool`). +###### One of the arguments from this list "no_outside_static_routes, outside_static_routes" must be set - +`no_outside_static_routes` - (Optional) Static Routes disabled for outside network. (`Bool`). +`outside_static_routes` - (Optional) Manage static routes for outside network.. See [Outside Static Route Choice Outside Static Routes ](#outside-static-route-choice-outside-static-routes) below for details. 
+###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set +`sm_connection_public_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). +`sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). +### Vpc Attachments +Note that this choice would be deprecated in the near release.. +`vpc_list` - (Optional) List of VPC attachments to transit gateway. See [Vpc Attachments Vpc List ](#vpc-attachments-vpc-list) below for details. +### Admin Password Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Asn Choice Auto Asn +Automatically set ASN. +### Asn Choice System Generated +F5XC will automatically assign a private ASN for TGW and F5XC Site. +### Asn Choice User Assigned +User is managing the ASN for TGW and F5XC Site.. - +`tgw_asn` - (Optional) TGW ASN. Allowed range for 16-bit private ASNs include 64512 to 65534. (`Int`). +`volterra_site_asn` - (Optional) F5XC Site ASN. (`Int`). +### Aws Parameters Admin Password +Admin password user for accessing site through serial console .. - +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Aws Parameters Az Nodes +Only Single AZ or Three AZ(s) nodes are supported currently.. +`aws_az_name` - (Required) AWS availability zone, must be consistent with the selected AWS region. (`String`). +###### One of the arguments from this list "inside_subnet, reserved_inside_subnet" must be set +`inside_subnet` - (Optional) Select Existing Subnet or Create New. See [Choice Inside Subnet ](#choice-inside-subnet) below for details. +`reserved_inside_subnet` - (Optional) Autogenerate and reserve a subnet from the Primary CIDR (`Bool`). +`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`).(Deprecated) - +`outside_subnet` - (Required) Subnet for the outside interface of the node. See [Az Nodes Outside Subnet ](#az-nodes-outside-subnet) below for details. +`workload_subnet` - (Optional) Subnet in which workloads are launched. See [Az Nodes Workload Subnet ](#az-nodes-workload-subnet) below for details. 
+### Az Nodes Outside Subnet +Subnet for the outside interface of the node. +###### One of the arguments from this list "existing_subnet_id, subnet_param" must be set +`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). +`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. +### Az Nodes Workload Subnet -`block_all_services` - (Optional) Block DNS, SSH & WebUI services on Site (`Bool`). +Subnet in which workloads are launched. +###### One of the arguments from this list "existing_subnet_id, subnet_param" must be set -`blocked_services` - (Optional) Use custom blocked services configuration, to list the services which need to be blocked. See [Blocked Services Choice Blocked Services ](#blocked-services-choice-blocked-services) below for details. - +`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). +`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. - +### Blocked Services Blocked Sevice +x-displayName: "Disable Node Local Services". +###### One of the arguments from this list "dns, ssh, web_user_interface" can be set +`dns` - (Optional) Matches DNS port 53 (`Bool`). - +`ssh` - (Optional) x-displayName: "SSH" (`Bool`). +`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). +`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). +### Blocked Services Choice Blocked Services - +Use custom blocked services configuration, to list the services which need to be blocked. +`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. +### Blocked Services Value Type Choice Dns +Matches DNS port 53. - +### Blocked Services Value Type Choice Ssh +x-displayName: "SSH". 
+### Blocked Services Value Type Choice Web User Interface +x-displayName: "Web UI". +### Choice Inside Subnet +Select Existing Subnet or Create New. -`default_blocked_services` - (Optional) Allow access to DNS, SSH services on Site (`Bool`). +###### One of the arguments from this list "existing_subnet_id, subnet_param" must be set +`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). +`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. +### Choice Reserved Inside Subnet -`coordinates` - (Optional) Site longitude and latitude co-ordinates. See [Coordinates ](#coordinates) below for details. +Autogenerate and reserve a subnet from the Primary CIDR. +### Choice Subnet Param +Parameters for creating new subnet. +`ipv4` - (Required) IPv4 subnet prefix for this subnet (`String`). +`ipv6` - (Optional) IPv6 subnet prefix for this subnet (`String`). -`custom_dns` - (Optional) custom dns configure to the CE site. See [Custom Dns ](#custom-dns) below for details. +### Config Mode Choice Custom Static Route +Use Custom static route to configure all advanced options. +`attrs` - (Optional) List of route attributes associated with the static route (`List of Strings`). +`labels` - (Optional) Add Labels for this Static Route, these labels can be used in network policy (`String`). +`nexthop` - (Optional) Nexthop for the route. See [Custom Static Route Nexthop ](#custom-static-route-nexthop) below for details. +`subnets` - (Required) List of route prefixes. See [Custom Static Route Subnets ](#custom-static-route-subnets) below for details. +### Connection Choice Sli To Global Dr +Site local inside is connected directly to a given global network. -`direct_connect_disabled` - (Optional) Disable Private Connectivity to Site (`Bool`). +`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. 
+### Connection Choice Slo To Global Dr -`direct_connect_enabled` - (Optional) Direct Connect Connection to Site is enabled(Legacy). See [Direct Connect Choice Direct Connect Enabled ](#direct-connect-choice-direct-connect-enabled) below for details. - +Site local outside is connected directly to a given global network. +`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. +### Connectivity Options Site Registration Over Direct Connect +Site Registration and Site to RE tunnels go over the AWS Direct Connect Connection. - +`cloudlink_network_name` - (Required) Establish private connectivity with the F5 Distributed Cloud Global Network using a Private ADN network. To provision a Private ADN network, please contact F5 Distributed Cloud support. (`String`). +### Connectivity Options Site Registration Over Internet +Site Registration and Site to RE tunnels go over the internet gateway. +### Custom Certificate Private Key +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. 
See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Custom Static Route Nexthop +Nexthop for the route. +`interface` - (Optional) Nexthop is network interface when type is "Network-Interface". See [ref](#ref) below for details. +`nexthop_address` - (Optional) Nexthop address when type is "Use-Configured". See [Nexthop Nexthop Address ](#nexthop-nexthop-address) below for details. - +`type` - (Optional) Identifies the type of next-hop (`String`). +### Custom Static Route Subnets +List of route prefixes. +###### One of the arguments from this list "ipv4, ipv6" must be set - +`ipv4` - (Optional) IPv4 Subnet Address. See [Ver Ipv4 ](#ver-ipv4) below for details. +`ipv6` - (Optional) IPv6 Subnet Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Dc Cluster Group Choice No Dc Cluster Group +This site is not a member of dc cluster group. +### Deployment Assisted +In assisted deployment get AWS parameters generated in status of this objects and run volterra provided terraform script.. - +### Direct Connect Choice Direct Connect Enabled +Direct Connect Connection to Site is enabled(Legacy). +###### One of the arguments from this list "auto_asn, custom_asn" must be set +`auto_asn` - (Optional) Automatically set ASN (`Bool`). +`custom_asn` - (Optional) Custom Autonomous System Number (`Int`). +###### One of the arguments from this list "hosted_vifs, manual_gw, standard_vifs" must be set +`hosted_vifs` - (Optional) and automatically associate provided hosted VIF and also setup BGP Peering.. 
See [Vif Choice Hosted Vifs ](#vif-choice-hosted-vifs) below for details. - +`manual_gw` - (Optional) and a user associate AWS DirectConnect Gateway with it. (`Bool`).(Deprecated) +`standard_vifs` - (Optional) and a user associate VIF to the DirectConnect gateway and setup BGP Peering. (`Bool`). +### Direct Connect Choice Private Connectivity +Enable Private Connectivity to Site via CloudLink. - +`cloud_link` - (Required) Reference to Cloud Link. See [ref](#ref) below for details. +###### One of the arguments from this list "inside, outside" can be set +`inside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site (`Bool`). +`outside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site (`Bool`). +### East West Service Policy Choice Active East West Service Policies -`private_connectivity` - (Optional) Enable Private Connectivity to Site via CloudLink. See [Direct Connect Choice Private Connectivity ](#direct-connect-choice-private-connectivity) below for details. - +Enable service policy so east-west traffic goes via proxy. +`service_policies` - (Optional) A list of references to service_policy objects.. See [ref](#ref) below for details. +### East West Service Policy Choice East West Service Policy Allow All +Enable service policy with allow all so east-west traffic goes via proxy for monitoring. +### East West Service Policy Choice No East West Policy - +Disable service policy so that east-west traffic does not go via proxy. +### Enable Disable Choice Disable Interception +Disable Interception. +### Enable Disable Choice Enable Interception - +Enable Interception. +### Forward Proxy Choice Active Forward Proxy Policies +Enable Forward Proxy for this site and manage policies. +`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. 
+### Forward Proxy Choice Disable Forward Proxy +Forward Proxy is disabled for this connector. +### Forward Proxy Choice Enable Forward Proxy -`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. +Forward Proxy is enabled for this connector. +`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2000 (2 seconds) (`Int`). +`max_connect_attempts` - (Optional) Specifies the allowed number of retries on connect failure to upstream server. Defaults to 1. (`Int`). +###### One of the arguments from this list "no_interception, tls_intercept" can be set - +`no_interception` - (Optional) No TLS interception is enabled for this network connector (`Bool`).(Deprecated) +`tls_intercept` - (Optional) Specify TLS interception configuration for the network connector. See [Tls Interception Choice Tls Intercept ](#tls-interception-choice-tls-intercept) below for details.(Deprecated) +`white_listed_ports` - (Optional) Example "tmate" server port (`Int`). +`white_listed_prefixes` - (Optional) Example "tmate" server ip (`String`). - +### Forward Proxy Choice Forward Proxy Allow All +Enable Forward Proxy for this site and allow all requests.. +### Forward Proxy Choice No Forward Proxy +Disable Forward Proxy for this site. +### Global Network Choice Global Network List +List of global network connections. +`global_network_connections` - (Required) Global network connections. See [Global Network List Global Network Connections ](#global-network-list-global-network-connections) below for details. +### Global Network Choice No Global Network +No global network to connect. - +### Global Network List Global Network Connections +Global network connections. +###### One of the arguments from this list "sli_to_global_dr, slo_to_global_dr" must be set +`sli_to_global_dr` - (Optional) Site local inside is connected directly to a given global network. 
See [Connection Choice Sli To Global Dr ](#connection-choice-sli-to-global-dr) below for details. - +`slo_to_global_dr` - (Optional) Site local outside is connected directly to a given global network. See [Connection Choice Slo To Global Dr ](#connection-choice-slo-to-global-dr) below for details. +###### One of the arguments from this list "disable_forward_proxy, enable_forward_proxy" can be set +`disable_forward_proxy` - (Optional) Forward Proxy is disabled for this connector (`Bool`).(Deprecated) +`enable_forward_proxy` - (Optional) Forward Proxy is enabled for this connector. See [Forward Proxy Choice Enable Forward Proxy ](#forward-proxy-choice-enable-forward-proxy) below for details.(Deprecated) +### Hosted Vifs Vif List +List of Hosted VIF Config. +`vif_id` - (Required) AWS Direct Connect VIF ID that needs to be connected to the site (`String`). +###### One of the arguments from this list "other_region, same_as_site_region" must be set -`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. +`other_region` - (Optional) Other Region (`String`). +`same_as_site_region` - (Optional) Use same region as that of the Site (`Bool`). -`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). +### Inside Static Route Choice Inside Static Routes +Manage static routes for inside network.. +`static_route_list` - (Required) List of Static routes. See [Inside Static Routes Static Route List ](#inside-static-routes-static-route-list) below for details. +### Inside Static Route Choice No Inside Static Routes -`offline_survivability_mode` - (Optional) Enable/Disable offline survivability mode. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. +Static Routes disabled for inside network.. +### Inside Static Routes Static Route List +List of Static routes. 
+###### One of the arguments from this list "custom_static_route, simple_static_route" must be set - +`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. +`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). +### Interception Policy Choice Enable For All Domains +Enable interception for all domains. - +### Interception Policy Choice Policy +Policy to enable/disable specific domains, with implicit enable all domains. +`interception_rules` - (Required) List of ordered rules to enable or disable for TLS interception. See [Policy Interception Rules ](#policy-interception-rules) below for details. +### Interception Rules Domain Match +Domain value or regular expression to match. -`os` - (Optional) Operating System Details. See [Os ](#os) below for details. +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set +`exact_value` - (Optional) Exact domain name. (`String`). +`regex_value` - (Optional) Regular Expression value for the domain name (`String`). +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - +### Internet Vip Choice Disable Internet Vip +VIPs cannot be advertised to the internet directly on this Site. +### Internet Vip Choice Enable Internet Vip +VIPs can be advertised to the internet directly on this Site. +### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain +x-displayName: "Disable Node by Node Upgrade". -`performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Performance Enhancement Mode ](#performance-enhancement-mode) below for details. +### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain +x-displayName: "Enable Node by Node Upgrade". 
+###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set +`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). - +`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) +`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). +###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set +`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) - +`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) +### Name Choice Autogenerate +Autogenerate the VPC Name. +### Network Options Inside - +CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site. +### Network Options Outside +CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site. +### Network Policy Choice Active Enhanced Firewall Policies +with an additional option for service insertion.. +`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. - +### Network Policy Choice Active Network Policies +Firewall Policies active for this site.. +`network_policies` - (Required) Ordered List of Firewall Policies active for this network firewall. See [ref](#ref) below for details. +### Network Policy Choice No Network Policy +Firewall Policy is disabled for this site.. -`sw` - (Optional) F5XC Software Details. See [Sw ](#sw) below for details. +### Nexthop Nexthop Address +Nexthop address when type is "Use-Configured". 
+###### One of the arguments from this list "ipv4, ipv6" can be set +`ipv4` - (Optional) IPv4 Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - +`ipv6` - (Optional) IPv6 Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Ocsp Stapling Choice Custom Hash Algorithms +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Ocsp Stapling Choice Disable Ocsp Stapling +This is the default behavior if no choice is selected.. -`tags` - (Optional) It helps to manage, identify, organize, search for, and filter resources in AWS console. (`String`). +### Ocsp Stapling Choice Use System Defaults +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. +### Offline Survivability Mode Choice Enable Offline Survivability Mode -`tgw_security` - (Optional) Security Configuration for transit gateway. See [Tgw Security ](#tgw-security) below for details. +x-displayName: "Enabled". +### Offline Survivability Mode Choice No Offline Survivability Mode +x-displayName: "Disabled". +### Operating System Version Choice Default Os Version - +Will assign latest available OS version. +### Outside Static Route Choice No Outside Static Routes +Static Routes disabled for outside network.. +### Outside Static Route Choice Outside Static Routes +Manage static routes for outside network.. - +`static_route_list` - (Required) List of Static routes. See [Outside Static Routes Static Route List ](#outside-static-routes-static-route-list) below for details. +### Outside Static Routes Static Route List +List of Static routes. 
+###### One of the arguments from this list "custom_static_route, simple_static_route" must be set - +`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. +`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). +### Perf Mode Choice Jumbo +x-displayName: "Enabled". +### Perf Mode Choice No Jumbo +x-displayName: "Disabled". - +### Perf Mode Choice Perf Mode L3 Enhanced +Site optimized for L3 traffic processing. +###### One of the arguments from this list "jumbo, no_jumbo" must be set +`jumbo` - (Optional) x-displayName: "Enabled" (`Bool`). +`no_jumbo` - (Optional) x-displayName: "Disabled" (`Bool`). - +### Perf Mode Choice Perf Mode L7 Enhanced +Site optimized for L7 traffic processing. +### Policy Interception Rules +List of ordered rules to enable or disable for TLS interception. - +`domain_match` - (Required) Domain value or regular expression to match. See [Interception Rules Domain Match ](#interception-rules-domain-match) below for details. +###### One of the arguments from this list "disable_interception, enable_interception" must be set +`disable_interception` - (Optional) Disable Interception (`Bool`). +`enable_interception` - (Optional) Enable Interception (`Bool`). +### Port Choice Custom Ports +Custom list of ports to be allowed. - +`port_ranges` - (Required) Port Ranges (`String`). +### Port Choice Disable Allowed Vip Port +HTTP Port (80) & HTTPS Port (443) will be disabled.. +### Port Choice Use Http Https Port +HTTP Port (80) & HTTPS Port (443) will be allowed.. - +### Port Choice Use Http Port +Only HTTP Port (80) will be allowed.. +### Port Choice Use Https Port +Only HTTPS Port (443) will be allowed.. +### Private Key Blindfold Secret Info Internal - +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
+`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Ref -`vn_config` - (Optional) Site Network related details will be configured. See [Vn Config ](#vn-config) below for details. +Reference to another volterra object is shown like below +name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - +namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). +tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Secret Info Oneof Blindfold Secret Info +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. - +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`vpc_attachments` - (Optional) Note that this choice would be deprecated in the near release.. See [Vpc Attachments ](#vpc-attachments) below for details. 
- - - - - - - - -### Aws Parameters - - Example of the managed AWS resources to name few are VPC, TGW, Route Tables etc. - -`admin_password` - (Optional) Admin password user for accessing site through serial console .. See [Aws Parameters Admin Password ](#aws-parameters-admin-password) below for details.(Deprecated) - -`aws_certified_hw` - (Optional) Name for AWS certified hardware. (`String`).(Deprecated) - -`aws_region` - (Required) AWS Region of your services vpc, where F5XC site will be deployed. (`String`). - -`az_nodes` - (Required) Only Single AZ or Three AZ(s) nodes are supported currently.. See [Aws Parameters Az Nodes ](#aws-parameters-az-nodes) below for details. - - - -###### One of the arguments from this list "aws_cred, assisted" must be set - -`assisted` - (Optional) In assisted deployment get AWS parameters generated in status of this objects and run volterra provided terraform script. (`Bool`).(Deprecated) - - -`aws_cred` - (Optional) Reference to AWS cloud credential object used to deploy cloud resources. See [ref](#ref) below for details. - - -`disk_size` - (Optional) Node disk size for all node in the F5XC site. Unit is GiB (`Int`). - -`instance_type` - (Required) Instance size based on the performance. (`String`). - - - -###### One of the arguments from this list "disable_internet_vip, enable_internet_vip" must be set - -`disable_internet_vip` - (Optional) VIPs cannot be advertised to the internet directly on this Site (`Bool`). - - -`enable_internet_vip` - (Optional) VIPs can be advertised to the internet directly on this Site (`Bool`). - - - - -###### One of the arguments from this list "custom_security_group, f5xc_security_group" must be set - -`custom_security_group` - (Optional) With this option, ingress and egress traffic will be controlled via security group ids.. See [Security Group Choice Custom Security Group ](#security-group-choice-custom-security-group) below for details. 
- - -`f5xc_security_group` - (Optional) With this option, ingress and egress traffic will be controlled via f5xc created security group. (`Bool`). - - - - -###### One of the arguments from this list "new_vpc, vpc_id" must be set - -`new_vpc` - (Optional) Details needed to create new VPC. See [Service Vpc Choice New Vpc ](#service-vpc-choice-new-vpc) below for details. - - -`vpc_id` - (Optional) Existing VPC ID (`String`). - - -`ssh_key` - (Required) Public SSH key for accessing nodes of the site. (`String`). - - - -###### One of the arguments from this list "new_tgw, existing_tgw" must be set - -`existing_tgw` - (Optional) Information about existing TGW. See [Tgw Choice Existing Tgw ](#tgw-choice-existing-tgw) below for details. - - -`new_tgw` - (Optional) Details needed to create new TGW. See [Tgw Choice New Tgw ](#tgw-choice-new-tgw) below for details. - - - - -###### One of the arguments from this list "nodes_per_az, total_nodes, no_worker_nodes" must be set - -`no_worker_nodes` - (Optional) Worker nodes is set to zero (`Bool`). - - -`nodes_per_az` - (Optional) Desired Worker Nodes Per AZ. Max limit is up to 21 (`Int`). - - -`total_nodes` - (Optional) Total number of worker nodes to be deployed across all AZ's used in the Site (`Int`). - - - - -### Coordinates - - Site longitude and latitude co-ordinates. - -`latitude` - (Optional) Latitude of the site location (`Float`). - -`longitude` - (Optional) longitude of site location (`Float`). - - - -### Custom Dns - - custom dns configure to the CE site. - -`inside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in inside network (`String`). - -`inside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in inside network (`String`). - -`outside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in outside network (`String`). 
- -`outside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in outside network (`String`). - - - -### Kubernetes Upgrade Drain - - Enable Kubernetes Drain during OS or SW upgrade. - - - -###### One of the arguments from this list "enable_upgrade_drain, disable_upgrade_drain" must be set - -`disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). - - -`enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. - - - - -### Offline Survivability Mode - - Enable/Disable offline survivability mode. - - - -###### One of the arguments from this list "no_offline_survivability_mode, enable_offline_survivability_mode" must be set - -`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). - - -`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). - - - - -### Os - - Operating System Details. - - - -###### One of the arguments from this list "default_os_version, operating_system_version" must be set - -`default_os_version` - (Optional) Will assign latest available OS version (`Bool`). - - -`operating_system_version` - (Optional) Specify a OS version to be used e.g. 9.2024.6. (`String`). - - - - -### Performance Enhancement Mode - - Performance Enhancement Mode to optimize for L3 or L7 networking. - - - -###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set - -`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - - -`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). - - - - -### Sw - - F5XC Software Details. 
- - - -###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set - -`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). - - -`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). - - - - -### Tgw Security - - Security Configuration for transit gateway. - - - -###### One of the arguments from this list "no_east_west_policy, active_east_west_service_policies, east_west_service_policy_allow_all" must be set - -`active_east_west_service_policies` - (Optional) Enable service policy so east-west traffic goes via proxy. See [East West Service Policy Choice Active East West Service Policies ](#east-west-service-policy-choice-active-east-west-service-policies) below for details. - - -`east_west_service_policy_allow_all` - (Optional) Enable service policy with allow all so east-west traffic goes via proxy for monitoring (`Bool`). - - -`no_east_west_policy` - (Optional) Disable service policy so that east-west traffic does not go via proxy (`Bool`). - - - - -###### One of the arguments from this list "no_forward_proxy, active_forward_proxy_policies, forward_proxy_allow_all" must be set - -`active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. - - -`forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). - - -`no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). - - - - -###### One of the arguments from this list "no_network_policy, active_network_policies, active_enhanced_firewall_policies" must be set - -`active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. 
See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - - -`active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - - -`no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). - - - - -### Vn Config - - Site Network related details will be configured. - -`allowed_vip_port` - (Optional) Allowed VIP Port Configuration. See [Vn Config Allowed Vip Port ](#vn-config-allowed-vip-port) below for details. - -`allowed_vip_port_sli` - (Optional) Allowed VIP Port Configuration for Inside Network. See [Vn Config Allowed Vip Port Sli ](#vn-config-allowed-vip-port-sli) below for details. - - - -###### One of the arguments from this list "no_dc_cluster_group, dc_cluster_group_outside_vn, dc_cluster_group_inside_vn" must be set - -`dc_cluster_group_inside_vn` - (Optional) This site is member of dc cluster group connected via inside network. See [ref](#ref) below for details. - - -`dc_cluster_group_outside_vn` - (Optional) This site is member of dc cluster group connected via outside network. See [ref](#ref) below for details. - - -`no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). - - - - -###### One of the arguments from this list "no_global_network, global_network_list" must be set - -`global_network_list` - (Optional) List of global network connections. See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - - -`no_global_network` - (Optional) No global network to connect (`Bool`). - - - - -###### One of the arguments from this list "no_inside_static_routes, inside_static_routes" must be set - -`inside_static_routes` - (Optional) Manage static routes for inside network.. 
See [Inside Static Route Choice Inside Static Routes ](#inside-static-route-choice-inside-static-routes) below for details. - - -`no_inside_static_routes` - (Optional) Static Routes disabled for inside network. (`Bool`). - - - - -###### One of the arguments from this list "no_outside_static_routes, outside_static_routes" must be set - -`no_outside_static_routes` - (Optional) Static Routes disabled for outside network. (`Bool`). - - -`outside_static_routes` - (Optional) Manage static routes for outside network.. See [Outside Static Route Choice Outside Static Routes ](#outside-static-route-choice-outside-static-routes) below for details. - - - - -###### One of the arguments from this list "sm_connection_pvt_ip, sm_connection_public_ip" must be set - -`sm_connection_public_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - - -`sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - - - - -### Vpc Attachments - - Note that this choice would be deprecated in the near release.. - -`vpc_list` - (Optional) List of VPC attachments to transit gateway. See [Vpc Attachments Vpc List ](#vpc-attachments-vpc-list) below for details. - - - -### Admin Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Asn Choice Auto Asn - - Automatically set ASN. - - - -### Asn Choice System Generated - - F5XC will automatically assign a private ASN for TGW and F5XC Site. 
- - - -### Asn Choice User Assigned - - User is managing the ASN for TGW and F5XC Site.. - -`tgw_asn` - (Optional) TGW ASN. Allowed range for 16-bit private ASNs include 64512 to 65534. (`Int`). - -`volterra_site_asn` - (Optional) F5XC Site ASN. (`Int`). - - - -### Aws Parameters Admin Password - - Admin password user for accessing site through serial console .. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Aws Parameters Az Nodes - - Only Single AZ or Three AZ(s) nodes are supported currently.. - -`aws_az_name` - (Required) AWS availability zone, must be consistent with the selected AWS region. (`String`). 
- - - -###### One of the arguments from this list "reserved_inside_subnet, inside_subnet" must be set - -`inside_subnet` - (Optional) Select Existing Subnet or Create New. See [Choice Inside Subnet ](#choice-inside-subnet) below for details. - - -`reserved_inside_subnet` - (Optional) Autogenerate and reserve a subnet from the Primary CIDR (`Bool`). - - -`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`).(Deprecated) - -`outside_subnet` - (Required) Subnet for the outside interface of the node. See [Az Nodes Outside Subnet ](#az-nodes-outside-subnet) below for details. - -`workload_subnet` - (Optional) Subnet in which workloads are launched. See [Az Nodes Workload Subnet ](#az-nodes-workload-subnet) below for details. - - - -### Az Nodes Outside Subnet - - Subnet for the outside interface of the node. - - - -###### One of the arguments from this list "subnet_param, existing_subnet_id" must be set - -`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). - - -`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Az Nodes Workload Subnet - - Subnet in which workloads are launched. - - - -###### One of the arguments from this list "subnet_param, existing_subnet_id" must be set - -`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). - - -`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Blocked Services Blocked Sevice - - x-displayName: "Disable Node Local Services". - - - - -###### One of the arguments from this list "web_user_interface, dns, ssh" can be set - -`dns` - (Optional) Matches DNS port 53 (`Bool`). - - -`ssh` - (Optional) x-displayName: "SSH" (`Bool`). - - -`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). 
- - -`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). - - - -### Blocked Services Choice Blocked Services - - Use custom blocked services configuration, to list the services which need to be blocked. - -`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. - - - -### Blocked Services Value Type Choice Dns - - Matches DNS port 53. - - - -### Blocked Services Value Type Choice Ssh - - x-displayName: "SSH". - - - -### Blocked Services Value Type Choice Web User Interface - - x-displayName: "Web UI". - - - -### Choice Inside Subnet - - Select Existing Subnet or Create New. - - - -###### One of the arguments from this list "existing_subnet_id, subnet_param" must be set - -`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). - - -`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Choice Reserved Inside Subnet - - Autogenerate and reserve a subnet from the Primary CIDR. - - - -### Choice Subnet Param - - Parameters for creating new subnet. - -`ipv4` - (Required) IPv4 subnet prefix for this subnet (`String`). - -`ipv6` - (Optional) IPv6 subnet prefix for this subnet (`String`). - - - -### Config Mode Choice Custom Static Route - - Use Custom static route to configure all advanced options. - -`attrs` - (Optional) List of route attributes associated with the static route (`List of Strings`). - -`labels` - (Optional) Add Labels for this Static Route, these labels can be used in network policy (`String`). - -`nexthop` - (Optional) Nexthop for the route. See [Custom Static Route Nexthop ](#custom-static-route-nexthop) below for details. - -`subnets` - (Required) List of route prefixes. See [Custom Static Route Subnets ](#custom-static-route-subnets) below for details. 
- - - -### Connection Choice Sli To Global Dr - - Site local inside is connected directly to a given global network. - -`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. - - - -### Connection Choice Slo To Global Dr - - Site local outside is connected directly to a given global network. - -`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. - - - -### Connectivity Options Site Registration Over Direct Connect - - Site Registration and Site to RE tunnels go over the AWS Direct Connect Connection. - -`cloudlink_network_name` - (Required) Establish private connectivity with the F5 Distributed Cloud Global Network using a Private ADN network. To provision a Private ADN network, please contact F5 Distributed Cloud support. (`String`). - - - -### Connectivity Options Site Registration Over Internet - - Site Registration and Site to RE tunnels go over the internet gateway. - - - -### Custom Certificate Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "vault_secret_info, clear_secret_info, wingman_secret_info, blindfold_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. 
- - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Custom Static Route Nexthop - - Nexthop for the route. - -`interface` - (Optional) Nexthop is network interface when type is "Network-Interface". See [ref](#ref) below for details. - -`nexthop_address` - (Optional) Nexthop address when type is "Use-Configured". See [Nexthop Nexthop Address ](#nexthop-nexthop-address) below for details. - -`type` - (Optional) Identifies the type of next-hop (`String`). - - - -### Custom Static Route Subnets - - List of route prefixes. - - - -###### One of the arguments from this list "ipv6, ipv4" must be set - -`ipv4` - (Optional) IPv4 Subnet Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - - -`ipv6` - (Optional) IPv6 Subnet Address. See [Ver Ipv6 ](#ver-ipv6) below for details. - - - - -### Dc Cluster Group Choice No Dc Cluster Group - - This site is not a member of dc cluster group. - - - -### Deployment Assisted - - In assisted deployment get AWS parameters generated in status of this objects and run volterra provided terraform script.. - - - -### Direct Connect Choice Direct Connect Enabled - - Direct Connect Connection to Site is enabled(Legacy). - - - -###### One of the arguments from this list "auto_asn, custom_asn" must be set - -`auto_asn` - (Optional) Automatically set ASN (`Bool`). - - -`custom_asn` - (Optional) Custom Autonomous System Number (`Int`). 
- - - - -###### One of the arguments from this list "standard_vifs, manual_gw, hosted_vifs" must be set - -`hosted_vifs` - (Optional) and automatically associate provided hosted VIF and also setup BGP Peering.. See [Vif Choice Hosted Vifs ](#vif-choice-hosted-vifs) below for details. - - -`manual_gw` - (Optional) and a user associate AWS DirectConnect Gateway with it. (`Bool`).(Deprecated) - - -`standard_vifs` - (Optional) and a user associate VIF to the DirectConnect gateway and setup BGP Peering. (`Bool`). - - - - -### Direct Connect Choice Private Connectivity - - Enable Private Connectivity to Site via CloudLink. - -`cloud_link` - (Required) Reference to Cloud Link. See [ref](#ref) below for details. - - - - -###### One of the arguments from this list "outside, inside" can be set - -`inside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site (`Bool`). - - -`outside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site (`Bool`). - - - - -### East West Service Policy Choice Active East West Service Policies - - Enable service policy so east-west traffic goes via proxy. - -`service_policies` - (Optional) A list of references to service_policy objects.. See [ref](#ref) below for details. - - - -### East West Service Policy Choice East West Service Policy Allow All - - Enable service policy with allow all so east-west traffic goes via proxy for monitoring. - - - -### East West Service Policy Choice No East West Policy - - Disable service policy so that east-west traffic does not go via proxy. - - - -### Enable Disable Choice Disable Interception - - Disable Interception. - - - -### Enable Disable Choice Enable Interception - - Enable Interception. - - - -### Forward Proxy Choice Active Forward Proxy Policies - - Enable Forward Proxy for this site and manage policies. 
- -`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. - - - -### Forward Proxy Choice Disable Forward Proxy - - Forward Proxy is disabled for this connector. - - - -### Forward Proxy Choice Enable Forward Proxy - - Forward Proxy is enabled for this connector. - -`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2000 (2 seconds) (`Int`). - -`max_connect_attempts` - (Optional) Specifies the allowed number of retries on connect failure to upstream server. Defaults to 1. (`Int`). - - - - -###### One of the arguments from this list "no_interception, tls_intercept" can be set - -`no_interception` - (Optional) No TLS interception is enabled for this network connector (`Bool`).(Deprecated) - - -`tls_intercept` - (Optional) Specify TLS interception configuration for the network connector. See [Tls Interception Choice Tls Intercept ](#tls-interception-choice-tls-intercept) below for details.(Deprecated) - - -`white_listed_ports` - (Optional) Example "tmate" server port (`Int`). - -`white_listed_prefixes` - (Optional) Example "tmate" server ip (`String`). - - - -### Forward Proxy Choice Forward Proxy Allow All - - Enable Forward Proxy for this site and allow all requests.. - - - -### Forward Proxy Choice No Forward Proxy - - Disable Forward Proxy for this site. - - - -### Global Network Choice Global Network List - - List of global network connections. - -`global_network_connections` - (Required) Global network connections. See [Global Network List Global Network Connections ](#global-network-list-global-network-connections) below for details. - - - -### Global Network Choice No Global Network - - No global network to connect. - - - -### Global Network List Global Network Connections - - Global network connections. 
- - - -###### One of the arguments from this list "sli_to_global_dr, slo_to_global_dr" must be set - -`sli_to_global_dr` - (Optional) Site local inside is connected directly to a given global network. See [Connection Choice Sli To Global Dr ](#connection-choice-sli-to-global-dr) below for details. - - -`slo_to_global_dr` - (Optional) Site local outside is connected directly to a given global network. See [Connection Choice Slo To Global Dr ](#connection-choice-slo-to-global-dr) below for details. - - - - - -###### One of the arguments from this list "disable_forward_proxy, enable_forward_proxy" can be set - -`disable_forward_proxy` - (Optional) Forward Proxy is disabled for this connector (`Bool`).(Deprecated) - - -`enable_forward_proxy` - (Optional) Forward Proxy is enabled for this connector. See [Forward Proxy Choice Enable Forward Proxy ](#forward-proxy-choice-enable-forward-proxy) below for details.(Deprecated) - - - - -### Hosted Vifs Vif List - - List of Hosted VIF Config. - -`vif_id` - (Required) AWS Direct Connect VIF ID that needs to be connected to the site (`String`). - - - -###### One of the arguments from this list "same_as_site_region, other_region" must be set - -`other_region` - (Optional) Other Region (`String`). - - -`same_as_site_region` - (Optional) Use same region as that of the Site (`Bool`). - - - - -### Inside Static Route Choice Inside Static Routes - - Manage static routes for inside network.. - -`static_route_list` - (Required) List of Static routes. See [Inside Static Routes Static Route List ](#inside-static-routes-static-route-list) below for details. - - - -### Inside Static Route Choice No Inside Static Routes - - Static Routes disabled for inside network.. - - - -### Inside Static Routes Static Route List - - List of Static routes. - - - -###### One of the arguments from this list "simple_static_route, custom_static_route" must be set - -`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. 
See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. - - -`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). - - - - -### Interception Policy Choice Enable For All Domains - - Enable interception for all domains. - - - -### Interception Policy Choice Policy - - Policy to enable/disable specific domains, with implicit enable all domains. - -`interception_rules` - (Required) List of ordered rules to enable or disable for TLS interception. See [Policy Interception Rules ](#policy-interception-rules) below for details. - - - -### Interception Rules Domain Match - - Domain value or regular expression to match. - - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set - -`exact_value` - (Optional) Exact domain name. (`String`). - - -`regex_value` - (Optional) Regular Expression value for the domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - - - -### Internet Vip Choice Disable Internet Vip - - VIPs cannot be advertised to the internet directly on this Site. - - - -### Internet Vip Choice Enable Internet Vip - - VIPs can be advertised to the internet directly on this Site. - - - -### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain - - x-displayName: "Disable Node by Node Upgrade". - - - -### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain - - x-displayName: "Enable Node by Node Upgrade". - - - -###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set - -`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). - - -`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. 
(`Int`).(Deprecated) - - -`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). - - - -###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set - -`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) - - -`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) - - - - -### Name Choice Autogenerate - - Autogenerate the VPC Name. - - - -### Network Options Inside - - CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site. - - - -### Network Options Outside - - CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site. - - - -### Network Policy Choice Active Enhanced Firewall Policies - - with an additional option for service insertion.. - -`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. - - - -### Network Policy Choice Active Network Policies - - Firewall Policies active for this site.. - -`network_policies` - (Required) Ordered List of Firewall Policies active for this network firewall. See [ref](#ref) below for details. - - - -### Network Policy Choice No Network Policy - - Firewall Policy is disabled for this site.. - - - -### Nexthop Nexthop Address - - Nexthop address when type is "Use-Configured". - - - - -###### One of the arguments from this list "ipv4, ipv6" can be set - -`ipv4` - (Optional) IPv4 Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - - -`ipv6` - (Optional) IPv6 Address. See [Ver Ipv6 ](#ver-ipv6) below for details. - - - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. 
F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. - -`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). - - - -### Ocsp Stapling Choice Disable Ocsp Stapling - - This is the default behavior if no choice is selected.. - - - -### Ocsp Stapling Choice Use System Defaults - - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. - - - -### Offline Survivability Mode Choice Enable Offline Survivability Mode - - x-displayName: "Enabled". - - - -### Offline Survivability Mode Choice No Offline Survivability Mode - - x-displayName: "Disabled". - - - -### Operating System Version Choice Default Os Version - - Will assign latest available OS version. - - - -### Outside Static Route Choice No Outside Static Routes - - Static Routes disabled for outside network.. - - - -### Outside Static Route Choice Outside Static Routes - - Manage static routes for outside network.. - -`static_route_list` - (Required) List of Static routes. See [Outside Static Routes Static Route List ](#outside-static-routes-static-route-list) below for details. - - - -### Outside Static Routes Static Route List - - List of Static routes. - - - -###### One of the arguments from this list "simple_static_route, custom_static_route" must be set - -`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. - - -`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). - - - - -### Perf Mode Choice Jumbo - - x-displayName: "Enabled". - - - -### Perf Mode Choice No Jumbo - - x-displayName: "Disabled". 
- - - -### Perf Mode Choice Perf Mode L3 Enhanced - - Site optimized for L3 traffic processing. - - - -###### One of the arguments from this list "no_jumbo, jumbo" must be set - -`jumbo` - (Optional) x-displayName: "Enabled" (`Bool`). - - -`no_jumbo` - (Optional) x-displayName: "Disabled" (`Bool`). - - - - -### Perf Mode Choice Perf Mode L7 Enhanced - - Site optimized for L7 traffic processing. - - - -### Policy Interception Rules - - List of ordered rules to enable or disable for TLS interception. - -`domain_match` - (Required) Domain value or regular expression to match. See [Interception Rules Domain Match ](#interception-rules-domain-match) below for details. - - - -###### One of the arguments from this list "enable_interception, disable_interception" must be set - -`disable_interception` - (Optional) Disable Interception (`Bool`). - - -`enable_interception` - (Optional) Enable Interception (`Bool`). - - - - -### Port Choice Custom Ports - - Custom list of ports to be allowed. - -`port_ranges` - (Required) Port Ranges (`String`). - - - -### Port Choice Disable Allowed Vip Port - - HTTP Port (80) & HTTPS Port (443) will be disabled.. - - - -### Port Choice Use Http Https Port - - HTTP Port (80) & HTTPS Port (443) will be allowed.. - - - -### Port Choice Use Http Port - - Only HTTP Port (80) will be allowed.. - - - -### Port Choice Use Https Port - - Only HTTPS Port (443) will be allowed.. - - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). 
`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Ref - - -Reference to another volterra object is shown like below - -name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - -namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). - -tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). - - - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -2164,99 +1021,71 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Security Group Choice Custom Security Group - -### Security Group Choice Custom Security Group - - With this option, ingress and egress traffic will be controlled via security group ids.. +With this option, ingress and egress traffic will be controlled via security group ids.. `inside_security_group_id` - (Optional) Security Group ID to be attached to SLI(Site Local Inside) Interface (`String`). `outside_security_group_id` - (Optional) Security Group ID to be attached to SLO(Site Local Outside) Interface (`String`). +### Security Group Choice F5xc Security Group +With this option, ingress and egress traffic will be controlled via f5xc created security group.. -### Security Group Choice F5xc Security Group - - With this option, ingress and egress traffic will be controlled via f5xc created security group.. - +### Service Vpc Choice New Vpc - -### Service Vpc Choice New Vpc - - Details needed to create new VPC. +Details needed to create new VPC. `allocate_ipv6` - (Optional) Allocate IPv6 CIDR block from AWS (`Bool`).(Deprecated) - - -###### One of the arguments from this list "name_tag, autogenerate" must be set +###### One of the arguments from this list "autogenerate, name_tag" must be set `autogenerate` - (Optional) Autogenerate the VPC Name (`Bool`). - `name_tag` - (Optional) Specify the VPC Name (`String`). - `primary_ipv4` - (Required) The Primary IPv4 block cannot be modified. All subnets prefixes in this VPC must be part of this CIDR block. (`String`). 
+### Signing Cert Choice Custom Certificate - -### Signing Cert Choice Custom Certificate - - Certificates for generating intermediate certificate for TLS interception.. +Certificates for generating intermediate certificate for TLS interception.. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "custom_hash_algorithms, use_system_defaults, disable_ocsp_stapling" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Custom Certificate Private Key ](#custom-certificate-private-key) below for details. +### Signing Cert Choice Volterra Certificate +F5XC certificates for generating intermediate certificate for TLS interception.. 
-### Signing Cert Choice Volterra Certificate - - F5XC certificates for generating intermediate certificate for TLS interception.. - +### Site Mesh Group Choice Sm Connection Public Ip +creating ipsec between two sites which are part of the site mesh group. -### Site Mesh Group Choice Sm Connection Public Ip +### Site Mesh Group Choice Sm Connection Pvt Ip - creating ipsec between two sites which are part of the site mesh group. +creating ipsec between two sites which are part of the site mesh group. +### Tgw Choice Existing Tgw - -### Site Mesh Group Choice Sm Connection Pvt Ip - - creating ipsec between two sites which are part of the site mesh group. - - - -### Tgw Choice Existing Tgw - - Information about existing TGW. +Information about existing TGW. `tgw_asn` - (Optional) TGW ASN. (`Int`). 
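Review bot: in the Signing Cert Choice Custom Certificate section of this hunk, the `custom_hash_algorithms` description still says the LoadBalancer "will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set", which reads as the opposite of a must-staple gate. Since the neighbouring lines are being rewritten anyway, reword it to say the load balancer stays inactive until an OCSP response has been fetched, if that is the intended behaviour. The same section describes `private_key` as "unencrypted PEM format" that "may be optionally secured using BlindFold"; it would help to state which secret-info type is recommended for a TLS interception signing key. Several rewritten description lines also keep a doubled full stop (for example "controlled via security group ids.." and "for TLS interception.."), which could be cleaned up while the leading indentation is being removed.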
@@ -2264,234 +1093,169 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `volterra_site_asn` - (Optional) F5XC Site ASN. (`Int`). +### Tgw Choice New Tgw - -### Tgw Choice New Tgw - - Details needed to create new TGW. - - +Details needed to create new TGW. ###### One of the arguments from this list "system_generated, user_assigned" must be set `system_generated` - (Optional) F5XC will automatically assign a private ASN for TGW and F5XC Site (`Bool`). - `user_assigned` - (Optional) User is managing the ASN for TGW and F5XC Site.. See [Asn Choice User Assigned ](#asn-choice-user-assigned) below for details. +### Tgw Cidr Choice Reserved Tgw Cidr +Autogenerate and reserve a TGW CIDR Block from the Primary CIDR. +### Tgw Cidr Choice Tgw Cidr -### Tls Interception Choice No Interception - - No TLS interception is enabled for this network connector. +Specify TGW CIDR block. +`ipv4` - (Required) IPv4 subnet prefix for this subnet (`String`). +`ipv6` - (Optional) IPv6 subnet prefix for this subnet (`String`). -### Tls Interception Choice Tls Intercept +### Tls Interception Choice No Interception - Specify TLS interception configuration for the network connector. +No TLS interception is enabled for this network connector. +### Tls Interception Choice Tls Intercept +Specify TLS interception configuration for the network connector. ###### One of the arguments from this list "enable_for_all_domains, policy" must be set `enable_for_all_domains` - (Optional) Enable interception for all domains (`Bool`). - `policy` - (Optional) Policy to enable/disable specific domains, with implicit enable all domains. See [Interception Policy Choice Policy ](#interception-policy-choice-policy) below for details. - - - ###### One of the arguments from this list "custom_certificate, volterra_certificate" must be set `custom_certificate` - (Optional) Certificates for generating intermediate certificate for TLS interception.. 
See [Signing Cert Choice Custom Certificate ](#signing-cert-choice-custom-certificate) below for details. - `volterra_certificate` - (Optional) F5XC certificates for generating intermediate certificate for TLS interception. (`Bool`). - - - ###### One of the arguments from this list "trusted_ca_url, volterra_trusted_ca" must be set `trusted_ca_url` - (Optional) Custom Root CA Certificate for validating upstream server certificate (`String`). - `volterra_trusted_ca` - (Optional) F5XC Root CA Certificate for validating upstream server certificate (`Bool`). +### Trusted Ca Choice Volterra Trusted Ca +F5XC Root CA Certificate for validating upstream server certificate. +### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode -### Trusted Ca Choice Volterra Trusted Ca - - F5XC Root CA Certificate for validating upstream server certificate. - - - -### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode - - Disable Vega Upgrade Mode. - - - -### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode - - When enabled, vega will inform RE to stop traffic to the specific node.. +Disable Vega Upgrade Mode. +### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode +When enabled, vega will inform RE to stop traffic to the specific node.. -### Ver Ipv4 +### Ver Ipv4 - IPv4 Address. +IPv4 Address. `addr` - (Optional) IPv4 Address in string form with dot-decimal notation (`String`). +### Ver Ipv4 - -### Ver Ipv4 - - IPv4 Subnet Address. +IPv4 Subnet Address. `plen` - (Optional) Prefix-length of the IPv4 subnet. Must be <= 32 (`Int`). `prefix` - (Optional) Prefix part of the IPv4 subnet in string form with dot-decimal notation (`String`). +### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Address. +IPv6 Address. `addr` - (Optional) e.g. '2001:db8:0:0:0:0:2:1' becomes '2001:db8::2:1' or '2001:db8:0:0:0:2:0:0' becomes '2001:db8::2::' (`String`). +### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Subnet Address. +IPv6 Subnet Address. `plen` - (Optional) Prefix length of the IPv6 subnet. 
Must be <= 128 (`Int`). `prefix` - (Optional) e.g. "2001:db8::2::" (`String`). +### Vif Choice Hosted Vifs +and automatically associate provided hosted VIF and also setup BGP Peering.. -### Vif Choice Hosted Vifs - - and automatically associate provided hosted VIF and also setup BGP Peering.. - - - - -###### One of the arguments from this list "site_registration_over_internet, site_registration_over_direct_connect" can be set +###### One of the arguments from this list "site_registration_over_direct_connect, site_registration_over_internet" can be set `site_registration_over_direct_connect` - (Optional) Site Registration and Site to RE tunnels go over the AWS Direct Connect Connection. See [Connectivity Options Site Registration Over Direct Connect ](#connectivity-options-site-registration-over-direct-connect) below for details. - `site_registration_over_internet` - (Optional) Site Registration and Site to RE tunnels go over the internet gateway (`Bool`). - `vif_list` - (Optional) List of Hosted VIF Config. See [Hosted Vifs Vif List ](#hosted-vifs-vif-list) below for details. `vifs` - (Optional) VIFs (`String`).(Deprecated) +### Vif Choice Manual Gw +and a user associate AWS DirectConnect Gateway with it.. -### Vif Choice Manual Gw - - and a user associate AWS DirectConnect Gateway with it.. - - +### Vif Choice Standard Vifs -### Vif Choice Standard Vifs +and a user associate VIF to the DirectConnect gateway and setup BGP Peering.. - and a user associate VIF to the DirectConnect gateway and setup BGP Peering.. +### Vif Region Choice Same As Site Region +Use same region as that of the Site. +### Vn Config Allowed Vip Port -### Vif Region Choice Same As Site Region +Allowed VIP Port Configuration. - Use same region as that of the Site. - - - -### Vn Config Allowed Vip Port - - Allowed VIP Port Configuration. 
- - - - -###### One of the arguments from this list "disable_allowed_vip_port, use_http_port, use_https_port, use_http_https_port, custom_ports" can be set +###### One of the arguments from this list "custom_ports, disable_allowed_vip_port, use_http_https_port, use_http_port, use_https_port" can be set `custom_ports` - (Optional) Custom list of ports to be allowed. See [Port Choice Custom Ports ](#port-choice-custom-ports) below for details. - `disable_allowed_vip_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be disabled. (`Bool`). - `use_http_https_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be allowed. (`Bool`). - `use_http_port` - (Optional) Only HTTP Port (80) will be allowed. (`Bool`). - `use_https_port` - (Optional) Only HTTPS Port (443) will be allowed. (`Bool`). +### Vn Config Allowed Vip Port Sli +Allowed VIP Port Configuration for Inside Network. - -### Vn Config Allowed Vip Port Sli - - Allowed VIP Port Configuration for Inside Network. - - - - -###### One of the arguments from this list "custom_ports, disable_allowed_vip_port, use_http_port, use_https_port, use_http_https_port" can be set +###### One of the arguments from this list "custom_ports, disable_allowed_vip_port, use_http_https_port, use_http_port, use_https_port" can be set `custom_ports` - (Optional) Custom list of ports to be allowed. See [Port Choice Custom Ports ](#port-choice-custom-ports) below for details. - `disable_allowed_vip_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be disabled. (`Bool`). - `use_http_https_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be allowed. (`Bool`). - `use_http_port` - (Optional) Only HTTP Port (80) will be allowed. (`Bool`). - `use_https_port` - (Optional) Only HTTPS Port (443) will be allowed. (`Bool`). +### Volterra Sw Version Choice Default Sw Version +Will assign latest available F5XC Software Version. 
+### Vpc Attachments Vpc List -### Volterra Sw Version Choice Default Sw Version - - Will assign latest available F5XC Software Version. - - - -### Vpc Attachments Vpc List - - List of VPC attachments to transit gateway. +List of VPC attachments to transit gateway. `labels` - (Optional) Add labels for the VPC attachment. These labels can then be used in policies such as enhanced firewall. (`String`). `vpc_id` - (Optional) Information about existing VPC (`String`). +### Worker Nodes No Worker Nodes +Worker nodes is set to zero. -### Worker Nodes No Worker Nodes - - Worker nodes is set to zero. - - - -## Attribute Reference - -* `id` - This is the id of the configured aws_tgw_site. +Attribute Reference +------------------- +- `id` - This is the id of the configured aws_tgw_site. diff --git a/docs/resources/volterra_aws_vpc_site.md b/docs/resources/volterra_aws_vpc_site.md index 3b9aeb261..fa215f9a8 100644 --- a/docs/resources/volterra_aws_vpc_site.md +++ b/docs/resources/volterra_aws_vpc_site.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: aws_vpc_site" -description: "The aws_vpc_site allows CRUD of Aws Vpc Site resource on Volterra SaaS" +description: "The aws_vpc_site allows CRUD of Aws Vpc Site resource on Volterra SaaS" + --- -# Resource volterra_aws_vpc_site -The Aws Vpc Site allows CRUD of Aws Vpc Site resource on Volterra SaaS +Resource volterra_aws_vpc_site +============================== -~> **Note:** Please refer to [Aws Vpc Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-aws-vpc-site) to learn more +The Aws Vpc Site allows CRUD of Aws Vpc Site resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Aws Vpc Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-aws-vpc-site) to learn more + +Example Usage +------------- ```hcl resource "volterra_aws_vpc_site" "example" { 
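Review bot: in the docs/resources/volterra_aws_tgw_site.md hunk that ends just above, the rewritten headings `### Ver Ipv4` and `### Ver Ipv6` each appear twice (once for the address, once for the subnet address), so the two sections cannot be told apart by heading and a link by heading anchor cannot target the subnet variant unambiguously; give the subnet variants distinct headings. The IPv6 examples carried over under those headings, '2001:db8::2::' as the compressed form of '2001:db8:0:0:0:2:0:0' and again as the sample `prefix`, contain two `::` groups and are not valid IPv6 text; '2001:db8::2:0:0' is the valid compressed form of that address. The three Vif Choice descriptions also start mid-sentence ("and automatically associate ...", "and a user associate ..."), so the leading clause looks lost and should be restored from the API description.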
@@ -28,7 +21,7 @@ resource "volterra_aws_vpc_site" "example" { namespace = "staging" aws_region = ["us-east-1"] - // One of the arguments from this list "default_blocked_services block_all_services blocked_services" must be set + // One of the arguments from this list "block_all_services blocked_services default_blocked_services" must be set default_blocked_services = true @@ -44,7 +37,7 @@ resource "volterra_aws_vpc_site" "example" { direct_connect_disabled = true - // One of the arguments from this list "egress_virtual_private_gateway egress_gateway_default egress_nat_gw" must be set + // One of the arguments from this list "egress_gateway_default egress_nat_gw egress_virtual_private_gateway" must be set egress_gateway_default = true instance_type = ["a1.xlarge"] 
@@ -53,32 +46,44 @@ resource "volterra_aws_vpc_site" "example" { disable_internet_vip = true - // One of the arguments from this list "logs_streaming_disabled log_receiver" must be set + // One of the arguments from this list "log_receiver logs_streaming_disabled" must be set logs_streaming_disabled = true - // One of the arguments from this list "f5xc_security_group custom_security_group" must be set + // One of the arguments from this list "custom_security_group f5xc_security_group" must be set f5xc_security_group = true - // One of the arguments from this list "ingress_gw ingress_egress_gw voltstack_cluster" must be set + // One of the arguments from this list "ingress_egress_gw ingress_gw voltstack_cluster" must be set - ingress_gw { + ingress_egress_gw { allowed_vip_port { - // One of the arguments from this list "disable_allowed_vip_port use_http_port use_https_port use_http_https_port custom_ports" can be set + // One of the arguments from this list "custom_ports disable_allowed_vip_port use_http_https_port use_http_port use_https_port" can be set + + custom_ports { + port_ranges = "80, 8080-8085" + } + } - disable_allowed_vip_port = true + allowed_vip_port_sli { + // One of the arguments from this list "custom_ports disable_allowed_vip_port use_http_https_port use_http_port use_https_port" can be set + + custom_ports { + port_ranges = "80, 8080-8085" + } } - aws_certified_hw = "aws-byol-voltmesh" + aws_certified_hw = "aws-byol-multi-nic-voltmesh" az_nodes { aws_az_name = "us-west-2a" - disk_size = "80" + // One of the arguments from this list "inside_subnet reserved_inside_subnet" must be set - local_subnet { - // One of the arguments from this list "subnet_param existing_subnet_id" must be set + reserved_inside_subnet = true + disk_size = "80" + outside_subnet { + // One of the arguments from this list "existing_subnet_id subnet_param" must be set subnet_param { ipv4 = "10.1.2.0/24" 
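Review bot: the example in this hunk replaces `disable_allowed_vip_port = true` with `custom_ports { port_ranges = "80, 8080-8085" }` on both `allowed_vip_port` and the new `allowed_vip_port_sli`, so the copy-paste starting point now opens plain HTTP and a port range on the outside and the inside network. Keep the disabled choice in the example, or add a comment that the range is illustrative and should be narrowed to what the site actually serves. The example also sets `aws_region = ["us-east-1"]` while `az_nodes` uses `aws_az_name = "us-west-2a"`, an availability zone that does not belong to that region, so the two should be aligned.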
@@ -86,2060 +91,885 @@ resource "volterra_aws_vpc_site" "example" { ipv6 = "1234:568:abcd:9100::/64" } } + workload_subnet { + // One of the arguments from this list "existing_subnet_id subnet_param" must be set + + existing_subnet_id = "subnet-12345678901234567" + } } + // One of the arguments from this list "dc_cluster_group_inside_vn dc_cluster_group_outside_vn no_dc_cluster_group" must be set + + dc_cluster_group_inside_vn { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } + + // One of the arguments from this list "active_forward_proxy_policies forward_proxy_allow_all no_forward_proxy" must be set + + no_forward_proxy = true + + // One of the arguments from this list "global_network_list no_global_network" must be set + + no_global_network = true + + // One of the arguments from this list "inside_static_routes no_inside_static_routes" must be set + + no_inside_static_routes = true + + // One of the arguments from this list "active_enhanced_firewall_policies active_network_policies no_network_policy" must be set + + no_network_policy = true + + // One of the arguments from this list "no_outside_static_routes outside_static_routes" must be set + + outside_static_routes { + static_route_list { + // One of the arguments from this list "custom_static_route simple_static_route" must be set + + simple_static_route = "10.5.1.0/24" + } + } performance_enhancement_mode { - // One of the arguments from this list "perf_mode_l7_enhanced perf_mode_l3_enhanced" must be set + // One of the arguments from this list "perf_mode_l3_enhanced perf_mode_l7_enhanced" must be set perf_mode_l7_enhanced = true } + + // One of the arguments from this list "sm_connection_public_ip sm_connection_pvt_ip" must be set + + sm_connection_public_ip = true } ssh_key = ["ssh-rsa AAAAB..."] - // One of the arguments from this list "nodes_per_az total_nodes no_worker_nodes" must be set + // One of the arguments from this list "no_worker_nodes nodes_per_az total_nodes" must be set 
nodes_per_az = "2" } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `address` - (Optional) Site's geographical address that can be used determine its latitude and longitude. (`String`). - - -`admin_password` - (Optional) Admin password user for accessing site through serial console .. See [Admin Password ](#admin-password) below for details.(Deprecated) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +`admin_password` - (Optional) Admin password user for accessing site through serial console .. See [Admin Password ](#admin-password) below for details. `aws_region` - (Required) Name for AWS Region. (`String`). - - +###### One of the arguments from this list "block_all_services, blocked_services, default_blocked_services" must be set `block_all_services` - (Optional) Block DNS, SSH & WebUI services on Site (`Bool`). - `blocked_services` - (Optional) Use custom blocked services configuration. See [Blocked Services Choice Blocked Services ](#blocked-services-choice-blocked-services) below for details. - - - - - - - - - - - - - - - - - - - - - - - - `default_blocked_services` - (Optional) Allow access to DNS, SSH services on Site (`Bool`). - - - `coordinates` - (Optional) Site longitude and latitude co-ordinates. 
See [Coordinates ](#coordinates) below for details. - - - - `custom_dns` - (Optional) custom dns configure to the CE site. See [Custom Dns ](#custom-dns) below for details. +###### One of the arguments from this list "aws_cred" must be set +`aws_cred` - (Optional) Reference to AWS credentials for automatic deployment. See [ref](#ref) below for details. +###### One of the arguments from this list "direct_connect_disabled, direct_connect_enabled, private_connectivity" must be set +`direct_connect_disabled` - (Optional)Disable Private Connectivity to Site (`Bool`). +`direct_connect_enabled` - (Optional) Direct Connect feature is enabled(Legacy). See [Direct Connect Choice Direct Connect Enabled ](#direct-connect-choice-direct-connect-enabled) below for details. +`private_connectivity` - (Optional) Enable Private Connectivity to Site. See [Direct Connect Choice Private Connectivity ](#direct-connect-choice-private-connectivity) below for details. +`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`). -`aws_cred` - (Optional) Reference to AWS credentials for automatic deployment. See [ref](#ref) below for details. +###### One of the arguments from this list "egress_gateway_default, egress_nat_gw, egress_virtual_private_gateway" must be set +`egress_gateway_default` - (Optional) With this option, egress site traffic will be routed through an Internet Gateway. (`Bool`). +`egress_nat_gw` - (Optional) With this option, egress site traffic will be routed through an Network Address Translation(NAT) Gateway.. See [Egress Gateway Choice Egress Nat Gw ](#egress-gateway-choice-egress-nat-gw) below for details. +`egress_virtual_private_gateway` - (Optional) With this option, egress site traffic will be routed through an Virtual Private Gateway.. See [Egress Gateway Choice Egress Virtual Private Gateway ](#egress-gateway-choice-egress-virtual-private-gateway) below for details. 
+`instance_type` - (Required) Select Instance size based on performance needed (`String`). -`direct_connect_disabled` - (Optional)Disable Private Connectivity to Site (`Bool`). +###### One of the arguments from this list "disable_internet_vip, enable_internet_vip" must be set +`disable_internet_vip` - (Optional) VIPs cannot be advertised to the internet directly on this Site (`Bool`). -`direct_connect_enabled` - (Optional) Direct Connect feature is enabled(Legacy). See [Direct Connect Choice Direct Connect Enabled ](#direct-connect-choice-direct-connect-enabled) below for details. - +`enable_internet_vip` - (Optional) VIPs can be advertised to the internet directly on this Site (`Bool`). +`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. +###### One of the arguments from this list "log_receiver, logs_streaming_disabled" must be set +`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. - +`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). +`offline_survivability_mode` - (Optional) Enable/Disable offline survivability mode. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. +`os` - (Optional) Operating System Details. See [Os ](#os) below for details. +###### One of the arguments from this list "custom_security_group, f5xc_security_group" must be set +`custom_security_group` - (Optional) With this option, ingress and egress traffic will be controlled via security group ids.. See [Security Group Choice Custom Security Group ](#security-group-choice-custom-security-group) below for details. +`f5xc_security_group` - (Optional) With this option, ingress and egress traffic will be controlled via f5xc created security group. (`Bool`). 
+###### One of the arguments from this list "ingress_egress_gw, ingress_gw, voltstack_cluster" must be set - +`ingress_egress_gw` - (Optional) Two interface site is useful when site is used as ingress/egress gateway to the VPC.. See [Site Type Ingress Egress Gw ](#site-type-ingress-egress-gw) below for details. +`ingress_gw` - (Optional) One interface site is useful when site is only used as ingress gateway to the VPC.. See [Site Type Ingress Gw ](#site-type-ingress-gw) below for details. +`voltstack_cluster` - (Optional) App Stack Cluster using single interface, useful for deploying K8s cluster.. See [Site Type Voltstack Cluster ](#site-type-voltstack-cluster) below for details. +`ssh_key` - (Required) Public SSH key for accessing the site. (`String`). - +`sw` - (Optional) F5XC Software Details. See [Sw ](#sw) below for details. +`tags` - (Optional) It helps to manage, identify, organize, search for, and filter resources in AWS console. (`String`). +`vpc` - (Optional) Choice of using existing VPC or create new VPC. See [Vpc ](#vpc) below for details. +###### One of the arguments from this list "no_worker_nodes, nodes_per_az, total_nodes" must be set +`no_worker_nodes` - (Optional) Worker nodes is set to zero (`Bool`). - +`nodes_per_az` - (Optional) Desired Worker Nodes Per AZ. Max limit is up to 21 (`Int`). +`total_nodes` - (Optional) Total number of worker nodes to be deployed across all AZ's used in the Site (`Int`). +### Admin Password +Admin password user for accessing site through serial console .. - +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Coordinates +Site longitude and latitude co-ordinates. +`latitude` - (Optional) Latitude of the site location (`Float`). +`longitude` - (Optional) longitude of site location (`Float`). +### Custom Dns +custom dns configure to the CE site. - +`inside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in inside network (`String`). +`inside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in inside network (`String`). +`outside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in outside network (`String`). +`outside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in outside network (`String`). - +### Kubernetes Upgrade Drain +Enable Kubernetes Drain during OS or SW upgrade. 
+###### One of the arguments from this list "disable_upgrade_drain, enable_upgrade_drain" must be set +`disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). +`enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. -`private_connectivity` - (Optional) Enable Private Connectivity to Site. See [Direct Connect Choice Private Connectivity ](#direct-connect-choice-private-connectivity) below for details. - +### Offline Survivability Mode +Enable/Disable offline survivability mode. +###### One of the arguments from this list "enable_offline_survivability_mode, no_offline_survivability_mode" must be set +`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). +`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). - +### Os +Operating System Details. +###### One of the arguments from this list "default_os_version, operating_system_version" must be set +`default_os_version` - (Optional) Will assign latest available OS version (`Bool`). - +`operating_system_version` - (Optional) Specify a OS version to be used e.g. 9.2024.6. (`String`). +### Sw +F5XC Software Details. +###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set +`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). +`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). +### Vpc -`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`). +Choice of using existing VPC or create new VPC. +###### One of the arguments from this list "new_vpc, vpc_id" must be set +`new_vpc` - (Optional) Parameters for creating new VPC. 
See [Choice New Vpc ](#choice-new-vpc) below for details. +`vpc_id` - (Optional) Information about existing VPC ID (`String`). -`egress_gateway_default` - (Optional) With this option, egress site traffic will be routed through an Internet Gateway. (`Bool`). +### Admin Password Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. -`egress_nat_gw` - (Optional) With this option, egress site traffic will be routed through an Network Address Translation(NAT) Gateway.. See [Egress Gateway Choice Egress Nat Gw ](#egress-gateway-choice-egress-nat-gw) below for details. - +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Asn Choice Auto Asn +Automatically set ASN. +### Az Nodes Local Subnet -`egress_virtual_private_gateway` - (Optional) With this option, egress site traffic will be routed through an Virtual Private Gateway.. See [Egress Gateway Choice Egress Virtual Private Gateway ](#egress-gateway-choice-egress-virtual-private-gateway) below for details. - +Subnets for the site local interface of the node. +###### One of the arguments from this list "existing_subnet_id, subnet_param" must be set +`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). +`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. +### Az Nodes Outside Subnet +Subnet for the outside interface of the node. +###### One of the arguments from this list "existing_subnet_id, subnet_param" must be set +`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). 
-`instance_type` - (Required) Select Instance size based on performance needed (`String`). +`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. +### Az Nodes Workload Subnet +Subnet in which workloads are launched. +###### One of the arguments from this list "existing_subnet_id, subnet_param" must be set -`disable_internet_vip` - (Optional) VIPs cannot be advertised to the internet directly on this Site (`Bool`). +`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). +`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. -`enable_internet_vip` - (Optional) VIPs can be advertised to the internet directly on this Site (`Bool`). +### Blocked Services Blocked Sevice +x-displayName: "Disable Node Local Services". +###### One of the arguments from this list "dns, ssh, web_user_interface" can be set +`dns` - (Optional) Matches DNS port 53 (`Bool`). -`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. +`ssh` - (Optional) x-displayName: "SSH" (`Bool`). +`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). +`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). +### Blocked Services Choice Blocked Services - +Use custom blocked services configuration. +`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. +### Blocked Services Value Type Choice Dns +Matches DNS port 53. - +### Blocked Services Value Type Choice Ssh +x-displayName: "SSH". +### Blocked Services Value Type Choice Web User Interface +x-displayName: "Web UI". +### Choice Inside Subnet +Select Existing Subnet or Create New. 
+###### One of the arguments from this list "existing_subnet_id, subnet_param" must be set +`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). +`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. - +### Choice New Vpc +Parameters for creating new VPC. +`allocate_ipv6` - (Optional) Allocate IPv6 CIDR block from AWS (`Bool`).(Deprecated) +###### One of the arguments from this list "autogenerate, name_tag" must be set - +`autogenerate` - (Optional) Autogenerate the VPC Name (`Bool`). +`name_tag` - (Optional) Specify the VPC Name (`String`). +`primary_ipv4` - (Required) The Primary IPv4 block cannot be modified. All subnets prefixes in this VPC must be part of this CIDR block. (`String`). +### Choice Reserved Inside Subnet +Autogenerate and reserve a subnet from the Primary CIDR. +### Choice Subnet Param +Parameters for creating new subnet. +`ipv4` - (Required) IPv4 subnet prefix for this subnet (`String`). -`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. +`ipv6` - (Optional) IPv6 subnet prefix for this subnet (`String`). +### Config Mode Choice Custom Static Route -`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). +Use Custom static route to configure all advanced options. +`attrs` - (Optional) List of route attributes associated with the static route (`List of Strings`). +`labels` - (Optional) Add Labels for this Static Route, these labels can be used in network policy (`String`). +`nexthop` - (Optional) Nexthop for the route. See [Custom Static Route Nexthop ](#custom-static-route-nexthop) below for details. -`offline_survivability_mode` - (Optional) Enable/Disable offline survivability mode. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. +`subnets` - (Required) List of route prefixes. 
See [Custom Static Route Subnets ](#custom-static-route-subnets) below for details. +### Connection Choice Sli To Global Dr +Site local inside is connected directly to a given global network. +`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. - +### Connection Choice Slo To Global Dr +Site local outside is connected directly to a given global network. +`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. +### Connectivity Options Site Registration Over Direct Connect - +Site Registration and Site to RE tunnels go over the AWS Direct Connect Connection. +`cloudlink_network_name` - (Required) Establish private connectivity with the F5 Distributed Cloud Global Network using a Private ADN network. To provision a Private ADN network, please contact F5 Distributed Cloud support. (`String`). +### Connectivity Options Site Registration Over Internet +Site Registration and Site to RE tunnels go over the internet gateway. +### Custom Certificate Private Key -`os` - (Optional) Operating System Details. See [Os ](#os) below for details. +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set - +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. 
See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Custom Static Route Nexthop +Nexthop for the route. +`interface` - (Optional) Nexthop is network interface when type is "Network-Interface". See [ref](#ref) below for details. -`custom_security_group` - (Optional) With this option, ingress and egress traffic will be controlled via security group ids.. See [Security Group Choice Custom Security Group ](#security-group-choice-custom-security-group) below for details. - +`nexthop_address` - (Optional) Nexthop address when type is "Use-Configured". See [Nexthop Nexthop Address ](#nexthop-nexthop-address) below for details. +`type` - (Optional) Identifies the type of next-hop (`String`). +### Custom Static Route Subnets +List of route prefixes. +###### One of the arguments from this list "ipv4, ipv6" must be set -`f5xc_security_group` - (Optional) With this option, ingress and egress traffic will be controlled via f5xc created security group. (`Bool`). +`ipv4` - (Optional) IPv4 Subnet Address. See [Ver Ipv4 ](#ver-ipv4) below for details. +`ipv6` - (Optional) IPv6 Subnet Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Dc Cluster Group Choice No Dc Cluster Group +This site is not a member of dc cluster group. 
+### Direct Connect Choice Direct Connect Enabled -`ingress_egress_gw` - (Optional) Two interface site is useful when site is used as ingress/egress gateway to the VPC.. See [Site Type Ingress Egress Gw ](#site-type-ingress-egress-gw) below for details. - +Direct Connect feature is enabled(Legacy). +###### One of the arguments from this list "auto_asn, custom_asn" must be set - +`auto_asn` - (Optional) Automatically set ASN (`Bool`). +`custom_asn` - (Optional) Custom Autonomous System Number (`Int`). +###### One of the arguments from this list "hosted_vifs, manual_gw, standard_vifs" must be set +`hosted_vifs` - (Optional) and automatically associate provided hosted VIF and also setup BGP Peering.. See [Vif Choice Hosted Vifs ](#vif-choice-hosted-vifs) below for details. - +`manual_gw` - (Optional) and a user associate AWS DirectConnect Gateway with it. (`Bool`).(Deprecated) +`standard_vifs` - (Optional) and a user associate VIF to the DirectConnect gateway and setup BGP Peering. (`Bool`). +### Direct Connect Choice Private Connectivity +Enable Private Connectivity to Site. +`cloud_link` - (Required) Reference to Cloud Link. See [ref](#ref) below for details. - +###### One of the arguments from this list "inside, outside" can be set +`inside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site (`Bool`). +`outside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site (`Bool`). +### Egress Gateway Choice Egress Nat Gw - +With this option, egress site traffic will be routed through an Network Address Translation(NAT) Gateway.. +###### One of the arguments from this list "nat_gw_id" must be set +`nat_gw_id` - (Optional) x-displayName: "Existing NAT Gateway ID" (`String`). +### Egress Gateway Choice Egress Virtual Private Gateway - +With this option, egress site traffic will be routed through an Virtual Private Gateway.. 
+###### One of the arguments from this list "vgw_id" must be set +`vgw_id` - (Optional) x-displayName: "Existing Virtual Private Gateway ID" (`String`). +### Enable Disable Choice Disable Interception - +Disable Interception. +### Enable Disable Choice Enable Interception +Enable Interception. +### Forward Proxy Choice Active Forward Proxy Policies - +Enable Forward Proxy for this site and manage policies. +`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. +### Forward Proxy Choice Disable Forward Proxy +Forward Proxy is disabled for this connector. +### Forward Proxy Choice Enable Forward Proxy +Forward Proxy is enabled for this connector. +`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2000 (2 seconds) (`Int`). +`max_connect_attempts` - (Optional) Specifies the allowed number of retries on connect failure to upstream server. Defaults to 1. (`Int`). +###### One of the arguments from this list "no_interception, tls_intercept" can be set +`no_interception` - (Optional) No TLS interception is enabled for this network connector (`Bool`).(Deprecated) +`tls_intercept` - (Optional) Specify TLS interception configuration for the network connector. See [Tls Interception Choice Tls Intercept ](#tls-interception-choice-tls-intercept) below for details.(Deprecated) +`white_listed_ports` - (Optional) Example "tmate" server port (`Int`). +`white_listed_prefixes` - (Optional) Example "tmate" server ip (`String`). +### Forward Proxy Choice Forward Proxy Allow All +Enable Forward Proxy for this site and allow all requests.. +### Forward Proxy Choice No Forward Proxy +Disable Forward Proxy for this site. +### Global Network Choice Global Network List +List of global network connections. +`global_network_connections` - (Required) Global network connections. 
See [Global Network List Global Network Connections ](#global-network-list-global-network-connections) below for details. - +### Global Network Choice No Global Network +No global network to connect. +### Global Network List Global Network Connections +Global network connections. +###### One of the arguments from this list "sli_to_global_dr, slo_to_global_dr" must be set - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`ingress_gw` - (Optional) One interface site is useful when site is only used as ingress gateway to the VPC.. See [Site Type Ingress Gw ](#site-type-ingress-gw) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`voltstack_cluster` - (Optional) App Stack Cluster using single interface, useful for deploying K8s cluster.. See [Site Type Voltstack Cluster ](#site-type-voltstack-cluster) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`ssh_key` - (Required) Public SSH key for accessing the site. (`String`). - - - -`sw` - (Optional) F5XC Software Details. See [Sw ](#sw) below for details. 
- - - - - - - - - - - -`tags` - (Optional) It helps to manage, identify, organize, search for, and filter resources in AWS console. (`String`). - - - -`vpc` - (Optional) Choice of using existing VPC or create new VPC. See [Vpc ](#vpc) below for details. - - - - - - - - - - - - - - - - - - - - - - -`no_worker_nodes` - (Optional) Worker nodes is set to zero (`Bool`). - - -`nodes_per_az` - (Optional) Desired Worker Nodes Per AZ. Max limit is up to 21 (`Int`). - - -`total_nodes` - (Optional) Total number of worker nodes to be deployed across all AZ's used in the Site (`Int`). - - - - -### Admin Password - - Admin password user for accessing site through serial console .. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Coordinates - - Site longitude and latitude co-ordinates. - -`latitude` - (Optional) Latitude of the site location (`Float`). - -`longitude` - (Optional) longitude of site location (`Float`). - - - -### Custom Dns - - custom dns configure to the CE site. - -`inside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in inside network (`String`). - -`inside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in inside network (`String`). - -`outside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in outside network (`String`). - -`outside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in outside network (`String`). - - - -### Kubernetes Upgrade Drain - - Enable Kubernetes Drain during OS or SW upgrade. - - - -###### One of the arguments from this list "enable_upgrade_drain, disable_upgrade_drain" must be set - -`disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). - - -`enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. - - - - -### Offline Survivability Mode - - Enable/Disable offline survivability mode. - - - -###### One of the arguments from this list "no_offline_survivability_mode, enable_offline_survivability_mode" must be set - -`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). - - -`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). - - - - -### Os - - Operating System Details. 
- - - -###### One of the arguments from this list "default_os_version, operating_system_version" must be set - -`default_os_version` - (Optional) Will assign latest available OS version (`Bool`). - - -`operating_system_version` - (Optional) Specify a OS version to be used e.g. 9.2024.6. (`String`). - - - - -### Sw - - F5XC Software Details. - - - -###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set - -`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). - - -`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). - - - - -### Vpc - - Choice of using existing VPC or create new VPC. - - - -###### One of the arguments from this list "vpc_id, new_vpc" must be set - -`new_vpc` - (Optional) Parameters for creating new VPC. See [Choice New Vpc ](#choice-new-vpc) below for details. - - -`vpc_id` - (Optional) Information about existing VPC ID (`String`). - - - - -### Admin Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Asn Choice Auto Asn - - Automatically set ASN. - - - -### Az Nodes Local Subnet - - Subnets for the site local interface of the node. - - - -###### One of the arguments from this list "existing_subnet_id, subnet_param" must be set - -`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). - - -`subnet_param` - (Optional) Parameters for creating new subnet. 
See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Az Nodes Outside Subnet - - Subnet for the outside interface of the node. - - - -###### One of the arguments from this list "subnet_param, existing_subnet_id" must be set - -`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). - - -`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Az Nodes Workload Subnet - - Subnet in which workloads are launched. - - - -###### One of the arguments from this list "subnet_param, existing_subnet_id" must be set - -`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). - - -`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Blocked Services Blocked Sevice - - x-displayName: "Disable Node Local Services". - - - - -###### One of the arguments from this list "web_user_interface, dns, ssh" can be set - -`dns` - (Optional) Matches DNS port 53 (`Bool`). - - -`ssh` - (Optional) x-displayName: "SSH" (`Bool`). - - -`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). - - -`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). - - - -### Blocked Services Choice Blocked Services - - Use custom blocked services configuration. - -`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. - - - -### Blocked Services Value Type Choice Dns - - Matches DNS port 53. - - - -### Blocked Services Value Type Choice Ssh - - x-displayName: "SSH". - - - -### Blocked Services Value Type Choice Web User Interface - - x-displayName: "Web UI". - - - -### Choice Inside Subnet - - Select Existing Subnet or Create New. 
- - - -###### One of the arguments from this list "subnet_param, existing_subnet_id" must be set - -`existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). - - -`subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Choice New Vpc - - Parameters for creating new VPC. - -`allocate_ipv6` - (Optional) Allocate IPv6 CIDR block from AWS (`Bool`).(Deprecated) - - - -###### One of the arguments from this list "name_tag, autogenerate" must be set - -`autogenerate` - (Optional) Autogenerate the VPC Name (`Bool`). - - -`name_tag` - (Optional) Specify the VPC Name (`String`). - - -`primary_ipv4` - (Required) The Primary IPv4 block cannot be modified. All subnets prefixes in this VPC must be part of this CIDR block. (`String`). - - - -### Choice Reserved Inside Subnet - - Autogenerate and reserve a subnet from the Primary CIDR. - - - -### Choice Subnet Param - - Parameters for creating new subnet. - -`ipv4` - (Required) IPv4 subnet prefix for this subnet (`String`). - -`ipv6` - (Optional) IPv6 subnet prefix for this subnet (`String`). - - - -### Config Mode Choice Custom Static Route - - Use Custom static route to configure all advanced options. - -`attrs` - (Optional) List of route attributes associated with the static route (`List of Strings`). - -`labels` - (Optional) Add Labels for this Static Route, these labels can be used in network policy (`String`). - -`nexthop` - (Optional) Nexthop for the route. See [Custom Static Route Nexthop ](#custom-static-route-nexthop) below for details. - -`subnets` - (Required) List of route prefixes. See [Custom Static Route Subnets ](#custom-static-route-subnets) below for details. - - - -### Connection Choice Sli To Global Dr - - Site local inside is connected directly to a given global network. - -`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. 
- - - -### Connection Choice Slo To Global Dr - - Site local outside is connected directly to a given global network. - -`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. - - - -### Connectivity Options Site Registration Over Direct Connect - - Site Registration and Site to RE tunnels go over the AWS Direct Connect Connection. - -`cloudlink_network_name` - (Required) Establish private connectivity with the F5 Distributed Cloud Global Network using a Private ADN network. To provision a Private ADN network, please contact F5 Distributed Cloud support. (`String`). - - - -### Connectivity Options Site Registration Over Internet - - Site Registration and Site to RE tunnels go over the internet gateway. - - - -### Custom Certificate Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. 
- - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Custom Static Route Nexthop - - Nexthop for the route. - -`interface` - (Optional) Nexthop is network interface when type is "Network-Interface". See [ref](#ref) below for details. - -`nexthop_address` - (Optional) Nexthop address when type is "Use-Configured". See [Nexthop Nexthop Address ](#nexthop-nexthop-address) below for details. - -`type` - (Optional) Identifies the type of next-hop (`String`). - - - -### Custom Static Route Subnets - - List of route prefixes. - - - -###### One of the arguments from this list "ipv6, ipv4" must be set - -`ipv4` - (Optional) IPv4 Subnet Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - - -`ipv6` - (Optional) IPv6 Subnet Address. See [Ver Ipv6 ](#ver-ipv6) below for details. - - - - -### Dc Cluster Group Choice No Dc Cluster Group - - This site is not a member of dc cluster group. - - - -### Direct Connect Choice Direct Connect Enabled - - Direct Connect feature is enabled(Legacy). - - - -###### One of the arguments from this list "auto_asn, custom_asn" must be set - -`auto_asn` - (Optional) Automatically set ASN (`Bool`). - - -`custom_asn` - (Optional) Custom Autonomous System Number (`Int`). - - - - -###### One of the arguments from this list "hosted_vifs, standard_vifs, manual_gw" must be set - -`hosted_vifs` - (Optional) and automatically associate provided hosted VIF and also setup BGP Peering.. See [Vif Choice Hosted Vifs ](#vif-choice-hosted-vifs) below for details. - - -`manual_gw` - (Optional) and a user associate AWS DirectConnect Gateway with it. 
(`Bool`).(Deprecated) - - -`standard_vifs` - (Optional) and a user associate VIF to the DirectConnect gateway and setup BGP Peering. (`Bool`). - - - - -### Direct Connect Choice Private Connectivity - - Enable Private Connectivity to Site. - -`cloud_link` - (Required) Reference to Cloud Link. See [ref](#ref) below for details. - - - - -###### One of the arguments from this list "outside, inside" can be set - -`inside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site (`Bool`). - - -`outside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site (`Bool`). - - - - -### Egress Gateway Choice Egress Nat Gw - - With this option, egress site traffic will be routed through an Network Address Translation(NAT) Gateway.. - - - -###### One of the arguments from this list "nat_gw_id" must be set - -`nat_gw_id` - (Optional) x-displayName: "Existing NAT Gateway ID" (`String`). - - - - -### Egress Gateway Choice Egress Virtual Private Gateway - - With this option, egress site traffic will be routed through an Virtual Private Gateway.. - - - -###### One of the arguments from this list "vgw_id" must be set - -`vgw_id` - (Optional) x-displayName: "Existing Virtual Private Gateway ID" (`String`). - - - - -### Enable Disable Choice Disable Interception - - Disable Interception. - - - -### Enable Disable Choice Enable Interception - - Enable Interception. - - - -### Forward Proxy Choice Active Forward Proxy Policies - - Enable Forward Proxy for this site and manage policies. - -`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. - - - -### Forward Proxy Choice Disable Forward Proxy - - Forward Proxy is disabled for this connector. - - - -### Forward Proxy Choice Enable Forward Proxy - - Forward Proxy is enabled for this connector. 
- -`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2000 (2 seconds) (`Int`). - -`max_connect_attempts` - (Optional) Specifies the allowed number of retries on connect failure to upstream server. Defaults to 1. (`Int`). - - - - -###### One of the arguments from this list "tls_intercept, no_interception" can be set - -`no_interception` - (Optional) No TLS interception is enabled for this network connector (`Bool`).(Deprecated) - - -`tls_intercept` - (Optional) Specify TLS interception configuration for the network connector. See [Tls Interception Choice Tls Intercept ](#tls-interception-choice-tls-intercept) below for details.(Deprecated) - - -`white_listed_ports` - (Optional) Example "tmate" server port (`Int`). - -`white_listed_prefixes` - (Optional) Example "tmate" server ip (`String`). - - - -### Forward Proxy Choice Forward Proxy Allow All - - Enable Forward Proxy for this site and allow all requests.. - - - -### Forward Proxy Choice No Forward Proxy - - Disable Forward Proxy for this site. - - - -### Global Network Choice Global Network List - - List of global network connections. - -`global_network_connections` - (Required) Global network connections. See [Global Network List Global Network Connections ](#global-network-list-global-network-connections) below for details. - - - -### Global Network Choice No Global Network - - No global network to connect. - - - -### Global Network List Global Network Connections - - Global network connections. - - - -###### One of the arguments from this list "sli_to_global_dr, slo_to_global_dr" must be set - -`sli_to_global_dr` - (Optional) Site local inside is connected directly to a given global network. See [Connection Choice Sli To Global Dr ](#connection-choice-sli-to-global-dr) below for details. - - -`slo_to_global_dr` - (Optional) Site local outside is connected directly to a given global network. 
See [Connection Choice Slo To Global Dr ](#connection-choice-slo-to-global-dr) below for details. - - - +`sli_to_global_dr` - (Optional) Site local inside is connected directly to a given global network. See [Connection Choice Sli To Global Dr ](#connection-choice-sli-to-global-dr) below for details. +`slo_to_global_dr` - (Optional) Site local outside is connected directly to a given global network. See [Connection Choice Slo To Global Dr ](#connection-choice-slo-to-global-dr) below for details. ###### One of the arguments from this list "disable_forward_proxy, enable_forward_proxy" can be set `disable_forward_proxy` - (Optional) Forward Proxy is disabled for this connector (`Bool`).(Deprecated) +`enable_forward_proxy` - (Optional) Forward Proxy is enabled for this connector. See [Forward Proxy Choice Enable Forward Proxy ](#forward-proxy-choice-enable-forward-proxy) below for details.(Deprecated) -`enable_forward_proxy` - (Optional) Forward Proxy is enabled for this connector. See [Forward Proxy Choice Enable Forward Proxy ](#forward-proxy-choice-enable-forward-proxy) below for details.(Deprecated) - - - - -### Hosted Vifs Vif List - - List of Hosted VIF Config. - -`vif_id` - (Required) AWS Direct Connect VIF ID that needs to be connected to the site (`String`). - - - -###### One of the arguments from this list "same_as_site_region, other_region" must be set - -`other_region` - (Optional) Other Region (`String`). - - -`same_as_site_region` - (Optional) Use same region as that of the Site (`Bool`). - - - - -### Ingress Egress Gw Allowed Vip Port - - Allowed VIP Port Configuration for Outside Network. - - - - -###### One of the arguments from this list "disable_allowed_vip_port, use_http_port, use_https_port, use_http_https_port, custom_ports" can be set - -`custom_ports` - (Optional) Custom list of ports to be allowed. See [Port Choice Custom Ports ](#port-choice-custom-ports) below for details. 
- - -`disable_allowed_vip_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be disabled. (`Bool`). - - -`use_http_https_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be allowed. (`Bool`). - - -`use_http_port` - (Optional) Only HTTP Port (80) will be allowed. (`Bool`). - - -`use_https_port` - (Optional) Only HTTPS Port (443) will be allowed. (`Bool`). - - - - -### Ingress Egress Gw Allowed Vip Port Sli - - Allowed VIP Port Configuration for Inside Network. - - - - -###### One of the arguments from this list "use_http_port, use_https_port, use_http_https_port, custom_ports, disable_allowed_vip_port" can be set - -`custom_ports` - (Optional) Custom list of ports to be allowed. See [Port Choice Custom Ports ](#port-choice-custom-ports) below for details. - - -`disable_allowed_vip_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be disabled. (`Bool`). - - -`use_http_https_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be allowed. (`Bool`). - - -`use_http_port` - (Optional) Only HTTP Port (80) will be allowed. (`Bool`). - - -`use_https_port` - (Optional) Only HTTPS Port (443) will be allowed. (`Bool`). - - - - -### Ingress Egress Gw Az Nodes - - Only Single AZ or Three AZ(s) nodes are supported currently.. - -`aws_az_name` - (Required) AWS availability zone, must be consistent with the selected AWS region. (`String`). - - - -###### One of the arguments from this list "reserved_inside_subnet, inside_subnet" must be set - -`inside_subnet` - (Optional) Select Existing Subnet or Create New. See [Choice Inside Subnet ](#choice-inside-subnet) below for details. - - -`reserved_inside_subnet` - (Optional) Autogenerate and reserve a subnet from the Primary CIDR (`Bool`). - - -`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`).(Deprecated) - -`outside_subnet` - (Required) Subnet for the outside interface of the node. See [Az Nodes Outside Subnet ](#az-nodes-outside-subnet) below for details. 
- -`workload_subnet` - (Optional) Subnet in which workloads are launched. See [Az Nodes Workload Subnet ](#az-nodes-workload-subnet) below for details. - - - -### Ingress Egress Gw Performance Enhancement Mode - - Performance Enhancement Mode to optimize for L3 or L7 networking. - - - -###### One of the arguments from this list "perf_mode_l7_enhanced, perf_mode_l3_enhanced" must be set - -`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - - -`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). - - - - -### Ingress Gw Allowed Vip Port - - Allowed VIP Port Configuration. - - - - -###### One of the arguments from this list "disable_allowed_vip_port, use_http_port, use_https_port, use_http_https_port, custom_ports" can be set - -`custom_ports` - (Optional) Custom list of ports to be allowed. See [Port Choice Custom Ports ](#port-choice-custom-ports) below for details. - - -`disable_allowed_vip_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be disabled. (`Bool`). - - -`use_http_https_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be allowed. (`Bool`). - - -`use_http_port` - (Optional) Only HTTP Port (80) will be allowed. (`Bool`). - - -`use_https_port` - (Optional) Only HTTPS Port (443) will be allowed. (`Bool`). - - - - -### Ingress Gw Az Nodes - - Only Single AZ or Three AZ(s) nodes are supported currently.. - -`aws_az_name` - (Required) AWS availability zone, must be consistent with the selected AWS region. (`String`). - -`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`).(Deprecated) - -`local_subnet` - (Optional) Subnets for the site local interface of the node. See [Az Nodes Local Subnet ](#az-nodes-local-subnet) below for details. 
- - - -### Ingress Gw Performance Enhancement Mode - - Performance Enhancement Mode to optimize for L3 or L7 networking. - - - -###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set - -`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - - -`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). - - - - -### Inside Static Route Choice Inside Static Routes - - Manage static routes for inside network.. - -`static_route_list` - (Required) List of Static routes. See [Inside Static Routes Static Route List ](#inside-static-routes-static-route-list) below for details. - - - -### Inside Static Route Choice No Inside Static Routes - - Static Routes disabled for inside network.. - - - -### Inside Static Routes Static Route List - - List of Static routes. - - - -###### One of the arguments from this list "simple_static_route, custom_static_route" must be set - -`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. - - -`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). - - - - -### Interception Policy Choice Enable For All Domains - - Enable interception for all domains. - - - -### Interception Policy Choice Policy - - Policy to enable/disable specific domains, with implicit enable all domains. - -`interception_rules` - (Required) List of ordered rules to enable or disable for TLS interception. See [Policy Interception Rules ](#policy-interception-rules) below for details. - - - -### Interception Rules Domain Match - - Domain value or regular expression to match. 
- - - -###### One of the arguments from this list "regex_value, exact_value, suffix_value" must be set - -`exact_value` - (Optional) Exact domain name. (`String`). - - -`regex_value` - (Optional) Regular Expression value for the domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - - - -### K8s Cluster Choice No K8s Cluster - - Site Local K8s API access is disabled. - - - -### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain - - x-displayName: "Disable Node by Node Upgrade". - - - -### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain +### Hosted Vifs Vif List - x-displayName: "Enable Node by Node Upgrade". +List of Hosted VIF Config. +`vif_id` - (Required) AWS Direct Connect VIF ID that needs to be connected to the site (`String`). +###### One of the arguments from this list "other_region, same_as_site_region" must be set -###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set +`other_region` - (Optional) Other Region (`String`). -`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). +`same_as_site_region` - (Optional) Use same region as that of the Site (`Bool`). +### Ingress Egress Gw Allowed Vip Port -`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) +Allowed VIP Port Configuration for Outside Network. +###### One of the arguments from this list "custom_ports, disable_allowed_vip_port, use_http_https_port, use_http_port, use_https_port" can be set -`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). +`custom_ports` - (Optional) Custom list of ports to be allowed. 
See [Port Choice Custom Ports ](#port-choice-custom-ports) below for details. +`disable_allowed_vip_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be disabled. (`Bool`). +`use_http_https_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be allowed. (`Bool`). -###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set +`use_http_port` - (Optional) Only HTTP Port (80) will be allowed. (`Bool`). -`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) +`use_https_port` - (Optional) Only HTTPS Port (443) will be allowed. (`Bool`). +### Ingress Egress Gw Allowed Vip Port Sli -`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) +Allowed VIP Port Configuration for Inside Network. +###### One of the arguments from this list "custom_ports, disable_allowed_vip_port, use_http_https_port, use_http_port, use_https_port" can be set +`custom_ports` - (Optional) Custom list of ports to be allowed. See [Port Choice Custom Ports ](#port-choice-custom-ports) below for details. +`disable_allowed_vip_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be disabled. (`Bool`). -### Name Choice Autogenerate +`use_http_https_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be allowed. (`Bool`). - Autogenerate the VPC Name. +`use_http_port` - (Optional) Only HTTP Port (80) will be allowed. (`Bool`). +`use_https_port` - (Optional) Only HTTPS Port (443) will be allowed. (`Bool`). +### Ingress Egress Gw Az Nodes -### Network Options Inside +Only Single AZ or Three AZ(s) nodes are supported currently.. - CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site. +`aws_az_name` - (Required) AWS availability zone, must be consistent with the selected AWS region. (`String`). 
+###### One of the arguments from this list "inside_subnet, reserved_inside_subnet" must be set +`inside_subnet` - (Optional) Select Existing Subnet or Create New. See [Choice Inside Subnet ](#choice-inside-subnet) below for details. -### Network Options Outside +`reserved_inside_subnet` - (Optional) Autogenerate and reserve a subnet from the Primary CIDR (`Bool`). - CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site. +`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`).(Deprecated) +`outside_subnet` - (Required) Subnet for the outside interface of the node. See [Az Nodes Outside Subnet ](#az-nodes-outside-subnet) below for details. +`workload_subnet` - (Optional) Subnet in which workloads are launched. See [Az Nodes Workload Subnet ](#az-nodes-workload-subnet) below for details. -### Network Policy Choice Active Enhanced Firewall Policies +### Ingress Egress Gw Performance Enhancement Mode - with an additional option for service insertion.. +Performance Enhancement Mode to optimize for L3 or L7 networking. -`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. +###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set +`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. +`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). -### Network Policy Choice Active Network Policies +### Ingress Gw Allowed Vip Port - Firewall Policies active for this site.. +Allowed VIP Port Configuration. -`network_policies` - (Required) Ordered List of Firewall Policies active for this network firewall. See [ref](#ref) below for details. 
+###### One of the arguments from this list "custom_ports, disable_allowed_vip_port, use_http_https_port, use_http_port, use_https_port" can be set +`custom_ports` - (Optional) Custom list of ports to be allowed. See [Port Choice Custom Ports ](#port-choice-custom-ports) below for details. +`disable_allowed_vip_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be disabled. (`Bool`). -### Network Policy Choice No Network Policy +`use_http_https_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be allowed. (`Bool`). - Firewall Policy is disabled for this site.. +`use_http_port` - (Optional) Only HTTP Port (80) will be allowed. (`Bool`). +`use_https_port` - (Optional) Only HTTPS Port (443) will be allowed. (`Bool`). +### Ingress Gw Az Nodes -### Nexthop Nexthop Address +Only Single AZ or Three AZ(s) nodes are supported currently.. - Nexthop address when type is "Use-Configured". +`aws_az_name` - (Required) AWS availability zone, must be consistent with the selected AWS region. (`String`). +`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`).(Deprecated) +`local_subnet` - (Optional) Subnets for the site local interface of the node. See [Az Nodes Local Subnet ](#az-nodes-local-subnet) below for details. +### Ingress Gw Performance Enhancement Mode -###### One of the arguments from this list "ipv4, ipv6" can be set +Performance Enhancement Mode to optimize for L3 or L7 networking. -`ipv4` - (Optional) IPv4 Address. See [Ver Ipv4 ](#ver-ipv4) below for details. +###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set +`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. -`ipv6` - (Optional) IPv6 Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). 
+### Inside Static Route Choice Inside Static Routes +Manage static routes for inside network.. +`static_route_list` - (Required) List of Static routes. See [Inside Static Routes Static Route List ](#inside-static-routes-static-route-list) below for details. -### Ocsp Stapling Choice Custom Hash Algorithms +### Inside Static Route Choice No Inside Static Routes - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +Static Routes disabled for inside network.. -`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Inside Static Routes Static Route List +List of Static routes. +###### One of the arguments from this list "custom_static_route, simple_static_route" must be set -### Ocsp Stapling Choice Disable Ocsp Stapling +`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. - This is the default behavior if no choice is selected.. +`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). +### Interception Policy Choice Enable For All Domains +Enable interception for all domains. -### Ocsp Stapling Choice Use System Defaults +### Interception Policy Choice Policy - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. +Policy to enable/disable specific domains, with implicit enable all domains. +`interception_rules` - (Required) List of ordered rules to enable or disable for TLS interception. See [Policy Interception Rules ](#policy-interception-rules) below for details. 
+### Interception Rules Domain Match -### Offline Survivability Mode Choice Enable Offline Survivability Mode +Domain value or regular expression to match. - x-displayName: "Enabled". +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set +`exact_value` - (Optional) Exact domain name. (`String`). +`regex_value` - (Optional) Regular Expression value for the domain name (`String`). -### Offline Survivability Mode Choice No Offline Survivability Mode +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - x-displayName: "Disabled". +### K8s Cluster Choice No K8s Cluster +Site Local K8s API access is disabled. +### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain -### Operating System Version Choice Default Os Version +x-displayName: "Disable Node by Node Upgrade". - Will assign latest available OS version. +### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain +x-displayName: "Enable Node by Node Upgrade". +###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set -### Outside Static Route Choice No Outside Static Routes +`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). - Static Routes disabled for outside network.. +`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) +`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). 
+###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set -### Outside Static Route Choice Outside Static Routes +`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) - Manage static routes for outside network.. +`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) -`static_route_list` - (Required) List of Static routes. See [Outside Static Routes Static Route List ](#outside-static-routes-static-route-list) below for details. +### Name Choice Autogenerate +Autogenerate the VPC Name. +### Network Options Inside -### Outside Static Routes Static Route List +CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site. - List of Static routes. +### Network Options Outside +CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site. +### Network Policy Choice Active Enhanced Firewall Policies -###### One of the arguments from this list "custom_static_route, simple_static_route" must be set +with an additional option for service insertion.. -`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. +`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. +### Network Policy Choice Active Network Policies -`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). +Firewall Policies active for this site.. +`network_policies` - (Required) Ordered List of Firewall Policies active for this network firewall. See [ref](#ref) below for details. +### Network Policy Choice No Network Policy +Firewall Policy is disabled for this site.. 
-### Perf Mode Choice Jumbo +### Nexthop Nexthop Address - x-displayName: "Enabled". +Nexthop address when type is "Use-Configured". +###### One of the arguments from this list "ipv4, ipv6" can be set +`ipv4` - (Optional) IPv4 Address. See [Ver Ipv4 ](#ver-ipv4) below for details. -### Perf Mode Choice No Jumbo +`ipv6` - (Optional) IPv6 Address. See [Ver Ipv6 ](#ver-ipv6) below for details. - x-displayName: "Disabled". +### Ocsp Stapling Choice Custom Hash Algorithms +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). -### Perf Mode Choice Perf Mode L3 Enhanced +### Ocsp Stapling Choice Disable Ocsp Stapling - Site optimized for L3 traffic processing. +This is the default behavior if no choice is selected.. +### Ocsp Stapling Choice Use System Defaults +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. -###### One of the arguments from this list "no_jumbo, jumbo" must be set +### Offline Survivability Mode Choice Enable Offline Survivability Mode -`jumbo` - (Optional) x-displayName: "Enabled" (`Bool`). +x-displayName: "Enabled". +### Offline Survivability Mode Choice No Offline Survivability Mode -`no_jumbo` - (Optional) x-displayName: "Disabled" (`Bool`). +x-displayName: "Disabled". +### Operating System Version Choice Default Os Version +Will assign latest available OS version. +### Outside Static Route Choice No Outside Static Routes -### Perf Mode Choice Perf Mode L7 Enhanced +Static Routes disabled for outside network.. - Site optimized for L7 traffic processing. +### Outside Static Route Choice Outside Static Routes +Manage static routes for outside network.. +`static_route_list` - (Required) List of Static routes. 
See [Outside Static Routes Static Route List ](#outside-static-routes-static-route-list) below for details. -### Policy Interception Rules +### Outside Static Routes Static Route List - List of ordered rules to enable or disable for TLS interception. +List of Static routes. -`domain_match` - (Required) Domain value or regular expression to match. See [Interception Rules Domain Match ](#interception-rules-domain-match) below for details. +###### One of the arguments from this list "custom_static_route, simple_static_route" must be set +`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. +`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). -###### One of the arguments from this list "disable_interception, enable_interception" must be set +### Perf Mode Choice Jumbo -`disable_interception` - (Optional) Disable Interception (`Bool`). +x-displayName: "Enabled". +### Perf Mode Choice No Jumbo -`enable_interception` - (Optional) Enable Interception (`Bool`). +x-displayName: "Disabled". +### Perf Mode Choice Perf Mode L3 Enhanced +Site optimized for L3 traffic processing. +###### One of the arguments from this list "jumbo, no_jumbo" must be set -### Port Choice Custom Ports +`jumbo` - (Optional) x-displayName: "Enabled" (`Bool`). - Custom list of ports to be allowed. +`no_jumbo` - (Optional) x-displayName: "Disabled" (`Bool`). -`port_ranges` - (Required) Port Ranges (`String`). +### Perf Mode Choice Perf Mode L7 Enhanced +Site optimized for L7 traffic processing. +### Policy Interception Rules -### Port Choice Disable Allowed Vip Port +List of ordered rules to enable or disable for TLS interception. - HTTP Port (80) & HTTPS Port (443) will be disabled.. +`domain_match` - (Required) Domain value or regular expression to match. 
See [Interception Rules Domain Match ](#interception-rules-domain-match) below for details. +###### One of the arguments from this list "disable_interception, enable_interception" must be set +`disable_interception` - (Optional) Disable Interception (`Bool`). -### Port Choice Use Http Https Port +`enable_interception` - (Optional) Enable Interception (`Bool`). - HTTP Port (80) & HTTPS Port (443) will be allowed.. +### Port Choice Custom Ports +Custom list of ports to be allowed. +`port_ranges` - (Required) Port Ranges (`String`). -### Port Choice Use Http Port +### Port Choice Disable Allowed Vip Port - Only HTTP Port (80) will be allowed.. +HTTP Port (80) & HTTPS Port (443) will be disabled.. +### Port Choice Use Http Https Port +HTTP Port (80) & HTTPS Port (443) will be allowed.. -### Port Choice Use Https Port +### Port Choice Use Http Port - Only HTTPS Port (443) will be allowed.. +Only HTTP Port (80) will be allowed.. +### Port Choice Use Https Port +Only HTTPS Port (443) will be allowed.. -### Private Key Blindfold Secret Info Internal +### Private Key Blindfold Secret Info Internal - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -2147,10 +977,7 @@ resource "volterra_aws_vpc_site" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -2160,11 +987,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -2172,21 +997,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -2198,73 +1019,53 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Security Group Choice Custom Security Group - -### Security Group Choice Custom Security Group - - With this option, ingress and egress traffic will be controlled via security group ids.. +With this option, ingress and egress traffic will be controlled via security group ids.. `inside_security_group_id` - (Optional) Security Group ID to be attached to SLI(Site Local Inside) Interface (`String`). `outside_security_group_id` - (Optional) Security Group ID to be attached to SLO(Site Local Outside) Interface (`String`). +### Signing Cert Choice Custom Certificate - -### Signing Cert Choice Custom Certificate - - Certificates for generating intermediate certificate for TLS interception.. +Certificates for generating intermediate certificate for TLS interception.. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "custom_hash_algorithms, use_system_defaults, disable_ocsp_stapling" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. 
See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Custom Certificate Private Key ](#custom-certificate-private-key) below for details. +### Signing Cert Choice Volterra Certificate +F5XC certificates for generating intermediate certificate for TLS interception.. -### Signing Cert Choice Volterra Certificate - - F5XC certificates for generating intermediate certificate for TLS interception.. +### Site Mesh Group Choice Sm Connection Public Ip +creating ipsec between two sites which are part of the site mesh group. +### Site Mesh Group Choice Sm Connection Pvt Ip -### Site Mesh Group Choice Sm Connection Public Ip +creating ipsec between two sites which are part of the site mesh group. - creating ipsec between two sites which are part of the site mesh group. +### Site Type Ingress Egress Gw - - -### Site Mesh Group Choice Sm Connection Pvt Ip - - creating ipsec between two sites which are part of the site mesh group. - - - -### Site Type Ingress Egress Gw - - Two interface site is useful when site is used as ingress/egress gateway to the VPC.. +Two interface site is useful when site is used as ingress/egress gateway to the VPC.. `allowed_vip_port` - (Optional) Allowed VIP Port Configuration for Outside Network. 
See [Ingress Egress Gw Allowed Vip Port ](#ingress-egress-gw-allowed-vip-port) below for details. 
@@ -2274,92 +1075,59 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `az_nodes` - (Required) Only Single AZ or Three AZ(s) nodes are supported currently.. See [Ingress Egress Gw Az Nodes ](#ingress-egress-gw-az-nodes) below for details. - - -###### One of the arguments from this list "no_dc_cluster_group, dc_cluster_group_outside_vn, dc_cluster_group_inside_vn" must be set +###### One of the arguments from this list "dc_cluster_group_inside_vn, dc_cluster_group_outside_vn, no_dc_cluster_group" must be set `dc_cluster_group_inside_vn` - (Optional) This site is member of dc cluster group connected via inside network. See [ref](#ref) below for details. - `dc_cluster_group_outside_vn` - (Optional) This site is member of dc cluster group connected via outside network. See [ref](#ref) below for details. - `no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). - - - -###### One of the arguments from this list "no_forward_proxy, active_forward_proxy_policies, forward_proxy_allow_all" must be set +###### One of the arguments from this list "active_forward_proxy_policies, forward_proxy_allow_all, no_forward_proxy" must be set `active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. - `forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). - `no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). - - - -###### One of the arguments from this list "no_global_network, global_network_list" must be set +###### One of the arguments from this list "global_network_list, no_global_network" must be set `global_network_list` - (Optional) List of global network connections. 
See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - `no_global_network` - (Optional) No global network to connect (`Bool`). - - - -###### One of the arguments from this list "no_inside_static_routes, inside_static_routes" must be set +###### One of the arguments from this list "inside_static_routes, no_inside_static_routes" must be set `inside_static_routes` - (Optional) Manage static routes for inside network.. See [Inside Static Route Choice Inside Static Routes ](#inside-static-route-choice-inside-static-routes) below for details. - `no_inside_static_routes` - (Optional) Static Routes disabled for inside network. (`Bool`). - - - -###### One of the arguments from this list "active_network_policies, active_enhanced_firewall_policies, no_network_policy" must be set +###### One of the arguments from this list "active_enhanced_firewall_policies, active_network_policies, no_network_policy" must be set `active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - `active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - `no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). - - - ###### One of the arguments from this list "no_outside_static_routes, outside_static_routes" must be set `no_outside_static_routes` - (Optional) Static Routes disabled for outside network. (`Bool`). - `outside_static_routes` - (Optional) Manage static routes for outside network.. See [Outside Static Route Choice Outside Static Routes ](#outside-static-route-choice-outside-static-routes) below for details. 
- `performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Ingress Egress Gw Performance Enhancement Mode ](#ingress-egress-gw-performance-enhancement-mode) below for details. - - ###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set `sm_connection_public_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - `sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). +### Site Type Ingress Gw - - -### Site Type Ingress Gw - - One interface site is useful when site is only used as ingress gateway to the VPC.. +One interface site is useful when site is only used as ingress gateway to the VPC.. `allowed_vip_port` - (Optional) Allowed VIP Port Configuration. See [Ingress Gw Allowed Vip Port ](#ingress-gw-allowed-vip-port) below for details. @@ -2369,11 +1137,9 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Ingress Gw Performance Enhancement Mode ](#ingress-gw-performance-enhancement-mode) below for details. +### Site Type Voltstack Cluster - -### Site Type Voltstack Cluster - - App Stack Cluster using single interface, useful for deploying K8s cluster.. +App Stack Cluster using single interface, useful for deploying K8s cluster.. `allowed_vip_port` - (Optional) Allowed VIP Port Configuration. See [Voltstack Cluster Allowed Vip Port ](#voltstack-cluster-allowed-vip-port) below for details. 
@@ -2381,288 +1147,191 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `az_nodes` - (Required) Only Single AZ or Three AZ(s) nodes are supported currently.. See [Voltstack Cluster Az Nodes ](#voltstack-cluster-az-nodes) below for details. - - -###### One of the arguments from this list "no_dc_cluster_group, dc_cluster_group" must be set +###### One of the arguments from this list "dc_cluster_group, no_dc_cluster_group" must be set `dc_cluster_group` - (Optional) This site is member of dc cluster group connected via outside network. See [ref](#ref) below for details. - `no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). - - - -###### One of the arguments from this list "no_forward_proxy, active_forward_proxy_policies, forward_proxy_allow_all" must be set +###### One of the arguments from this list "active_forward_proxy_policies, forward_proxy_allow_all, no_forward_proxy" must be set `active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. - `forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). - `no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). - - - ###### One of the arguments from this list "global_network_list, no_global_network" must be set `global_network_list` - (Optional) List of global network connections. See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - `no_global_network` - (Optional) No global network to connect (`Bool`). 
- - - -###### One of the arguments from this list "no_k8s_cluster, k8s_cluster" must be set +###### One of the arguments from this list "k8s_cluster, no_k8s_cluster" must be set `k8s_cluster` - (Optional) Site Local K8s API access is enabled, using k8s_cluster object. See [ref](#ref) below for details. - `no_k8s_cluster` - (Optional) Site Local K8s API access is disabled (`Bool`). - - - -###### One of the arguments from this list "no_network_policy, active_network_policies, active_enhanced_firewall_policies" must be set +###### One of the arguments from this list "active_enhanced_firewall_policies, active_network_policies, no_network_policy" must be set `active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - `active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - `no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). - - - -###### One of the arguments from this list "outside_static_routes, no_outside_static_routes" must be set +###### One of the arguments from this list "no_outside_static_routes, outside_static_routes" must be set `no_outside_static_routes` - (Optional) Static Routes disabled for site local network. (`Bool`). - `outside_static_routes` - (Optional) Manage static routes for site local network.. See [Outside Static Route Choice Outside Static Routes ](#outside-static-route-choice-outside-static-routes) below for details. - - - ###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set `sm_connection_public_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). 
- `sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - - - ###### One of the arguments from this list "default_storage, storage_class_list" must be set `default_storage` - (Optional) Use standard storage class configured as AWS EBS (`Bool`). - `storage_class_list` - (Optional) Add additional custom storage classes in kubernetes for site. See [Storage Class Choice Storage Class List ](#storage-class-choice-storage-class-list) below for details. +### Storage Class Choice Default Storage +Use standard storage class configured as AWS EBS. +### Storage Class Choice Storage Class List -### Storage Class Choice Default Storage - - Use standard storage class configured as AWS EBS. - - - -### Storage Class Choice Storage Class List - - Add additional custom storage classes in kubernetes for site. +Add additional custom storage classes in kubernetes for site. `storage_classes` - (Optional) List of custom storage classes. See [Storage Class List Storage Classes ](#storage-class-list-storage-classes) below for details. +### Storage Class List Storage Classes - -### Storage Class List Storage Classes - - List of custom storage classes. +List of custom storage classes. `default_storage_class` - (Optional) Make this storage class default storage class for the K8s cluster (`Bool`). `storage_class_name` - (Required) Name of the storage class as it will appear in K8s. (`String`). +### Tls Interception Choice No Interception +No TLS interception is enabled for this network connector. -### Tls Interception Choice No Interception - - No TLS interception is enabled for this network connector. - - - -### Tls Interception Choice Tls Intercept - - Specify TLS interception configuration for the network connector. - +### Tls Interception Choice Tls Intercept +Specify TLS interception configuration for the network connector. 
###### One of the arguments from this list "enable_for_all_domains, policy" must be set `enable_for_all_domains` - (Optional) Enable interception for all domains (`Bool`). - `policy` - (Optional) Policy to enable/disable specific domains, with implicit enable all domains. See [Interception Policy Choice Policy ](#interception-policy-choice-policy) below for details. - - - ###### One of the arguments from this list "custom_certificate, volterra_certificate" must be set `custom_certificate` - (Optional) Certificates for generating intermediate certificate for TLS interception.. See [Signing Cert Choice Custom Certificate ](#signing-cert-choice-custom-certificate) below for details. - `volterra_certificate` - (Optional) F5XC certificates for generating intermediate certificate for TLS interception. (`Bool`). - - - ###### One of the arguments from this list "trusted_ca_url, volterra_trusted_ca" must be set `trusted_ca_url` - (Optional) Custom Root CA Certificate for validating upstream server certificate (`String`). - `volterra_trusted_ca` - (Optional) F5XC Root CA Certificate for validating upstream server certificate (`Bool`). +### Trusted Ca Choice Volterra Trusted Ca +F5XC Root CA Certificate for validating upstream server certificate. +### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode -### Trusted Ca Choice Volterra Trusted Ca - - F5XC Root CA Certificate for validating upstream server certificate. - - - -### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode - - Disable Vega Upgrade Mode. +Disable Vega Upgrade Mode. +### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode +When enabled, vega will inform RE to stop traffic to the specific node.. -### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode +### Ver Ipv4 - When enabled, vega will inform RE to stop traffic to the specific node.. - - - -### Ver Ipv4 - - IPv4 Address. +IPv4 Address. `addr` - (Optional) IPv4 Address in string form with dot-decimal notation (`String`). 
+### Ver Ipv4 - -### Ver Ipv4 - - IPv4 Subnet Address. +IPv4 Subnet Address. `plen` - (Optional) Prefix-length of the IPv4 subnet. Must be <= 32 (`Int`). `prefix` - (Optional) Prefix part of the IPv4 subnet in string form with dot-decimal notation (`String`). +### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Address. +IPv6 Address. `addr` - (Optional) e.g. '2001:db8:0:0:0:0:2:1' becomes '2001:db8::2:1' or '2001:db8:0:0:0:2:0:0' becomes '2001:db8::2::' (`String`). +### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Subnet Address. +IPv6 Subnet Address. `plen` - (Optional) Prefix length of the IPv6 subnet. Must be <= 128 (`Int`). `prefix` - (Optional) e.g. "2001:db8::2::" (`String`). +### Vif Choice Hosted Vifs +and automatically associate provided hosted VIF and also setup BGP Peering.. -### Vif Choice Hosted Vifs - - and automatically associate provided hosted VIF and also setup BGP Peering.. - - - - -###### One of the arguments from this list "site_registration_over_internet, site_registration_over_direct_connect" can be set +###### One of the arguments from this list "site_registration_over_direct_connect, site_registration_over_internet" can be set `site_registration_over_direct_connect` - (Optional) Site Registration and Site to RE tunnels go over the AWS Direct Connect Connection. See [Connectivity Options Site Registration Over Direct Connect ](#connectivity-options-site-registration-over-direct-connect) below for details. - `site_registration_over_internet` - (Optional) Site Registration and Site to RE tunnels go over the internet gateway (`Bool`). - `vif_list` - (Optional) List of Hosted VIF Config. See [Hosted Vifs Vif List ](#hosted-vifs-vif-list) below for details. `vifs` - (Optional) VIFs (`String`).(Deprecated) +### Vif Choice Manual Gw +and a user associate AWS DirectConnect Gateway with it.. -### Vif Choice Manual Gw - - and a user associate AWS DirectConnect Gateway with it.. 
- - - -### Vif Choice Standard Vifs - - and a user associate VIF to the DirectConnect gateway and setup BGP Peering.. - - +### Vif Choice Standard Vifs -### Vif Region Choice Same As Site Region +and a user associate VIF to the DirectConnect gateway and setup BGP Peering.. - Use same region as that of the Site. +### Vif Region Choice Same As Site Region +Use same region as that of the Site. +### Volterra Sw Version Choice Default Sw Version -### Volterra Sw Version Choice Default Sw Version +Will assign latest available F5XC Software Version. - Will assign latest available F5XC Software Version. +### Voltstack Cluster Allowed Vip Port +Allowed VIP Port Configuration. - -### Voltstack Cluster Allowed Vip Port - - Allowed VIP Port Configuration. - - - - -###### One of the arguments from this list "disable_allowed_vip_port, use_http_port, use_https_port, use_http_https_port, custom_ports" can be set +###### One of the arguments from this list "custom_ports, disable_allowed_vip_port, use_http_https_port, use_http_port, use_https_port" can be set `custom_ports` - (Optional) Custom list of ports to be allowed. See [Port Choice Custom Ports ](#port-choice-custom-ports) below for details. - `disable_allowed_vip_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be disabled. (`Bool`). - `use_http_https_port` - (Optional) HTTP Port (80) & HTTPS Port (443) will be allowed. (`Bool`). - `use_http_port` - (Optional) Only HTTP Port (80) will be allowed. (`Bool`). - `use_https_port` - (Optional) Only HTTPS Port (443) will be allowed. (`Bool`). +### Voltstack Cluster Az Nodes - - -### Voltstack Cluster Az Nodes - - Only Single AZ or Three AZ(s) nodes are supported currently.. +Only Single AZ or Three AZ(s) nodes are supported currently.. `aws_az_name` - (Required) AWS availability zone, must be consistent with the selected AWS region. (`String`). 
@@ -2670,9 +1339,7 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `local_subnet` - (Optional) Subnets for the site local interface of the node. See [Az Nodes Local Subnet ](#az-nodes-local-subnet) below for details. +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured aws_vpc_site. - +- `id` - This is the id of the configured aws_vpc_site. diff --git a/docs/resources/volterra_azure_vnet_site.md b/docs/resources/volterra_azure_vnet_site.md index aeadce503..32a91b9ca 100644 --- a/docs/resources/volterra_azure_vnet_site.md +++ b/docs/resources/volterra_azure_vnet_site.md @@ -1,33 +1,26 @@ - - - - - - - - - - - - --- + page_title: "Volterra: azure_vnet_site" -description: "The azure_vnet_site allows CRUD of Azure Vnet Site resource on Volterra SaaS" +description: "The azure_vnet_site allows CRUD of Azure Vnet Site resource on Volterra SaaS" + --- -# Resource volterra_azure_vnet_site -The Azure Vnet Site allows CRUD of Azure Vnet Site resource on Volterra SaaS +Resource volterra_azure_vnet_site +================================= -~> **Note:** Please refer to [Azure Vnet Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-azure-vnet-site) to learn more +The Azure Vnet Site allows CRUD of Azure Vnet Site resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Azure Vnet Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-azure-vnet-site) to learn more + +Example Usage +------------- ```hcl resource "volterra_azure_vnet_site" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "default_blocked_services block_all_services blocked_services" must be set + // One of the arguments from this list "block_all_services blocked_services default_blocked_services" must be set default_blocked_services = true 
@@ -39,17 +32,17 @@ resource "volterra_azure_vnet_site" "example" { tenant = "acmecorp" } - // One of the arguments from this list "logs_streaming_disabled log_receiver" must be set + // One of the arguments from this list "log_receiver logs_streaming_disabled" must be set logs_streaming_disabled = true machine_type = ["Standard_D3_v2"] - // One of the arguments from this list "azure_region alternate_region" must be set + // One of the arguments from this list "alternate_region azure_region" must be set - azure_region = "eastus" + alternate_region = "northcentralus" resource_group = ["my-resources"] - // One of the arguments from this list "ingress_gw ingress_egress_gw voltstack_cluster ingress_gw_ar ingress_egress_gw_ar voltstack_cluster_ar" must be set + // One of the arguments from this list "ingress_egress_gw ingress_egress_gw_ar ingress_gw ingress_gw_ar voltstack_cluster voltstack_cluster_ar" must be set ingress_egress_gw_ar { accelerated_networking { 
@@ -60,52 +53,44 @@ resource "volterra_azure_vnet_site" "example" { azure_certified_hw = "azure-byol-multi-nic-voltmesh" - // One of the arguments from this list "no_dc_cluster_group dc_cluster_group_outside_vn dc_cluster_group_inside_vn" must be set + // One of the arguments from this list "dc_cluster_group_inside_vn dc_cluster_group_outside_vn no_dc_cluster_group" must be set no_dc_cluster_group = true - // One of the arguments from this list "forward_proxy_allow_all no_forward_proxy active_forward_proxy_policies" must be set + // One of the arguments from this list "active_forward_proxy_policies forward_proxy_allow_all no_forward_proxy" must be set - forward_proxy_allow_all = true + no_forward_proxy = true - // One of the arguments from this list "no_global_network global_network_list" must be set + // One of the arguments from this list "global_network_list no_global_network" must be set no_global_network = true - // One of the arguments from this list "not_hub hub" must be set - - not_hub = true + // One of the arguments from this list "k8s_cluster no_k8s_cluster" must be set - // One of the arguments from this list "inside_static_routes no_inside_static_routes" must be set + no_k8s_cluster = true - inside_static_routes { - static_route_list { - // One of the arguments from this list "simple_static_route custom_static_route" must be set - - simple_static_route = "10.5.1.0/24" - } - } - - // One of the arguments from this list "no_network_policy active_network_policies active_enhanced_firewall_policies" must be set + // One of the arguments from this list "active_enhanced_firewall_policies active_network_policies no_network_policy" must be set no_network_policy = true node { fault_domain = "1" inside_subnet { - // One of the arguments from this list "subnet_param subnet" must be set + // One of the arguments from this list "subnet subnet_param" must be set - subnet_param { - ipv4 = "10.1.2.0/24" + subnet { + // One of the arguments from this list 
"subnet_resource_grp vnet_resource_group" can be set - ipv6 = "1234:568:abcd:9100::/64" + subnet_resource_grp = "subnet_resource_grp" + + subnet_name = "MySubnet" } } node_number = "1" outside_subnet { - // One of the arguments from this list "subnet_param subnet" must be set + // One of the arguments from this list "subnet subnet_param" must be set subnet_param { ipv4 = "10.1.2.0/24" @@ -121,7 +106,7 @@ resource "volterra_azure_vnet_site" "example" { no_outside_static_routes = true performance_enhancement_mode { - // One of the arguments from this list "perf_mode_l7_enhanced perf_mode_l3_enhanced" must be set + // One of the arguments from this list "perf_mode_l3_enhanced perf_mode_l7_enhanced" must be set perf_mode_l7_enhanced = true } @@ -132,10 +117,10 @@ resource "volterra_azure_vnet_site" "example" { } ssh_key = ["ssh-rsa AAAAB..."] vnet { - // One of the arguments from this list "new_vnet existing_vnet" must be set + // One of the arguments from this list "existing_vnet new_vnet" must be set new_vnet { - // One of the arguments from this list "name autogenerate" must be set + // One of the arguments from this list "autogenerate name" must be set name = "name" 
@@ -145,2577 +130,995 @@ resource "volterra_azure_vnet_site" "example" { // One of the arguments from this list "no_worker_nodes nodes_per_az total_nodes" must be set - total_nodes = "1" + nodes_per_az = "2" } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `address` - (Optional) Site's geographical address that can be used determine its latitude and longitude. (`String`). +`admin_password` - (Optional)Admin password user for accessing site through serial console .. See [Admin Password ](#admin-password) below for details. +###### One of the arguments from this list "block_all_services, blocked_services, default_blocked_services" must be set -`admin_password` - (Optional)Admin password user for accessing site through serial console .. See [Admin Password ](#admin-password) below for details.(Deprecated) +`block_all_services` - (Optional) Block DNS, SSH & WebUI services on Site (`Bool`). +`blocked_services` - (Optional) Use custom blocked services configuration. See [Blocked Services Choice Blocked Services ](#blocked-services-choice-blocked-services) below for details. - +`default_blocked_services` - (Optional) Allow access to DNS, SSH services on Site (`Bool`). +`coordinates` - (Optional) Site longitude and latitude co-ordinates. 
See [Coordinates ](#coordinates) below for details. +`custom_dns` - (Optional) custom dns configure to the CE site. See [Custom Dns ](#custom-dns) below for details. +###### One of the arguments from this list "azure_cred" must be set +`azure_cred` - (Optional) Reference to Azure credentials for automatic deployment. See [ref](#ref) below for details. +`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`). +`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. +###### One of the arguments from this list "log_receiver, logs_streaming_disabled" must be set - +`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. +`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). +`machine_type` - (Required) > advanced options. (`String`). +`offline_survivability_mode` - (Optional) Enable/Disable offline survivability mode. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. +`os` - (Optional) Operating System Details. See [Os ](#os) below for details. +###### One of the arguments from this list "alternate_region, azure_region" must be set +`alternate_region` - (Optional) Name of the azure region which does not support availability zones. (`String`). - +`azure_region` - (Optional) Name of the azure region which supports availability zones. (`String`). +`resource_group` - (Required) Azure resource group for resources that will be created (`String`). +###### One of the arguments from this list "ingress_egress_gw, ingress_egress_gw_ar, ingress_gw, ingress_gw_ar, voltstack_cluster, voltstack_cluster_ar" must be set +`ingress_egress_gw` - (Optional) Two interface site is useful when site is used as ingress/egress gateway to the VNet.. See [Site Type Ingress Egress Gw ](#site-type-ingress-egress-gw) below for details. 
+`ingress_egress_gw_ar` - (Optional) Two interface site is useful when site is used as ingress/egress gateway to the VNet.. See [Site Type Ingress Egress Gw Ar ](#site-type-ingress-egress-gw-ar) below for details. +`ingress_gw` - (Optional) One interface site is useful when site is only used as ingress gateway to the VNet.. See [Site Type Ingress Gw ](#site-type-ingress-gw) below for details. - +`ingress_gw_ar` - (Optional) One interface site is useful when site is only used as ingress gateway to the VNet.. See [Site Type Ingress Gw Ar ](#site-type-ingress-gw-ar) below for details. +`voltstack_cluster` - (Optional) App Stack Cluster using single interface, useful for deploying K8s cluster.. See [Site Type Voltstack Cluster ](#site-type-voltstack-cluster) below for details. +`voltstack_cluster_ar` - (Optional) App Stack Cluster using single interface, useful for deploying K8s cluster.. See [Site Type Voltstack Cluster Ar ](#site-type-voltstack-cluster-ar) below for details. +`ssh_key` - (Required) Public SSH key for accessing the site. (`String`). +`sw` - (Optional) F5XC Software Details. See [Sw ](#sw) below for details. +`tags` - (Optional) It helps to manage, identify, organize, search for, and filter resources in Azure console. (`String`). +`vnet` - (Required) Choice of using existing VNet or create new VNet. See [Vnet ](#vnet) below for details. +###### One of the arguments from this list "no_worker_nodes, nodes_per_az, total_nodes" must be set +`no_worker_nodes` - (Optional) Worker nodes is set to zero (`Bool`). - +`nodes_per_az` - (Optional) Desired Worker Nodes Per AZ. Max limit is up to 21 (`Int`). +`total_nodes` - (Optional) Total number of worker nodes to be deployed across all AZ's used in the Site (`Int`). +### Admin Password +Admin password user for accessing site through serial console .. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set -`block_all_services` - (Optional) Block DNS, SSH & WebUI services on Site (`Bool`). +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. -`blocked_services` - (Optional) Use custom blocked services configuration. See [Blocked Services Choice Blocked Services ](#blocked-services-choice-blocked-services) below for details. - +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - +### Coordinates +Site longitude and latitude co-ordinates. +`latitude` - (Optional) Latitude of the site location (`Float`). +`longitude` - (Optional) longitude of site location (`Float`). - +### Custom Dns +custom dns configure to the CE site. +`inside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in inside network (`String`). 
+`inside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in inside network (`String`). - +`outside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in outside network (`String`). +`outside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in outside network (`String`). +### Kubernetes Upgrade Drain +Enable Kubernetes Drain during OS or SW upgrade. - +###### One of the arguments from this list "disable_upgrade_drain, enable_upgrade_drain" must be set +`disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). +`enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. +### Offline Survivability Mode +Enable/Disable offline survivability mode. +###### One of the arguments from this list "enable_offline_survivability_mode, no_offline_survivability_mode" must be set -`default_blocked_services` - (Optional) Allow access to DNS, SSH services on Site (`Bool`). +`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). +`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). +### Os +Operating System Details. -`coordinates` - (Optional) Site longitude and latitude co-ordinates. See [Coordinates ](#coordinates) below for details. +###### One of the arguments from this list "default_os_version, operating_system_version" must be set +`default_os_version` - (Optional) Will assign latest available OS version (`Bool`). +`operating_system_version` - (Optional) Specify a OS version to be used e.g. 9.2024.6. (`String`). +### Sw +F5XC Software Details. -`custom_dns` - (Optional) custom dns configure to the CE site. See [Custom Dns ](#custom-dns) below for details. 
+###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set +`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). +`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). +### Vnet +Choice of using existing VNet or create new VNet. +###### One of the arguments from this list "existing_vnet, new_vnet" must be set +`existing_vnet` - (Optional) Information about existing Vnet. See [Choice Existing Vnet ](#choice-existing-vnet) below for details. +`new_vnet` - (Optional) Parameters for creating new Vnet. See [Choice New Vnet ](#choice-new-vnet) below for details. -`azure_cred` - (Optional) Reference to Azure credentials for automatic deployment. See [ref](#ref) below for details. +### Accelerated Networking Disable +infrastructure.. +### Accelerated Networking Enable +improving networking performance. -`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`). +### Admin Password Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). -`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Asn Choice Auto Asn +(Recommended) Automatically set ASN for F5XC Site. - +### Authorized Key Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
+`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Az Nodes Inside Subnet +Subnets for the inside interface of the node. +###### One of the arguments from this list "subnet, subnet_param" must be set +`subnet` - (Optional) Information about existing subnet.. See [Choice Subnet ](#choice-subnet) below for details. +`subnet_param` - (Optional) Parameters for creating new subnet.. See [Choice Subnet Param ](#choice-subnet-param) below for details. +### Az Nodes Local Subnet +Subnets for the site local interface of the node. +###### One of the arguments from this list "subnet, subnet_param" must be set - +`subnet` - (Optional) Information about existing subnet.. See [Choice Subnet ](#choice-subnet) below for details. +`subnet_param` - (Optional) Parameters for creating new subnet.. See [Choice Subnet Param ](#choice-subnet-param) below for details. +### Az Nodes Outside Subnet +Subnets for the outside interface of the node. - +###### One of the arguments from this list "subnet, subnet_param" must be set +`subnet` - (Optional) Information about existing subnet.. See [Choice Subnet ](#choice-subnet) below for details. +`subnet_param` - (Optional) Parameters for creating new subnet.. See [Choice Subnet Param ](#choice-subnet-param) below for details. +### Blocked Services Blocked Sevice +x-displayName: "Disable Node Local Services". +###### One of the arguments from this list "dns, ssh, web_user_interface" can be set +`dns` - (Optional) Matches DNS port 53 (`Bool`). +`ssh` - (Optional) x-displayName: "SSH" (`Bool`). -`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. 
+`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). +`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). -`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). +### Blocked Services Choice Blocked Services +Use custom blocked services configuration. +`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. +### Blocked Services Value Type Choice Dns -`machine_type` - (Required) > advanced options. (`String`). +Matches DNS port 53. +### Blocked Services Value Type Choice Ssh +x-displayName: "SSH". -`offline_survivability_mode` - (Optional) Enable/Disable offline survivability mode. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. +### Blocked Services Value Type Choice Web User Interface +x-displayName: "Web UI". +### Choice Auto +The subnet CIDR is autogenerated.. - +### Choice Existing Vnet +Information about existing Vnet. +`resource_group` - (Required) Resource group of existing Vnet (`String`). +`vnet_name` - (Required) Name of existing Vnet (`String`). - +### Choice New Vnet +Parameters for creating new Vnet. +###### One of the arguments from this list "autogenerate, name" must be set +`autogenerate` - (Optional) Autogenerate the Vnet Name (`Bool`). +`name` - (Optional) Specify the Vnet Name (`String`). -`os` - (Optional) Operating System Details. See [Os ](#os) below for details. +`primary_ipv4` - (Required) IPv4 CIDR block for this Vnet. It has to be private address space. (`String`). +### Choice Subnet +An existing subnet in specified resource group is used.. +###### One of the arguments from this list "subnet_resource_grp, vnet_resource_group" can be set - +`subnet_resource_grp` - (Optional) Specify name of Resource Group (`String`). +`vnet_resource_group` - (Optional) Use the same Resource Group as the Vnet (`Bool`). 
+### Choice Subnet +Information about existing subnet.. +###### One of the arguments from this list "subnet_resource_grp, vnet_resource_group" can be set +`subnet_resource_grp` - (Optional) Specify name of Resource Group (`String`). +`vnet_resource_group` - (Optional) Use the same Resource Group as the Vnet (`Bool`). -`alternate_region` - (Optional) Name of the azure region which does not support availability zones. (`String`). +`subnet_name` - (Required) Name of existing subnet. (`String`). +### Choice Subnet Param -`azure_region` - (Optional) Name of the azure region which supports availability zones. (`String`). +Parameters for creating new subnet.. +`ipv4` - (Required) IPv4 subnet prefix for this subnet (`String`). +`ipv6` - (Optional) IPv6 subnet prefix for this subnet (`String`). +### Config Mode Choice Custom Static Route -`resource_group` - (Required) Azure resource group for resources that will be created (`String`). +Use Custom static route to configure all advanced options. +`attrs` - (Optional) List of route attributes associated with the static route (`List of Strings`). +`labels` - (Optional) Add Labels for this Static Route, these labels can be used in network policy (`String`). +`nexthop` - (Optional) Nexthop for the route. See [Custom Static Route Nexthop ](#custom-static-route-nexthop) below for details. -`ingress_egress_gw` - (Optional) Two interface site is useful when site is used as ingress/egress gateway to the VNet.. See [Site Type Ingress Egress Gw ](#site-type-ingress-egress-gw) below for details. - +`subnets` - (Required) List of route prefixes. See [Custom Static Route Subnets ](#custom-static-route-subnets) below for details. +### Connection Choice Sli To Global Dr - +Site local inside is connected directly to a given global network. +`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. 
+### Connection Choice Slo To Global Dr +Site local outside is connected directly to a given global network. - +`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. +### Connections Metadata +Connection Metadata like name and description. +`description` - (Optional) Human readable description. (`String`). - +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Connectivity Options Site Registration Over Express Route +Site Registration and Site to RE tunnels go over the Azure Express Route. - +`cloudlink_network_name` - (Required) Establish private connectivity with the F5 Distributed Cloud Global Network using a Private ADN network. To provision a Private ADN network, please contact F5 Distributed Cloud support. (`String`). +### Connectivity Options Site Registration Over Internet +Site Registration and Site to RE tunnels go over the internet. +### Custom Certificate Private Key - +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set - +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. 
See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Custom Static Route Nexthop - +Nexthop for the route. +`interface` - (Optional) Nexthop is network interface when type is "Network-Interface". See [ref](#ref) below for details. +`nexthop_address` - (Optional) Nexthop address when type is "Use-Configured". See [Nexthop Nexthop Address ](#nexthop-nexthop-address) below for details. +`type` - (Optional) Identifies the type of next-hop (`String`). +### Custom Static Route Subnets +List of route prefixes. +###### One of the arguments from this list "ipv4, ipv6" must be set - +`ipv4` - (Optional) IPv4 Subnet Address. See [Ver Ipv4 ](#ver-ipv4) below for details. +`ipv6` - (Optional) IPv6 Subnet Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Dc Cluster Group Choice No Dc Cluster Group +This site is not a member of dc cluster group. +### Enable Disable Choice Disable Interception +Disable Interception. - +### Enable Disable Choice Enable Interception +Enable Interception. +### Express Route Choice Express Route Disabled +Express Route is disabled on this site. +### Express Route Choice Express Route Enabled +Express Route is enabled on this site. 
+###### One of the arguments from this list "auto_asn, custom_asn" must be set +`auto_asn` - (Optional) (Recommended) Automatically set ASN for F5XC Site (`Bool`). +`custom_asn` - (Optional) Set custom ASN for F5XC Site (`Int`). +`connections` - (Required) Add the ExpressRoute Circuit Connections to this site. See [Express Route Enabled Connections ](#express-route-enabled-connections) below for details. +###### One of the arguments from this list "site_registration_over_express_route, site_registration_over_internet" can be set +`site_registration_over_express_route` - (Optional) Site Registration and Site to RE tunnels go over the Azure Express Route. See [Connectivity Options Site Registration Over Express Route ](#connectivity-options-site-registration-over-express-route) below for details. +`site_registration_over_internet` - (Optional) Site Registration and Site to RE tunnels go over the internet (`Bool`). +`gateway_subnet` - (Optional) Select the type of subnet to be used for VNet Gateway. See [Express Route Enabled Gateway Subnet ](#express-route-enabled-gateway-subnet) below for details. +`route_server_subnet` - (Optional) Select the type of subnet to be used for Azure Route Server. See [Express Route Enabled Route Server Subnet ](#express-route-enabled-route-server-subnet) below for details. - +###### One of the arguments from this list "sku_ergw1az, sku_ergw2az, sku_high_perf, sku_standard" can be set +`sku_ergw1az` - (Optional) ErGw1Az SKU (Standard + Zone protection) (`Bool`). +`sku_ergw2az` - (Optional) ErGw2Az SKU (High Perf + Zone protection) (`Bool`). +`sku_high_perf` - (Optional) High Perf SKU (`Bool`). +`sku_standard` - (Optional) Standard SKU (`Bool`). +###### One of the arguments from this list "advertise_to_route_server, do_not_advertise_to_route_server" can be set - +`advertise_to_route_server` - (Optional) Advertise Spoke Vnet CIDR Routes To Azure Route Server via BGP (`Bool`). 
+`do_not_advertise_to_route_server` - (Optional) Do Not Advertise Spoke Vnet CIDR Routes To Azure Route Server via BGP (`Bool`). +### Express Route Enabled Connections +Add the ExpressRoute Circuit Connections to this site. +`metadata` - (Required) Connection Metadata like name and description. See [Connections Metadata ](#connections-metadata) below for details. - +###### One of the arguments from this list "circuit_id, other_subscription" can be set +`circuit_id` - (Optional) ExpressRoute Circuit is in same subscription as the site (`String`). +`other_subscription` - (Optional) ExpressRoute Circuit is in a different subscription than the site. In this case both Circuit ID and Authorization key are needed. See [Subscription Choice Other Subscription ](#subscription-choice-other-subscription) below for details. +`weight` - (Optional) The weight (or priority) for the routes received from this connection. The default value is 10. (`Int`). - +### Express Route Enabled Gateway Subnet +Select the type of subnet to be used for VNet Gateway. +###### One of the arguments from this list "auto, subnet, subnet_param" must be set +`auto` - (Optional) The subnet CIDR is autogenerated. (`Bool`). +`subnet` - (Optional) An existing subnet in specified resource group is used.. See [Choice Subnet ](#choice-subnet) below for details. +`subnet_param` - (Optional) A new subnet with specified CIDR is created.. See [Choice Subnet Param ](#choice-subnet-param) below for details. - +### Express Route Enabled Route Server Subnet +Select the type of subnet to be used for Azure Route Server. - +###### One of the arguments from this list "auto, subnet, subnet_param" must be set +`auto` - (Optional) The subnet CIDR is autogenerated. (`Bool`). +`subnet` - (Optional) An existing subnet in specified resource group is used.. See [Choice Subnet ](#choice-subnet) below for details. +`subnet_param` - (Optional) A new subnet with specified CIDR is created.. 
See [Choice Subnet Param ](#choice-subnet-param) below for details. - +### Forward Proxy Choice Active Forward Proxy Policies +Enable Forward Proxy for this site and manage policies. +`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. +### Forward Proxy Choice Disable Forward Proxy +Forward Proxy is disabled for this connector. - +### Forward Proxy Choice Enable Forward Proxy +Forward Proxy is enabled for this connector. +`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2000 (2 seconds) (`Int`). +`max_connect_attempts` - (Optional) Specifies the allowed number of retries on connect failure to upstream server. Defaults to 1. (`Int`). +###### One of the arguments from this list "no_interception, tls_intercept" can be set +`no_interception` - (Optional) No TLS interception is enabled for this network connector (`Bool`).(Deprecated) +`tls_intercept` - (Optional) Specify TLS interception configuration for the network connector. See [Tls Interception Choice Tls Intercept ](#tls-interception-choice-tls-intercept) below for details.(Deprecated) - +`white_listed_ports` - (Optional) Example "tmate" server port (`Int`). +`white_listed_prefixes` - (Optional) Example "tmate" server ip (`String`). +### Forward Proxy Choice Forward Proxy Allow All +Enable Forward Proxy for this site and allow all requests.. - +### Forward Proxy Choice No Forward Proxy +Disable Forward Proxy for this site. +### Global Network Choice Global Network List +List of global network connections. +`global_network_connections` - (Required) Global network connections. See [Global Network List Global Network Connections ](#global-network-list-global-network-connections) below for details. +### Global Network Choice No Global Network - +No global network to connect. +### Global Network List Global Network Connections +Global network connections. 
+###### One of the arguments from this list "sli_to_global_dr, slo_to_global_dr" must be set - +`sli_to_global_dr` - (Optional) Site local inside is connected directly to a given global network. See [Connection Choice Sli To Global Dr ](#connection-choice-sli-to-global-dr) below for details. +`slo_to_global_dr` - (Optional) Site local outside is connected directly to a given global network. See [Connection Choice Slo To Global Dr ](#connection-choice-slo-to-global-dr) below for details. +###### One of the arguments from this list "disable_forward_proxy, enable_forward_proxy" can be set +`disable_forward_proxy` - (Optional) Forward Proxy is disabled for this connector (`Bool`).(Deprecated) - +`enable_forward_proxy` - (Optional) Forward Proxy is enabled for this connector. See [Forward Proxy Choice Enable Forward Proxy ](#forward-proxy-choice-enable-forward-proxy) below for details.(Deprecated) +### Hub Spoke Vnets +Spoke VNet Peering. +`labels` - (Optional) These labels used must be from known key and label defined in shared namespace (`String`). - +###### One of the arguments from this list "auto, manual" must be set +`auto` - (Optional) setup routing for all existing subnets on spoke VNet (`Bool`). - +`manual` - (Optional) Manually setup routing on spoke VNet (`Bool`). +`vnet` - (Optional) Information about existing VNet. See [Spoke Vnets Vnet ](#spoke-vnets-vnet) below for details. - +### Hub Choice Hub +This VNet is a hub VNet. +###### One of the arguments from this list "express_route_disabled, express_route_enabled" must be set +`express_route_disabled` - (Optional) Express Route is disabled on this site (`Bool`). +`express_route_enabled` - (Optional) Express Route is enabled on this site. See [Express Route Choice Express Route Enabled ](#express-route-choice-express-route-enabled) below for details. +`spoke_vnets` - (Optional) Spoke VNet Peering. See [Hub Spoke Vnets ](#hub-spoke-vnets) below for details. 
+### Hub Choice Not Hub +This VNet is a standalone VNet. +### Ingress Egress Gw Accelerated Networking - +disruption will be seen. +###### One of the arguments from this list "disable, enable" must be set +`disable` - (Optional) infrastructure. (`Bool`). +`enable` - (Optional) improving networking performance (`Bool`). - +### Ingress Egress Gw Az Nodes +Only Single AZ or Three AZ(s) nodes are supported currently.. +`azure_az` - (Required) Azure availability zone. (`String`). +`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`).(Deprecated) +`inside_subnet` - (Optional) Subnets for the inside interface of the node. See [Az Nodes Inside Subnet ](#az-nodes-inside-subnet) below for details. +`outside_subnet` - (Optional) Subnets for the outside interface of the node. See [Az Nodes Outside Subnet ](#az-nodes-outside-subnet) below for details. +### Ingress Egress Gw Performance Enhancement Mode +Performance Enhancement Mode to optimize for L3 or L7 networking. - +###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set +`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. +`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). +### Ingress Egress Gw Ar Accelerated Networking +disruption will be seen. +###### One of the arguments from this list "disable, enable" must be set - +`disable` - (Optional) infrastructure. (`Bool`). +`enable` - (Optional) improving networking performance (`Bool`). +### Ingress Egress Gw Ar Node +Ingress/Egress Gateway (Two Interface) Node information.. +`fault_domain` - (Optional) Namuber of fault domains to be used while creating the availability set (`Int`). - +`inside_subnet` - (Optional) Subnets for the inside interface of the node. 
See [Node Inside Subnet ](#node-inside-subnet) below for details. +`node_number` - (Required) Number of main nodes to create, either 1 or 3. (`Int`). +`outside_subnet` - (Optional) Subnets for the outside interface of the node. See [Node Outside Subnet ](#node-outside-subnet) below for details. +`update_domain` - (Optional) Namuber of update domains to be used while creating the availability set (`Int`). - +### Ingress Egress Gw Ar Performance Enhancement Mode +Performance Enhancement Mode to optimize for L3 or L7 networking. +###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set +`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - +`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). +### Ingress Gw Accelerated Networking - +disruption will be seen. +###### One of the arguments from this list "disable, enable" must be set +`disable` - (Optional) infrastructure. (`Bool`). +`enable` - (Optional) improving networking performance (`Bool`). +### Ingress Gw Az Nodes +Only Single AZ or Three AZ(s) nodes are supported currently.. +`azure_az` - (Required) Azure availability zone. (`String`). +`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`).(Deprecated) +`local_subnet` - (Optional) Subnets for the site local interface of the node. See [Az Nodes Local Subnet ](#az-nodes-local-subnet) below for details. +### Ingress Gw Performance Enhancement Mode +Performance Enhancement Mode to optimize for L3 or L7 networking. +###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set +`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. 
+`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). +### Ingress Gw Ar Accelerated Networking +disruption will be seen. +###### One of the arguments from this list "disable, enable" must be set +`disable` - (Optional) infrastructure. (`Bool`). +`enable` - (Optional) improving networking performance (`Bool`). +### Ingress Gw Ar Node +Ingress Gateway (One Interface) Node information. +`fault_domain` - (Optional) Namuber of fault domains to be used while creating the availability set (`Int`). - +`local_subnet` - (Optional) Subnets for the site local interface of the node. See [Node Local Subnet ](#node-local-subnet) below for details. +`node_number` - (Required) Number of main nodes to create, either 1 or 3. (`Int`). +`update_domain` - (Optional) Namuber of update domains to be used while creating the availability set (`Int`). +### Ingress Gw Ar Performance Enhancement Mode +Performance Enhancement Mode to optimize for L3 or L7 networking. +###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set +`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - +`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). +### Inside Static Route Choice Inside Static Routes +Manage static routes for inside network.. +`static_route_list` - (Required) List of Static routes. See [Inside Static Routes Static Route List ](#inside-static-routes-static-route-list) below for details. +### Inside Static Route Choice No Inside Static Routes +Static Routes disabled for inside network.. +### Inside Static Routes Static Route List +List of Static routes. +###### One of the arguments from this list "custom_static_route, simple_static_route" must be set +`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. 
See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. +`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). +### Interception Policy Choice Enable For All Domains - +Enable interception for all domains. +### Interception Policy Choice Policy +Policy to enable/disable specific domains, with implicit enable all domains. +`interception_rules` - (Required) List of ordered rules to enable or disable for TLS interception. See [Policy Interception Rules ](#policy-interception-rules) below for details. +### Interception Rules Domain Match +Domain value or regular expression to match. - +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set +`exact_value` - (Optional) Exact domain name. (`String`). +`regex_value` - (Optional) Regular Expression value for the domain name (`String`). +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - +### K8s Cluster Choice No K8s Cluster +Site Local K8s API access is disabled. +### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain +x-displayName: "Disable Node by Node Upgrade". - +### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain +x-displayName: "Enable Node by Node Upgrade". +###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set +`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). - +`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) +`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). 
+###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set +`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) +`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) - +### Name Choice Autogenerate +Autogenerate the Vnet Name. - +### Network Policy Choice Active Enhanced Firewall Policies +with an additional option for service insertion.. +`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. +### Network Policy Choice Active Network Policies - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`ingress_egress_gw_ar` - (Optional) Two interface site is useful when site is used as ingress/egress gateway to the VNet.. See [Site Type Ingress Egress Gw Ar ](#site-type-ingress-egress-gw-ar) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`ingress_gw` - (Optional) One interface site is useful when site is only used as ingress gateway to the VNet.. See [Site Type Ingress Gw ](#site-type-ingress-gw) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`ingress_gw_ar` - (Optional) One interface site is useful when site is only used as ingress gateway to the VNet.. See [Site Type Ingress Gw Ar ](#site-type-ingress-gw-ar) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`voltstack_cluster` - (Optional) App Stack Cluster using single interface, useful for deploying K8s cluster.. See [Site Type Voltstack Cluster ](#site-type-voltstack-cluster) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`voltstack_cluster_ar` - (Optional) App Stack Cluster using single interface, useful for deploying K8s cluster.. See [Site Type Voltstack Cluster Ar ](#site-type-voltstack-cluster-ar) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`ssh_key` - (Required) Public SSH key for accessing the site. (`String`). - - - -`sw` - (Optional) F5XC Software Details. See [Sw ](#sw) below for details. - - - - - - - - - - - -`tags` - (Optional) It helps to manage, identify, organize, search for, and filter resources in Azure console. (`String`). - - - -`vnet` - (Required) Choice of using existing VNet or create new VNet. See [Vnet ](#vnet) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - -`no_worker_nodes` - (Optional) Worker nodes is set to zero (`Bool`). - - -`nodes_per_az` - (Optional) Desired Worker Nodes Per AZ. Max limit is up to 21 (`Int`). - - -`total_nodes` - (Optional) Total number of worker nodes to be deployed across all AZ's used in the Site (`Int`). - - - - -### Admin Password - -Admin password user for accessing site through serial console .. 
- -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Coordinates - - Site longitude and latitude co-ordinates. - -`latitude` - (Optional) Latitude of the site location (`Float`). - -`longitude` - (Optional) longitude of site location (`Float`). - - - -### Custom Dns - - custom dns configure to the CE site. - -`inside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in inside network (`String`). - -`inside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in inside network (`String`). 
- -`outside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in outside network (`String`). - -`outside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in outside network (`String`). - - - -### Kubernetes Upgrade Drain - - Enable Kubernetes Drain during OS or SW upgrade. - - - -###### One of the arguments from this list "enable_upgrade_drain, disable_upgrade_drain" must be set - -`disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). - - -`enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. - - - - -### Offline Survivability Mode - - Enable/Disable offline survivability mode. - - - -###### One of the arguments from this list "no_offline_survivability_mode, enable_offline_survivability_mode" must be set - -`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). - - -`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). - - - - -### Os - - Operating System Details. - - - -###### One of the arguments from this list "default_os_version, operating_system_version" must be set - -`default_os_version` - (Optional) Will assign latest available OS version (`Bool`). - - -`operating_system_version` - (Optional) Specify a OS version to be used e.g. 9.2024.6. (`String`). - - - - -### Sw - - F5XC Software Details. - - - -###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set - -`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). - - -`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). - - - - -### Vnet - - Choice of using existing VNet or create new VNet. 
- - - -###### One of the arguments from this list "new_vnet, existing_vnet" must be set - -`existing_vnet` - (Optional) Information about existing Vnet. See [Choice Existing Vnet ](#choice-existing-vnet) below for details. - - -`new_vnet` - (Optional) Parameters for creating new Vnet. See [Choice New Vnet ](#choice-new-vnet) below for details. - - - - -### Accelerated Networking Disable - - infrastructure.. - - - -### Accelerated Networking Enable - - improving networking performance. - - - -### Admin Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Asn Choice Auto Asn - - (Recommended) Automatically set ASN for F5XC Site. - - - -### Authorized Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Az Nodes Inside Subnet - - Subnets for the inside interface of the node. - - - -###### One of the arguments from this list "subnet_param, subnet" must be set - -`subnet` - (Optional) Information about existing subnet.. See [Choice Subnet ](#choice-subnet) below for details. - - -`subnet_param` - (Optional) Parameters for creating new subnet.. 
See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Az Nodes Local Subnet - - Subnets for the site local interface of the node. - - - -###### One of the arguments from this list "subnet, subnet_param" must be set - -`subnet` - (Optional) Information about existing subnet.. See [Choice Subnet ](#choice-subnet) below for details. - - -`subnet_param` - (Optional) Parameters for creating new subnet.. See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Az Nodes Outside Subnet - - Subnets for the outside interface of the node. - - - -###### One of the arguments from this list "subnet_param, subnet" must be set - -`subnet` - (Optional) Information about existing subnet.. See [Choice Subnet ](#choice-subnet) below for details. - - -`subnet_param` - (Optional) Parameters for creating new subnet.. See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Blocked Services Blocked Sevice - - x-displayName: "Disable Node Local Services". - - - - -###### One of the arguments from this list "web_user_interface, dns, ssh" can be set - -`dns` - (Optional) Matches DNS port 53 (`Bool`). - - -`ssh` - (Optional) x-displayName: "SSH" (`Bool`). - - -`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). - - -`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). - - - -### Blocked Services Choice Blocked Services - - Use custom blocked services configuration. - -`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. - - - -### Blocked Services Value Type Choice Dns - - Matches DNS port 53. - - - -### Blocked Services Value Type Choice Ssh - - x-displayName: "SSH". - - - -### Blocked Services Value Type Choice Web User Interface - - x-displayName: "Web UI". - - - -### Choice Auto - - The subnet CIDR is autogenerated.. 
- - - -### Choice Existing Vnet - - Information about existing Vnet. - -`resource_group` - (Required) Resource group of existing Vnet (`String`). - -`vnet_name` - (Required) Name of existing Vnet (`String`). - - - -### Choice New Vnet - - Parameters for creating new Vnet. - - - -###### One of the arguments from this list "name, autogenerate" must be set - -`autogenerate` - (Optional) Autogenerate the Vnet Name (`Bool`). - - -`name` - (Optional) Specify the Vnet Name (`String`). - - -`primary_ipv4` - (Required) IPv4 CIDR block for this Vnet. It has to be private address space. (`String`). - - - -### Choice Subnet - - An existing subnet in specified resource group is used.. - - - - -###### One of the arguments from this list "subnet_resource_grp, vnet_resource_group" can be set - -`subnet_resource_grp` - (Optional) Specify name of Resource Group (`String`). - - -`vnet_resource_group` - (Optional) Use the same Resource Group as the Vnet (`Bool`). - - - - -### Choice Subnet - - Information about existing subnet.. - - - - -###### One of the arguments from this list "subnet_resource_grp, vnet_resource_group" can be set - -`subnet_resource_grp` - (Optional) Specify name of Resource Group (`String`). - - -`vnet_resource_group` - (Optional) Use the same Resource Group as the Vnet (`Bool`). - - -`subnet_name` - (Required) Name of existing subnet. (`String`). - - - -### Choice Subnet Param - - Parameters for creating new subnet.. - -`ipv4` - (Required) IPv4 subnet prefix for this subnet (`String`). - -`ipv6` - (Optional) IPv6 subnet prefix for this subnet (`String`). - - - -### Config Mode Choice Custom Static Route - - Use Custom static route to configure all advanced options. - -`attrs` - (Optional) List of route attributes associated with the static route (`List of Strings`). - -`labels` - (Optional) Add Labels for this Static Route, these labels can be used in network policy (`String`). - -`nexthop` - (Optional) Nexthop for the route. 
See [Custom Static Route Nexthop ](#custom-static-route-nexthop) below for details. - -`subnets` - (Required) List of route prefixes. See [Custom Static Route Subnets ](#custom-static-route-subnets) below for details. - - - -### Connection Choice Sli To Global Dr - - Site local inside is connected directly to a given global network. - -`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. - - - -### Connection Choice Slo To Global Dr - - Site local outside is connected directly to a given global network. - -`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. - - - -### Connections Metadata - - Connection Metadata like name and description. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Connectivity Options Site Registration Over Express Route - - Site Registration and Site to RE tunnels go over the Azure Express Route. - -`cloudlink_network_name` - (Required) Establish private connectivity with the F5 Distributed Cloud Global Network using a Private ADN network. To provision a Private ADN network, please contact F5 Distributed Cloud support. (`String`). - - - -### Connectivity Options Site Registration Over Internet - - Site Registration and Site to RE tunnels go over the internet. - - - -### Custom Certificate Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Custom Static Route Nexthop - - Nexthop for the route. - -`interface` - (Optional) Nexthop is network interface when type is "Network-Interface". See [ref](#ref) below for details. - -`nexthop_address` - (Optional) Nexthop address when type is "Use-Configured". See [Nexthop Nexthop Address ](#nexthop-nexthop-address) below for details. - -`type` - (Optional) Identifies the type of next-hop (`String`). - - - -### Custom Static Route Subnets - - List of route prefixes. - - - -###### One of the arguments from this list "ipv4, ipv6" must be set - -`ipv4` - (Optional) IPv4 Subnet Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - - -`ipv6` - (Optional) IPv6 Subnet Address. See [Ver Ipv6 ](#ver-ipv6) below for details. 
- - - - -### Dc Cluster Group Choice No Dc Cluster Group - - This site is not a member of dc cluster group. - - - -### Enable Disable Choice Disable Interception - - Disable Interception. - - - -### Enable Disable Choice Enable Interception - - Enable Interception. - - - -### Express Route Choice Express Route Disabled - - Express Route is disabled on this site. - - - -### Express Route Choice Express Route Enabled - - Express Route is enabled on this site. - - - -###### One of the arguments from this list "custom_asn, auto_asn" must be set - -`auto_asn` - (Optional) (Recommended) Automatically set ASN for F5XC Site (`Bool`). - - -`custom_asn` - (Optional) Set custom ASN for F5XC Site (`Int`). - - -`connections` - (Required) Add the ExpressRoute Circuit Connections to this site. See [Express Route Enabled Connections ](#express-route-enabled-connections) below for details. - - - - -###### One of the arguments from this list "site_registration_over_internet, site_registration_over_express_route" can be set - -`site_registration_over_express_route` - (Optional) Site Registration and Site to RE tunnels go over the Azure Express Route. See [Connectivity Options Site Registration Over Express Route ](#connectivity-options-site-registration-over-express-route) below for details. - - -`site_registration_over_internet` - (Optional) Site Registration and Site to RE tunnels go over the internet (`Bool`). - - -`gateway_subnet` - (Optional) Select the type of subnet to be used for VNet Gateway. See [Express Route Enabled Gateway Subnet ](#express-route-enabled-gateway-subnet) below for details. - -`route_server_subnet` - (Optional) Select the type of subnet to be used for Azure Route Server. See [Express Route Enabled Route Server Subnet ](#express-route-enabled-route-server-subnet) below for details. 
- - - - -###### One of the arguments from this list "sku_ergw2az, sku_standard, sku_ergw1az, sku_high_perf" can be set - -`sku_ergw1az` - (Optional) ErGw1Az SKU (Standard + Zone protection) (`Bool`). - - -`sku_ergw2az` - (Optional) ErGw2Az SKU (High Perf + Zone protection) (`Bool`). - - -`sku_high_perf` - (Optional) High Perf SKU (`Bool`). - - -`sku_standard` - (Optional) Standard SKU (`Bool`). - - - - - -###### One of the arguments from this list "advertise_to_route_server, do_not_advertise_to_route_server" can be set - -`advertise_to_route_server` - (Optional) Advertise Spoke Vnet CIDR Routes To Azure Route Server via BGP (`Bool`). - - -`do_not_advertise_to_route_server` - (Optional) Do Not Advertise Spoke Vnet CIDR Routes To Azure Route Server via BGP (`Bool`). - - - - -### Express Route Enabled Connections - - Add the ExpressRoute Circuit Connections to this site. - -`metadata` - (Required) Connection Metadata like name and description. See [Connections Metadata ](#connections-metadata) below for details. - - - - -###### One of the arguments from this list "other_subscription, circuit_id" can be set - -`circuit_id` - (Optional) ExpressRoute Circuit is in same subscription as the site (`String`). - - -`other_subscription` - (Optional) ExpressRoute Circuit is in a different subscription than the site. In this case both Circuit ID and Authorization key are needed. See [Subscription Choice Other Subscription ](#subscription-choice-other-subscription) below for details. - - -`weight` - (Optional) The weight (or priority) for the routes received from this connection. The default value is 10. (`Int`). - - - -### Express Route Enabled Gateway Subnet - - Select the type of subnet to be used for VNet Gateway. - - - -###### One of the arguments from this list "auto, subnet_param, subnet" must be set - -`auto` - (Optional) The subnet CIDR is autogenerated. (`Bool`). - - -`subnet` - (Optional) An existing subnet in specified resource group is used.. 
See [Choice Subnet ](#choice-subnet) below for details. - - -`subnet_param` - (Optional) A new subnet with specified CIDR is created.. See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Express Route Enabled Route Server Subnet - - Select the type of subnet to be used for Azure Route Server. - - - -###### One of the arguments from this list "auto, subnet_param, subnet" must be set - -`auto` - (Optional) The subnet CIDR is autogenerated. (`Bool`). - - -`subnet` - (Optional) An existing subnet in specified resource group is used.. See [Choice Subnet ](#choice-subnet) below for details. - - -`subnet_param` - (Optional) A new subnet with specified CIDR is created.. See [Choice Subnet Param ](#choice-subnet-param) below for details. - - - - -### Forward Proxy Choice Active Forward Proxy Policies - - Enable Forward Proxy for this site and manage policies. - -`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. - - - -### Forward Proxy Choice Disable Forward Proxy - - Forward Proxy is disabled for this connector. - - - -### Forward Proxy Choice Enable Forward Proxy - - Forward Proxy is enabled for this connector. - -`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2000 (2 seconds) (`Int`). - -`max_connect_attempts` - (Optional) Specifies the allowed number of retries on connect failure to upstream server. Defaults to 1. (`Int`). - - - - -###### One of the arguments from this list "tls_intercept, no_interception" can be set - -`no_interception` - (Optional) No TLS interception is enabled for this network connector (`Bool`).(Deprecated) - - -`tls_intercept` - (Optional) Specify TLS interception configuration for the network connector. See [Tls Interception Choice Tls Intercept ](#tls-interception-choice-tls-intercept) below for details.(Deprecated) - - -`white_listed_ports` - (Optional) Example "tmate" server port (`Int`). 
- -`white_listed_prefixes` - (Optional) Example "tmate" server ip (`String`). - - - -### Forward Proxy Choice Forward Proxy Allow All - - Enable Forward Proxy for this site and allow all requests.. - - - -### Forward Proxy Choice No Forward Proxy - - Disable Forward Proxy for this site. - - - -### Global Network Choice Global Network List - - List of global network connections. - -`global_network_connections` - (Required) Global network connections. See [Global Network List Global Network Connections ](#global-network-list-global-network-connections) below for details. - - - -### Global Network Choice No Global Network - - No global network to connect. - - - -### Global Network List Global Network Connections - - Global network connections. - - - -###### One of the arguments from this list "sli_to_global_dr, slo_to_global_dr" must be set - -`sli_to_global_dr` - (Optional) Site local inside is connected directly to a given global network. See [Connection Choice Sli To Global Dr ](#connection-choice-sli-to-global-dr) below for details. - - -`slo_to_global_dr` - (Optional) Site local outside is connected directly to a given global network. See [Connection Choice Slo To Global Dr ](#connection-choice-slo-to-global-dr) below for details. - - - - - -###### One of the arguments from this list "disable_forward_proxy, enable_forward_proxy" can be set - -`disable_forward_proxy` - (Optional) Forward Proxy is disabled for this connector (`Bool`).(Deprecated) - - -`enable_forward_proxy` - (Optional) Forward Proxy is enabled for this connector. See [Forward Proxy Choice Enable Forward Proxy ](#forward-proxy-choice-enable-forward-proxy) below for details.(Deprecated) - - - - -### Hub Spoke Vnets - - Spoke VNet Peering. - -`labels` - (Optional) These labels used must be from known key and label defined in shared namespace (`String`). 
- - - -###### One of the arguments from this list "auto, manual" must be set - -`auto` - (Optional) setup routing for all existing subnets on spoke VNet (`Bool`). - - -`manual` - (Optional) Manually setup routing on spoke VNet (`Bool`). - - -`vnet` - (Optional) Information about existing VNet. See [Spoke Vnets Vnet ](#spoke-vnets-vnet) below for details. - - - -### Hub Choice Hub - - This VNet is a hub VNet. - - - -###### One of the arguments from this list "express_route_disabled, express_route_enabled" must be set - -`express_route_disabled` - (Optional) Express Route is disabled on this site (`Bool`). - - -`express_route_enabled` - (Optional) Express Route is enabled on this site. See [Express Route Choice Express Route Enabled ](#express-route-choice-express-route-enabled) below for details. - - -`spoke_vnets` - (Optional) Spoke VNet Peering. See [Hub Spoke Vnets ](#hub-spoke-vnets) below for details. - - - -### Hub Choice Not Hub - - This VNet is a standalone VNet. - - - -### Ingress Egress Gw Accelerated Networking - - disruption will be seen. - - - -###### One of the arguments from this list "disable, enable" must be set - -`disable` - (Optional) infrastructure. (`Bool`). - - -`enable` - (Optional) improving networking performance (`Bool`). - - - - -### Ingress Egress Gw Az Nodes - - Only Single AZ or Three AZ(s) nodes are supported currently.. - -`azure_az` - (Required) Azure availability zone. (`String`). - -`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`).(Deprecated) - -`inside_subnet` - (Optional) Subnets for the inside interface of the node. See [Az Nodes Inside Subnet ](#az-nodes-inside-subnet) below for details. - -`outside_subnet` - (Optional) Subnets for the outside interface of the node. See [Az Nodes Outside Subnet ](#az-nodes-outside-subnet) below for details. - - - -### Ingress Egress Gw Performance Enhancement Mode - - Performance Enhancement Mode to optimize for L3 or L7 networking. 
- - - -###### One of the arguments from this list "perf_mode_l7_enhanced, perf_mode_l3_enhanced" must be set - -`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - - -`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). - - - - -### Ingress Egress Gw Ar Accelerated Networking - - disruption will be seen. - - - -###### One of the arguments from this list "enable, disable" must be set - -`disable` - (Optional) infrastructure. (`Bool`). - - -`enable` - (Optional) improving networking performance (`Bool`). - - - - -### Ingress Egress Gw Ar Node - - Ingress/Egress Gateway (Two Interface) Node information.. - -`fault_domain` - (Optional) Namuber of fault domains to be used while creating the availability set (`Int`). - -`inside_subnet` - (Optional) Subnets for the inside interface of the node. See [Node Inside Subnet ](#node-inside-subnet) below for details. - -`node_number` - (Required) Number of main nodes to create, either 1 or 3. (`Int`). - -`outside_subnet` - (Optional) Subnets for the outside interface of the node. See [Node Outside Subnet ](#node-outside-subnet) below for details. - -`update_domain` - (Optional) Namuber of update domains to be used while creating the availability set (`Int`). - - - -### Ingress Egress Gw Ar Performance Enhancement Mode - - Performance Enhancement Mode to optimize for L3 or L7 networking. - - - -###### One of the arguments from this list "perf_mode_l7_enhanced, perf_mode_l3_enhanced" must be set - -`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - - -`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). - - - - -### Ingress Gw Accelerated Networking - - disruption will be seen. 
- - - -###### One of the arguments from this list "disable, enable" must be set - -`disable` - (Optional) infrastructure. (`Bool`). - - -`enable` - (Optional) improving networking performance (`Bool`). - - - - -### Ingress Gw Az Nodes - - Only Single AZ or Three AZ(s) nodes are supported currently.. - -`azure_az` - (Required) Azure availability zone. (`String`). - -`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`).(Deprecated) - -`local_subnet` - (Optional) Subnets for the site local interface of the node. See [Az Nodes Local Subnet ](#az-nodes-local-subnet) below for details. - - - -### Ingress Gw Performance Enhancement Mode - - Performance Enhancement Mode to optimize for L3 or L7 networking. - - - -###### One of the arguments from this list "perf_mode_l7_enhanced, perf_mode_l3_enhanced" must be set - -`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - - -`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). - - - - -### Ingress Gw Ar Accelerated Networking - - disruption will be seen. - - - -###### One of the arguments from this list "disable, enable" must be set - -`disable` - (Optional) infrastructure. (`Bool`). - - -`enable` - (Optional) improving networking performance (`Bool`). - - - - -### Ingress Gw Ar Node - - Ingress Gateway (One Interface) Node information. - -`fault_domain` - (Optional) Namuber of fault domains to be used while creating the availability set (`Int`). - -`local_subnet` - (Optional) Subnets for the site local interface of the node. See [Node Local Subnet ](#node-local-subnet) below for details. - -`node_number` - (Required) Number of main nodes to create, either 1 or 3. (`Int`). - -`update_domain` - (Optional) Namuber of update domains to be used while creating the availability set (`Int`). 
- - - -### Ingress Gw Ar Performance Enhancement Mode - - Performance Enhancement Mode to optimize for L3 or L7 networking. - - - -###### One of the arguments from this list "perf_mode_l7_enhanced, perf_mode_l3_enhanced" must be set - -`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - - -`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). - - - - -### Inside Static Route Choice Inside Static Routes - - Manage static routes for inside network.. - -`static_route_list` - (Required) List of Static routes. See [Inside Static Routes Static Route List ](#inside-static-routes-static-route-list) below for details. - - - -### Inside Static Route Choice No Inside Static Routes - - Static Routes disabled for inside network.. - - - -### Inside Static Routes Static Route List - - List of Static routes. - - - -###### One of the arguments from this list "simple_static_route, custom_static_route" must be set - -`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. - - -`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). - - - - -### Interception Policy Choice Enable For All Domains - - Enable interception for all domains. - - - -### Interception Policy Choice Policy - - Policy to enable/disable specific domains, with implicit enable all domains. - -`interception_rules` - (Required) List of ordered rules to enable or disable for TLS interception. See [Policy Interception Rules ](#policy-interception-rules) below for details. - - - -### Interception Rules Domain Match - - Domain value or regular expression to match. 
- - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set - -`exact_value` - (Optional) Exact domain name. (`String`). - - -`regex_value` - (Optional) Regular Expression value for the domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - - - -### K8s Cluster Choice No K8s Cluster - - Site Local K8s API access is disabled. - - - -### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain - - x-displayName: "Disable Node by Node Upgrade". - - - -### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain - - x-displayName: "Enable Node by Node Upgrade". - - - -###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set - -`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). - - -`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) - - -`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). - - - -###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set - -`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) - - -`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) - - - - -### Name Choice Autogenerate - - Autogenerate the Vnet Name. - - - -### Network Policy Choice Active Enhanced Firewall Policies - - with an additional option for service insertion.. - -`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. 
- - - -### Network Policy Choice Active Network Policies - - Firewall Policies active for this site.. +Firewall Policies active for this site.. `network_policies` - (Required) Ordered List of Firewall Policies active for this network firewall. See [ref](#ref) below for details. +### Network Policy Choice No Network Policy +Firewall Policy is disabled for this site.. -### Network Policy Choice No Network Policy - - Firewall Policy is disabled for this site.. - - - -### Nexthop Nexthop Address - - Nexthop address when type is "Use-Configured". - - +### Nexthop Nexthop Address +Nexthop address when type is "Use-Configured". ###### One of the arguments from this list "ipv4, ipv6" can be set `ipv4` - (Optional) IPv4 Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - `ipv6` - (Optional) IPv6 Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Node Inside Subnet +Subnets for the inside interface of the node. - -### Node Inside Subnet - - Subnets for the inside interface of the node. - - - -###### One of the arguments from this list "subnet_param, subnet" must be set +###### One of the arguments from this list "subnet, subnet_param" must be set `subnet` - (Optional) Information about existing subnet.. See [Choice Subnet ](#choice-subnet) below for details. - `subnet_param` - (Optional) Parameters for creating new subnet.. See [Choice Subnet Param ](#choice-subnet-param) below for details. +### Node Local Subnet +Subnets for the site local interface of the node. - -### Node Local Subnet - - Subnets for the site local interface of the node. - - - -###### One of the arguments from this list "subnet_param, subnet" must be set +###### One of the arguments from this list "subnet, subnet_param" must be set `subnet` - (Optional) Information about existing subnet.. See [Choice Subnet ](#choice-subnet) below for details. - `subnet_param` - (Optional) Parameters for creating new subnet.. See [Choice Subnet Param ](#choice-subnet-param) below for details. 
+### Node Outside Subnet +Subnets for the outside interface of the node. - -### Node Outside Subnet - - Subnets for the outside interface of the node. - - - -###### One of the arguments from this list "subnet_param, subnet" must be set +###### One of the arguments from this list "subnet, subnet_param" must be set `subnet` - (Optional) Information about existing subnet.. See [Choice Subnet ](#choice-subnet) below for details. - `subnet_param` - (Optional) Parameters for creating new subnet.. See [Choice Subnet Param ](#choice-subnet-param) below for details. +### Ocsp Stapling Choice Custom Hash Algorithms - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. `hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Ocsp Stapling Choice Disable Ocsp Stapling +This is the default behavior if no choice is selected.. -### Ocsp Stapling Choice Disable Ocsp Stapling +### Ocsp Stapling Choice Use System Defaults - This is the default behavior if no choice is selected.. +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. +### Offline Survivability Mode Choice Enable Offline Survivability Mode +x-displayName: "Enabled". -### Ocsp Stapling Choice Use System Defaults +### Offline Survivability Mode Choice No Offline Survivability Mode - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. +x-displayName: "Disabled". 
+### Operating System Version Choice Default Os Version +Will assign latest available OS version. -### Offline Survivability Mode Choice Enable Offline Survivability Mode +### Other Subscription Authorized Key - x-displayName: "Enabled". - - - -### Offline Survivability Mode Choice No Offline Survivability Mode - - x-displayName: "Disabled". - - - -### Operating System Version Choice Default Os Version - - Will assign latest available OS version. - - - -### Other Subscription Authorized Key - - Authorization Key created by the circuit owner. +Authorization Key created by the circuit owner. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Authorized Key Blindfold Secret Info Internal ](#authorized-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Outside Static Route Choice No Outside Static Routes +Static Routes disabled for outside network.. +### Outside Static Route Choice Outside Static Routes -### Outside Static Route Choice No Outside Static Routes - - Static Routes disabled for outside network.. - - - -### Outside Static Route Choice Outside Static Routes - - Manage static routes for outside network.. +Manage static routes for outside network.. `static_route_list` - (Required) List of Static routes. See [Outside Static Routes Static Route List ](#outside-static-routes-static-route-list) below for details. +### Outside Static Routes Static Route List - -### Outside Static Routes Static Route List - - List of Static routes. - - +List of Static routes. ###### One of the arguments from this list "custom_static_route, simple_static_route" must be set `custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. - `simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). +### Perf Mode Choice Jumbo +x-displayName: "Enabled". +### Perf Mode Choice No Jumbo -### Perf Mode Choice Jumbo - - x-displayName: "Enabled". - - - -### Perf Mode Choice No Jumbo - - x-displayName: "Disabled". +x-displayName: "Disabled". +### Perf Mode Choice Perf Mode L3 Enhanced +Site optimized for L3 traffic processing. -### Perf Mode Choice Perf Mode L3 Enhanced - - Site optimized for L3 traffic processing. - - - -###### One of the arguments from this list "no_jumbo, jumbo" must be set +###### One of the arguments from this list "jumbo, no_jumbo" must be set `jumbo` - (Optional) x-displayName: "Enabled" (`Bool`). - `no_jumbo` - (Optional) x-displayName: "Disabled" (`Bool`). 
+### Perf Mode Choice Perf Mode L7 Enhanced +Site optimized for L7 traffic processing. +### Policy Interception Rules -### Perf Mode Choice Perf Mode L7 Enhanced - - Site optimized for L7 traffic processing. - - - -### Policy Interception Rules - - List of ordered rules to enable or disable for TLS interception. +List of ordered rules to enable or disable for TLS interception. `domain_match` - (Required) Domain value or regular expression to match. See [Interception Rules Domain Match ](#interception-rules-domain-match) below for details. - - ###### One of the arguments from this list "disable_interception, enable_interception" must be set `disable_interception` - (Optional) Disable Interception (`Bool`). - `enable_interception` - (Optional) Enable Interception (`Bool`). +### Private Key Blindfold Secret Info Internal - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). `location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Ref - - -Reference to another volterra object is shown like below - -name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - -namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). - -tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). - - - -### Resource Group Choice Vnet Resource Group +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). 
- Use the same Resource Group as the Vnet. +### Ref +Reference to another volterra object is shown like below +name - (Required) then name will hold the referred object's(e.g. route's) name. (String). -### Routing Choice Auto +namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). - setup routing for all existing subnets on spoke VNet. +tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Resource Group Choice Vnet Resource Group +Use the same Resource Group as the Vnet. -### Routing Choice Manual +### Routing Choice Auto - Manually setup routing on spoke VNet. +setup routing for all existing subnets on spoke VNet. +### Routing Choice Manual +Manually setup routing on spoke VNet. -### Secret Info Oneof Blindfold Secret Info +### Secret Info Oneof Blindfold Secret Info - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -2723,21 +1126,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -2749,63 +1148,45 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Signing Cert Choice Custom Certificate - -### Signing Cert Choice Custom Certificate - - Certificates for generating intermediate certificate for TLS interception.. +Certificates for generating intermediate certificate for TLS interception.. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "use_system_defaults, disable_ocsp_stapling, custom_hash_algorithms" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. 
- `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Custom Certificate Private Key ](#custom-certificate-private-key) below for details. +### Signing Cert Choice Volterra Certificate +F5XC certificates for generating intermediate certificate for TLS interception.. -### Signing Cert Choice Volterra Certificate - - F5XC certificates for generating intermediate certificate for TLS interception.. - - - -### Site Mesh Group Choice Sm Connection Public Ip - - creating ipsec between two sites which are part of the site mesh group. +### Site Mesh Group Choice Sm Connection Public Ip +creating ipsec between two sites which are part of the site mesh group. +### Site Mesh Group Choice Sm Connection Pvt Ip -### Site Mesh Group Choice Sm Connection Pvt Ip +creating ipsec between two sites which are part of the site mesh group. - creating ipsec between two sites which are part of the site mesh group. +### Site Type Ingress Egress Gw - - -### Site Type Ingress Egress Gw - - Two interface site is useful when site is used as ingress/egress gateway to the VNet.. +Two interface site is useful when site is used as ingress/egress gateway to the VNet.. `accelerated_networking` - (Optional) disruption will be seen. See [Ingress Egress Gw Accelerated Networking ](#ingress-egress-gw-accelerated-networking) below for details. 
@@ -2813,205 +1194,131 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `azure_certified_hw` - (Required) Name for Azure certified hardware. (`String`). - - -###### One of the arguments from this list "dc_cluster_group_outside_vn, dc_cluster_group_inside_vn, no_dc_cluster_group" must be set +###### One of the arguments from this list "dc_cluster_group_inside_vn, dc_cluster_group_outside_vn, no_dc_cluster_group" must be set `dc_cluster_group_inside_vn` - (Optional) This site is member of dc cluster group connected via inside network. See [ref](#ref) below for details. - `dc_cluster_group_outside_vn` - (Optional) This site is member of dc cluster group connected via outside network. See [ref](#ref) below for details. - `no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). - - - -###### One of the arguments from this list "forward_proxy_allow_all, no_forward_proxy, active_forward_proxy_policies" must be set +###### One of the arguments from this list "active_forward_proxy_policies, forward_proxy_allow_all, no_forward_proxy" must be set `active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. - `forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). - `no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). - - - ###### One of the arguments from this list "global_network_list, no_global_network" must be set `global_network_list` - (Optional) List of global network connections. See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - `no_global_network` - (Optional) No global network to connect (`Bool`). 
- - - -###### One of the arguments from this list "not_hub, hub" must be set +###### One of the arguments from this list "hub, not_hub" must be set `hub` - (Optional) This VNet is a hub VNet. See [Hub Choice Hub ](#hub-choice-hub) below for details. - `not_hub` - (Optional) This VNet is a standalone VNet (`Bool`). - - - ###### One of the arguments from this list "inside_static_routes, no_inside_static_routes" must be set `inside_static_routes` - (Optional) Manage static routes for inside network.. See [Inside Static Route Choice Inside Static Routes ](#inside-static-route-choice-inside-static-routes) below for details. - `no_inside_static_routes` - (Optional) Static Routes disabled for inside network. (`Bool`). - - - -###### One of the arguments from this list "active_enhanced_firewall_policies, no_network_policy, active_network_policies" must be set +###### One of the arguments from this list "active_enhanced_firewall_policies, active_network_policies, no_network_policy" must be set `active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - `active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - `no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). - - - ###### One of the arguments from this list "no_outside_static_routes, outside_static_routes" must be set `no_outside_static_routes` - (Optional) Static Routes disabled for outside network. (`Bool`). - `outside_static_routes` - (Optional) Manage static routes for outside network.. See [Outside Static Route Choice Outside Static Routes ](#outside-static-route-choice-outside-static-routes) below for details. 
- `performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Ingress Egress Gw Performance Enhancement Mode ](#ingress-egress-gw-performance-enhancement-mode) below for details. - - ###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set `sm_connection_public_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - `sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). +### Site Type Ingress Egress Gw Ar - - -### Site Type Ingress Egress Gw Ar - - Two interface site is useful when site is used as ingress/egress gateway to the VNet.. +Two interface site is useful when site is used as ingress/egress gateway to the VNet.. `accelerated_networking` - (Optional) disruption will be seen. See [Ingress Egress Gw Ar Accelerated Networking ](#ingress-egress-gw-ar-accelerated-networking) below for details. `azure_certified_hw` - (Required) Name for Azure certified hardware. (`String`). - - -###### One of the arguments from this list "no_dc_cluster_group, dc_cluster_group_outside_vn, dc_cluster_group_inside_vn" must be set +###### One of the arguments from this list "dc_cluster_group_inside_vn, dc_cluster_group_outside_vn, no_dc_cluster_group" must be set `dc_cluster_group_inside_vn` - (Optional) This site is member of dc cluster group connected via inside network. See [ref](#ref) below for details. - `dc_cluster_group_outside_vn` - (Optional) This site is member of dc cluster group connected via outside network. See [ref](#ref) below for details. - `no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). 
- - - -###### One of the arguments from this list "no_forward_proxy, active_forward_proxy_policies, forward_proxy_allow_all" must be set +###### One of the arguments from this list "active_forward_proxy_policies, forward_proxy_allow_all, no_forward_proxy" must be set `active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. - `forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). - `no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). - - - -###### One of the arguments from this list "no_global_network, global_network_list" must be set +###### One of the arguments from this list "global_network_list, no_global_network" must be set `global_network_list` - (Optional) List of global network connections. See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - `no_global_network` - (Optional) No global network to connect (`Bool`). - - - -###### One of the arguments from this list "not_hub, hub" must be set +###### One of the arguments from this list "hub, not_hub" must be set `hub` - (Optional) This VNet is a hub VNet. See [Hub Choice Hub ](#hub-choice-hub) below for details. - `not_hub` - (Optional) This VNet is a standalone VNet (`Bool`). - - - -###### One of the arguments from this list "no_inside_static_routes, inside_static_routes" must be set +###### One of the arguments from this list "inside_static_routes, no_inside_static_routes" must be set `inside_static_routes` - (Optional) Manage static routes for inside network.. See [Inside Static Route Choice Inside Static Routes ](#inside-static-route-choice-inside-static-routes) below for details. - `no_inside_static_routes` - (Optional) Static Routes disabled for inside network. (`Bool`). 
- - - -###### One of the arguments from this list "no_network_policy, active_network_policies, active_enhanced_firewall_policies" must be set +###### One of the arguments from this list "active_enhanced_firewall_policies, active_network_policies, no_network_policy" must be set `active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - `active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - `no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). - `node` - (Optional) Ingress/Egress Gateway (Two Interface) Node information.. See [Ingress Egress Gw Ar Node ](#ingress-egress-gw-ar-node) below for details. - - ###### One of the arguments from this list "no_outside_static_routes, outside_static_routes" must be set `no_outside_static_routes` - (Optional) Static Routes disabled for outside network. (`Bool`). - `outside_static_routes` - (Optional) Manage static routes for outside network.. See [Outside Static Route Choice Outside Static Routes ](#outside-static-route-choice-outside-static-routes) below for details. - `performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Ingress Egress Gw Ar Performance Enhancement Mode ](#ingress-egress-gw-ar-performance-enhancement-mode) below for details. - - ###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set `sm_connection_public_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - `sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). 
+### Site Type Ingress Gw - - -### Site Type Ingress Gw - - One interface site is useful when site is only used as ingress gateway to the VNet.. +One interface site is useful when site is only used as ingress gateway to the VNet.. `accelerated_networking` - (Optional) disruption will be seen. See [Ingress Gw Accelerated Networking ](#ingress-gw-accelerated-networking) below for details. @@ -3021,11 +1328,9 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Ingress Gw Performance Enhancement Mode ](#ingress-gw-performance-enhancement-mode) below for details. +### Site Type Ingress Gw Ar - -### Site Type Ingress Gw Ar - - One interface site is useful when site is only used as ingress gateway to the VNet.. +One interface site is useful when site is only used as ingress gateway to the VNet.. `accelerated_networking` - (Optional) disruption will be seen. See [Ingress Gw Ar Accelerated Networking ](#ingress-gw-ar-accelerated-networking) below for details. @@ -3035,11 +1340,9 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Ingress Gw Ar Performance Enhancement Mode ](#ingress-gw-ar-performance-enhancement-mode) below for details. +### Site Type Voltstack Cluster - -### Site Type Voltstack Cluster - - App Stack Cluster using single interface, useful for deploying K8s cluster.. +App Stack Cluster using single interface, useful for deploying K8s cluster.. `accelerated_networking` - (Optional) disruption will be seen. See [Voltstack Cluster Accelerated Networking ](#voltstack-cluster-accelerated-networking) below for details. 
@@ -3047,393 +1350,261 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `azure_certified_hw` - (Required) Name for Azure certified hardware. (`String`). - - -###### One of the arguments from this list "no_dc_cluster_group, dc_cluster_group" must be set +###### One of the arguments from this list "dc_cluster_group, no_dc_cluster_group" must be set `dc_cluster_group` - (Optional) This site is member of dc cluster group via Outside Network. See [ref](#ref) below for details. - `no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). - - - -###### One of the arguments from this list "forward_proxy_allow_all, no_forward_proxy, active_forward_proxy_policies" must be set +###### One of the arguments from this list "active_forward_proxy_policies, forward_proxy_allow_all, no_forward_proxy" must be set `active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. - `forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). - `no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). - - - -###### One of the arguments from this list "no_global_network, global_network_list" must be set +###### One of the arguments from this list "global_network_list, no_global_network" must be set `global_network_list` - (Optional) List of global network connections. See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - `no_global_network` - (Optional) No global network to connect (`Bool`). 
- - - -###### One of the arguments from this list "no_k8s_cluster, k8s_cluster" must be set +###### One of the arguments from this list "k8s_cluster, no_k8s_cluster" must be set `k8s_cluster` - (Optional) Site Local K8s API access is enabled, using k8s_cluster object. See [ref](#ref) below for details. - `no_k8s_cluster` - (Optional) Site Local K8s API access is disabled (`Bool`). - - - -###### One of the arguments from this list "no_network_policy, active_network_policies, active_enhanced_firewall_policies" must be set +###### One of the arguments from this list "active_enhanced_firewall_policies, active_network_policies, no_network_policy" must be set `active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - `active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - `no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). - - - ###### One of the arguments from this list "no_outside_static_routes, outside_static_routes" must be set `no_outside_static_routes` - (Optional) Static Routes disabled for outside network. (`Bool`). - `outside_static_routes` - (Optional) Manage static routes for outside network.. See [Outside Static Route Choice Outside Static Routes ](#outside-static-route-choice-outside-static-routes) below for details. - - - ###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set `sm_connection_public_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - `sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). 
- - - ###### One of the arguments from this list "default_storage, storage_class_list" must be set `default_storage` - (Optional) Use standard storage class configured as AWS EBS (`Bool`). - `storage_class_list` - (Optional) Add additional custom storage classes in kubernetes for site. See [Storage Class Choice Storage Class List ](#storage-class-choice-storage-class-list) below for details. +### Site Type Voltstack Cluster Ar - - -### Site Type Voltstack Cluster Ar - - App Stack Cluster using single interface, useful for deploying K8s cluster.. +App Stack Cluster using single interface, useful for deploying K8s cluster.. `accelerated_networking` - (Optional) disruption will be seen. See [Voltstack Cluster Ar Accelerated Networking ](#voltstack-cluster-ar-accelerated-networking) below for details. `azure_certified_hw` - (Required) Name for Azure certified hardware. (`String`). - - ###### One of the arguments from this list "dc_cluster_group, no_dc_cluster_group" must be set `dc_cluster_group` - (Optional) This site is member of dc cluster group via outside network. See [ref](#ref) below for details. - `no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). - - - ###### One of the arguments from this list "active_forward_proxy_policies, forward_proxy_allow_all, no_forward_proxy" must be set `active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. - `forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). - `no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). 
- - - -###### One of the arguments from this list "no_global_network, global_network_list" must be set +###### One of the arguments from this list "global_network_list, no_global_network" must be set `global_network_list` - (Optional) List of global network connections. See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - `no_global_network` - (Optional) No global network to connect (`Bool`). - - - -###### One of the arguments from this list "no_k8s_cluster, k8s_cluster" must be set +###### One of the arguments from this list "k8s_cluster, no_k8s_cluster" must be set `k8s_cluster` - (Optional) Site Local K8s API access is enabled, using k8s_cluster object. See [ref](#ref) below for details. - `no_k8s_cluster` - (Optional) Site Local K8s API access is disabled (`Bool`). - - - -###### One of the arguments from this list "active_network_policies, active_enhanced_firewall_policies, no_network_policy" must be set +###### One of the arguments from this list "active_enhanced_firewall_policies, active_network_policies, no_network_policy" must be set `active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - `active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - `no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). - `node` - (Optional) Only Single AZ or Three AZ(s) nodes are supported currently.. See [Voltstack Cluster Ar Node ](#voltstack-cluster-ar-node) below for details. 
- - ###### One of the arguments from this list "no_outside_static_routes, outside_static_routes" must be set `no_outside_static_routes` - (Optional) Static Routes disabled for outside network. (`Bool`). - `outside_static_routes` - (Optional) Manage static routes for outside network.. See [Outside Static Route Choice Outside Static Routes ](#outside-static-route-choice-outside-static-routes) below for details. - - - ###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set `sm_connection_public_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - `sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - - - ###### One of the arguments from this list "default_storage, storage_class_list" must be set `default_storage` - (Optional) Use standard storage class configured as AWS EBS (`Bool`). - `storage_class_list` - (Optional) Add additional custom storage classes in kubernetes for site. See [Storage Class Choice Storage Class List ](#storage-class-choice-storage-class-list) below for details. +### Sku Choice Sku Ergw1az +ErGw1Az SKU (Standard + Zone protection). +### Sku Choice Sku Ergw2az -### Sku Choice Sku Ergw1az - - ErGw1Az SKU (Standard + Zone protection). - - - -### Sku Choice Sku Ergw2az - - ErGw2Az SKU (High Perf + Zone protection). - - - -### Sku Choice Sku High Perf - - High Perf SKU. - +ErGw2Az SKU (High Perf + Zone protection). +### Sku Choice Sku High Perf -### Sku Choice Sku Standard +High Perf SKU. - Standard SKU. +### Sku Choice Sku Standard +Standard SKU. +### Spoke Vnet Routes Advertise To Route Server -### Spoke Vnet Routes Advertise To Route Server +Advertise Spoke Vnet CIDR Routes To Azure Route Server via BGP. - Advertise Spoke Vnet CIDR Routes To Azure Route Server via BGP. 
+### Spoke Vnet Routes Do Not Advertise To Route Server +Do Not Advertise Spoke Vnet CIDR Routes To Azure Route Server via BGP. +### Spoke Vnets Vnet -### Spoke Vnet Routes Do Not Advertise To Route Server - - Do Not Advertise Spoke Vnet CIDR Routes To Azure Route Server via BGP. - - - -### Spoke Vnets Vnet - - Information about existing VNet. +Information about existing VNet. `resource_group` - (Required) Resource group of existing Vnet (`String`). `vnet_name` - (Required) Name of existing Vnet (`String`). +### Storage Class Choice Default Storage +Use standard storage class configured as AWS EBS. -### Storage Class Choice Default Storage - - Use standard storage class configured as AWS EBS. - - +### Storage Class Choice Storage Class List -### Storage Class Choice Storage Class List - - Add additional custom storage classes in kubernetes for site. +Add additional custom storage classes in kubernetes for site. `storage_classes` - (Optional) List of custom storage classes. See [Storage Class List Storage Classes ](#storage-class-list-storage-classes) below for details. +### Storage Class List Storage Classes - -### Storage Class List Storage Classes - - List of custom storage classes. +List of custom storage classes. `default_storage_class` - (Optional) Make this storage class default storage class for the K8s cluster (`Bool`). `storage_class_name` - (Required) Name of the storage class as it will appear in K8s. (`String`). +### Subscription Choice Other Subscription - -### Subscription Choice Other Subscription - - ExpressRoute Circuit is in a different subscription than the site. In this case both Circuit ID and Authorization key are needed. +ExpressRoute Circuit is in a different subscription than the site. In this case both Circuit ID and Authorization key are needed. `authorized_key` - (Optional) Authorization Key created by the circuit owner. See [Other Subscription Authorized Key ](#other-subscription-authorized-key) below for details. 
`circuit_id` - (Optional) Circuit ID (`String`). +### Tls Interception Choice No Interception +No TLS interception is enabled for this network connector. -### Tls Interception Choice No Interception - - No TLS interception is enabled for this network connector. - - - -### Tls Interception Choice Tls Intercept - - Specify TLS interception configuration for the network connector. - +### Tls Interception Choice Tls Intercept +Specify TLS interception configuration for the network connector. ###### One of the arguments from this list "enable_for_all_domains, policy" must be set `enable_for_all_domains` - (Optional) Enable interception for all domains (`Bool`). - `policy` - (Optional) Policy to enable/disable specific domains, with implicit enable all domains. See [Interception Policy Choice Policy ](#interception-policy-choice-policy) below for details. - - - ###### One of the arguments from this list "custom_certificate, volterra_certificate" must be set `custom_certificate` - (Optional) Certificates for generating intermediate certificate for TLS interception.. See [Signing Cert Choice Custom Certificate ](#signing-cert-choice-custom-certificate) below for details. - `volterra_certificate` - (Optional) F5XC certificates for generating intermediate certificate for TLS interception. (`Bool`). - - - -###### One of the arguments from this list "volterra_trusted_ca, trusted_ca_url" must be set +###### One of the arguments from this list "trusted_ca_url, volterra_trusted_ca" must be set `trusted_ca_url` - (Optional) Custom Root CA Certificate for validating upstream server certificate (`String`). - `volterra_trusted_ca` - (Optional) F5XC Root CA Certificate for validating upstream server certificate (`Bool`). +### Trusted Ca Choice Volterra Trusted Ca +F5XC Root CA Certificate for validating upstream server certificate. 
+### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode -### Trusted Ca Choice Volterra Trusted Ca - - F5XC Root CA Certificate for validating upstream server certificate. - - - -### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode +Disable Vega Upgrade Mode. - Disable Vega Upgrade Mode. +### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode +When enabled, vega will inform RE to stop traffic to the specific node.. +### Ver Ipv4 -### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode - - When enabled, vega will inform RE to stop traffic to the specific node.. - - - -### Ver Ipv4 - - IPv4 Address. +IPv4 Address. `addr` - (Optional) IPv4 Address in string form with dot-decimal notation (`String`). +### Ver Ipv4 - -### Ver Ipv4 - - IPv4 Subnet Address. +IPv4 Subnet Address. `plen` - (Optional) Prefix-length of the IPv4 subnet. Must be <= 32 (`Int`). `prefix` - (Optional) Prefix part of the IPv4 subnet in string form with dot-decimal notation (`String`). +### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Address. +IPv6 Address. `addr` - (Optional) e.g. '2001:db8:0:0:0:0:2:1' becomes '2001:db8::2:1' or '2001:db8:0:0:0:2:0:0' becomes '2001:db8::2::' (`String`). +### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Subnet Address. +IPv6 Subnet Address. `plen` - (Optional) Prefix length of the IPv6 subnet. Must be <= 128 (`Int`). `prefix` - (Optional) e.g. "2001:db8::2::" (`String`). +### Volterra Sw Version Choice Default Sw Version +Will assign latest available F5XC Software Version. -### Volterra Sw Version Choice Default Sw Version - - Will assign latest available F5XC Software Version. - - - -### Voltstack Cluster Accelerated Networking - - disruption will be seen. - +### Voltstack Cluster Accelerated Networking +disruption will be seen. ###### One of the arguments from this list "disable, enable" must be set `disable` - (Optional) infrastructure. (`Bool`). - `enable` - (Optional) improving networking performance (`Bool`). 
+### Voltstack Cluster Az Nodes - - -### Voltstack Cluster Az Nodes - - Only Single AZ or Three AZ(s) nodes are supported currently.. +Only Single AZ or Three AZ(s) nodes are supported currently.. `azure_az` - (Required) Azure availability zone. (`String`). @@ -3441,27 +1612,19 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `local_subnet` - (Optional) Subnets for the site local interface of the node. See [Az Nodes Local Subnet ](#az-nodes-local-subnet) below for details. +### Voltstack Cluster Ar Accelerated Networking - -### Voltstack Cluster Ar Accelerated Networking - - disruption will be seen. - - +disruption will be seen. ###### One of the arguments from this list "disable, enable" must be set `disable` - (Optional) infrastructure. (`Bool`). - `enable` - (Optional) improving networking performance (`Bool`). +### Voltstack Cluster Ar Node - - -### Voltstack Cluster Ar Node - - Only Single AZ or Three AZ(s) nodes are supported currently.. +Only Single AZ or Three AZ(s) nodes are supported currently.. `fault_domain` - (Optional) Namuber of fault domains to be used while creating the availability set (`Int`). @@ -3471,9 +1634,7 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `update_domain` - (Optional) Namuber of update domains to be used while creating the availability set (`Int`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured azure_vnet_site. - +- `id` - This is the id of the configured azure_vnet_site. diff --git a/docs/resources/volterra_bgp.md b/docs/resources/volterra_bgp.md index 98b217e81..11e1e6486 100644 --- a/docs/resources/volterra_bgp.md +++ b/docs/resources/volterra_bgp.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: bgp" -description: "The bgp allows CRUD of Bgp resource on Volterra SaaS" +description: "The bgp allows CRUD of Bgp resource on Volterra SaaS" + --- -# Resource volterra_bgp -The Bgp allows CRUD of Bgp resource on Volterra SaaS +Resource volterra_bgp +===================== + +The Bgp allows CRUD of Bgp resource on Volterra SaaS -~> **Note:** Please refer to [Bgp API docs](https://docs.cloud.f5.com/docs-v2/api/bgp) to learn more +~> **Note:** Please refer to [Bgp API docs](https://docs.cloud.f5.com/docs-v2/api/bgp) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_bgp" "example" { @@ -42,7 +35,7 @@ resource "volterra_bgp" "example" { bgp_router_id_type = "bgp_router_id_type" - // One of the arguments from this list "local_address from_site ip_address" must be set + // One of the arguments from this list "from_site ip_address local_address" must be set local_address = true } 
@@ -64,32 +57,36 @@ resource "volterra_bgp" "example" { // One of the arguments from this list "external internal" must be set external { - // One of the arguments from this list "address subnet_begin_offset subnet_end_offset from_site default_gateway disable" must be set + // One of the arguments from this list "address default_gateway disable from_site subnet_begin_offset subnet_end_offset" must be set address = "address" - // One of the arguments from this list "default_gateway_v6 disable_v6 address_ipv6 subnet_begin_offset_v6 subnet_end_offset_v6 from_site_v6" must be set + // One of the arguments from this list "address_ipv6 default_gateway_v6 disable_v6 from_site_v6 subnet_begin_offset_v6 subnet_end_offset_v6" must be set - address_ipv6 = "address_ipv6" + default_gateway_v6 = true asn = "64512" - // One of the arguments from this list "no_authentication md5_auth_key" can be set + // One of the arguments from this list "md5_auth_key no_authentication" can be set no_authentication = true family_inet { // One of the arguments from this list "disable enable" must be set - disable = true + enable = true } family_inet_v6 { - // One of the arguments from this list "enable disable" must be set + // One of the arguments from this list "disable enable" must be set - enable = true + disable = true } - // One of the arguments from this list "interface interface_list inside_interfaces outside_interfaces" must be set + // One of the arguments from this list "inside_interfaces interface interface_list outside_interfaces" must be set - outside_interfaces = true + interface { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } port = "179" } } 
@@ -121,320 +118,34 @@ resource "volterra_bgp" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `bgp_parameters` - (Required) BGP parameters for local site. See [Bgp Parameters ](#bgp-parameters) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `peers` - (Required) List of peers. See [Peers ](#peers) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `where` - (Required) Site or virtual site where this BGP configuration should be applied.. See [Where ](#where) below for details. +### Bgp Parameters - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Bgp Parameters - - BGP parameters for local site. +BGP parameters for local site. `asn` - (Required) Autonomous System Number (`Int`). 
@@ -444,309 +155,201 @@ resource "volterra_bgp" "example" { `bgp_router_id_type` - (Optional) Decides how BGP router id is derived (`String`).(Deprecated) - - -###### One of the arguments from this list "local_address, from_site, ip_address" must be set +###### One of the arguments from this list "from_site, ip_address, local_address" must be set `from_site` - (Optional) Use the Router ID field from the site object. (`Bool`). - `ip_address` - (Optional) Use the configured IPv4 Address as Router ID. (`String`). - `local_address` - (Optional) Use an interface address of the site as the Router ID. (`Bool`). +### Peers - - -### Peers - - List of peers. +List of peers. `metadata` - (Required) Common attributes for the peer including name and description.. See [Peers Metadata ](#peers-metadata) below for details. - - ###### One of the arguments from this list "passive_mode_disabled, passive_mode_enabled" must be set `passive_mode_disabled` - (Optional) x-displayName: "Disabled" (`Bool`). - `passive_mode_enabled` - (Optional) x-displayName: "Enabled" (`Bool`). - `target_service` - (Optional) Specify whether this peer should be configured in "phobos" or "frr". (`String`).(Deprecated) - - ###### One of the arguments from this list "external, internal" must be set `external` - (Optional) External BGP peer.. See [Type Choice External ](#type-choice-external) below for details. - `internal` - (Optional) Internal BGP peer.. See [Type Choice Internal ](#type-choice-internal) below for details.(Deprecated) +### Where - - -### Where - - Site or virtual site where this BGP configuration should be applied.. - - +Site or virtual site where this BGP configuration should be applied.. ###### One of the arguments from this list "site, virtual_site" must be set `site` - (Optional) Direct reference to site object. See [Ref Or Selector Site ](#ref-or-selector-site) below for details. - `virtual_site` - (Optional) Direct reference to virtual site object. 
See [Ref Or Selector Virtual Site ](#ref-or-selector-virtual-site) below for details. +### Address Choice Default Gateway +Use the default gateway address.. +### Address Choice Disable -### Address Choice Default Gateway - - Use the default gateway address.. - - - -### Address Choice Disable - - No Peer Ipv4 Address.. - - - -### Address Choice From Site - - Use the address specified in the site object.. - - - -### Address Choice V6 Default Gateway V6 - - Use the default gateway address.. - - - -### Address Choice V6 Disable V6 - - No Peer IPv6 Address.. - +No Peer Ipv4 Address.. +### Address Choice From Site -### Address Choice V6 From Site V6 +Use the address specified in the site object.. - Use the address specified in the site object.. +### Address Choice V6 Default Gateway V6 +Use the default gateway address.. +### Address Choice V6 Disable V6 -### Auth Choice No Authentication +No Peer IPv6 Address.. - No Authentication of BGP session. +### Address Choice V6 From Site V6 +Use the address specified in the site object.. +### Auth Choice No Authentication -### Bgp Parameters Bgp Router Id +No Authentication of BGP session. - If Router ID Type is set to "From IP Address", this is used as Router ID. Else, this is ignored.. +### Bgp Parameters Bgp Router Id +If Router ID Type is set to "From IP Address", this is used as Router ID. Else, this is ignored.. - - -###### One of the arguments from this list "ipv6, ipv4" can be set +###### One of the arguments from this list "ipv4, ipv6" can be set `ipv4` - (Optional) IPv4 Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - `ipv6` - (Optional) IPv6 Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Enable Choice Disable +Disable IPv4 family Route Exchange.. +### Enable Choice Enable -### Enable Choice Disable - - Disable IPv4 family Route Exchange.. - - - -### Enable Choice Enable +Enable IPv4 family Route Exchange.. - Enable IPv4 family Route Exchange.. 
+### Enable Choice Enable +Enable the IPv4 Unicast family.. - -### Enable Choice Enable - - Enable the IPv4 Unicast family.. - - - -###### One of the arguments from this list "enable, disable" must be set +###### One of the arguments from this list "disable, enable" must be set `disable` - (Optional) Disable the IPv4 Unicast family. (`Bool`).(Deprecated) - `enable` - (Optional) Enable the IPv4 Unicast family. (`Bool`). +### External Family Inet +Enable/Disable Ipv4 family of routes exchange with peer. - -### External Family Inet - - Enable/Disable Ipv4 family of routes exchange with peer. - - - -###### One of the arguments from this list "enable, disable" must be set +###### One of the arguments from this list "disable, enable" must be set `disable` - (Optional) Disable IPv4 family Route Exchange. (`Bool`). - `enable` - (Optional) Enable IPv4 family Route Exchange. (`Bool`). +### External Family Inet V6 +Enable/Disable IPv6 family of routes exchange with peer. - -### External Family Inet V6 - - Enable/Disable IPv6 family of routes exchange with peer. - - - -###### One of the arguments from this list "enable, disable" must be set +###### One of the arguments from this list "disable, enable" must be set `disable` - (Optional) Disable IPv6 family Route Exchange. (`Bool`). - `enable` - (Optional) Enable IPv6 family Route Exchange. (`Bool`). +### Interface Choice Inside Interfaces +All interfaces in the site local inside network.. +### Interface Choice Interface List -### Interface Choice Inside Interfaces - - All interfaces in the site local inside network.. - - - -### Interface Choice Interface List - - List of network interfaces.. +List of network interfaces.. `interfaces` - (Required) List of network interfaces.. See [ref](#ref) below for details. +### Interface Choice Outside Interfaces +All interfaces in the site local outside network.. -### Interface Choice Outside Interfaces - - All interfaces in the site local outside network.. 
- - - -### Internal Family Inet6vpn - - Parameters for IPv6 VPN Unicast family.. - +### Internal Family Inet6vpn +Parameters for IPv6 VPN Unicast family.. -###### One of the arguments from this list "enable, disable" must be set +###### One of the arguments from this list "disable, enable" must be set `disable` - (Optional) Disable the IPv6 Unicast family. (`Bool`).(Deprecated) - `enable` - (Optional) Enable the IPv6 Unicast family. (`Bool`). +### Internal Family Inetvpn +Parameters for IPv4 VPN Unicast family.. - -### Internal Family Inetvpn - - Parameters for IPv4 VPN Unicast family.. - - - -###### One of the arguments from this list "enable, disable" must be set +###### One of the arguments from this list "disable, enable" must be set `disable` - (Optional) Disable the IPv4 Unicast family. (`Bool`).(Deprecated) - `enable` - (Optional) Enable the IPv4 Unicast family.. See [Enable Choice Enable ](#enable-choice-enable) below for details. +### Internal Family Rtarget +Parameters for Route Target family.. - -### Internal Family Rtarget - - Parameters for Route Target family.. - - - -###### One of the arguments from this list "enable, disable" must be set +###### One of the arguments from this list "disable, enable" must be set `disable` - (Optional) Disable the Route Target family. (`Bool`). - `enable` - (Optional) Enable the Route Target family. (`Bool`). +### Internal Family Uuidvpn +Parameters for UUID VPN Unicast family.. - -### Internal Family Uuidvpn - - Parameters for UUID VPN Unicast family.. - - - -###### One of the arguments from this list "enable, disable" must be set +###### One of the arguments from this list "disable, enable" must be set `disable` - (Optional) Disable the UUID Unicast family. (`Bool`).(Deprecated) - `enable` - (Optional) Enable the UUID Unicast family. (`Bool`). +### Internet Vip Choice Disable Internet Vip +Do not enable advertise on external internet vip.. 
+### Internet Vip Choice Enable Internet Vip -### Internet Vip Choice Disable Internet Vip - - Do not enable advertise on external internet vip.. - +Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site.. +### Mtls Choice Disable Mtls -### Internet Vip Choice Enable Internet Vip +Disable mTLS. - Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site.. +### Mtls Choice Enable Mtls +Enable mTLS. +### Passive Choice Passive Mode Disabled -### Mtls Choice Disable Mtls +x-displayName: "Disabled". - Disable mTLS. +### Passive Choice Passive Mode Enabled +x-displayName: "Enabled". +### Peers Metadata -### Mtls Choice Enable Mtls - - Enable mTLS. - - - -### Passive Choice Passive Mode Disabled - - x-displayName: "Disabled". - - - -### Passive Choice Passive Mode Enabled - - x-displayName: "Enabled". - - - -### Peers Metadata - - Common attributes for the peer including name and description.. +Common attributes for the peer including name and description.. `description` - (Optional) Human readable description. (`String`). @@ -754,10 +357,7 @@ resource "volterra_bgp" "example" { `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -767,178 +367,122 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Ref Or Selector Site +Direct reference to site object. -### Ref Or Selector Site - - Direct reference to site object. - - - -###### One of the arguments from this list "enable_internet_vip, disable_internet_vip" must be set +###### One of the arguments from this list "disable_internet_vip, enable_internet_vip" must be set `disable_internet_vip` - (Optional) Do not enable advertise on external internet vip. (`Bool`). - `enable_internet_vip` - (Optional) Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site. (`Bool`). - `network_type` - (Optional) The type of network on the referred site (`String`). `ref` - (Required) A site direct reference. See [ref](#ref) below for details. `refs` - (Optional) Reference to virtual network. See [ref](#ref) below for details.(Deprecated) +### Ref Or Selector Virtual Site - -### Ref Or Selector Virtual Site - - Direct reference to virtual site object. - - +Direct reference to virtual site object. ###### One of the arguments from this list "disable_internet_vip, enable_internet_vip" must be set `disable_internet_vip` - (Optional) Do not enable advertise on external internet vip. (`Bool`). - `enable_internet_vip` - (Optional) Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site. (`Bool`). - `network_type` - (Optional) The type of network on the referred virtual_site (`String`). `ref` - (Required) A virtual_site direct reference. See [ref](#ref) below for details. `refs` - (Optional) Reference to virtual network. See [ref](#ref) below for details.(Deprecated) +### Router Id Choice From Site +Use the Router ID field from the site object.. -### Router Id Choice From Site - - Use the Router ID field from the site object.. 
- - - -### Router Id Choice Local Address - - Use an interface address of the site as the Router ID.. - - +### Router Id Choice Local Address -### Sr Choice Disable +Use an interface address of the site as the Router ID.. - Disable the IPv4 Unicast family.. +### Sr Choice Disable +Disable the IPv4 Unicast family.. +### Sr Choice Enable -### Sr Choice Enable +Enable the IPv4 Unicast family.. - Enable the IPv4 Unicast family.. +### Type Choice External +External BGP peer.. - -### Type Choice External - - External BGP peer.. - - - -###### One of the arguments from this list "disable, address, subnet_begin_offset, subnet_end_offset, from_site, default_gateway" must be set +###### One of the arguments from this list "address, default_gateway, disable, from_site, subnet_begin_offset, subnet_end_offset" must be set `address` - (Optional) Specify IPV4 peer address. (`String`). - `default_gateway` - (Optional) Use the default gateway address. (`Bool`). - `disable` - (Optional) No Peer Ipv4 Address. (`Bool`). - `from_site` - (Optional) Use the address specified in the site object. (`Bool`). - `subnet_begin_offset` - (Optional) Calculate peer address using offset from the beginning of the subnet. (`Int`). - `subnet_end_offset` - (Optional) Calculate peer address using offset from the end of the subnet. (`Int`). - - - -###### One of the arguments from this list "disable_v6, address_ipv6, subnet_begin_offset_v6, subnet_end_offset_v6, from_site_v6, default_gateway_v6" must be set +###### One of the arguments from this list "address_ipv6, default_gateway_v6, disable_v6, from_site_v6, subnet_begin_offset_v6, subnet_end_offset_v6" must be set `address_ipv6` - (Optional) Specify peer IPv6 address. (`String`). - `default_gateway_v6` - (Optional) Use the default gateway address. (`Bool`). - `disable_v6` - (Optional) No Peer IPv6 Address. (`Bool`). - `from_site_v6` - (Optional) Use the address specified in the site object. (`Bool`). 
- `subnet_begin_offset_v6` - (Optional) Calculate peer address using offset from the beginning of the subnet. (`Int`). - `subnet_end_offset_v6` - (Optional) Calculate peer address using offset from the end of the subnet. (`Int`). - `asn` - (Required) Autonomous System Number for BGP peer (`Int`). - - - -###### One of the arguments from this list "no_authentication, md5_auth_key" can be set +###### One of the arguments from this list "md5_auth_key, no_authentication" can be set `md5_auth_key` - (Optional) MD5 key for protecting BGP Sessions (RFC 2385) (`String`). - `no_authentication` - (Optional) No Authentication of BGP session (`Bool`). - `family_inet` - (Optional) Enable/Disable Ipv4 family of routes exchange with peer. See [External Family Inet ](#external-family-inet) below for details. `family_inet_v6` - (Optional) Enable/Disable IPv6 family of routes exchange with peer. See [External Family Inet V6 ](#external-family-inet-v6) below for details. - - -###### One of the arguments from this list "interface, interface_list, inside_interfaces, outside_interfaces" must be set +###### One of the arguments from this list "inside_interfaces, interface, interface_list, outside_interfaces" must be set `inside_interfaces` - (Optional) All interfaces in the site local inside network. (`Bool`).(Deprecated) - `interface` - (Optional) Specify interface.. See [ref](#ref) below for details. - `interface_list` - (Optional) List of network interfaces.. See [Interface Choice Interface List ](#interface-choice-interface-list) below for details. - `outside_interfaces` - (Optional) All interfaces in the site local outside network. (`Bool`).(Deprecated) - `port` - (Optional) Peer TCP port number. (`Int`). +### Type Choice Internal +Internal BGP peer.. -### Type Choice Internal - - Internal BGP peer.. 
- - - -###### One of the arguments from this list "address, from_site, dns_name" must be set +###### One of the arguments from this list "address, dns_name, from_site" must be set `address` - (Optional) Specify peer address. (`String`). - `dns_name` - (Optional) Use the addresse by resolving the given DNS name. (`String`).(Deprecated) - `from_site` - (Optional) Use the address specified in the site object. (`Bool`). - `family_inet6vpn` - (Optional) Parameters for IPv6 VPN Unicast family.. See [Internal Family Inet6vpn ](#internal-family-inet6vpn) below for details. `family_inetvpn` - (Optional) Parameters for IPv4 VPN Unicast family.. See [Internal Family Inetvpn ](#internal-family-inetvpn) below for details. @@ -947,38 +491,27 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `family_uuidvpn` - (Optional) Parameters for UUID VPN Unicast family.. See [Internal Family Uuidvpn ](#internal-family-uuidvpn) below for details. - - - ###### One of the arguments from this list "disable_mtls, enable_mtls" can be set `disable_mtls` - (Optional) Disable mTLS (`Bool`).(Deprecated) - `enable_mtls` - (Optional) Enable mTLS (`Bool`).(Deprecated) - `port` - (Optional) Local Peer TCP Port Number. (`Int`). +### Ver Ipv4 - -### Ver Ipv4 - - IPv4 Address. +IPv4 Address. `addr` - (Optional) IPv4 Address in string form with dot-decimal notation (`String`). +### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Address. +IPv6 Address. `addr` - (Optional) e.g. '2001:db8:0:0:0:0:2:1' becomes '2001:db8::2:1' or '2001:db8:0:0:0:2:0:0' becomes '2001:db8::2::' (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured bgp. - +- `id` - This is the id of the configured bgp. diff --git a/docs/resources/volterra_bgp_asn_set.md b/docs/resources/volterra_bgp_asn_set.md index 0d7069670..6b6c3ad98 100644 --- a/docs/resources/volterra_bgp_asn_set.md +++ b/docs/resources/volterra_bgp_asn_set.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: bgp_asn_set" -description: "The bgp_asn_set allows CRUD of Bgp Asn Set resource on Volterra SaaS" +description: "The bgp_asn_set allows CRUD of Bgp Asn Set resource on Volterra SaaS" + --- -# Resource volterra_bgp_asn_set -The Bgp Asn Set allows CRUD of Bgp Asn Set resource on Volterra SaaS +Resource volterra_bgp_asn_set +============================= + +The Bgp Asn Set allows CRUD of Bgp Asn Set resource on Volterra SaaS -~> **Note:** Please refer to [Bgp Asn Set API docs](https://docs.cloud.f5.com/docs-v2/api/bgp-asn-set) to learn more +~> **Note:** Please refer to [Bgp Asn Set API docs](https://docs.cloud.f5.com/docs-v2/api/bgp-asn-set) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_bgp_asn_set" "example" { 
@@ -32,35 +25,28 @@ resource "volterra_bgp_asn_set" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create whitelists or blacklists for use in network policy or service policy. (`List of Int`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured bgp_asn_set. - +- `id` - This is the id of the configured bgp_asn_set. diff --git a/docs/resources/volterra_bigip_centralmanager_site.md b/docs/resources/volterra_bigip_centralmanager_site.md new file mode 100644 index 000000000..62fd5c18d --- /dev/null +++ b/docs/resources/volterra_bigip_centralmanager_site.md 
@@ -0,0 +1,64 @@ +--- + +page_title: "Volterra: bigip_centralmanager_site" +description: "The bigip_centralmanager_site allows CRUD of Bigip Centralmanager Site resource on Volterra SaaS" + +--- + +Resource volterra_bigip_centralmanager_site +=========================================== + +The Bigip Centralmanager Site allows CRUD of Bigip Centralmanager Site resource on Volterra SaaS + +~> **Note:** Please refer to [Bigip Centralmanager Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-bigip-centralmanager-site) to learn more + +Example Usage +------------- + +```hcl +resource "volterra_bigip_centralmanager_site" "example" { + name = "acmecorp-web" + namespace = "staging" +} + +``` + +Argument Reference +------------------ + +### Metadata Argument Reference + +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). + +`description` - (Optional) Human readable description for the object (`String`). + +`disable` - (Optional) A value of true will administratively disable the object (`Bool`). + +`labels` - (Optional) by selector expression (`String`). + +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). + +`namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). + +### Spec Argument Reference + +`volterra_software` - (Optional) Refer to release notes to find required released SW versions.. See [Volterra Software ](#volterra-software) below for details. + +### Volterra Software + +Refer to release notes to find required released SW versions.. + +###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set + +`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). + +`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). 
+ +### Volterra Sw Version Choice Default Sw Version + +Will assign latest available F5XC Software Version. + +Attribute Reference +------------------- + +- `id` - This is the id of the configured bigip_centralmanager_site. diff --git a/docs/resources/volterra_bigip_instance_site.md b/docs/resources/volterra_bigip_instance_site.md new file mode 100644 index 000000000..6d794847e --- /dev/null +++ b/docs/resources/volterra_bigip_instance_site.md 
@@ -0,0 +1,246 @@ +--- + +page_title: "Volterra: bigip_instance_site" +description: "The bigip_instance_site allows CRUD of Bigip Instance Site resource on Volterra SaaS" + +--- + +Resource volterra_bigip_instance_site +===================================== + +The Bigip Instance Site allows CRUD of Bigip Instance Site resource on Volterra SaaS + +~> **Note:** Please refer to [Bigip Instance Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-bigip-instance-site) to learn more + +Example Usage +------------- + +```hcl +resource "volterra_bigip_instance_site" "example" { + name = "acmecorp-web" + namespace = "staging" + + central_manager { + central_manager_site { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } + } +} + +``` + +Argument Reference +------------------ + +### Metadata Argument Reference + +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). + +`description` - (Optional) Human readable description for the object (`String`). + +`disable` - (Optional) A value of true will administratively disable the object (`Bool`). + +`labels` - (Optional) by selector expression (`String`). + +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). + +`namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). + +### Spec Argument Reference + +`central_manager` - (Required) BIG-IP Central manager site managing this BIG-IP instance. See [Central Manager ](#central-manager) below for details. + +`node_list` - (Optional) Once a node is created and registers with the site, it will be shown in this section.. See [Node List ](#node-list) below for details. + +`volterra_software` - (Optional) Refer to release notes to find required released SW versions.. See [Volterra Software ](#volterra-software) below for details. + +### Central Manager + +BIG-IP Central manager site managing this BIG-IP instance. 
+ +`central_manager_site` - (Optional) BIG-IP Central manager site managing this BIG-IP instance. See [ref](#ref) below for details. + +### Node List + +Once a node is created and registers with the site, it will be shown in this section.. + +`hostname` - (Optional) Hostname for this Node (`String`). + +`interface_list` - (Optional) Manage interfaces belonging to this node. See [Node List Interface List ](#node-list-interface-list) below for details. + +`public_ip` - (Optional) Public IP for this Node (`String`). + +`type` - (Optional) Type for this Node, can be Control or Worker (`String`). + +### Volterra Software + +Refer to release notes to find required released SW versions.. + +###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set + +`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). + +`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). + +### Address Choice Dhcp Client + +Interface gets it's IP address from an external DHCP server.. + +### Address Choice Dhcp Server + +DHCP Server is configured for this interface, Interface IP is derived from DHCP server configuration.. + +### Address Choice No Ipv4 Address + +Interface does not have an IPv4 Address.. + +### Address Choice Static Ip + +Interface IP address is configured statically.. + +### Interface Choice Bond Interface + +x-displayName: "Bond Interface". + +### Interface Choice Ethernet Interface + +x-displayName: "Ethernet Interface". + +`device` - (Required) Once configured, this interface will be part of this sites dataplane and can participate in the networking services configured on this site. (`String`). + +`mac` - (Optional) x-example: "01:10:20:0a:bb:1c" (`String`). + +### Interface Choice Vlan Interface + +x-displayName: "VLAN Interface". + +`device` - (Required) Select a parent interface from the dropdown. (`String`). 
+ +`vlan_id` - (Optional) Configure the VLAN tag for this interface. (`Int`). + +### Interface List Network Option + +Global VRFs are configured via Networking > Segments. A site can have multple Network Segments (global VRFs).. + +###### One of the arguments from this list "segment_network, site_local_inside_network, site_local_network" can be set + +`segment_network` - (Optional) x-displayName: "Segment (Global VRF)". See [ref](#ref) below for details. + +`site_local_inside_network` - (Optional) x-displayName: "Site Local Inside (Local VRF)" (`Bool`). + +`site_local_network` - (Optional) x-displayName: "Site Local Outside (Local VRF)" (`Bool`). + +### Ipv6 Address Choice Ipv6 Auto Config + +Interface IPv6 address will be configured via Auto Configuration.. + +### Ipv6 Address Choice No Ipv6 Address + +Interface does not have an IPv6 Address.. + +### Ipv6 Address Choice Static Ipv6 Address + +Interface IPv6 address is configured statically.. + +### Monitoring Choice Monitor + +x-displayName: "Enabled". + +### Monitoring Choice Monitor Disabled + +x-displayName: "Disabled". + +### Network Choice Site Local Inside Network + +x-displayName: "Site Local Inside (Local VRF)". + +### Network Choice Site Local Network + +x-displayName: "Site Local Outside (Local VRF)". + +### Node List Interface List + +Manage interfaces belonging to this node. + +###### One of the arguments from this list "dhcp_client, dhcp_server, no_ipv4_address, static_ip" must be set + +`dhcp_client` - (Optional) Interface gets it's IP address from an external DHCP server. (`Bool`). + +`dhcp_server` - (Optional) DHCP Server is configured for this interface, Interface IP is derived from DHCP server configuration.. See [Address Choice Dhcp Server ](#address-choice-dhcp-server) below for details. + +`no_ipv4_address` - (Optional) Interface does not have an IPv4 Address. (`Bool`). + +`static_ip` - (Optional) Interface IP address is configured statically.. 
See [Address Choice Static Ip ](#address-choice-static-ip) below for details. + +`description` - (Optional) Description for this Interface (`String`). + +###### One of the arguments from this list "bond_interface, ethernet_interface, vlan_interface" must be set + +`bond_interface` - (Optional) x-displayName: "Bond Interface". See [Interface Choice Bond Interface ](#interface-choice-bond-interface) below for details. + +`ethernet_interface` - (Optional) x-displayName: "Ethernet Interface". See [Interface Choice Ethernet Interface ](#interface-choice-ethernet-interface) below for details. + +`vlan_interface` - (Optional) x-displayName: "VLAN Interface". See [Interface Choice Vlan Interface ](#interface-choice-vlan-interface) below for details. + +###### One of the arguments from this list "ipv6_auto_config, no_ipv6_address, static_ipv6_address" can be set + +`ipv6_auto_config` - (Optional) Interface IPv6 address will be configured via Auto Configuration.. See [Ipv6 Address Choice Ipv6 Auto Config ](#ipv6-address-choice-ipv6-auto-config) below for details. + +`no_ipv6_address` - (Optional) Interface does not have an IPv6 Address. (`Bool`). + +`static_ipv6_address` - (Optional) Interface IPv6 address is configured statically.. See [Ipv6 Address Choice Static Ipv6 Address ](#ipv6-address-choice-static-ipv6-address) below for details. + +`is_management` - (Optional) To be used internally to set an interface as management interface (`Bool`).(Deprecated) + +`is_primary` - (Optional) Use for Primary Interface (`Bool`).(Deprecated) + +`labels` - (Optional) Add Labels for this Interface, these labels can be used in firewall policy (`String`). + +###### One of the arguments from this list "monitor, monitor_disabled" can be set + +`monitor` - (Optional) x-displayName: "Enabled". See [Monitoring Choice Monitor ](#monitoring-choice-monitor) below for details. + +`monitor_disabled` - (Optional) x-displayName: "Disabled" (`Bool`). 
+ +`mtu` - (Optional) When configured, mtu must be between 512 and 16384 (`Int`). + +`name` - (Optional) Name of this Interface (`String`). + +`network_option` - (Required) Global VRFs are configured via Networking > Segments. A site can have multple Network Segments (global VRFs).. See [Interface List Network Option ](#interface-list-network-option) below for details. + +`priority` - (Optional) Greater the value, higher the priority (`Int`). + +###### One of the arguments from this list "site_to_site_connectivity_interface_disabled, site_to_site_connectivity_interface_enabled" can be set + +`site_to_site_connectivity_interface_disabled` - (Optional) Do not use this interface for site to site connectivity. (`Bool`). + +`site_to_site_connectivity_interface_enabled` - (Optional) Use this this interface for site to site connectivity. (`Bool`). + +### Ref + +Reference to another volterra object is shown like below + +name - (Required) then name will hold the referred object's(e.g. route's) name. (String). + +namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). + +tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). + +### Site To Site Connectivity Interface Choice Site To Site Connectivity Interface Disabled + +Do not use this interface for site to site connectivity.. + +### Site To Site Connectivity Interface Choice Site To Site Connectivity Interface Enabled + +Use this this interface for site to site connectivity.. + +### Volterra Sw Version Choice Default Sw Version + +Will assign latest available F5XC Software Version. + +Attribute Reference +------------------- + +- `id` - This is the id of the configured bigip_instance_site. diff --git a/docs/resources/volterra_cdn_loadbalancer.md b/docs/resources/volterra_cdn_loadbalancer.md index 1e8c7c244..c2dbdfdd7 100644 --- a/docs/resources/volterra_cdn_loadbalancer.md +++ b/docs/resources/volterra_cdn_loadbalancer.md 
@@ -1,116 +1,84 @@ - - - - - - - - - - - - --- + page_title: "Volterra: cdn_loadbalancer" -description: "The cdn_loadbalancer allows CRUD of Cdn Loadbalancer resource on Volterra SaaS" +description: "The cdn_loadbalancer allows CRUD of Cdn Loadbalancer resource on Volterra SaaS" + --- -# Resource volterra_cdn_loadbalancer -The Cdn Loadbalancer allows CRUD of Cdn Loadbalancer resource on Volterra SaaS +Resource volterra_cdn_loadbalancer +================================== -~> **Note:** Please refer to [Cdn Loadbalancer API docs](https://docs.cloud.f5.com/docs-v2/api/views-cdn-loadbalancer) to learn more +The Cdn Loadbalancer allows CRUD of Cdn Loadbalancer resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Cdn Loadbalancer API docs](https://docs.cloud.f5.com/docs-v2/api/views-cdn-loadbalancer) to learn more + +Example Usage +------------- ```hcl resource "volterra_cdn_loadbalancer" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "disable_api_definition api_specification api_specification_on_cache_miss" must be set + // One of the arguments from this list "api_specification api_specification_on_cache_miss disable_api_definition" must be set disable_api_definition = true - // One of the arguments from this list "enable_api_discovery disable_api_discovery api_discovery_on_cache_miss" must be set + // One of the arguments from this list "api_discovery_on_cache_miss disable_api_discovery enable_api_discovery" must be set enable_api_discovery { + api_discovery_from_code_scan { + code_base_integrations { + // One of the arguments from this list "all_repos selected_repos" must be set + + all_repos = true + + code_base_integration { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } + } + } + discovered_api_settings {} - // One of the arguments from this list "enable_learn_from_redirect_traffic disable_learn_from_redirect_traffic" must be set + // One of the arguments from this list 
"disable_learn_from_redirect_traffic enable_learn_from_redirect_traffic" must be set disable_learn_from_redirect_traffic = true sensitive_data_detection_rules {} } - // One of the arguments from this list "disable_bot_defense bot_defense bot_defense_advanced" must be set + // One of the arguments from this list "bot_defense bot_defense_advanced disable_bot_defense" must be set disable_bot_defense = true - // One of the arguments from this list "js_challenge captcha_challenge policy_based_challenge no_challenge enable_challenge challenge_on_cache_miss" must be set - - captcha_challenge { - cookie_expiry = "1000" + // One of the arguments from this list "captcha_challenge challenge_on_cache_miss enable_challenge js_challenge no_challenge policy_based_challenge" must be set - custom_page = "string:///PHA+IFBsZWFzZSBXYWl0IDwvcD4=" - } + no_challenge = true - // One of the arguments from this list "disable_client_side_defense client_side_defense" must be set + // One of the arguments from this list "client_side_defense disable_client_side_defense" must be set disable_client_side_defense = true domains = ["www.foo.com"] - // One of the arguments from this list "l7_ddos_action_default l7_ddos_action_block l7_ddos_action_js_challenge l7_ddos_action_none" must be set - - l7_ddos_action_default = true - - // One of the arguments from this list "https http https_auto_cert" must be set - - https { - add_hsts = true - - http_redirect = true - - tls_parameters { - tls_certificates { - certificate_url = "value" - - description = "Certificate used in production environment" - - // One of the arguments from this list "custom_hash_algorithms use_system_defaults disable_ocsp_stapling" can be set - - use_system_defaults {} - private_key { - blindfold_secret_info_internal { - decryption_provider = "value" - - location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" + // One of the arguments from this list "l7_ddos_action_block l7_ddos_action_default l7_ddos_action_js_challenge 
l7_ddos_action_none" must be set - store_provider = "value" - } + l7_ddos_action_block = true - secret_encoding_type = "secret_encoding_type" + // One of the arguments from this list "http https https_auto_cert" must be set - // One of the arguments from this list "blindfold_secret_info vault_secret_info clear_secret_info wingman_secret_info" must be set + http { + dns_volterra_managed = true - clear_secret_info { - provider = "box-provider" + // One of the arguments from this list "port port_ranges" must be set - url = "string:///U2VjcmV0SW5mb3JtYXRpb24=" - } - } - } - - tls_config { - // One of the arguments from this list "tls_12_plus tls_11_plus" must be set - - tls_12_plus = true - } - } + port = "80" } // One of the arguments from this list "disable_malicious_user_detection enable_malicious_user_detection malicious_user_detection_on_cache_miss" must be set - disable_malicious_user_detection = true + malicious_user_detection_on_cache_miss = true origin_pool { follow_origin_redirect = true @@ -125,10 +93,10 @@ resource "volterra_cdn_loadbalancer" "example" { origin_servers { // One of the arguments from this list "public_ip public_name" must be set - public_ip { - // One of the arguments from this list "ip ipv6" must be set + public_name { + dns_name = "value" - ip = "8.8.8.8" + refresh_interval = "20" } port = "80" 
@@ -145,9656 +113,4610 @@ resource "volterra_cdn_loadbalancer" "example" { no_tls = true } - // One of the arguments from this list "disable_rate_limit api_rate_limit rate_limit" must be set + // One of the arguments from this list "api_rate_limit disable_rate_limit rate_limit" must be set disable_rate_limit = true - // One of the arguments from this list "sensitive_data_policy default_sensitive_data_policy" must be set + // One of the arguments from this list "default_sensitive_data_policy sensitive_data_policy" must be set default_sensitive_data_policy = true - // One of the arguments from this list "service_policies_from_namespace no_service_policies active_service_policies" must be set + // One of the arguments from this list "active_service_policies no_service_policies service_policies_from_namespace" must be set service_policies_from_namespace = true - // One of the arguments from this list "system_default_timeouts slow_ddos_mitigation" must be set + // One of the arguments from this list "slow_ddos_mitigation system_default_timeouts" must be set system_default_timeouts = true // One of the arguments from this list "disable_threat_mesh enable_threat_mesh" must be set - enable_threat_mesh = true + disable_threat_mesh = true // One of the arguments from this list "user_id_client_ip user_identification" must be set user_id_client_ip = true - // One of the arguments from this list "disable_waf app_firewall app_firewall_on_cache_miss" must be set - + // One of the arguments from this list "app_firewall disable_waf" must be set + disable_waf = true + } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). 
- `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `add_location` - (Optional) Appends header x-volterra-location = in responses. (`Bool`).(Deprecated) +###### One of the arguments from this list "api_specification, api_specification_on_cache_miss, disable_api_definition" must be set +`api_specification` - (Optional) Specify API definition and OpenAPI Validation. See [Api Definition Choice Api Specification ](#api-definition-choice-api-specification) below for details.(Deprecated) +`api_specification_on_cache_miss` - (Optional) Enable API definition and OpenAPI Validation only on cache miss in this distribution. See [Api Definition Choice Api Specification On Cache Miss ](#api-definition-choice-api-specification-on-cache-miss) below for details.(Deprecated) -`api_specification` - (Optional) Specify API definition and OpenAPI Validation. See [Api Definition Choice Api Specification ](#api-definition-choice-api-specification) below for details. - +`disable_api_definition` - (Optional) API Definition is not currently used for this load balancer (`Bool`).(Deprecated) +###### One of the arguments from this list "api_discovery_on_cache_miss, disable_api_discovery, enable_api_discovery" must be set +`api_discovery_on_cache_miss` - (Optional) Enable api discovery only on cache miss in this distribution. See [Api Discovery Choice Api Discovery On Cache Miss ](#api-discovery-choice-api-discovery-on-cache-miss) below for details.(Deprecated) +`disable_api_discovery` - (Optional) Disable api discovery for this distribution (`Bool`).(Deprecated) +`enable_api_discovery` - (Optional) Enable api discovery for all requests in this distribution. 
See [Api Discovery Choice Enable Api Discovery ](#api-discovery-choice-enable-api-discovery) below for details.(Deprecated) - +`api_protection_rules` - (Optional) Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. See [Api Protection Rules ](#api-protection-rules) below for details.(Deprecated) +`blocked_clients` - (Optional) Define rules to block IP Prefixes or AS numbers.. See [Blocked Clients ](#blocked-clients) below for details. - +###### One of the arguments from this list "bot_defense, bot_defense_advanced, disable_bot_defense" must be set +`bot_defense` - (Optional) Select Bot Defense Standard. See [Bot Defense Choice Bot Defense ](#bot-defense-choice-bot-defense) below for details.(Deprecated) +`bot_defense_advanced` - (Optional) Select Bot Defense Advanced. See [Bot Defense Choice Bot Defense Advanced ](#bot-defense-choice-bot-defense-advanced) below for details.(Deprecated) +`disable_bot_defense` - (Optional) No Bot Defense configuration for this load balancer (`Bool`).(Deprecated) - +`cache_rules` - (Optional) Rules are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs.. See [Cache Rules ](#cache-rules) below for details. +###### One of the arguments from this list "captcha_challenge, challenge_on_cache_miss, enable_challenge, js_challenge, no_challenge, policy_based_challenge" must be set +`captcha_challenge` - (Optional) Configure Captcha challenge on this load balancer. See [Challenge Type Captcha Challenge ](#challenge-type-captcha-challenge) below for details. +`challenge_on_cache_miss` - (Optional) Configure auto mitigation i.e risk based challenges for malicious users only on cache miss in this load balancer. 
See [Challenge Type Challenge On Cache Miss ](#challenge-type-challenge-on-cache-miss) below for details.(Deprecated) - +`enable_challenge` - (Optional) Configure auto mitigation i.e risk based challenges for malicious users for this load balancer. See [Challenge Type Enable Challenge ](#challenge-type-enable-challenge) below for details. +`js_challenge` - (Optional) Configure JavaScript challenge on this load balancer. See [Challenge Type Js Challenge ](#challenge-type-js-challenge) below for details. - +`no_challenge` - (Optional) No challenge is enabled for this load balancer (`Bool`). +`policy_based_challenge` - (Optional) Specifies the settings for policy rule based challenge. See [Challenge Type Policy Based Challenge ](#challenge-type-policy-based-challenge) below for details. +###### One of the arguments from this list "client_side_defense, disable_client_side_defense" must be set +`client_side_defense` - (Optional) Client-Side Defense configuration for JavaScript insertion. See [Client Side Defense Choice Client Side Defense ](#client-side-defense-choice-client-side-defense) below for details.(Deprecated) - +`disable_client_side_defense` - (Optional) No Client-Side Defense configuration for this load balancer (`Bool`).(Deprecated) +`cors_policy` - (Optional) resources from a server at a different origin. See [Cors Policy ](#cors-policy) below for details. +`csrf_policy` - (Optional) Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. See [Csrf Policy ](#csrf-policy) below for details. +`data_guard_rules` - (Optional) Note: App Firewall should be enabled, to use Data Guard feature.. See [Data Guard Rules ](#data-guard-rules) below for details. - +`ddos_mitigation_rules` - (Optional) Define manual mitigation rules to block L7 DDoS attacks.. See [Ddos Mitigation Rules ](#ddos-mitigation-rules) below for details. 
+`default_cache_action` - (Optional) Default value for Cache action.. See [Default Cache Action ](#default-cache-action) below for details. +`domains` - (Required) [This can be a domain or a sub-domain](`List of String`). +`graphql_rules` - (Optional) queries and prevent GraphQL tailored attacks.. See [Graphql Rules ](#graphql-rules) below for details. - +###### One of the arguments from this list "disable_ip_reputation, enable_ip_reputation, ip_reputation_on_cache_miss" can be set +`disable_ip_reputation` - (Optional) No IP reputation configured this distribution (`Bool`). +`enable_ip_reputation` - (Optional) Enable IP reputation for all requests in this distribution. See [Ip Reputation Choice Enable Ip Reputation ](#ip-reputation-choice-enable-ip-reputation) below for details. +`ip_reputation_on_cache_miss` - (Optional) Enable IP reputation only on cache miss in this distribution. See [Ip Reputation Choice Ip Reputation On Cache Miss ](#ip-reputation-choice-ip-reputation-on-cache-miss) below for details.(Deprecated) +`jwt_validation` - (Optional) tokens or tokens that are not yet valid.. See [Jwt Validation ](#jwt-validation) below for details. +###### One of the arguments from this list "l7_ddos_action_block, l7_ddos_action_default, l7_ddos_action_js_challenge, l7_ddos_action_none" must be set - +`l7_ddos_action_block` - (Optional) Block suspicious sources (`Bool`). +`l7_ddos_action_default` - (Optional) Block suspicious sources (`Bool`). +`l7_ddos_action_js_challenge` - (Optional) Serve JavaScript challenge to suspicious sources. See [L7 Ddos Auto Mitigation Action L7 Ddos Action Js Challenge ](#l7-ddos-auto-mitigation-action-l7-ddos-action-js-challenge) below for details. +`l7_ddos_action_none` - (Optional) Disable auto mitigation (`Bool`).(Deprecated) +###### One of the arguments from this list "http, https, https_auto_cert" must be set +`http` - (Optional) CDN Distribution serving content over HTTP. 
See [Loadbalancer Type Http ](#loadbalancer-type-http) below for details. +`https` - (Optional) User is responsible for managing DNS.. See [Loadbalancer Type Https ](#loadbalancer-type-https) below for details. +`https_auto_cert` - (Optional) DNS records will be managed by Volterra.. See [Loadbalancer Type Https Auto Cert ](#loadbalancer-type-https-auto-cert) below for details. - +###### One of the arguments from this list "disable_malicious_user_detection, enable_malicious_user_detection, malicious_user_detection_on_cache_miss" must be set +`disable_malicious_user_detection` - (Optional) Disable malicious user detection for this distribution (`Bool`). +`enable_malicious_user_detection` - (Optional) Enable malicious user detection for all requests in this distribution (`Bool`). +`malicious_user_detection_on_cache_miss` - (Optional) Enable malicious user detection only on cache miss in this distribution (`Bool`).(Deprecated) +`more_option` - (Optional) More options like header manipulation, compression etc.. See [More Option ](#more-option) below for details.(Deprecated) +`origin_pool` - (Required) x-required. See [Origin Pool ](#origin-pool) below for details. +`other_settings` - (Optional) x-displayName: "Other Settings". See [Other Settings ](#other-settings) below for details. +`protected_cookies` - (Optional) Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. See [Protected Cookies ](#protected-cookies) below for details. +###### One of the arguments from this list "api_rate_limit, disable_rate_limit, rate_limit" must be set - +`api_rate_limit` - (Optional) Define rate limiting for one or more API endpoints. See [Rate Limit Choice Api Rate Limit ](#rate-limit-choice-api-rate-limit) below for details. +`disable_rate_limit` - (Optional) Rate limiting is not currently enabled for this load balancer (`Bool`). +`rate_limit` - (Optional) Define custom rate limiting parameters for this load balancer. 
See [Rate Limit Choice Rate Limit ](#rate-limit-choice-rate-limit) below for details. +###### One of the arguments from this list "default_sensitive_data_policy, sensitive_data_policy" must be set - +`default_sensitive_data_policy` - (Optional) Apply system default sensitive data discovery (`Bool`).(Deprecated) +`sensitive_data_policy` - (Optional) Apply custom sensitive data discovery. See [Sensitive Data Policy Choice Sensitive Data Policy ](#sensitive-data-policy-choice-sensitive-data-policy) below for details.(Deprecated) +###### One of the arguments from this list "active_service_policies, no_service_policies, service_policies_from_namespace" must be set +`active_service_policies` - (Optional) Apply the specified list of service policies and bypass the namespace service policy set. See [Service Policy Choice Active Service Policies ](#service-policy-choice-active-service-policies) below for details. - +`no_service_policies` - (Optional) Do not apply any service policies i.e. bypass the namespace service policy set (`Bool`). +`service_policies_from_namespace` - (Optional) Apply the active service policies configured as part of the namespace service policy set (`Bool`). +###### One of the arguments from this list "slow_ddos_mitigation, system_default_timeouts" must be set +`slow_ddos_mitigation` - (Optional) Custom Settings for Slow DDoS Mitigation. See [Slow Ddos Mitigation Choice Slow Ddos Mitigation ](#slow-ddos-mitigation-choice-slow-ddos-mitigation) below for details. - +`system_default_timeouts` - (Optional) Default Settings for Slow DDoS Mitigation (`Bool`). +###### One of the arguments from this list "disable_threat_mesh, enable_threat_mesh" must be set +`disable_threat_mesh` - (Optional) x-displayName: "Disable" (`Bool`).(Deprecated) +`enable_threat_mesh` - (Optional) x-displayName: "Enable" (`Bool`).(Deprecated) - +`trusted_clients` - (Optional) Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. 
See [Trusted Clients ](#trusted-clients) below for details. +###### One of the arguments from this list "user_id_client_ip, user_identification" must be set +`user_id_client_ip` - (Optional) Use the Client IP address as the user identifier. (`Bool`). +`user_identification` - (Optional) The rules in the user_identification object are evaluated to determine the user identifier.. See [ref](#ref) below for details. +###### One of the arguments from this list "app_firewall, app_firewall_on_cache_miss, disable_waf" must be set +`app_firewall` - (Optional) Enable WAF configuration for all requests in this distribution. See [ref](#ref) below for details. +`app_firewall_on_cache_miss` - (Optional) Enable WAF configuration only on cache miss in this distribution. See [ref](#ref) below for details.(Deprecated) +`disable_waf` - (Optional) No WAF configuration for this load balancer (`Bool`). +`waf_exclusion_rules` - (Optional) When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. See [Waf Exclusion Rules ](#waf-exclusion-rules) below for details. +### Api Protection Rules +Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. +`api_endpoint_rules` - (Optional) If request matches any of these rules, skipping second category rules.. See [Api Protection Rules Api Endpoint Rules ](#api-protection-rules-api-endpoint-rules) below for details. +`api_groups_rules` - (Optional) For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.. See [Api Protection Rules Api Groups Rules ](#api-protection-rules-api-groups-rules) below for details. +### Blocked Clients - +Define rules to block IP Prefixes or AS numbers.. +###### One of the arguments from this list "bot_skip_processing, skip_processing, waf_skip_processing" can be set - +`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. 
(`Bool`).(Deprecated) +`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) +`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. (`Bool`).(Deprecated) +`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). - +###### One of the arguments from this list "as_number, http_header, ip_prefix, user_identifier" must be set +`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). +`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. +`ip_prefix` - (Optional) IPv4 prefix string. (`String`). - +`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). +`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Blocked Clients Metadata ](#blocked-clients-metadata) below for details. +### Cache Rules - +Rules are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs.. +###### One of the arguments from this list "cache_bypass, eligible_for_cache" must be set +`cache_bypass` - (Optional) Bypass Caching of content from the origin (`Bool`). +`eligible_for_cache` - (Optional) Eligible for caching the content. See [Cache Actions Eligible For Cache ](#cache-actions-eligible-for-cache) below for details. - +`rule_expression_list` - (Required) Expressions are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs... See [Cache Rules Rule Expression List ](#cache-rules-rule-expression-list) below for details. +`rule_name` - (Required) Name of the Cache Rule (`String`). 
+### Cors Policy +resources from a server at a different origin. - +`allow_credentials` - (Optional) Specifies whether the resource allows credentials (`Bool`). +`allow_headers` - (Optional) Specifies the content for the access-control-allow-headers header (`String`). +`allow_methods` - (Optional) Specifies the content for the access-control-allow-methods header (`String`). +`allow_origin` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). +`allow_origin_regex` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). +`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). - +`expose_headers` - (Optional) Specifies the content for the access-control-expose-headers header (`String`). +`max_age` - (Optional) Specifies the content for the access-control-max-age header (`String`).(Deprecated) +`maximum_age` - (Optional) Maximum permitted value is 86400 seconds (24 hours) (`Int`). +### Csrf Policy - +Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. +###### One of the arguments from this list "all_load_balancer_domains, custom_domain_list, disabled" must be set +`all_load_balancer_domains` - (Optional) Add All load balancer domains to source origin (allow) list. (`Bool`). +`custom_domain_list` - (Optional) Add one or more domains to source origin (allow) list.. See [Allowed Domains Custom Domain List ](#allowed-domains-custom-domain-list) below for details. - +`disabled` - (Optional) Allow all source origin domains. (`Bool`). +### Data Guard Rules +Note: App Firewall should be enabled, to use Data Guard feature.. +###### One of the arguments from this list "apply_data_guard, skip_data_guard" must be set +`apply_data_guard` - (Optional) x-displayName: "Apply" (`Bool`). - +`skip_data_guard` - (Optional) x-displayName: "Skip" (`Bool`). 
+###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set +`any_domain` - (Optional) Enable Data Guard for any domain (`Bool`). +`exact_value` - (Optional) Exact domain name (`String`). - +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Data Guard Rules Metadata ](#data-guard-rules-metadata) below for details. +`path` - (Required) URI path matcher.. See [Data Guard Rules Path ](#data-guard-rules-path) below for details. +### Ddos Mitigation Rules +Define manual mitigation rules to block L7 DDoS attacks.. +`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). - +`metadata` - (Required) Common attributes for the rule including name and description.. See [Ddos Mitigation Rules Metadata ](#ddos-mitigation-rules-metadata) below for details. +###### One of the arguments from this list "block" must be set +`block` - (Optional) Block user for a duration determined by the expiration time (`Bool`). +###### One of the arguments from this list "ddos_client_source, ip_prefix_list" must be set +`ddos_client_source` - (Optional) Combination of Region, ASN and TLS Fingerprints. See [Mitigation Choice Ddos Client Source ](#mitigation-choice-ddos-client-source) below for details. +`ip_prefix_list` - (Optional) IPv4 prefix string.. See [Mitigation Choice Ip Prefix List ](#mitigation-choice-ip-prefix-list) below for details. - +### Default Cache Action +Default value for Cache action.. +###### One of the arguments from this list "cache_disabled, cache_ttl_default, cache_ttl_override, eligible_for_cache" can be set +`cache_disabled` - (Optional) Disable Caching of content from the origin (`Bool`). - +`cache_ttl_default` - (Optional) Cache TTL value to use when the origin does not provide one (`String`). 
+`cache_ttl_override` - (Optional) Override the Cache TTL directive in the response from the origin (`String`). +`eligible_for_cache` - (Optional) Eligible for caching the content. See [Cache Actions Eligible For Cache ](#cache-actions-eligible-for-cache) below for details.(Deprecated) +### Graphql Rules +queries and prevent GraphQL tailored attacks.. +###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set +`any_domain` - (Optional) Enable GraphQL inspection for any domain (`Bool`). +`exact_value` - (Optional) Exact domain name (`String`). +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +`exact_path` - (Required) Specifies the exact path to GraphQL endpoint. Default value is /graphql. (`String`). +`graphql_settings` - (Optional) GraphQL configuration.. See [Graphql Rules Graphql Settings ](#graphql-rules-graphql-settings) below for details. +`metadata` - (Required) Common attributes for the rule including name and description.. See [Graphql Rules Metadata ](#graphql-rules-metadata) below for details. +###### One of the arguments from this list "method_get, method_post" must be set +`method_get` - (Optional) x-displayName: "GET" (`Bool`). +`method_post` - (Optional) x-displayName: "POST" (`Bool`). - +### Jwt Validation +tokens or tokens that are not yet valid.. - +`action` - (Required) x-required. See [Jwt Validation Action ](#jwt-validation-action) below for details. +###### One of the arguments from this list "auth_server_uri, jwks, jwks_config" must be set +`auth_server_uri` - (Optional) JWKS URI will be will be retrieved from this URI (`String`).(Deprecated) +`jwks` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details. 
(`String`).(Deprecated) +`jwks_config` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.. See [Jwks Configuration Jwks Config ](#jwks-configuration-jwks-config) below for details. +`mandatory_claims` - (Optional) If the claim does not exist JWT token validation will fail.. See [Jwt Validation Mandatory Claims ](#jwt-validation-mandatory-claims) below for details. +`reserved_claims` - (Optional) the token validation of these claims should be disabled.. See [Jwt Validation Reserved Claims ](#jwt-validation-reserved-claims) below for details. +`target` - (Required) Define endpoints for which JWT token validation will be performed. See [Jwt Validation Target ](#jwt-validation-target) below for details. +`token_location` - (Required) Define where in the HTTP request the JWT token will be extracted. See [Jwt Validation Token Location ](#jwt-validation-token-location) below for details. +### More Option - +More options like header manipulation, compression etc.. +`cache_options` - (Optional) Cache Options. See [More Option Cache Options ](#more-option-cache-options) below for details. +`cache_ttl_options` - (Optional) Cache Options. See [More Option Cache Ttl Options ](#more-option-cache-ttl-options) below for details.(Deprecated) +`header_options` - (Optional) Request/Response header related options. See [More Option Header Options ](#more-option-header-options) below for details. +`logging_options` - (Optional) Logging related options. See [More Option Logging Options ](#more-option-logging-options) below for details. +`security_options` - (Optional) Security related options. See [More Option Security Options ](#more-option-security-options) below for details. +### Origin Pool +x-required. 
+`follow_origin_redirect` - (Optional) Instructs the CDN to follow redirects from the origin server(s) (`Bool`).(Deprecated) +`more_origin_options` - (Optional) x-displayName: "Advanced Configuration". See [Origin Pool More Origin Options ](#origin-pool-more-origin-options) below for details. +`origin_request_timeout` - (Optional) Configures the time after which a request to the origin will time out waiting for a response (`String`). - +`origin_servers` - (Required) List of original servers. See [Origin Pool Origin Servers ](#origin-pool-origin-servers) below for details. +`public_name` - (Required) The DNS name to be used as the host header for the request to the origin server. See [Origin Pool Public Name ](#origin-pool-public-name) below for details. +###### One of the arguments from this list "no_tls, use_tls" must be set +`no_tls` - (Optional) Origin servers do not use TLS (`Bool`). +`use_tls` - (Optional) Origin servers use TLS. See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. +### Other Settings - +x-displayName: "Other Settings". +`add_location` - (Optional) Appends header x-volterra-location = in responses. (`Bool`). +`geo_filtering` - (Optional) Geo filtering options. See [Other Settings Geo Filtering ](#other-settings-geo-filtering) below for details.(Deprecated) +`header_options` - (Optional) Request/Response header related options. See [Other Settings Header Options ](#other-settings-header-options) below for details. +`ip_filtering` - (Optional) IP filtering options. See [Other Settings Ip Filtering ](#other-settings-ip-filtering) below for details.(Deprecated) +`logging_options` - (Optional) Logging related options. See [Other Settings Logging Options ](#other-settings-logging-options) below for details. +### Protected Cookies +Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. 
+###### One of the arguments from this list "disable_tampering_protection, enable_tampering_protection" must be set +`disable_tampering_protection` - (Optional) x-displayName: "Disable" (`Bool`). +`enable_tampering_protection` - (Optional) x-displayName: "Enable" (`Bool`). +###### One of the arguments from this list "add_httponly, ignore_httponly" can be set +`add_httponly` - (Optional) x-displayName: "Add" (`Bool`). +`ignore_httponly` - (Optional) x-displayName: "Ignore" (`Bool`). +###### One of the arguments from this list "ignore_max_age, max_age_value" can be set +`ignore_max_age` - (Optional) Ignore max age attribute (`Bool`).(Deprecated) +`max_age_value` - (Optional) Add max age attribute (`Int`).(Deprecated) +`name` - (Required) Name of the Cookie (`String`). +###### One of the arguments from this list "ignore_samesite, samesite_lax, samesite_none, samesite_strict" can be set +`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). +`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). +`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). +`samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). +###### One of the arguments from this list "add_secure, ignore_secure" can be set +`add_secure` - (Optional) x-displayName: "Add" (`Bool`). +`ignore_secure` - (Optional) x-displayName: "Ignore" (`Bool`). - +### Trusted Clients +Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. +###### One of the arguments from this list "bot_skip_processing, skip_processing, waf_skip_processing" can be set +`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. 
(`Bool`).(Deprecated) +`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) +`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. (`Bool`).(Deprecated) +`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). +###### One of the arguments from this list "as_number, http_header, ip_prefix, user_identifier" must be set +`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). +`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. +`ip_prefix` - (Optional) IPv4 prefix string. (`String`). +`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). +`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Trusted Clients Metadata ](#trusted-clients-metadata) below for details. +### Waf Exclusion Rules +When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. +###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set +`any_domain` - (Optional) Apply this WAF exclusion rule for any domain (`Bool`). +`exact_value` - (Optional) Exact domain name (`String`). +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Waf Exclusion Rules Metadata ](#waf-exclusion-rules-metadata) below for details. +`methods` - (Optional) methods to be matched (`List of Strings`). 
+###### One of the arguments from this list "any_path, path_prefix, path_regex" must be set +`any_path` - (Optional) Match all paths (`Bool`). +`path_prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`path_regex` - (Optional) Define the regex for the path. For example, the regex ^/.*$ will match on all paths (`String`). +###### One of the arguments from this list "app_firewall_detection_control, waf_skip_processing" can be set - +`app_firewall_detection_control` - (Optional) Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria.. See [Waf Advanced Configuration App Firewall Detection Control ](#waf-advanced-configuration-app-firewall-detection-control) below for details. +`waf_skip_processing` - (Optional) Skip all App Firewall processing for this request (`Bool`). +### Action Allow +Allow the request to proceed.. +### Action Deny -`api_specification_on_cache_miss` - (Optional) Enable API definition and OpenAPI Validation only on cache miss in this distribution. See [Api Definition Choice Api Specification On Cache Miss ](#api-definition-choice-api-specification-on-cache-miss) below for details.(Deprecated) - +Deny the request.. +### Action Choice Action Block +Block the request and issue an API security event. +### Action Choice Action Report +Continue processing the request and issue an API security event. +### Action Choice Action Skip +Continue processing the request. +### Action Choice Apply Data Guard +x-displayName: "Apply". +### Action Choice Block +Block the request and report the issue. +### Action Choice Bot Skip Processing +Skip Bot Defense processing for clients matching this rule.. +### Action Choice Report +Allow the request and report the issue. -`disable_api_definition` - (Optional) API Definition is not currently used for this load balancer (`Bool`). +### Action Choice Skip Data Guard +x-displayName: "Skip". 
+### Action Choice Skip Processing +Skip both WAF and Bot Defense processing for clients matching this rule.. +### Action Choice Waf Skip Processing -`api_discovery_on_cache_miss` - (Optional) Enable api discovery only on cache miss in this distribution. See [Api Discovery Choice Api Discovery On Cache Miss ](#api-discovery-choice-api-discovery-on-cache-miss) below for details.(Deprecated) - +Skip WAF processing for clients matching this rule.. +### Action Type Block - +Block bot request and send response with custom content.. +`body` - (Optional) E.g. "

Your request was blocked

". Base64 encoded string for this html is "LzxwPiBZb3VyIHJlcXVlc3Qgd2FzIGJsb2NrZWQgPC9wPg==" (`String`). +`body_hash` - (Optional) Represents the corresponding MD5 Hash for the body message. (`String`).(Deprecated) +`status` - (Optional) HTTP Status code to respond with (`String`). - +### Action Type Flag +Flag the request while not taking any invasive actions.. +###### One of the arguments from this list "append_headers, no_headers" can be set +`append_headers` - (Optional) Append mitigation headers.. See [Send Headers Choice Append Headers ](#send-headers-choice-append-headers) below for details. - +`no_headers` - (Optional) No mitigation headers. (`Bool`). +### Action Type None +No mitigation actions.. +### Action Type Redirect - +Redirect bot request to a custom URI.. +`uri` - (Required) URI location for redirect may be relative or absolute. (`String`). +### Additional Headers Choice Allow Additional Headers -`disable_api_discovery` - (Optional) Disable api discovery for this distribution (`Bool`). +Allow extra headers (on top of what specified in the OAS documentation). +### Additional Headers Choice Disallow Additional Headers -`enable_api_discovery` - (Optional) Enable api discovery for all requests in this distribution. See [Api Discovery Choice Enable Api Discovery ](#api-discovery-choice-enable-api-discovery) below for details. - +Disallow extra headers (on top of what specified in the OAS documentation). +### Additional Parameters Choice Allow Additional Parameters - +Allow extra query parameters (on top of what specified in the OAS documentation). +### Additional Parameters Choice Disallow Additional Parameters +Disallow extra query parameters (on top of what specified in the OAS documentation). +### Allow Introspection Queries Choice Disable Introspection +Disable introspection queries for the load balancer.. +### Allow Introspection Queries Choice Enable Introspection +Enable introspection queries for the load balancer.. 
+### Allowed Domains All Load Balancer Domains +Add All load balancer domains to source origin (allow) list.. +### Allowed Domains Custom Domain List - +Add one or more domains to source origin (allow) list.. +`domains` - (Required) Wildcard names are supported in the suffix or prefix form. (`String`). +### Allowed Domains Disabled +Allow all source origin domains.. +### Api Definition Choice Api Specification -`api_protection_rules` - (Optional) Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. See [Api Protection Rules ](#api-protection-rules) below for details. +Specify API definition and OpenAPI Validation. +`api_definition` - (Required) Specify API definition which includes application API paths and methods derived from swagger files.. See [ref](#ref) below for details. - +###### One of the arguments from this list "validation_all_spec_endpoints, validation_custom_list, validation_disabled" must be set +`validation_all_spec_endpoints` - (Optional) All other API endpoints would proceed according to "Fall Through Mode". See [Validation Target Choice Validation All Spec Endpoints ](#validation-target-choice-validation-all-spec-endpoints) below for details. - +`validation_custom_list` - (Optional) Any other end-points not listed will act according to "Fall Through Mode". See [Validation Target Choice Validation Custom List ](#validation-target-choice-validation-custom-list) below for details. +`validation_disabled` - (Optional) Don't run OpenAPI validation (`Bool`). +### Api Definition Choice Api Specification On Cache Miss +Enable API definition and OpenAPI Validation only on cache miss in this distribution. - +`api_definition` - (Required) Specify API definition which includes application API paths and methods derived from swagger files.. See [ref](#ref) below for details. 
+###### One of the arguments from this list "validation_all_spec_endpoints, validation_custom_list, validation_disabled" must be set +`validation_all_spec_endpoints` - (Optional) All other API endpoints would proceed according to "Fall Through Mode". See [Validation Target Choice Validation All Spec Endpoints ](#validation-target-choice-validation-all-spec-endpoints) below for details. +`validation_custom_list` - (Optional) Any other end-points not listed will act according to "Fall Through Mode". See [Validation Target Choice Validation Custom List ](#validation-target-choice-validation-custom-list) below for details. - +`validation_disabled` - (Optional) Don't run OpenAPI validation (`Bool`). +### Api Definition Choice Disable Api Definition +API Definition is not currently used for this load balancer. +### Api Discovery Choice Api Discovery On Cache Miss - +Enable api discovery only on cache miss in this distribution. +`api_discovery_from_code_scan` - (Optional) Select API code repositories to the load balancer to use them as a source for API endpoint discovery.. See [Api Discovery On Cache Miss Api Discovery From Code Scan ](#api-discovery-on-cache-miss-api-discovery-from-code-scan) below for details. +`discovered_api_settings` - (Optional) Configure Discovered API Settings.. See [Api Discovery On Cache Miss Discovered Api Settings ](#api-discovery-on-cache-miss-discovered-api-settings) below for details. +###### One of the arguments from this list "disable_learn_from_redirect_traffic, enable_learn_from_redirect_traffic" must be set +`disable_learn_from_redirect_traffic` - (Optional) Disable learning API patterns from traffic with redirect response codes 3xx (`Bool`). - +`enable_learn_from_redirect_traffic` - (Optional) Enable learning API patterns from traffic with redirect response codes 3xx (`Bool`). +`sensitive_data_detection_rules` - (Optional) Manage rules to detect sensitive data in requests and/or response sections.. 
See [Api Discovery On Cache Miss Sensitive Data Detection Rules ](#api-discovery-on-cache-miss-sensitive-data-detection-rules) below for details.(Deprecated) +### Api Discovery Choice Disable Api Discovery +Disable api discovery for this distribution. - +### Api Discovery Choice Enable Api Discovery +Enable api discovery for all requests in this distribution. +`api_discovery_from_code_scan` - (Optional) Select API code repositories to the load balancer to use them as a source for API endpoint discovery.. See [Enable Api Discovery Api Discovery From Code Scan ](#enable-api-discovery-api-discovery-from-code-scan) below for details. +`discovered_api_settings` - (Optional) Configure Discovered API Settings.. See [Enable Api Discovery Discovered Api Settings ](#enable-api-discovery-discovered-api-settings) below for details. - +###### One of the arguments from this list "disable_learn_from_redirect_traffic, enable_learn_from_redirect_traffic" must be set +`disable_learn_from_redirect_traffic` - (Optional) Disable learning API patterns from traffic with redirect response codes 3xx (`Bool`). +`enable_learn_from_redirect_traffic` - (Optional) Enable learning API patterns from traffic with redirect response codes 3xx (`Bool`). +`sensitive_data_detection_rules` - (Optional) Manage rules to detect sensitive data in requests and/or response sections.. See [Enable Api Discovery Sensitive Data Detection Rules ](#enable-api-discovery-sensitive-data-detection-rules) below for details.(Deprecated) +### Api Discovery From Code Scan Code Base Integrations - +x-required. +###### One of the arguments from this list "all_repos, selected_repos" must be set +`all_repos` - (Optional) x-displayName: "All API Repositories" (`Bool`). +`selected_repos` - (Optional) x-displayName: "Selected API Repositories". See [Api Repos Choice Selected Repos ](#api-repos-choice-selected-repos) below for details. 
+`code_base_integration` - (Required) Select the code base integration for use in code-based API discovery. See [ref](#ref) below for details. +### Api Discovery On Cache Miss Api Discovery From Code Scan +Select API code repositories to the load balancer to use them as a source for API endpoint discovery.. - +`code_base_integrations` - (Required) x-required. See [Api Discovery From Code Scan Code Base Integrations ](#api-discovery-from-code-scan-code-base-integrations) below for details. +### Api Discovery On Cache Miss Discovered Api Settings +Configure Discovered API Settings.. +### Api Discovery On Cache Miss Sensitive Data Detection Rules - +Manage rules to detect sensitive data in requests and/or response sections.. +### Api Endpoint Rules Action +The action to take if the input request matches the rule.. +###### One of the arguments from this list "allow, deny" must be set +`allow` - (Optional) Allow the request to proceed. (`Bool`). - +`deny` - (Optional) Deny the request. (`Bool`). +### Api Endpoint Rules Api Endpoint Method +The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`methods` - (Optional) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). - +### Api Endpoint Rules Client Matcher +Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. +###### One of the arguments from this list "any_client, client_selector, ip_threat_category_list" must be set +`any_client` - (Optional) Any Client (`Bool`). +`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. +`ip_threat_category_list` - (Optional) IP threat categories to choose from. 
See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - +###### One of the arguments from this list "any_ip, asn_list, asn_matcher, ip_matcher, ip_prefix_list" must be set +`any_ip` - (Optional) Any Source IP (`Bool`). +`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. +`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. +`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. +`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. - +`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. +### Api Endpoint Rules Metadata +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Api Endpoint Rules Request Matcher +Conditions related to the request, such as query parameters, headers, etc.. 
+`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. +`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. +`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. - +`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. +### Api Groups Rules Action +The action to take if the input request matches the rule.. +###### One of the arguments from this list "allow, deny" must be set +`allow` - (Optional) Allow the request to proceed. (`Bool`). - +`deny` - (Optional) Deny the request. (`Bool`). +### Api Groups Rules Client Matcher - +Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. +###### One of the arguments from this list "any_client, client_selector, ip_threat_category_list" must be set +`any_client` - (Optional) Any Client (`Bool`). +`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. +`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - +###### One of the arguments from this list "any_ip, asn_list, asn_matcher, ip_matcher, ip_prefix_list" must be set +`any_ip` - (Optional) Any Source IP (`Bool`). +`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. 
See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. +`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. - +`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. +`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. +`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. +### Api Groups Rules Metadata - +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Api Groups Rules Request Matcher +Conditions related to the request, such as query parameters, headers, etc.. +`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. +`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. +`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. 
See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. - +`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. +### Api Protection Api Protection Rules +Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. +`api_endpoint_rules` - (Optional) If request matches any of these rules, skipping second category rules.. See [Api Protection Rules Api Endpoint Rules ](#api-protection-rules-api-endpoint-rules) below for details. +`api_groups_rules` - (Optional) For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.. See [Api Protection Rules Api Groups Rules ](#api-protection-rules-api-groups-rules) below for details. +### Api Protection Jwt Validation +tokens or tokens that are not yet valid.. +`action` - (Required) x-required. See [Jwt Validation Action ](#jwt-validation-action) below for details. +###### One of the arguments from this list "auth_server_uri, jwks, jwks_config" must be set +`auth_server_uri` - (Optional) JWKS URI will be will be retrieved from this URI (`String`).(Deprecated) +`jwks` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details. (`String`).(Deprecated) +`jwks_config` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.. See [Jwks Configuration Jwks Config ](#jwks-configuration-jwks-config) below for details. +`mandatory_claims` - (Optional) If the claim does not exist JWT token validation will fail.. See [Jwt Validation Mandatory Claims ](#jwt-validation-mandatory-claims) below for details. 
+`reserved_claims` - (Optional) the token validation of these claims should be disabled.. See [Jwt Validation Reserved Claims ](#jwt-validation-reserved-claims) below for details. +`target` - (Required) Define endpoints for which JWT token validation will be performed. See [Jwt Validation Target ](#jwt-validation-target) below for details. +`token_location` - (Required) Define where in the HTTP request the JWT token will be extracted. See [Jwt Validation Token Location ](#jwt-validation-token-location) below for details. - +### Api Protection Rules Api Endpoint Rules +If request matches any of these rules, skipping second category rules.. +`action` - (Required) The action to take if the input request matches the rule.. See [Api Endpoint Rules Action ](#api-endpoint-rules-action) below for details. +`api_endpoint_method` - (Optional) The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. See [Api Endpoint Rules Api Endpoint Method ](#api-endpoint-rules-api-endpoint-method) below for details. +`api_endpoint_path` - (Required) The endpoint (path) of the request. (`String`). +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Endpoint Rules Client Matcher ](#api-endpoint-rules-client-matcher) below for details. +###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). +`specific_domain` - (Optional) For example: api.example.com (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Api Endpoint Rules Metadata ](#api-endpoint-rules-metadata) below for details. +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Endpoint Rules Request Matcher ](#api-endpoint-rules-request-matcher) below for details. 
+### Api Protection Rules Api Groups Rules +For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.. +`action` - (Required) The action to take if the input request matches the rule.. See [Api Groups Rules Action ](#api-groups-rules-action) below for details. +`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`). - +`base_path` - (Required) For example: /v1 (`String`). +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Groups Rules Client Matcher ](#api-groups-rules-client-matcher) below for details. +###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). +`specific_domain` - (Optional) For example: api.example.com (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Api Groups Rules Metadata ](#api-groups-rules-metadata) below for details. +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Groups Rules Request Matcher ](#api-groups-rules-request-matcher) below for details. +### Api Rate Limit Api Endpoint Rules +For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. +`api_endpoint_method` - (Optional) The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. See [Api Endpoint Rules Api Endpoint Method ](#api-endpoint-rules-api-endpoint-method) below for details. +`api_endpoint_path` - (Required) The endpoint (path) of the request. (`String`). +`base_path` - (Optional) The request base path. 
(`String`).(Deprecated) +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Endpoint Rules Client Matcher ](#api-endpoint-rules-client-matcher) below for details. +###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). +`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). - +###### One of the arguments from this list "inline_rate_limiter, ref_rate_limiter" must be set +`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. - +`ref_rate_limiter` - (Optional) Select external rate limiter.. See [ref](#ref) below for details. +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Endpoint Rules Request Matcher ](#api-endpoint-rules-request-matcher) below for details. +### Api Rate Limit Server Url Rules +For matching also specific endpoints you can use the API endpoint rules set bellow.. +`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`). +`base_path` - (Required) Prefix of the request path. (`String`). +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Server Url Rules Client Matcher ](#server-url-rules-client-matcher) below for details. +###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). +`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). 
+###### One of the arguments from this list "inline_rate_limiter, ref_rate_limiter" must be set +`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. - +`ref_rate_limiter` - (Optional) Use external rate limiter.. See [ref](#ref) below for details. +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Server Url Rules Request Matcher ](#server-url-rules-request-matcher) below for details. +### Api Repos Choice All Repos +x-displayName: "All API Repositories". +### Api Repos Choice Selected Repos +x-displayName: "Selected API Repositories". +`api_code_repo` - (Required) Code repository which contain API endpoints (`String`). +### App Firewall Detection Control Exclude Attack Type Contexts +Attack Types to be excluded for the defined match criteria. +`context` - (Required) x-required (`String`). +`context_name` - (Optional) with an wildcard asterisk (*). (`String`). +`exclude_attack_type` - (Required) x-required (`String`). +### App Firewall Detection Control Exclude Bot Name Contexts +Bot Names to be excluded for the defined match criteria. +`bot_name` - (Required) x-example: "Hydra" (`String`). +### App Firewall Detection Control Exclude Signature Contexts +Signature IDs to be excluded for the defined match criteria. +`context` - (Required) x-required (`String`). +`context_name` - (Optional) with an wildcard asterisk (*). (`String`). +`signature_id` - (Required) 0 implies that all signatures will be excluded for the specified context. (`Int`). +### App Firewall Detection Control Exclude Violation Contexts +Violations to be excluded for the defined match criteria. +`context` - (Required) x-required (`String`). +`context_name` - (Optional) with an wildcard asterisk (*). (`String`). +`exclude_violation` - (Required) x-required (`String`). 
+### App Traffic Type Choice Mobile +Mobile traffic channel.. +### App Traffic Type Choice Mobile Client +Mobile traffic channel.. +### App Traffic Type Choice Web +Web traffic channel.. +### App Traffic Type Choice Web Client +Web traffic channel.. +### App Traffic Type Choice Web Mobile +Web and mobile traffic channel.. +`header` - (Optional) Header that is used by mobile traffic.. See [Web Mobile Header ](#web-mobile-header) below for details.(Deprecated) +`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Web Mobile Headers ](#web-mobile-headers) below for details.(Deprecated) - +`mobile_identifier` - (Optional) Mobile identifier type (`String`). +### App Traffic Type Choice Web Mobile Client +Web and mobile traffic channel.. +`header` - (Optional) Header that is used by mobile traffic.. See [Web Mobile Client Header ](#web-mobile-client-header) below for details.(Deprecated) +`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Web Mobile Client Headers ](#web-mobile-client-headers) below for details.(Deprecated) - +`mobile_identifier` - (Optional) Mobile identifier type (`String`). +### Asn Choice Any Asn +any_asn. +### Asn Choice Asn List +asn_list. +`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). +### Asn Choice Asn Matcher -`blocked_clients` - (Optional) Define rules to block IP Prefixes or AS numbers.. See [Blocked Clients ](#blocked-clients) below for details. +asn_matcher. +`asn_sets` - (Required) A list of references to bgp_asn_set objects.. See [ref](#ref) below for details. +### Audience Validation Audience +x-displayName: "Exact Match". - +`audiences` - (Required) x-required (`String`). +### Audience Validation Audience Disable +x-displayName: "Disable". 
+### Auth Options Custom - +Enable Custom Authentication. +`custom_auth_config` - (Optional) This is custom authentication configuration parameters. Please reach out to the support for custom authentication details. (`String`). +### Auth Options Disable Auth +No Authentication. - +### Auth Options Jwt +Enable JWT Authentication. +`backup_key` - (Optional) Backup JWT Key - If specified is also checked in addition to the primary secret key. See [Jwt Backup Key ](#jwt-backup-key) below for details. +`secret_key` - (Required) Secret Key for JWT. See [Jwt Secret Key ](#jwt-secret-key) below for details. +###### One of the arguments from this list "bearer_token, cookie, header, query_param" can be set +`bearer_token` - (Optional) Token is found in the Bearer-Token (`Bool`). +`cookie` - (Optional) Token is found in the cookie. See [Token Source Cookie ](#token-source-cookie) below for details. +`header` - (Optional) Token is found in the header. See [Token Source Header ](#token-source-header) below for details. - +`query_param` - (Optional) Token is found in the Query-Param. See [Token Source Query Param ](#token-source-query-param) below for details. +### Backup Key Blindfold Secret Info Internal - +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Blocked Clients Metadata +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. 
(`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Bot Defense Policy +Bot Defense Policy.. +###### One of the arguments from this list "disable_js_insert, js_insert_all_pages, js_insert_all_pages_except, js_insertion_rules" must be set +`disable_js_insert` - (Optional) Disable JavaScript insertion. (`Bool`). +`js_insert_all_pages` - (Optional) Insert Bot Defense JavaScript in all pages.. See [Java Script Choice Js Insert All Pages ](#java-script-choice-js-insert-all-pages) below for details. - +`js_insert_all_pages_except` - (Optional) Insert Bot Defense JavaScript in all pages with the exceptions.. See [Java Script Choice Js Insert All Pages Except ](#java-script-choice-js-insert-all-pages-except) below for details. +`js_insertion_rules` - (Optional) Specify custom JavaScript insertion rules.. See [Java Script Choice Js Insertion Rules ](#java-script-choice-js-insertion-rules) below for details. +`javascript_mode` - (Required) The larger chunk can be loaded asynchronously or synchronously. It can also be cacheable or non-cacheable on the browser. (`String`). +`js_download_path` - (Optional) Customize Bot Defense Client JavaScript path. If not specified, default `/common.js` (`String`). +###### One of the arguments from this list "disable_mobile_sdk, mobile_sdk_config" must be set +`disable_mobile_sdk` - (Optional) Disable Mobile SDK. (`Bool`). +`mobile_sdk_config` - (Optional) Mobile SDK configuration. See [Mobile Sdk Choice Mobile Sdk Config ](#mobile-sdk-choice-mobile-sdk-config) below for details. -`bot_defense` - (Optional) Select Bot Defense Standard. See [Bot Defense Choice Bot Defense ](#bot-defense-choice-bot-defense) below for details. - +`protected_app_endpoints` - (Required) List of protected application endpoints (max 128 items).. See [Policy Protected App Endpoints ](#policy-protected-app-endpoints) below for details. +### Bot Defense Advanced Policy +Bot Defense Advanced Policy.. 
+`js_download_path` - (Required) Customize Bot Defense Web Client JavaScript path (`String`). - +###### One of the arguments from this list "disable_mobile_sdk, mobile_sdk_config" must be set +`disable_mobile_sdk` - (Optional) Disable Mobile SDK. (`Bool`). +`mobile_sdk_config` - (Optional) Enable Mobile SDK Configuration. See [Mobile Sdk Choice Mobile Sdk Config ](#mobile-sdk-choice-mobile-sdk-config) below for details. +`protected_app_endpoints` - (Required) List of protected endpoints (max 128 items). See [Policy Protected App Endpoints ](#policy-protected-app-endpoints) below for details. - +### Bot Defense Choice Bot Defense +Select Bot Defense Standard. +###### One of the arguments from this list "disable_cors_support, enable_cors_support" must be set +`disable_cors_support` - (Optional) protect against Bot Attacks. (`Bool`).(Deprecated) - +`enable_cors_support` - (Optional) Allows Bot Defense to work with your existing CORS policies. (`Bool`).(Deprecated) +`policy` - (Required) Bot Defense Policy.. See [Bot Defense Policy ](#bot-defense-policy) below for details. +`regional_endpoint` - (Required) x-required (`String`). +`timeout` - (Optional) The timeout for the inference check, in milliseconds. (`Int`). - +### Bot Defense Choice Bot Defense Advanced +Select Bot Defense Advanced. +`mobile` - (Optional) Select infrastructure for mobile.. See [ref](#ref) below for details. +`policy` - (Required) Bot Defense Advanced Policy.. See [Bot Defense Advanced Policy ](#bot-defense-advanced-policy) below for details. - +`web` - (Optional) Select infrastructure for web.. See [ref](#ref) below for details. +### Bypass Rate Limiting Rules Bypass Rate Limiting Rules +This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. 
See [Bypass Rate Limiting Rules Client Matcher ](#bypass-rate-limiting-rules-client-matcher) below for details. +###### One of the arguments from this list "any_url, api_endpoint, api_groups, base_path" must be set - +`any_url` - (Optional) Any URL (`Bool`). +`api_endpoint` - (Required) The endpoint (path) of the request.. See [Destination Type Api Endpoint ](#destination-type-api-endpoint) below for details. - +`api_groups` - (Optional) Validation will be performed for the endpoints mentioned in the API Groups. See [Destination Type Api Groups ](#destination-type-api-groups) below for details. +`base_path` - (Optional) The base path which this validation applies to (`String`). +###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - +`specific_domain` - (Optional) For example: api.example.com (`String`). +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Bypass Rate Limiting Rules Request Matcher ](#bypass-rate-limiting-rules-request-matcher) below for details. +### Bypass Rate Limiting Rules Client Matcher +Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - +###### One of the arguments from this list "any_client, client_selector, ip_threat_category_list" must be set +`any_client` - (Optional) Any Client (`Bool`). +`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. +`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. 
+###### One of the arguments from this list "any_ip, asn_list, asn_matcher, ip_matcher, ip_prefix_list" must be set +`any_ip` - (Optional) Any Source IP (`Bool`). +`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. +`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. +`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. - +`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. +`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. +### Bypass Rate Limiting Rules Request Matcher +Conditions related to the request, such as query parameters, headers, etc.. +`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. - +`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. +`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. 
+`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. +### Cache Actions Cache Bypass +Bypass Caching of content from the origin. +### Cache Actions Cache Disabled +Disable Caching of content from the origin. +### Cache Actions Eligible For Cache +Eligible for caching the content. +###### One of the arguments from this list "hostname_uri, scheme_hostname_request_uri, scheme_hostname_uri, scheme_hostname_uri_query, scheme_proxy_host_request_uri, scheme_proxy_host_uri" must be set - +`hostname_uri` - (Optional) . See [Eligible For Cache Hostname Uri ](#eligible-for-cache-hostname-uri) below for details.(Deprecated) +`scheme_hostname_request_uri` - (Optional) . See [Eligible For Cache Scheme Hostname Request Uri ](#eligible-for-cache-scheme-hostname-request-uri) below for details.(Deprecated) - +`scheme_hostname_uri` - (Optional) . See [Eligible For Cache Scheme Hostname Uri ](#eligible-for-cache-scheme-hostname-uri) below for details.(Deprecated) +`scheme_hostname_uri_query` - (Optional) . See [Eligible For Cache Scheme Hostname Uri Query ](#eligible-for-cache-scheme-hostname-uri-query) below for details.(Deprecated) +`scheme_proxy_host_request_uri` - (Optional) . See [Eligible For Cache Scheme Proxy Host Request Uri ](#eligible-for-cache-scheme-proxy-host-request-uri) below for details. +`scheme_proxy_host_uri` - (Optional) . See [Eligible For Cache Scheme Proxy Host Uri ](#eligible-for-cache-scheme-proxy-host-uri) below for details. +### Cache Actions Eligible For Cache +Eligible for caching the content. +`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). +### Cache Headers Operator +Available operators. 
+###### One of the arguments from this list "Contains, DoesNotContain, DoesNotEndWith, DoesNotEqual, DoesNotStartWith, Endswith, Equals, MatchRegex, Startswith" can be set +`Contains` - (Optional) Field must contain (`String`). +`DoesNotContain` - (Optional) Field must not contain (`String`). - +`DoesNotEndWith` - (Optional) Field must not end with (`String`). +`DoesNotEqual` - (Optional) Field must not equal (`String`). +`DoesNotStartWith` - (Optional) Field must not start with (`String`). +`Endswith` - (Optional) Field must end with (`String`). +`Equals` - (Optional) Field must exactly match (`String`). +`MatchRegex` - (Optional) Field matches regular expression (`String`). +`Startswith` - (Optional) Field must start with (`String`). +### Cache Options Cache Rules +Rules are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs.. +###### One of the arguments from this list "cache_bypass, eligible_for_cache" must be set +`cache_bypass` - (Optional) Bypass Caching of content from the origin (`Bool`). - +`eligible_for_cache` - (Optional) Eligible for caching the content. See [Cache Actions Eligible For Cache ](#cache-actions-eligible-for-cache) below for details. +`rule_expression_list` - (Required) Expressions are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs... See [Cache Rules Rule Expression List ](#cache-rules-rule-expression-list) below for details. +`rule_name` - (Required) Name of the Cache Rule (`String`). +### Cache Options Default Cache Action +Default value for Cache action.. - +###### One of the arguments from this list "cache_disabled, cache_ttl_default, cache_ttl_override, eligible_for_cache" can be set +`cache_disabled` - (Optional) Disable Caching of content from the origin (`Bool`). +`cache_ttl_default` - (Optional) Cache TTL value to use when the origin does not provide one (`String`). 
+`cache_ttl_override` - (Optional) Override the Cache TTL directive in the response from the origin (`String`). +`eligible_for_cache` - (Optional) Eligible for caching the content. See [Cache Actions Eligible For Cache ](#cache-actions-eligible-for-cache) below for details.(Deprecated) +### Cache Rule Expression Cache Headers +Configure cache rule headers to match the criteria. +`name` - (Optional) Name of the header (`String`). +`operator` - (Optional) Available operators. See [Cache Headers Operator ](#cache-headers-operator) below for details. +### Cache Rule Expression Cookie Matcher +Note that all specified cookie matcher predicates must evaluate to true.. +`name` - (Required) A case-sensitive cookie name. (`String`). +`operator` - (Optional) . See [Cookie Matcher Operator ](#cookie-matcher-operator) below for details. - +### Cache Rule Expression Path Match +URI path of route. +`operator` - (Optional) A specification of path match. See [Path Match Operator ](#path-match-operator) below for details. +### Cache Rule Expression Query Parameters - +List of (key, value) query parameters. +`key` - (Required) In the above example, assignee_username is the key (`String`). - +`operator` - (Optional) . See [Query Parameters Operator ](#query-parameters-operator) below for details. +### Cache Rules Rule Expression List - +Expressions are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs... +`cache_rule_expression` - (Required) The Cache Rule Expression Terms that are ANDed. See [Rule Expression List Cache Rule Expression ](#rule-expression-list-cache-rule-expression) below for details. +`expression_name` - (Required) Name of the Expressions items that are ANDed (`String`). +### Captcha Challenge Parameters Choice Captcha Challenge Parameters +Configure captcha challenge parameters. +`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). 
+`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). +### Captcha Challenge Parameters Choice Default Captcha Challenge Parameters +Use default parameters. +### Challenge Action Disable Challenge +Disable the challenge type selected in PolicyBasedChallenge. +### Challenge Action Enable Captcha Challenge +Enable captcha challenge. +### Challenge Action Enable Javascript Challenge +Enable javascript challenge. +### Challenge Choice Always Enable Captcha Challenge +Challenge rules can be used to selectively disable Captcha challenge or enable JavaScript challenge for some requests.. - +### Challenge Choice Always Enable Js Challenge +Challenge rules can be used to selectively disable JavaScript challenge or enable Captcha challenge for some requests.. +### Challenge Choice No Challenge +Challenge rules can be used to selectively enable JavaScript or Captcha challenge for some requests.. - +### Challenge Type Captcha Challenge +Configure Captcha challenge on this load balancer. +`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). +`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - +### Challenge Type Challenge On Cache Miss +Configure auto mitigation i.e risk based challenges for malicious users only on cache miss in this load balancer. +###### One of the arguments from this list "captcha_challenge_parameters, default_captcha_challenge_parameters" can be set +`captcha_challenge_parameters` - (Optional) Configure captcha challenge parameters. See [Captcha Challenge Parameters Choice Captcha Challenge Parameters ](#captcha-challenge-parameters-choice-captcha-challenge-parameters) below for details. - +`default_captcha_challenge_parameters` - (Optional) Use default parameters (`Bool`). +###### One of the arguments from this list "default_js_challenge_parameters, js_challenge_parameters" can be set - +`default_js_challenge_parameters` - (Optional) Use default parameters (`Bool`). +`js_challenge_parameters` - (Optional) Configure JavaScript challenge parameters. See [Js Challenge Parameters Choice Js Challenge Parameters ](#js-challenge-parameters-choice-js-challenge-parameters) below for details. +###### One of the arguments from this list "default_mitigation_settings, malicious_user_mitigation" can be set +`default_mitigation_settings` - (Optional) For high level, users will be temporarily blocked. (`Bool`). +`malicious_user_mitigation` - (Optional) Define the mitigation actions to be taken for different threat levels. See [ref](#ref) below for details. +### Challenge Type Enable Challenge +Configure auto mitigation i.e risk based challenges for malicious users for this load balancer. +###### One of the arguments from this list "captcha_challenge_parameters, default_captcha_challenge_parameters" can be set +`captcha_challenge_parameters` - (Optional) Configure captcha challenge parameters. See [Captcha Challenge Parameters Choice Captcha Challenge Parameters ](#captcha-challenge-parameters-choice-captcha-challenge-parameters) below for details. 
+`default_captcha_challenge_parameters` - (Optional) Use default parameters (`Bool`). +###### One of the arguments from this list "default_js_challenge_parameters, js_challenge_parameters" can be set +`default_js_challenge_parameters` - (Optional) Use default parameters (`Bool`). +`js_challenge_parameters` - (Optional) Configure JavaScript challenge parameters. See [Js Challenge Parameters Choice Js Challenge Parameters ](#js-challenge-parameters-choice-js-challenge-parameters) below for details. +###### One of the arguments from this list "default_mitigation_settings, malicious_user_mitigation" can be set - +`default_mitigation_settings` - (Optional) For high level, users will be temporarily blocked. (`Bool`). +`malicious_user_mitigation` - (Optional) Define the mitigation actions to be taken for different threat levels. See [ref](#ref) below for details. +### Challenge Type Js Challenge +Configure JavaScript challenge on this load balancer. +`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). +`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). +`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). +### Challenge Type No Challenge +No challenge is enabled for this load balancer. +### Challenge Type Policy Based Challenge +Specifies the settings for policy rule based challenge. +###### One of the arguments from this list "captcha_challenge_parameters, default_captcha_challenge_parameters" can be set +`captcha_challenge_parameters` - (Optional) Configure captcha challenge parameters. See [Captcha Challenge Parameters Choice Captcha Challenge Parameters ](#captcha-challenge-parameters-choice-captcha-challenge-parameters) below for details. +`default_captcha_challenge_parameters` - (Optional) Use default parameters (`Bool`). +###### One of the arguments from this list "always_enable_captcha_challenge, always_enable_js_challenge, no_challenge" must be set +`always_enable_captcha_challenge` - (Optional) Challenge rules can be used to selectively disable Captcha challenge or enable JavaScript challenge for some requests. (`Bool`). +`always_enable_js_challenge` - (Optional) Challenge rules can be used to selectively disable JavaScript challenge or enable Captcha challenge for some requests. (`Bool`). +`no_challenge` - (Optional) Challenge rules can be used to selectively enable JavaScript or Captcha challenge for some requests. (`Bool`). +###### One of the arguments from this list "default_js_challenge_parameters, js_challenge_parameters" can be set +`default_js_challenge_parameters` - (Optional) Use default parameters (`Bool`). +`js_challenge_parameters` - (Optional) Configure JavaScript challenge parameters. See [Js Challenge Parameters Choice Js Challenge Parameters ](#js-challenge-parameters-choice-js-challenge-parameters) below for details. 
+###### One of the arguments from this list "default_mitigation_settings, malicious_user_mitigation" can be set +`default_mitigation_settings` - (Optional) For high level, users will be temporarily blocked. (`Bool`). +`malicious_user_mitigation` - (Optional) Define the mitigation actions to be taken for different threat levels. See [ref](#ref) below for details. +`rule_list` - (Optional) list challenge rules to be used in policy based challenge. See [Policy Based Challenge Rule List ](#policy-based-challenge-rule-list) below for details. +###### One of the arguments from this list "default_temporary_blocking_parameters, temporary_user_blocking" can be set +`default_temporary_blocking_parameters` - (Optional) Use default parameters (`Bool`).(Deprecated) - +`temporary_user_blocking` - (Optional) Specifies configuration for temporary user blocking resulting from malicious user detection. See [Temporary Blocking Parameters Choice Temporary User Blocking ](#temporary-blocking-parameters-choice-temporary-user-blocking) below for details.(Deprecated) +### Choice Custom Security +Custom selection of TLS versions and cipher suites. +`cipher_suites` - (Required) The TLS listener will only support the specified cipher list. (`String`). - +`max_version` - (Optional) Maximum TLS protocol version. (`String`). +`min_version` - (Optional) Minimum TLS protocol version. (`String`). +### Choice Default Security +TLS v1.2+ with PFS ciphers and strong crypto algorithms.. - +### Choice Low Security +TLS v1.0+ including non-PFS ciphers and weak crypto algorithms.. +### Choice Medium Security +TLS v1.0+ with PFS ciphers and medium strength crypto algorithms.. - +### Choice Public Ip +Specify origin server with public IP. +###### One of the arguments from this list "ip, ipv6" must be set +`ip` - (Optional) Public IPV4 address (`String`). +`ipv6` - (Optional) Public IPV6 address (`String`). +### Choice Public Name - +Specify origin server with public DNS name. 
+`dns_name` - (Required) DNS Name (`String`). +`refresh_interval` - (Optional) Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767 (`Int`). +### Choice Tls 11 Plus - +TLS v1.1+ with PFS ciphers and medium strength crypto algorithms.. +### Choice Tls 12 Plus +TLS v1.2+ with PFS ciphers and strong crypto algorithms.. +### Client Choice Any Client - +Any Client. +### Client Choice Client Name Matcher +client_name_matcher. +`exact_values` - (Optional) A list of exact values to match the input against. (`String`). - +`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). +`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - +### Client Choice Client Selector +The predicate evaluates to true if the expressions in the label selector are true for the client labels.. +`expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Client Choice Ip Threat Category List +IP threat categories to choose from. - +`ip_threat_categories` - (Required) The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions (`List of Strings`). +### Client Matcher Tls Fingerprint Matcher +The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. +`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). +`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). +`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). +### Client Side Defense Policy +Please ensure that the same domains are configured in the Client-Side Defense configuration.. 
+###### One of the arguments from this list "disable_js_insert, js_insert_all_pages, js_insert_all_pages_except, js_insertion_rules" must be set - +`disable_js_insert` - (Optional) Disable JavaScript insertion. (`Bool`). +`js_insert_all_pages` - (Optional) Insert Client-Side Defense JavaScript in all pages. (`Bool`). +`js_insert_all_pages_except` - (Optional) Insert Client-Side Defense JavaScript in all pages with the exceptions.. See [Java Script Choice Js Insert All Pages Except ](#java-script-choice-js-insert-all-pages-except) below for details. +`js_insertion_rules` - (Optional) Specify custom JavaScript insertion rules.. See [Java Script Choice Js Insertion Rules ](#java-script-choice-js-insertion-rules) below for details. - +### Client Side Defense Choice Client Side Defense +Client-Side Defense configuration for JavaScript insertion. +`policy` - (Required) Please ensure that the same domains are configured in the Client-Side Defense configuration.. See [Client Side Defense Policy ](#client-side-defense-policy) below for details. +### Client Source Choice Http Header - +Request header name and value pairs. +`headers` - (Required) List of HTTP header name and value pairs. See [Http Header Headers ](#http-header-headers) below for details. +### Common Security Controls Blocked Clients +Define rules to block IP Prefixes or AS numbers.. - +###### One of the arguments from this list "bot_skip_processing, skip_processing, waf_skip_processing" can be set +`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) +`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) +`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. (`Bool`).(Deprecated) +`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). 
+###### One of the arguments from this list "as_number, http_header, ip_prefix, user_identifier" must be set - +`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). +`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. +`ip_prefix` - (Optional) IPv4 prefix string. (`String`). +`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). - +`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Blocked Clients Metadata ](#blocked-clients-metadata) below for details. +### Common Security Controls Cors Policy +resources from a server at a different origin. - +`allow_credentials` - (Optional) Specifies whether the resource allows credentials (`Bool`). +`allow_headers` - (Optional) Specifies the content for the access-control-allow-headers header (`String`). +`allow_methods` - (Optional) Specifies the content for the access-control-allow-methods header (`String`). +`allow_origin` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). +`allow_origin_regex` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). +`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). - +`expose_headers` - (Optional) Specifies the content for the access-control-expose-headers header (`String`). +`max_age` - (Optional) Specifies the content for the access-control-max-age header (`String`).(Deprecated) +`maximum_age` - (Optional) Maximum permitted value is 86400 seconds (24 hours) (`Int`). +### Common Security Controls Trusted Clients - +Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. 
+###### One of the arguments from this list "bot_skip_processing, skip_processing, waf_skip_processing" can be set +`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) +`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) +`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. (`Bool`).(Deprecated) +`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). - +###### One of the arguments from this list "as_number, http_header, ip_prefix, user_identifier" must be set +`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). +`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. +`ip_prefix` - (Optional) IPv4 prefix string. (`String`). +`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). +`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Trusted Clients Metadata ](#trusted-clients-metadata) below for details. - +### Condition Type Choice Api Endpoint +The API endpoint (Path + Method) which this validation applies to. +`methods` - (Optional) Methods to be matched (`List of Strings`). +`path` - (Required) Path to be matched (`String`). - +### Cookie Matcher Operator +. +###### One of the arguments from this list "Contains, DoesNotContain, DoesNotEndWith, DoesNotEqual, DoesNotStartWith, Endswith, Equals, MatchRegex, Startswith" can be set +`Contains` - (Optional) Field must contain (`String`). +`DoesNotContain` - (Optional) Field must not contain (`String`). 
+`DoesNotEndWith` - (Optional) Field must not end with (`String`). - +`DoesNotEqual` - (Optional) Field must not equal (`String`). +`DoesNotStartWith` - (Optional) Field must not start with (`String`). +`Endswith` - (Optional) Field must end with (`String`). +`Equals` - (Optional) Field must exactly match (`String`). - +`MatchRegex` - (Optional) Field matches regular expression (`String`). +`Startswith` - (Optional) Field must start with (`String`). +### Cookie Tampering Disable Tampering Protection +x-displayName: "Disable". - +### Cookie Tampering Enable Tampering Protection +x-displayName: "Enable". +### Cors Support Choice Disable Cors Support +protect against Bot Attacks.. - +### Cors Support Choice Enable Cors Support +Allows Bot Defense to work with your existing CORS policies.. +### Count By Choice Use Http Lb User Id +Defined in HTTP-LB Security Configuration -> User Identifier.. - +### Crl Choice No Crl +Client certificate revocation status is not verified. +### Data Guard Rules Metadata +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Data Guard Rules Path +URI path matcher.. +###### One of the arguments from this list "path, prefix, regex" must be set - +`path` - (Optional) Exact path value to match (`String`). +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). +### Ddos Client Source Asn List - +The ASN is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.. 
+`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). +### Ddos Client Source Tls Fingerprint Matcher +The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. - +`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). +`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). +`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). +### Ddos Mitigation Rules Metadata - +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - +### Destination Type Any Url +Any URL . +### Destination Type Api Endpoint +The endpoint (path) of the request.. - +`methods` - (Optional) Methods to be matched (`List of Strings`). +`path` - (Required) Path to be matched (`String`). +### Destination Type Api Groups +Validation will be performed for the endpoints mentioned in the API Groups. - +`api_groups` - (Required) x-required (`String`). +### Domain Choice Any Domain +The rule will apply for all domains.. +### Domain Matcher Choice Any Domain - +Any Domain.. +### Domain Matcher Choice Domain +Domain matcher.. +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set - +`exact_value` - (Optional) Exact domain name. (`String`). 
+`regex_value` - (Optional) Regular Expression value for the domain name (`String`). +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +### Eligible For Cache Hostname Uri - +. +`cache_override` - (Optional) Honour Cache Override (`Bool`). +`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). +`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). - +### Eligible For Cache Scheme Hostname Request Uri +. +`cache_override` - (Optional) Honour Cache Override (`Bool`). +`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). - +`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). +### Eligible For Cache Scheme Hostname Uri +. +`cache_override` - (Optional) Honour Cache Override (`Bool`). +`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). +`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). +### Eligible For Cache Scheme Hostname Uri Query +. - +`cache_override` - (Optional) Honour Cache Override (`Bool`). +`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). +`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). 
+### Eligible For Cache Scheme Proxy Host Request Uri +. +`cache_override` - (Optional) Honour Cache Override (`Bool`). - +`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). +`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). +### Eligible For Cache Scheme Proxy Host Uri +. - +`cache_override` - (Optional) Honour Cache Override (`Bool`). +`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). +`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). +### Enable Api Discovery Api Discovery From Code Scan +Select API code repositories to the load balancer to use them as a source for API endpoint discovery.. - +`code_base_integrations` - (Required) x-required. See [Api Discovery From Code Scan Code Base Integrations ](#api-discovery-from-code-scan-code-base-integrations) below for details. +### Enable Api Discovery Discovered Api Settings +Configure Discovered API Settings.. +### Enable Api Discovery Sensitive Data Detection Rules +Manage rules to detect sensitive data in requests and/or response sections.. - +### Exclude List Metadata +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Exclude List Path +URI path matcher.. 
+###### One of the arguments from this list "path, prefix, regex" must be set +`path` - (Optional) Exact path value to match (`String`). +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - +### Fail Configuration Fail Close +Handle the transaction as it failed the OpenAPI specification validation (Block or Report). +### Fail Configuration Fail Open +Continue to process the transaction without enforcing OpenAPI specification (Allow). - +### Fall Through Mode Choice Fall Through Mode Allow +Allow any unprotected end point. +### Fall Through Mode Choice Fall Through Mode Custom +Custom rules for any unprotected end point. +`open_api_validation_rules` - (Required) x-displayName: "Custom Fall Through Rule List". See [Fall Through Mode Custom Open Api Validation Rules ](#fall-through-mode-custom-open-api-validation-rules) below for details. +### Fall Through Mode Custom Open Api Validation Rules - +x-displayName: "Custom Fall Through Rule List". +###### One of the arguments from this list "action_block, action_report, action_skip" must be set +`action_block` - (Optional) Block the request and issue an API security event (`Bool`). +`action_report` - (Optional) Continue processing the request and issue an API security event (`Bool`). +`action_skip` - (Optional) Continue processing the request (`Bool`). +###### One of the arguments from this list "api_endpoint, api_group, base_path" must be set - +`api_endpoint` - (Optional) The API endpoint (Path + Method) which this validation applies to. See [Condition Type Choice Api Endpoint ](#condition-type-choice-api-endpoint) below for details. +`api_group` - (Optional) The API group which this validation applies to (`String`). +`base_path` - (Optional) The base path which this validation applies to (`String`). 
+`metadata` - (Required) Common attributes for the rule including name and description.. See [Open Api Validation Rules Metadata ](#open-api-validation-rules-metadata) below for details. - +### Flow Label Choice Account Management +x-displayName: "Account Management". +###### One of the arguments from this list "create, password_reset" must be set +`create` - (Optional) x-displayName: "Account Creation" (`Bool`). +`password_reset` - (Optional) x-displayName: "Password Reset" (`Bool`). - +### Flow Label Choice Authentication +x-displayName: "Authentication". +###### One of the arguments from this list "login, login_mfa, login_partner, logout, token_refresh" must be set +`login` - (Optional) x-displayName: "Login". See [Label Choice Login ](#label-choice-login) below for details. +`login_mfa` - (Optional) x-displayName: "Login MFA" (`Bool`). +`login_partner` - (Optional) x-displayName: "Login for a Channel Partner" (`Bool`). +`logout` - (Optional) x-displayName: "Logout" (`Bool`). +`token_refresh` - (Optional) x-displayName: "Token Refresh" (`Bool`). +### Flow Label Choice Financial Services +x-displayName: "Financial Services". +###### One of the arguments from this list "apply, money_transfer" must be set -`bot_defense_advanced` - (Optional) Select Bot Defense Advanced. See [Bot Defense Choice Bot Defense Advanced ](#bot-defense-choice-bot-defense-advanced) below for details.(Deprecated) - +`apply` - (Optional) x-displayName: "Apply for a Financial Service Account (e.g., credit card, banking, retirement account)" (`Bool`). +`money_transfer` - (Optional) x-displayName: "Money Transfer" (`Bool`). +### Flow Label Choice Flight - +x-displayName: "Flight". +###### One of the arguments from this list "checkin" must be set +`checkin` - (Optional) x-displayName: "Check into Flight" (`Bool`). +### Flow Label Choice Flow Label +x-displayName: "Specify Endpoint label category". 
+###### One of the arguments from this list "account_management, authentication, financial_services, flight, profile_management, search, shopping_gift_cards" must be set +`account_management` - (Optional) x-displayName: "Account Management". See [Flow Label Choice Account Management ](#flow-label-choice-account-management) below for details. +`authentication` - (Optional) x-displayName: "Authentication". See [Flow Label Choice Authentication ](#flow-label-choice-authentication) below for details. - +`financial_services` - (Optional) x-displayName: "Financial Services". See [Flow Label Choice Financial Services ](#flow-label-choice-financial-services) below for details. +`flight` - (Optional) x-displayName: "Flight". See [Flow Label Choice Flight ](#flow-label-choice-flight) below for details. +`profile_management` - (Optional) x-displayName: "Profile Management". See [Flow Label Choice Profile Management ](#flow-label-choice-profile-management) below for details. +`search` - (Optional) x-displayName: "Search". See [Flow Label Choice Search ](#flow-label-choice-search) below for details. +`shopping_gift_cards` - (Optional) x-displayName: "Shopping & Gift Cards". See [Flow Label Choice Shopping Gift Cards ](#flow-label-choice-shopping-gift-cards) below for details. - +### Flow Label Choice Profile Management +x-displayName: "Profile Management". +###### One of the arguments from this list "create, update, view" must be set +`create` - (Optional) x-displayName: "Profile Creation" (`Bool`). - +`update` - (Optional) x-displayName: "Profile Update" (`Bool`). +`view` - (Optional) x-displayName: "Profile View" (`Bool`). +### Flow Label Choice Search +x-displayName: "Search". - +###### One of the arguments from this list "flight_search, product_search, reservation_search, room_search" can be set +`flight_search` - (Optional) x-displayName: "Flight Search" (`Bool`). +`product_search` - (Optional) x-displayName: "Product Search" (`Bool`). 
+`reservation_search` - (Optional) x-displayName: "Reservation Search (e.g., sporting events, concerts)" (`Bool`). - +`room_search` - (Optional) x-displayName: "Room Search" (`Bool`). +### Flow Label Choice Shopping Gift Cards - +x-displayName: "Shopping & Gift Cards". +###### One of the arguments from this list "gift_card_make_purchase_with_gift_card, gift_card_validation, shop_add_to_cart, shop_checkout, shop_choose_seat, shop_enter_drawing_submission, shop_make_payment, shop_order, shop_price_inquiry, shop_promo_code_validation, shop_purchase_gift_card, shop_update_quantity" can be set +`gift_card_make_purchase_with_gift_card` - (Optional) x-displayName: "Purchase with Gift Card" (`Bool`). +`gift_card_validation` - (Optional) x-displayName: "Gift Card Validation" (`Bool`). +`shop_add_to_cart` - (Optional) x-displayName: "Add to Cart" (`Bool`). +`shop_checkout` - (Optional) x-displayName: "Checkout" (`Bool`). +`shop_choose_seat` - (Optional) x-displayName: "Select Seat(s)" (`Bool`). +`shop_enter_drawing_submission` - (Optional) x-displayName: "Enter Drawing Submission" (`Bool`). +`shop_make_payment` - (Optional) x-displayName: "Payment / Billing" (`Bool`). +`shop_order` - (Optional) x-displayName: "Order Submit" (`Bool`). +`shop_price_inquiry` - (Optional) x-displayName: "Price Inquiry" (`Bool`). +`shop_promo_code_validation` - (Optional) x-displayName: "Promo Code Validation" (`Bool`). +`shop_purchase_gift_card` - (Optional) x-displayName: "Purchase a Gift Card" (`Bool`). +`shop_update_quantity` - (Optional) x-displayName: "Update Quantity" (`Bool`). - +### Flow Label Choice Undefined Flow Label +x-displayName: "Undefined". +### Geo Filtering Type Allow List +Allow list of countries. +`country_codes` - (Required) List of Country Codes (`List of Strings`). +`invert_match` - (Optional) Invert the match result. (`Bool`). +### Geo Filtering Type Block List +Block list of countries. +`country_codes` - (Required) List of Country Codes (`List of Strings`). 
+`invert_match` - (Optional) Invert the match result. (`Bool`). +### Goodbot Choice Allow Good Bots +System flags Good Bot traffic and allow it to continue to the origin. +### Goodbot Choice Mitigate Good Bots +System flags Good Bot Traffic, but mitigation is handled in the same manner as malicious automated traffic defined above. +### Graphql Rules Graphql Settings +GraphQL configuration.. +###### One of the arguments from this list "disable_introspection, enable_introspection" must be set +`disable_introspection` - (Optional) Disable introspection queries for the load balancer. (`Bool`). +`enable_introspection` - (Optional) Enable introspection queries for the load balancer. (`Bool`). +`max_batched_queries` - (Required) Specify maximum number of queries in a single batched request. (`Int`). +`max_depth` - (Required) Specify maximum depth for the GraphQL query. (`Int`). +`max_total_length` - (Required) Specify maximum length in bytes for the GraphQL query. (`Int`). +`max_value_length` - (Required) Specify maximum value length in bytes for the GraphQL query. (`Int`).(Deprecated) +`policy_name` - (Optional) Sets the BD Policy to use (`String`).(Deprecated) +### Graphql Rules Metadata +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Header Options Request Headers To Add +Headers specified at this level are applied after headers from matched Route are applied. +`append` - (Optional) Default value is do not append (`Bool`). +`name` - (Required) Name of the HTTP header. (`String`). +###### One of the arguments from this list "secret_value, value" must be set +`secret_value` - (Optional) Secret Value of the HTTP header.. 
See [Value Choice Secret Value ](#value-choice-secret-value) below for details. +`value` - (Optional) Value of the HTTP header. (`String`). - +### Header Options Response Headers To Add +Headers specified at this level are applied after headers from matched Route are applied. +`append` - (Optional) Default value is do not append (`Bool`). +`name` - (Required) Name of the HTTP header. (`String`). +###### One of the arguments from this list "secret_value, value" must be set - +`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. +`value` - (Optional) Value of the HTTP header. (`String`). +### Http Header Headers +List of HTTP header name and value pairs. +`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). +`name` - (Required) Name of the header (`String`). - +###### One of the arguments from this list "exact, presence, regex" can be set +`exact` - (Optional) Header value to match exactly (`String`). +`presence` - (Optional) If true, check for presence of header (`Bool`). +`regex` - (Optional) Regex match of the header value in re2 format (`String`). +### Httponly Add Httponly +x-displayName: "Add". +### Httponly Ignore Httponly +x-displayName: "Ignore". +### Https Tls Cert Options -`disable_bot_defense` - (Optional) No Bot Defense configuration for this load balancer (`Bool`). +TLS Certificate Options. +###### One of the arguments from this list "tls_cert_params, tls_inline_params" must be set +`tls_cert_params` - (Optional) Select/Add one or more TLS Certificate objects to associate with this Load Balancer. See [Tls Certificates Choice Tls Cert Params ](#tls-certificates-choice-tls-cert-params) below for details. +`tls_inline_params` - (Optional) Upload a TLS certificate covering all domain names for this Load Balancer. 
See [Tls Certificates Choice Tls Inline Params ](#tls-certificates-choice-tls-inline-params) below for details. -`cache_rules` - (Optional) Rules are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs.. See [Cache Rules ](#cache-rules) below for details. +### Https Tls Parameters +TLS parameters for the downstream connections.. +`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Tls Parameters Tls Certificates ](#tls-parameters-tls-certificates) below for details. +`tls_config` - (Optional) TLS Configuration Parameters. See [Tls Parameters Tls Config ](#tls-parameters-tls-config) below for details. - +### Https Auto Cert Tls Config +TLS Configuration Parameters. +###### One of the arguments from this list "tls_11_plus, tls_12_plus" must be set +`tls_11_plus` - (Optional) TLS v1.1+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). - +`tls_12_plus` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). +### Ip Allowed List Choice Bypass Rate Limiting Rules +This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. +`bypass_rate_limiting_rules` - (Optional) This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. See [Bypass Rate Limiting Rules Bypass Rate Limiting Rules ](#bypass-rate-limiting-rules-bypass-rate-limiting-rules) below for details. - +### Ip Allowed List Choice Custom Ip Allowed List +IP Allowed list using existing ip_prefix_set objects.. +`rate_limiter_allowed_prefixes` - (Required) Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.. See [ref](#ref) below for details. +### Ip Allowed List Choice Ip Allowed List +List of IP(s) for which rate limiting will be disabled.. 
+`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +`prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). - +### Ip Allowed List Choice No Ip Allowed List +There is no ip allowed list for rate limiting, all clients go through rate limiting.. +### Ip Asn Choice Any Ip +Any Source IP. +### Ip Asn Choice Asn List +The predicate evaluates to true if the origin ASN is present in the ASN list.. +`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). - +### Ip Asn Choice Asn Matcher +The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. +`asn_sets` - (Required) A list of references to bgp_asn_set objects.. See [ref](#ref) below for details. +### Ip Asn Choice Ip Matcher +The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`prefix_sets` - (Required) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. - +### Ip Asn Choice Ip Prefix List +The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. +`invert_match` - (Optional) Invert the match result. (`Bool`). +`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). +`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +### Ip Choice Any Ip +any_ip. - +### Ip Choice Ip Matcher +ip_matcher. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`prefix_sets` - (Required) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. +### Ip Choice Ip Prefix List +ip_prefix_list. +`invert_match` - (Optional) Invert the match result. (`Bool`). 
- +`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). +`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +### Ip Filtering Type Allow List +Allow list of ip prefixes. +`invert_match` - (Optional) Invert the match result. (`Bool`). +`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). +`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +### Ip Filtering Type Block List +Block list of ip prefixes. - +`invert_match` - (Optional) Invert the match result. (`Bool`). +`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). - +`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +### Ip Reputation Choice Disable Ip Reputation - +No IP reputation configured this distribution. +### Ip Reputation Choice Enable Ip Reputation +Enable IP reputation for all requests in this distribution. - +`ip_threat_categories` - (Required) If the source IP matches on atleast one of the enabled IP threat categories, the request will be denied. (`List of Strings`). +### Ip Reputation Choice Ip Reputation On Cache Miss +Enable IP reputation only on cache miss in this distribution. +`ip_threat_categories` - (Required) If the source IP matches on atleast one of the enabled IP threat categories, the request will be denied. (`List of Strings`). +### Issuer Validation Issuer Disable +x-displayName: "Disable". +### Java Script Choice Disable Js Insert +Disable JavaScript insertion.. +### Java Script Choice Js Insert All Pages +Insert Client-Side Defense JavaScript in all pages.. +### Java Script Choice Js Insert All Pages +Insert Bot Defense JavaScript in all pages.. +`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). - +### Java Script Choice Js Insert All Pages Except +Insert Client-Side Defense JavaScript in all pages with the exceptions.. +`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. 
See [Js Insert All Pages Except Exclude List ](#js-insert-all-pages-except-exclude-list) below for details. - +### Java Script Choice Js Insert All Pages Except +Insert Bot Defense JavaScript in all pages with the exceptions.. +`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insert All Pages Except Exclude List ](#js-insert-all-pages-except-exclude-list) below for details. +`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). +### Java Script Choice Js Insertion Rules +Specify custom JavaScript insertion rules.. +`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insertion Rules Exclude List ](#js-insertion-rules-exclude-list) below for details. +`rules` - (Required) Required list of pages to insert Client-Side Defense client JavaScript.. See [Js Insertion Rules Rules ](#js-insertion-rules-rules) below for details. +### Java Script Choice Js Insertion Rules +Specify custom JavaScript insertion rules.. +`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insertion Rules Exclude List ](#js-insertion-rules-exclude-list) below for details. +`rules` - (Required) Required list of pages to insert Bot Defense client JavaScript.. See [Js Insertion Rules Rules ](#js-insertion-rules-rules) below for details. +### Js Challenge Parameters Choice Default Js Challenge Parameters - +Use default parameters. +### Js Challenge Parameters Choice Js Challenge Parameters - +Configure JavaScript challenge parameters. +`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). +`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). +`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). +### Js Insert All Pages Except Exclude List +Optional JavaScript insertions exclude list of domain and path matchers.. +###### One of the arguments from this list "any_domain, domain" must be set +`any_domain` - (Optional) Any Domain. (`Bool`). +`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. +`metadata` - (Required) Common attributes for the rule including name and description.. See [Exclude List Metadata ](#exclude-list-metadata) below for details. +`path` - (Required) URI path matcher.. See [Exclude List Path ](#exclude-list-path) below for details. +### Js Insertion Rules Exclude List +Optional JavaScript insertions exclude list of domain and path matchers.. - +###### One of the arguments from this list "any_domain, domain" must be set +`any_domain` - (Optional) Any Domain. (`Bool`). +`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - +`metadata` - (Required) Common attributes for the rule including name and description.. See [Exclude List Metadata ](#exclude-list-metadata) below for details. +`path` - (Required) URI path matcher.. See [Exclude List Path ](#exclude-list-path) below for details. +### Js Insertion Rules Rules +Required list of pages to insert Client-Side Defense client JavaScript.. +###### One of the arguments from this list "any_domain, domain" must be set +`any_domain` - (Optional) Any Domain. (`Bool`). +`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. +`metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. +`path` - (Required) URI path matcher.. 
See [Rules Path ](#rules-path) below for details. +### Js Insertion Rules Rules +Required list of pages to insert Bot Defense client JavaScript.. +###### One of the arguments from this list "any_domain, domain" must be set +`any_domain` - (Optional) Any Domain. (`Bool`). +`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. +`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. +`path` - (Required) URI path matcher.. See [Rules Path ](#rules-path) below for details. -`captcha_challenge` - (Optional) Configure Captcha challenge on this load balancer. See [Challenge Type Captcha Challenge ](#challenge-type-captcha-challenge) below for details. - +### Jwks Configuration Jwks Config +The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.. +`cleartext` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details. (`String`). +### Jwt Backup Key +Backup JWT Key - If specified is also checked in addition to the primary secret key. -`challenge_on_cache_miss` - (Optional) Configure auto mitigation i.e risk based challenges for malicious users only on cache miss in this load balancer. See [Challenge Type Challenge On Cache Miss ](#challenge-type-challenge-on-cache-miss) below for details.(Deprecated) - +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Backup Key Blindfold Secret Info Internal ](#backup-key-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. 
if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Jwt Secret Key +Secret Key for JWT. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Secret Key Blindfold Secret Info Internal ](#secret-key-blindfold-secret-info-internal) below for details.(Deprecated) - +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. 
See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - +### Jwt Validation Action +x-required. +###### One of the arguments from this list "block, report" must be set +`block` - (Optional) Block the request and report the issue (`Bool`). - +`report` - (Optional) Allow the request and report the issue (`Bool`). +### Jwt Validation Mandatory Claims +If the claim does not exist JWT token validation will fail.. +`claim_names` - (Optional) x-displayName: "Claim Names" (`String`). +### Jwt Validation Reserved Claims +the token validation of these claims should be disabled.. +###### One of the arguments from this list "audience, audience_disable" must be set +`audience` - (Optional) x-displayName: "Exact Match". See [Audience Validation Audience ](#audience-validation-audience) below for details. +`audience_disable` - (Optional) x-displayName: "Disable" (`Bool`). - +###### One of the arguments from this list "issuer, issuer_disable" must be set +`issuer` - (Optional) x-displayName: "Exact Match" (`String`). +`issuer_disable` - (Optional) x-displayName: "Disable" (`Bool`). +###### One of the arguments from this list "validate_period_disable, validate_period_enable" must be set +`validate_period_disable` - (Optional) x-displayName: "Disable" (`Bool`). +`validate_period_enable` - (Optional) x-displayName: "Enable" (`Bool`). -`enable_challenge` - (Optional) Configure auto mitigation i.e risk based challenges for malicious users for this load balancer. 
See [Challenge Type Enable Challenge ](#challenge-type-enable-challenge) below for details. - +### Jwt Validation Target +Define endpoints for which JWT token validation will be performed. +###### One of the arguments from this list "all_endpoint, api_groups, base_paths" must be set +`all_endpoint` - (Optional) Validation will be performed for all requests on this LB (`Bool`). +`api_groups` - (Optional) Validation will be performed for the endpoints mentioned in the API Groups. See [Target Api Groups ](#target-api-groups) below for details. +`base_paths` - (Optional) Validation will be performed for selected path prefixes. See [Target Base Paths ](#target-base-paths) below for details. +### Jwt Validation Token Location +Define where in the HTTP request the JWT token will be extracted. +###### One of the arguments from this list "bearer_token, cookie, header, query_param" must be set +`bearer_token` - (Optional) Token is found in Authorization HTTP header with Bearer authentication scheme (`Bool`). +`cookie` - (Optional) Token is found in the cookie (`String`).(Deprecated) +`header` - (Optional) Token is found in the header (`String`).(Deprecated) +`query_param` - (Optional) Token is found in the query string parameter (`String`).(Deprecated) +### L7 Ddos Auto Mitigation Action L7 Ddos Action Js Challenge +Serve JavaScript challenge to suspicious sources. +`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). +`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). +`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). +### Label Choice Apply +x-displayName: "Apply for a Financial Service Account (e.g., credit card, banking, retirement account)". +### Label Choice Checkin +x-displayName: "Check into Flight". +### Label Choice Create +x-displayName: "Account Creation". +### Label Choice Flight Search -`js_challenge` - (Optional) Configure JavaScript challenge on this load balancer. See [Challenge Type Js Challenge ](#challenge-type-js-challenge) below for details. - +x-displayName: "Flight Search". +### Label Choice Gift Card Make Purchase With Gift Card +x-displayName: "Purchase with Gift Card". +### Label Choice Gift Card Validation +x-displayName: "Gift Card Validation". +### Label Choice Login -`no_challenge` - (Optional) No challenge is enabled for this load balancer (`Bool`). +x-displayName: "Login". +### Label Choice Login Mfa -`policy_based_challenge` - (Optional) Specifies the settings for policy rule based challenge. See [Challenge Type Policy Based Challenge ](#challenge-type-policy-based-challenge) below for details. - +x-displayName: "Login MFA". +### Label Choice Login Partner +x-displayName: "Login for a Channel Partner". +### Label Choice Logout +x-displayName: "Logout". +### Label Choice Money Transfer +x-displayName: "Money Transfer". +### Label Choice Password Reset +x-displayName: "Password Reset". +### Label Choice Product Search +x-displayName: "Product Search". +### Label Choice Reservation Search - +x-displayName: "Reservation Search (e.g., sporting events, concerts)". +### Label Choice Room Search +x-displayName: "Room Search". +### Label Choice Shop Add To Cart - +x-displayName: "Add to Cart". +### Label Choice Shop Checkout +x-displayName: "Checkout". +### Label Choice Shop Choose Seat - +x-displayName: "Select Seat(s)". 
+### Label Choice Shop Enter Drawing Submission +x-displayName: "Enter Drawing Submission". +### Label Choice Shop Make Payment +x-displayName: "Payment / Billing". +### Label Choice Shop Order +x-displayName: "Order Submit". +### Label Choice Shop Price Inquiry +x-displayName: "Price Inquiry". +### Label Choice Shop Promo Code Validation +x-displayName: "Promo Code Validation". +### Label Choice Shop Purchase Gift Card +x-displayName: "Purchase a Gift Card". +### Label Choice Shop Update Quantity +x-displayName: "Update Quantity". +### Label Choice Token Refresh +x-displayName: "Token Refresh". +### Label Choice Update - +x-displayName: "Profile Update". +### Label Choice View - +x-displayName: "Profile View". +### Learn From Redirect Traffic Disable Learn From Redirect Traffic +Disable learning API patterns from traffic with redirect response codes 3xx. - +### Learn From Redirect Traffic Enable Learn From Redirect Traffic +Enable learning API patterns from traffic with redirect response codes 3xx. - +### Loadbalancer Type Http +CDN Distribution serving content over HTTP. +`dns_volterra_managed` - (Optional) or a DNS CNAME record should be created in your DNS provider's portal. (`Bool`). +###### One of the arguments from this list "port, port_ranges" must be set +`port` - (Optional) HTTP port to Listen. (`Int`). +`port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). +### Loadbalancer Type Https +User is responsible for managing DNS.. +`add_hsts` - (Optional) Add HTTP Strict-Transport-Security response header (`Bool`). +`http_redirect` - (Optional) Redirect HTTP traffic to HTTPS (`Bool`). +`tls_cert_options` - (Optional) TLS Certificate Options. See [Https Tls Cert Options ](#https-tls-cert-options) below for details. +`tls_parameters` - (Optional) TLS parameters for the downstream connections.. 
See [Https Tls Parameters ](#https-tls-parameters) below for details.(Deprecated) +### Loadbalancer Type Https Auto Cert +DNS records will be managed by Volterra.. +`add_hsts` - (Optional) Add HTTP Strict-Transport-Security response header (`Bool`). +`http_redirect` - (Optional) Redirect HTTP traffic to HTTPS (`Bool`). +`tls_config` - (Optional) TLS Configuration Parameters. See [Https Auto Cert Tls Config ](#https-auto-cert-tls-config) below for details. +### Logging Options Client Log Options - +Client request headers to log. +`header_list` - (Optional) List of headers (`String`). +### Logging Options Origin Log Options +Origin response headers to log. - +`header_list` - (Optional) List of headers (`String`). +### Malicious User Detection Choice Disable Malicious User Detection +Disable malicious user detection for this distribution. +### Malicious User Detection Choice Enable Malicious User Detection +Enable malicious user detection for all requests in this distribution. - +### Malicious User Detection Choice Malicious User Detection On Cache Miss +Enable malicious user detection only on cache miss in this distribution. +### Malicious User Mitigation Choice Default Mitigation Settings +For high level, users will be temporarily blocked.. +### Match Check Not Present - +Check that the cookie is not present.. +### Match Check Present +Check that the cookie is present.. +### Match Item +Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. +`exact_values` - (Optional) A list of exact values to match the input against. (`String`). +`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - +`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). +### Max Age Ignore Max Age +Ignore max age attribute. 
+### Max Session Keys Type Default Session Key Caching - +Default session key caching. Only one session key will be cached.. +### Max Session Keys Type Disable Session Key Caching +Disable session key caching. This will disable TLS session resumption.. +### Method Choice Method Get - +x-displayName: "GET". +### Method Choice Method Post +x-displayName: "POST". +### Mitigation Action Block +Block user for a duration determined by the expiration time. +### Mitigation Choice Ddos Client Source +Combination of Region, ASN and TLS Fingerprints. +`asn_list` - (Optional) The ASN is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.. See [Ddos Client Source Asn List ](#ddos-client-source-asn-list) below for details. +`country_list` - (Optional) Sources that are located in one of the countries in the given list (`List of Strings`). +`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Ddos Client Source Tls Fingerprint Matcher ](#ddos-client-source-tls-fingerprint-matcher) below for details. - +### Mitigation Choice Ip Prefix List +IPv4 prefix string.. +`invert_match` - (Optional) Invert the match result. (`Bool`). +`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). +`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +### Mobile Identifier Headers +Headers that can be used to identify mobile traffic.. +###### One of the arguments from this list "check_not_present, check_present, item" must be set +`check_not_present` - (Optional) Check that the header is not present. (`Bool`). +`check_present` - (Optional) Check that the header is present. (`Bool`). - +`item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. 
+`name` - (Required) A case-insensitive HTTP header name. (`String`). +### Mobile Sdk Choice Disable Mobile Sdk +Disable Mobile SDK.. +### Mobile Sdk Choice Mobile Sdk Config +Enable Mobile SDK Configuration. +`mobile_identifier` - (Optional) Mobile Request Identifier Headers Type.. See [Mobile Sdk Config Mobile Identifier ](#mobile-sdk-config-mobile-identifier) below for details. +### Mobile Sdk Choice Mobile Sdk Config +Mobile SDK configuration. +`mobile_identifier` - (Optional) Mobile traffic identifier type.. See [Mobile Sdk Config Mobile Identifier ](#mobile-sdk-config-mobile-identifier) below for details. +`reload_header_name` - (Optional) Header that is used for SDK configuration sync. (`String`).(Deprecated) +### Mobile Sdk Config Mobile Identifier +Mobile traffic identifier type.. +`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Mobile Identifier Headers ](#mobile-identifier-headers) below for details. +### More Option Cache Options +Cache Options. - +`cache_rules` - (Optional) Rules are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs.. See [Cache Options Cache Rules ](#cache-options-cache-rules) below for details. +`default_cache_action` - (Required) Default value for Cache action.. See [Cache Options Default Cache Action ](#cache-options-default-cache-action) below for details. +### More Option Cache Ttl Options +Cache Options. +###### One of the arguments from this list "cache_disabled, cache_ttl_default, cache_ttl_override" can be set - +`cache_disabled` - (Optional) Disable Caching of content from the origin (`Bool`). +`cache_ttl_default` - (Optional) Cache TTL value to use when the origin does not provide one (`String`). +`cache_ttl_override` - (Optional) Override the Cache TTL directive in the response from the origin (`String`). +### More Option Header Options +Request/Response header related options. 
+`request_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [Header Options Request Headers To Add ](#header-options-request-headers-to-add) below for details. +`request_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP request being sent towards upstream. (`String`). +`response_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [Header Options Response Headers To Add ](#header-options-response-headers-to-add) below for details. +`response_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP response being sent towards downstream. (`String`). +### More Option Logging Options +Logging related options. +`client_log_options` - (Optional) Client request headers to log. See [Logging Options Client Log Options ](#logging-options-client-log-options) below for details. +`origin_log_options` - (Optional) Origin response headers to log. See [Logging Options Origin Log Options ](#logging-options-origin-log-options) below for details. +### More Option Security Options +Security related options. +`api_protection` - (Optional) x-displayName: "API Protection". See [Security Options Api Protection ](#security-options-api-protection) below for details. - +`auth_options` - (Optional) Authentication Options. See [Security Options Auth Options ](#security-options-auth-options) below for details. +`common_security_controls` - (Optional) x-displayName: "Common Security Controls". See [Security Options Common Security Controls ](#security-options-common-security-controls) below for details. +`geo_filtering` - (Optional) Geo filtering options. See [Security Options Geo Filtering ](#security-options-geo-filtering) below for details. +`ip_filtering` - (Optional) IP filtering options. See [Security Options Ip Filtering ](#security-options-ip-filtering) below for details. 
+`web_app_firewall` - (Optional) Web Application Firewall. See [Security Options Web App Firewall ](#security-options-web-app-firewall) below for details. +### Mtls Choice No Mtls - +x-displayName: "Disable". +### Mtls Choice Use Mtls +x-displayName: "Enable". +`client_certificate_optional` - (Optional) the connection will be accepted. (`Bool`). - +###### One of the arguments from this list "crl, no_crl" can be set +`crl` - (Optional) Specify the CRL server information to download the certificate revocation list. See [ref](#ref) below for details. +`no_crl` - (Optional) Client certificate revocation status is not verified (`Bool`). +###### One of the arguments from this list "trusted_ca, trusted_ca_url" must be set +`trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Load Balancer. See [ref](#ref) below for details. +`trusted_ca_url` - (Optional) Upload a Root CA Certificate specifically for this Load Balancer (`String`). - +###### One of the arguments from this list "xfcc_disabled, xfcc_options" can be set +`xfcc_disabled` - (Optional) No X-Forwarded-Client-Cert header will be added (`Bool`). +`xfcc_options` - (Optional) X-Forwarded-Client-Cert header will be added with the configured fields. See [Xfcc Header Xfcc Options ](#xfcc-header-xfcc-options) below for details. +### Mtls Choice Use Mtls +x-displayName: "Upload a client authentication certificate specifically for this Origin Pool". +`tls_certificates` - (Required) mTLS Client Certificate. See [Use Mtls Tls Certificates ](#use-mtls-tls-certificates) below for details. - +### Ocsp Stapling Choice Custom Hash Algorithms +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). 
+### Ocsp Stapling Choice Disable Ocsp Stapling +This is the default behavior if no choice is selected.. +### Ocsp Stapling Choice Use System Defaults +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. +### Open Api Validation Rules Metadata - +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Open Api Validation Rules Validation Mode +When a validation mismatch occurs on a request to one of the endpoints listed on the OpenAPI specification file (a.k.a. swagger). +###### One of the arguments from this list "response_validation_mode_active, skip_response_validation" must be set +`response_validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Response Validation Mode Choice Response Validation Mode Active ](#response-validation-mode-choice-response-validation-mode-active) below for details. +`skip_response_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). +###### One of the arguments from this list "skip_validation, validation_mode_active" must be set +`skip_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). +`validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Validation Mode Choice Validation Mode Active ](#validation-mode-choice-validation-mode-active) below for details. +### Origin Pool More Origin Options +x-displayName: "Advanced Configuration". +`disable_byte_range_request` - (Optional) Choice to enable/disable origin byte range requrests towards origin (`Bool`). 
+`websocket_proxy` - (Optional) Option to enable proxying of websocket connections to the origin server (`Bool`). - +### Origin Pool Origin Servers +List of original servers. +###### One of the arguments from this list "public_ip, public_name" must be set +`public_ip` - (Optional) Specify origin server with public IP. See [Choice Public Ip ](#choice-public-ip) below for details. +`public_name` - (Optional) Specify origin server with public DNS name. See [Choice Public Name ](#choice-public-name) below for details. +`port` - (Optional) Port the workload can be reached on (`Int`). +### Origin Pool Public Name - +The DNS name to be used as the host header for the request to the origin server. +`dns_name` - (Required) DNS Name (`String`). +`refresh_interval` - (Optional) Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767 (`Int`). +### Other Settings Geo Filtering - +Geo filtering options. +###### One of the arguments from this list "allow_list, block_list" can be set +`allow_list` - (Optional) Allow list of countries. See [Geo Filtering Type Allow List ](#geo-filtering-type-allow-list) below for details. +`block_list` - (Optional) Block list of countries. See [Geo Filtering Type Block List ](#geo-filtering-type-block-list) below for details. +### Other Settings Header Options +Request/Response header related options. +`request_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [Header Options Request Headers To Add ](#header-options-request-headers-to-add) below for details. +`request_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP request being sent towards upstream. (`String`). +`response_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [Header Options Response Headers To Add ](#header-options-response-headers-to-add) below for details. 
-`client_side_defense` - (Optional) Client-Side Defense configuration for JavaScript insertion. See [Client Side Defense Choice Client Side Defense ](#client-side-defense-choice-client-side-defense) below for details. - +`response_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP response being sent towards downstream. (`String`). +### Other Settings Ip Filtering - +IP filtering options. +###### One of the arguments from this list "allow_list, block_list" can be set +`allow_list` - (Optional) Allow list of ip prefixes. See [Ip Filtering Type Allow List ](#ip-filtering-type-allow-list) below for details. +`block_list` - (Optional) Block list of ip prefixes. See [Ip Filtering Type Block List ](#ip-filtering-type-block-list) below for details. +### Other Settings Logging Options +Logging related options. +`client_log_options` - (Optional) Client request headers to log. See [Logging Options Client Log Options ](#logging-options-client-log-options) below for details. - +`origin_log_options` - (Optional) Origin response headers to log. See [Logging Options Origin Log Options ](#logging-options-origin-log-options) below for details. +### Oversized Body Choice Oversized Body Fail Validation +Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb). +### Oversized Body Choice Oversized Body Skip Validation - +Skip body validation when the body length is too long to verify (default 64Kb). +### Path Choice Any Path +Match all paths. +### Path Match Operator +A specification of path match. - +###### One of the arguments from this list "Contains, DoesNotContain, DoesNotEndWith, DoesNotEqual, DoesNotStartWith, Endswith, Equals, MatchRegex, Startswith" can be set +`Contains` - (Optional) Field must contain (`String`). +`DoesNotContain` - (Optional) Field must not contain (`String`). - +`DoesNotEndWith` - (Optional) Field must not end with (`String`). 
+`DoesNotEqual` - (Optional) Field must not equal (`String`). +`DoesNotStartWith` - (Optional) Field must not start with (`String`). +`Endswith` - (Optional) Field must end with (`String`). +`Equals` - (Optional) Field must exactly match (`String`). +`MatchRegex` - (Optional) Field matches regular expression (`String`). +`Startswith` - (Optional) Field must start with (`String`). +### Policy Protected App Endpoints +List of protected application endpoints (max 128 items).. +###### One of the arguments from this list "mobile, web, web_mobile" must be set +`mobile` - (Optional) Mobile traffic channel. (`Bool`). +`web` - (Optional) Web traffic channel. (`Bool`). +`web_mobile` - (Optional) Web and mobile traffic channel.. See [App Traffic Type Choice Web Mobile ](#app-traffic-type-choice-web-mobile) below for details. +###### One of the arguments from this list "any_domain, domain" can be set +`any_domain` - (Optional) Any Domain. (`Bool`). -`disable_client_side_defense` - (Optional) No Client-Side Defense configuration for this load balancer (`Bool`). +`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. +###### One of the arguments from this list "flow_label, undefined_flow_label" must be set +`flow_label` - (Optional) x-displayName: "Specify Endpoint label category". See [Flow Label Choice Flow Label ](#flow-label-choice-flow-label) below for details. +`undefined_flow_label` - (Optional) x-displayName: "Undefined" (`Bool`). -`cors_policy` - (Optional) resources from a server at a different origin. See [Cors Policy ](#cors-policy) below for details. +###### One of the arguments from this list "allow_good_bots, mitigate_good_bots" must be set +`allow_good_bots` - (Optional) System flags Good Bot traffic and allow it to continue to the origin (`Bool`). 
+`mitigate_good_bots` - (Optional) System flags Good Bot Traffic, but mitigation is handled in the same manner as malicious automated traffic defined above (`Bool`). +`http_methods` - (Required) List of HTTP methods. (`List of Strings`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Protected App Endpoints Metadata ](#protected-app-endpoints-metadata) below for details. +`mitigation` - (Required) Mitigation action.. See [Protected App Endpoints Mitigation ](#protected-app-endpoints-mitigation) below for details. +`path` - (Required) Matching URI path of the route.. See [Protected App Endpoints Path ](#protected-app-endpoints-path) below for details. +`protocol` - (Optional) Protocol. (`String`). +### Policy Protected App Endpoints +List of protected endpoints (max 128 items). +###### One of the arguments from this list "mobile_client, web_client, web_mobile_client" must be set +`mobile_client` - (Optional) Mobile traffic channel. (`Bool`). -`csrf_policy` - (Optional) Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. See [Csrf Policy ](#csrf-policy) below for details. +`web_client` - (Optional) Web traffic channel. (`Bool`). +`web_mobile_client` - (Optional) Web and mobile traffic channel.. See [App Traffic Type Choice Web Mobile Client ](#app-traffic-type-choice-web-mobile-client) below for details. +###### One of the arguments from this list "any_domain, domain" can be set +`any_domain` - (Optional) Any Domain (`Bool`). - +`domain` - (Optional) Select Domain matcher. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. +###### One of the arguments from this list "flow_label, undefined_flow_label" can be set +`flow_label` - (Optional) x-displayName: "Specify endpoint label category". See [Flow Label Choice Flow Label ](#flow-label-choice-flow-label) below for details. 
+`undefined_flow_label` - (Optional) x-displayName: "Undefined" (`Bool`). - +`http_methods` - (Required) List of HTTP methods. (`List of Strings`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Protected App Endpoints Metadata ](#protected-app-endpoints-metadata) below for details. +`path` - (Required) Accepts wildcards * to match multiple characters or ? to match a single character. See [Protected App Endpoints Path ](#protected-app-endpoints-path) below for details. +`query` - (Optional) Enter a regular expression or exact value to match your query parameters of interest. See [Protected App Endpoints Query ](#protected-app-endpoints-query) below for details. +`request_body` - (Optional) Request Body. See [Protected App Endpoints Request Body ](#protected-app-endpoints-request-body) below for details. - +### Policy Based Challenge Rule List +list challenge rules to be used in policy based challenge. +`rules` - (Optional) these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions. See [Rule List Rules ](#rule-list-rules) below for details. +### Policy Choice No Policies +Do not apply additional rate limiter policies.. -`data_guard_rules` - (Optional) Note: App Firewall should be enabled, to use Data Guard feature.. See [Data Guard Rules ](#data-guard-rules) below for details. +### Policy Choice Policies +to the action configured in the rule. If there's no match, the rate limiting configuration for the HTTP load balancer is honored.. +`policies` - (Required) Ordered list of rate limiter policies.. See [ref](#ref) below for details. +### Private Key Blindfold Secret Info Internal - +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
+`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - +### Property Validation Settings Choice Property Validation Settings Custom +Use custom settings with Open API specification validation. +`headers` - (Optional) Custom settings for headers validation. See [Property Validation Settings Custom Headers ](#property-validation-settings-custom-headers) below for details.(Deprecated) +`queryParameters` - (Optional) Custom settings for query parameters validation. See [Property Validation Settings Custom QueryParameters ](#property-validation-settings-custom-queryParameters) below for details. +### Property Validation Settings Choice Property Validation Settings Default +Keep the default settings of OpenAPI specification validation. +### Property Validation Settings Custom Headers +Custom settings for headers validation. +###### One of the arguments from this list "allow_additional_headers, disallow_additional_headers" must be set +`allow_additional_headers` - (Optional) Allow extra headers (on top of what specified in the OAS documentation) (`Bool`). +`disallow_additional_headers` - (Optional) Disallow extra headers (on top of what specified in the OAS documentation) (`Bool`). - +### Property Validation Settings Custom QueryParameters +Custom settings for query parameters validation. +###### One of the arguments from this list "allow_additional_parameters, disallow_additional_parameters" must be set +`allow_additional_parameters` - (Optional) Allow extra query parameters (on top of what specified in the OAS documentation) (`Bool`). +`disallow_additional_parameters` - (Optional) Disallow extra query parameters (on top of what specified in the OAS documentation) (`Bool`). - +### Protected App Endpoints Metadata +Common attributes for the rule including name and description.. 
+`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Protected App Endpoints Mitigation +Mitigation action.. +###### One of the arguments from this list "block, flag, none, redirect" can be set -`ddos_mitigation_rules` - (Optional) Define manual mitigation rules to block L7 DDoS attacks.. See [Ddos Mitigation Rules ](#ddos-mitigation-rules) below for details. +`block` - (Optional) Block bot request and send response with custom content.. See [Action Type Block ](#action-type-block) below for details. +`flag` - (Optional) Flag the request while not taking any invasive actions.. See [Action Type Flag ](#action-type-flag) below for details. +`none` - (Optional) No mitigation actions. (`Bool`).(Deprecated) - +`redirect` - (Optional) Redirect bot request to a custom URI.. See [Action Type Redirect ](#action-type-redirect) below for details. +### Protected App Endpoints Path +Matching URI path of the route.. +###### One of the arguments from this list "path, prefix, regex" must be set +`path` - (Optional) Exact path value to match (`String`). +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - +### Protected App Endpoints Query +Enter a regular expression or exact value to match your query parameters of interest. +`name` - (Optional) Enter query parameter name (`String`). +###### One of the arguments from this list "check_presence, exact_value, regex_value" must be set +`check_presence` - (Optional) Parameter name taken which is exist in the query parameter (`Bool`). +`exact_value` - (Optional) Exact query value to match (`String`). 
- +`regex_value` - (Optional) Regular expression of query match (e.g. the value .* will match on all query) (`String`). +### Protected App Endpoints Request Body - +Request Body. +`name` - (Optional) Enter request body parameter name (`String`). +###### One of the arguments from this list "exact_value, regex_value" must be set +`exact_value` - (Optional) Exact query value to match (`String`). - +`regex_value` - (Optional) Regular expression of query match (e.g. the value .* will match on all query) (`String`). +### Query Parameters Operator +. +###### One of the arguments from this list "Contains, DoesNotContain, DoesNotEndWith, DoesNotEqual, DoesNotStartWith, Endswith, Equals, MatchRegex, Startswith" can be set +`Contains` - (Optional) Field must contain (`String`). +`DoesNotContain` - (Optional) Field must not contain (`String`). +`DoesNotEndWith` - (Optional) Field must not end with (`String`). - +`DoesNotEqual` - (Optional) Field must not equal (`String`). +`DoesNotStartWith` - (Optional) Field must not start with (`String`). +`Endswith` - (Optional) Field must end with (`String`). +`Equals` - (Optional) Field must exactly match (`String`). +`MatchRegex` - (Optional) Field matches regular expression (`String`). +`Startswith` - (Optional) Field must start with (`String`). +### Rate Limit Rate Limiter -`default_cache_action` - (Optional) Default value for Cache action.. See [Default Cache Action ](#default-cache-action) below for details. +Requests to the virtual_host are rate limited based on the parameters specified in the rate_limiter.. +`burst_multiplier` - (Optional) The maximum burst of requests to accommodate, expressed as a multiple of the rate. (`Int`). +`total_number` - (Required) The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. (`Int`). +`unit` - (Required) Unit for the period per which the rate limit is applied. (`String`). 
- +### Rate Limit Choice Api Rate Limit +Define rate limiting for one or more API endpoints. +`api_endpoint_rules` - (Optional) For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. See [Api Rate Limit Api Endpoint Rules ](#api-rate-limit-api-endpoint-rules) below for details. +###### One of the arguments from this list "bypass_rate_limiting_rules, custom_ip_allowed_list, ip_allowed_list, no_ip_allowed_list" must be set +`bypass_rate_limiting_rules` - (Optional) This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. See [Ip Allowed List Choice Bypass Rate Limiting Rules ](#ip-allowed-list-choice-bypass-rate-limiting-rules) below for details. +`custom_ip_allowed_list` - (Optional) IP Allowed list using existing ip_prefix_set objects.. See [Ip Allowed List Choice Custom Ip Allowed List ](#ip-allowed-list-choice-custom-ip-allowed-list) below for details. - +`ip_allowed_list` - (Optional) List of IP(s) for which rate limiting will be disabled.. See [Ip Allowed List Choice Ip Allowed List ](#ip-allowed-list-choice-ip-allowed-list) below for details. +`no_ip_allowed_list` - (Optional) There is no ip allowed list for rate limiting, all clients go through rate limiting. (`Bool`). +`server_url_rules` - (Optional) For matching also specific endpoints you can use the API endpoint rules set bellow.. See [Api Rate Limit Server Url Rules ](#api-rate-limit-server-url-rules) below for details. +### Rate Limit Choice Disable Rate Limit +Rate limiting is not currently enabled for this load balancer. +### Rate Limit Choice Rate Limit -`domains` - (Required) [This can be a domain or a sub-domain] (`List of String`). +Define custom rate limiting parameters for this load balancer. 
+###### One of the arguments from this list "custom_ip_allowed_list, ip_allowed_list, no_ip_allowed_list" must be set +`custom_ip_allowed_list` - (Optional) IP Allowed list using existing ip_prefix_set objects.. See [Ip Allowed List Choice Custom Ip Allowed List ](#ip-allowed-list-choice-custom-ip-allowed-list) below for details. -`graphql_rules` - (Optional) queries and prevent GraphQL tailored attacks.. See [Graphql Rules ](#graphql-rules) below for details. +`ip_allowed_list` - (Optional) List of IP(s) for which rate limiting will be disabled.. See [Ip Allowed List Choice Ip Allowed List ](#ip-allowed-list-choice-ip-allowed-list) below for details. +`no_ip_allowed_list` - (Optional) There is no ip allowed list for rate limiting, all clients go through rate limiting. (`Bool`). +###### One of the arguments from this list "no_policies, policies" must be set +`no_policies` - (Optional) Do not apply additional rate limiter policies. (`Bool`). +`policies` - (Optional) to the action configured in the rule. If there's no match, the rate limiting configuration for the HTTP load balancer is honored.. See [Policy Choice Policies ](#policy-choice-policies) below for details. +`rate_limiter` - (Optional) Requests to the virtual_host are rate limited based on the parameters specified in the rate_limiter.. See [Rate Limit Rate Limiter ](#rate-limit-rate-limiter) below for details. +### Rate Limiter Choice Inline Rate Limiter +Specify rate values for the rule.. +###### One of the arguments from this list "ref_user_id, use_http_lb_user_id" must be set +`ref_user_id` - (Optional) The rules in the user_identification object are evaluated to determine the user identifier to be rate limited.. See [ref](#ref) below for details. - +`use_http_lb_user_id` - (Optional) Defined in HTTP-LB Security Configuration -> User Identifier. (`Bool`). +`threshold` - (Required) The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. (`Int`). 
+`unit` - (Required) Unit for the period per which the rate limit is applied. (`String`). +### Ref - +Reference to another volterra object is shown like below +name - (Required) then name will hold the referred object's(e.g. route's) name. (String). +namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). +tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). - +### Request Matcher Cookie Matchers +Note that all specified cookie matcher predicates must evaluate to true.. +`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the cookie is not present. (`Bool`). +`check_present` - (Optional) Check that the cookie is present. (`Bool`). +`item` - (Optional) Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. +`presence` - (Optional) Check if the cookie is present or absent. (`Bool`).(Deprecated) +`name` - (Required) A case-sensitive cookie name. (`String`). - +### Request Matcher Headers +Note that all specified header predicates must evaluate to true.. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the header is not present. (`Bool`). +`check_present` - (Optional) Check that the header is present. (`Bool`). +`item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - +`presence` - (Optional) Check if the header is present or absent. 
(`Bool`).(Deprecated) +`name` - (Required) A case-insensitive HTTP header name. (`String`). +### Request Matcher Jwt Claims +Note that this feature only works on LBs with JWT Validation feature enabled.. - +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +###### One of the arguments from this list "check_not_present, check_present, item" must be set +`check_not_present` - (Optional) Check that the JWT Claim is not present. (`Bool`). +`check_present` - (Optional) Check that the JWT Claim is present. (`Bool`). +`item` - (Optional) Criteria for matching the values for the JWT Claim. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. +`name` - (Required) JWT claim name. (`String`). -`disable_ip_reputation` - (Optional) No IP reputation configured this distribution (`Bool`). +### Request Matcher Query Params +Note that all specified query parameter predicates must evaluate to true.. -`enable_ip_reputation` - (Optional) Enable IP reputation for all requests in this distribution. See [Ip Reputation Choice Enable Ip Reputation ](#ip-reputation-choice-enable-ip-reputation) below for details. - +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`key` - (Required) A case-sensitive HTTP query parameter name. (`String`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the query parameter is not present. (`Bool`). -`ip_reputation_on_cache_miss` - (Optional) Enable IP reputation only on cache miss in this distribution. See [Ip Reputation Choice Ip Reputation On Cache Miss ](#ip-reputation-choice-ip-reputation-on-cache-miss) below for details.(Deprecated) - +`check_present` - (Optional) Check that the query parameter is present. (`Bool`). +`item` - (Optional) criteria in the matcher.. See [Match Item ](#match-item) below for details. 
+`presence` - (Optional) Check if the query parameter is present or absent. (`Bool`).(Deprecated) +### Request Timeout Choice Disable Request Timeout +x-displayName: "No Timeout". +### Response Validation Mode Choice Response Validation Mode Active -`jwt_validation` - (Optional) tokens or tokens that are not yet valid.. See [Jwt Validation ](#jwt-validation) below for details. +Enforce OpenAPI validation processing for this event. +`response_validation_properties` - (Required) List of properties of the response to validate according to the OpenAPI specification file (a.k.a. swagger) (`List of Strings`). - +###### One of the arguments from this list "enforcement_block, enforcement_report" must be set +`enforcement_block` - (Optional) Block the response, trigger an API security event (`Bool`). +`enforcement_report` - (Optional) Allow the response, trigger an API security event (`Bool`). +### Response Validation Mode Choice Skip Response Validation - +Skip OpenAPI validation processing for this event. +### Rule Expression List Cache Rule Expression +The Cache Rule Expression Terms that are ANDed. +`cache_headers` - (Optional) Configure cache rule headers to match the criteria. See [Cache Rule Expression Cache Headers ](#cache-rule-expression-cache-headers) below for details. - +`cookie_matcher` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Cache Rule Expression Cookie Matcher ](#cache-rule-expression-cookie-matcher) below for details. +`path_match` - (Optional) URI path of route. See [Cache Rule Expression Path Match ](#cache-rule-expression-path-match) below for details. +`query_parameters` - (Optional) List of (key, value) query parameters. See [Cache Rule Expression Query Parameters ](#cache-rule-expression-query-parameters) below for details. +### Rule List Rules +these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions. 
+`metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. +`spec` - (Required) Specification for the rule including match predicates and actions.. See [Rules Spec ](#rules-spec) below for details. +### Rules Metadata - +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Rules Path - +URI path matcher.. +###### One of the arguments from this list "path, prefix, regex" must be set +`path` - (Optional) Exact path value to match (`String`). - +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). +### Rules Spec +Specification for the rule including match predicates and actions.. - +`arg_matchers` - (Optional)arg_matchers. See [Spec Arg Matchers ](#spec-arg-matchers) below for details. +###### One of the arguments from this list "any_asn, asn_list, asn_matcher" can be set +`any_asn` - (Optional)any_asn (`Bool`). +`asn_list` - (Optional)asn_list. See [Asn Choice Asn List ](#asn-choice-asn-list) below for details. +`asn_matcher` - (Optional)asn_matcher. See [Asn Choice Asn Matcher ](#asn-choice-asn-matcher) below for details. - +`body_matcher` - (Optional)body_matcher. See [Spec Body Matcher ](#spec-body-matcher) below for details. +###### One of the arguments from this list "disable_challenge, enable_captcha_challenge, enable_javascript_challenge" must be set +`disable_challenge` - (Optional) Disable the challenge type selected in PolicyBasedChallenge (`Bool`). 
+`enable_captcha_challenge` - (Optional) Enable captcha challenge (`Bool`). +`enable_javascript_challenge` - (Optional) Enable javascript challenge (`Bool`). +###### One of the arguments from this list "any_client, client_name, client_name_matcher, client_selector" can be set +`any_client` - (Optional)any_client (`Bool`). - +`client_name` - (Optional)client_name (`String`).(Deprecated) +`client_name_matcher` - (Optional)client_name_matcher. See [Client Choice Client Name Matcher ](#client-choice-client-name-matcher) below for details.(Deprecated) +`client_selector` - (Optional)client_selector. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. +`cookie_matchers` - (Optional)cookie_matchers. See [Spec Cookie Matchers ](#spec-cookie-matchers) below for details. +`domain_matcher` - (Optional)domain_matcher. See [Spec Domain Matcher ](#spec-domain-matcher) below for details. +`expiration_timestamp` - (Optional)expiration_timestamp (`String`). - +`headers` - (Optional)headers. See [Spec Headers ](#spec-headers) below for details. +`http_method` - (Optional)http_method. See [Spec Http Method ](#spec-http-method) below for details. +###### One of the arguments from this list "any_ip, ip_matcher, ip_prefix_list" can be set +`any_ip` - (Optional)any_ip (`Bool`). - +`ip_matcher` - (Optional)ip_matcher. See [Ip Choice Ip Matcher ](#ip-choice-ip-matcher) below for details. +`ip_prefix_list` - (Optional)ip_prefix_list. See [Ip Choice Ip Prefix List ](#ip-choice-ip-prefix-list) below for details. +`path` - (Optional)path. See [Spec Path ](#spec-path) below for details. +`query_params` - (Optional)query_params. See [Spec Query Params ](#spec-query-params) below for details. - +###### One of the arguments from this list "ja4_tls_fingerprint, tls_fingerprint_matcher" can be set +`ja4_tls_fingerprint` - (Optional)ja4_tls_fingerprint. 
See [Tls Fingerprint Choice Ja4 Tls Fingerprint ](#tls-fingerprint-choice-ja4-tls-fingerprint) below for details.(Deprecated) +`tls_fingerprint_matcher` - (Optional)tls_fingerprint_matcher. See [Tls Fingerprint Choice Tls Fingerprint Matcher ](#tls-fingerprint-choice-tls-fingerprint-matcher) below for details. +### Samesite Ignore Samesite - +Ignore Samesite attribute. +### Samesite Samesite Lax +Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests. +### Samesite Samesite None - +Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests. +### Samesite Samesite Strict +Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests. +### Secret Info Oneof Blindfold Secret Info +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. - +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info +Clear Secret is used for the secrets that are not encrypted. - +`provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +`url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info +Vault Secret is used for the secrets managed by Hashicorp Vault. - +`key` - (Optional) If not provided entire secret will be returned. (`String`). +`location` - (Required) Path to secret in Vault. (`String`). +`provider` - (Required) Name of the Secret Management Access object that contains information about the backend Vault. 
(`String`). +`secret_encoding` - (Optional) This field defines the encoding type of the secret BEFORE the secret is put into Hashicorp Vault. (`String`). +`version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info +Secret is given as bootstrap secret in F5XC Security Sidecar. +`name` - (Required) Name of the secret. (`String`). +### Secret Key Blindfold Secret Info Internal -`l7_ddos_action_block` - (Optional) Block suspicious sources (`Bool`). +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). -`l7_ddos_action_default` - (Optional) Block suspicious sources (`Bool`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). -`l7_ddos_action_js_challenge` - (Optional) Serve JavaScript challenge to suspicious sources. See [L7 Ddos Auto Mitigation Action L7 Ddos Action Js Challenge ](#l7-ddos-auto-mitigation-action-l7-ddos-action-js-challenge) below for details. - +### Secret Value Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secure Add Secure -`l7_ddos_action_none` - (Optional) Disable auto mitigation (`Bool`).(Deprecated) +x-displayName: "Add". +### Secure Ignore Secure +x-displayName: "Ignore". 
+### Security Options Api Protection +x-displayName: "API Protection". -`http` - (Optional) CDN Distribution serving content over HTTP. See [Loadbalancer Type Http ](#loadbalancer-type-http) below for details. - +###### One of the arguments from this list "api_specification, api_specification_on_cache_miss, disable_api_definition" must be set +`api_specification` - (Optional) Specify API definition and OpenAPI Validation. See [Api Definition Choice Api Specification ](#api-definition-choice-api-specification) below for details. +`api_specification_on_cache_miss` - (Optional) Enable API definition and OpenAPI Validation only on cache miss in this distribution. See [Api Definition Choice Api Specification On Cache Miss ](#api-definition-choice-api-specification-on-cache-miss) below for details.(Deprecated) +`disable_api_definition` - (Optional) API Definition is not currently used for this load balancer (`Bool`). +###### One of the arguments from this list "api_discovery_on_cache_miss, disable_api_discovery, enable_api_discovery" must be set +`api_discovery_on_cache_miss` - (Optional) Enable api discovery only on cache miss in this distribution. See [Api Discovery Choice Api Discovery On Cache Miss ](#api-discovery-choice-api-discovery-on-cache-miss) below for details.(Deprecated) +`disable_api_discovery` - (Optional) Disable api discovery for this distribution (`Bool`). +`enable_api_discovery` - (Optional) Enable api discovery for all requests in this distribution. See [Api Discovery Choice Enable Api Discovery ](#api-discovery-choice-enable-api-discovery) below for details. -`https` - (Optional) User is responsible for managing DNS.. See [Loadbalancer Type Https ](#loadbalancer-type-https) below for details. - +`api_protection_rules` - (Optional) Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. See [Api Protection Api Protection Rules ](#api-protection-api-protection-rules) below for details. 
+`jwt_validation` - (Optional) tokens or tokens that are not yet valid.. See [Api Protection Jwt Validation ](#api-protection-jwt-validation) below for details. +###### One of the arguments from this list "default_sensitive_data_policy, sensitive_data_policy" must be set +`default_sensitive_data_policy` - (Optional) Apply system default sensitive data discovery (`Bool`). - +`sensitive_data_policy` - (Optional) Apply custom sensitive data discovery. See [Sensitive Data Policy Choice Sensitive Data Policy ](#sensitive-data-policy-choice-sensitive-data-policy) below for details. +### Security Options Auth Options - +Authentication Options. +###### One of the arguments from this list "custom, disable_auth, jwt" can be set +`custom` - (Optional) Enable Custom Authentication. See [Auth Options Custom ](#auth-options-custom) below for details. +`disable_auth` - (Optional) No Authentication (`Bool`). +`jwt` - (Optional) Enable JWT Authentication. See [Auth Options Jwt ](#auth-options-jwt) below for details. +### Security Options Common Security Controls - +x-displayName: "Common Security Controls". +`blocked_clients` - (Optional) Define rules to block IP Prefixes or AS numbers.. See [Common Security Controls Blocked Clients ](#common-security-controls-blocked-clients) below for details. +###### One of the arguments from this list "captcha_challenge, challenge_on_cache_miss, enable_challenge, js_challenge, no_challenge, policy_based_challenge" must be set +`captcha_challenge` - (Optional) Configure Captcha challenge on this load balancer. See [Challenge Type Captcha Challenge ](#challenge-type-captcha-challenge) below for details. +`challenge_on_cache_miss` - (Optional) Configure auto mitigation i.e risk based challenges for malicious users only on cache miss in this load balancer. 
See [Challenge Type Challenge On Cache Miss ](#challenge-type-challenge-on-cache-miss) below for details.(Deprecated) - +`enable_challenge` - (Optional) Configure auto mitigation i.e risk based challenges for malicious users for this load balancer. See [Challenge Type Enable Challenge ](#challenge-type-enable-challenge) below for details. +`js_challenge` - (Optional) Configure JavaScript challenge on this load balancer. See [Challenge Type Js Challenge ](#challenge-type-js-challenge) below for details. +`no_challenge` - (Optional) No challenge is enabled for this load balancer (`Bool`). +`policy_based_challenge` - (Optional) Specifies the settings for policy rule based challenge. See [Challenge Type Policy Based Challenge ](#challenge-type-policy-based-challenge) below for details. - +`cors_policy` - (Optional) resources from a server at a different origin. See [Common Security Controls Cors Policy ](#common-security-controls-cors-policy) below for details. +###### One of the arguments from this list "disable_ip_reputation, enable_ip_reputation, ip_reputation_on_cache_miss" can be set +`disable_ip_reputation` - (Optional) No IP reputation configured this distribution (`Bool`). +`enable_ip_reputation` - (Optional) Enable IP reputation for all requests in this distribution. See [Ip Reputation Choice Enable Ip Reputation ](#ip-reputation-choice-enable-ip-reputation) below for details. - +`ip_reputation_on_cache_miss` - (Optional) Enable IP reputation only on cache miss in this distribution. See [Ip Reputation Choice Ip Reputation On Cache Miss ](#ip-reputation-choice-ip-reputation-on-cache-miss) below for details.(Deprecated) +###### One of the arguments from this list "disable_malicious_user_detection, enable_malicious_user_detection, malicious_user_detection_on_cache_miss" must be set - +`disable_malicious_user_detection` - (Optional) Disable malicious user detection for this distribution (`Bool`). 
+`enable_malicious_user_detection` - (Optional) Enable malicious user detection for all requests in this distribution (`Bool`). +`malicious_user_detection_on_cache_miss` - (Optional) Enable malicious user detection only on cache miss in this distribution (`Bool`).(Deprecated) +###### One of the arguments from this list "api_rate_limit, disable_rate_limit, rate_limit" must be set +`api_rate_limit` - (Optional) Define rate limiting for one or more API endpoints. See [Rate Limit Choice Api Rate Limit ](#rate-limit-choice-api-rate-limit) below for details. +`disable_rate_limit` - (Optional) Rate limiting is not currently enabled for this load balancer (`Bool`). +`rate_limit` - (Optional) Define custom rate limiting parameters for this load balancer. See [Rate Limit Choice Rate Limit ](#rate-limit-choice-rate-limit) below for details. +###### One of the arguments from this list "active_service_policies, no_service_policies, service_policies_from_namespace" must be set - +`active_service_policies` - (Optional) Apply the specified list of service policies and bypass the namespace service policy set. See [Service Policy Choice Active Service Policies ](#service-policy-choice-active-service-policies) below for details. +`no_service_policies` - (Optional) Do not apply any service policies i.e. bypass the namespace service policy set (`Bool`). +`service_policies_from_namespace` - (Optional) Apply the active service policies configured as part of the namespace service policy set (`Bool`). +###### One of the arguments from this list "disable_threat_mesh, enable_threat_mesh" must be set +`disable_threat_mesh` - (Optional) x-displayName: "Disable" (`Bool`). +`enable_threat_mesh` - (Optional) x-displayName: "Enable" (`Bool`). +`trusted_clients` - (Optional) Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. See [Common Security Controls Trusted Clients ](#common-security-controls-trusted-clients) below for details. 
- +###### One of the arguments from this list "user_id_client_ip, user_identification" must be set +`user_id_client_ip` - (Optional) Use the Client IP address as the user identifier. (`Bool`). +`user_identification` - (Optional) The rules in the user_identification object are evaluated to determine the user identifier.. See [ref](#ref) below for details. +### Security Options Geo Filtering +Geo filtering options. +###### One of the arguments from this list "allow_list, block_list" can be set - +`allow_list` - (Optional) Allow list of countries. See [Geo Filtering Type Allow List ](#geo-filtering-type-allow-list) below for details. +`block_list` - (Optional) Block list of countries. See [Geo Filtering Type Block List ](#geo-filtering-type-block-list) below for details. +### Security Options Ip Filtering +IP filtering options. +###### One of the arguments from this list "allow_list, block_list" can be set +`allow_list` - (Optional) Allow list of ip prefixes. See [Ip Filtering Type Allow List ](#ip-filtering-type-allow-list) below for details. +`block_list` - (Optional) Block list of ip prefixes. See [Ip Filtering Type Block List ](#ip-filtering-type-block-list) below for details. +### Security Options Web App Firewall +Web Application Firewall. - +`csrf_policy` - (Optional) Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. See [Web App Firewall Csrf Policy ](#web-app-firewall-csrf-policy) below for details. +`data_guard_rules` - (Optional) Note: App Firewall should be enabled, to use Data Guard feature.. See [Web App Firewall Data Guard Rules ](#web-app-firewall-data-guard-rules) below for details. +`graphql_rules` - (Optional) queries and prevent GraphQL tailored attacks.. See [Web App Firewall Graphql Rules ](#web-app-firewall-graphql-rules) below for details. 
+`protected_cookies` - (Optional) Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. See [Web App Firewall Protected Cookies ](#web-app-firewall-protected-cookies) below for details. +###### One of the arguments from this list "app_firewall, app_firewall_on_cache_miss, disable_waf" must be set - +`app_firewall` - (Optional) Enable WAF configuration for all requests in this distribution. See [ref](#ref) below for details. +`app_firewall_on_cache_miss` - (Optional) Enable WAF configuration only on cache miss in this distribution. See [ref](#ref) below for details.(Deprecated) +`disable_waf` - (Optional) No WAF configuration for this load balancer (`Bool`). +`waf_exclusion_rules` - (Optional) When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. See [Web App Firewall Waf Exclusion Rules ](#web-app-firewall-waf-exclusion-rules) below for details. - +### Send Headers Choice Append Headers +Append mitigation headers.. +`auto_type_header_name` - (Required) A case-insensitive HTTP header name. (`String`). +`inference_header_name` - (Required) A case-insensitive HTTP header name. (`String`). - +### Send Headers Choice No Headers +No mitigation headers.. +### Sensitive Data Policy Choice Default Sensitive Data Policy +Apply system default sensitive data discovery. +### Sensitive Data Policy Choice Sensitive Data Policy -`https_auto_cert` - (Optional) DNS records will be managed by Volterra.. See [Loadbalancer Type Https Auto Cert ](#loadbalancer-type-https-auto-cert) below for details. - +Apply custom sensitive data discovery. +`sensitive_data_policy_ref` - (Required) Specify Sensitive Data Discovery. See [ref](#ref) below for details. +### Server Url Rules Client Matcher +Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. 
- +###### One of the arguments from this list "any_client, client_selector, ip_threat_category_list" must be set +`any_client` - (Optional) Any Client (`Bool`). +`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. +`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. +###### One of the arguments from this list "any_ip, asn_list, asn_matcher, ip_matcher, ip_prefix_list" must be set +`any_ip` - (Optional) Any Source IP (`Bool`). +`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. +`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. +`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. +`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. +`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. +### Server Url Rules Request Matcher +Conditions related to the request, such as query parameters, headers, etc.. 
+`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. -`disable_malicious_user_detection` - (Optional) Disable malicious user detection for this distribution (`Bool`). +`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. +`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. -`enable_malicious_user_detection` - (Optional) Enable malicious user detection for all requests in this distribution (`Bool`). +`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. +### Server Validation Choice Skip Server Verification -`malicious_user_detection_on_cache_miss` - (Optional) Enable malicious user detection only on cache miss in this distribution (`Bool`).(Deprecated) +Skip origin server verification. +### Server Validation Choice Use Server Verification +Perform origin server verification using the provided Root CA Certificate. +###### One of the arguments from this list "trusted_ca, trusted_ca_url" must be set -`more_option` - (Optional) More options like header manipulation, compression etc.. See [More Option ](#more-option) below for details.(Deprecated) +`trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Origin Pool for verification of server's certificate. See [ref](#ref) below for details. +`trusted_ca_url` - (Optional) Upload a Root CA Certificate specifically for this Origin Pool for verification of server's certificate (`String`). 
- +### Server Validation Choice Volterra Trusted Ca +Perform origin server verification using F5XC Default Root CA Certificate. - +### Service Policy Choice Active Service Policies +Apply the specified list of service policies and bypass the namespace service policy set. +`policies` - (Required) If all policies are evaluated and none match, then the request will be denied by default.. See [ref](#ref) below for details. +### Service Policy Choice No Service Policies +Do not apply any service policies i.e. bypass the namespace service policy set. +### Service Policy Choice Service Policies From Namespace +Apply the active service policies configured as part of the namespace service policy set. +### Slow Ddos Mitigation Choice Slow Ddos Mitigation +Custom Settings for Slow DDoS Mitigation. +`request_headers_timeout` - (Optional) provides protection against Slowloris attacks. (`Int`). +###### One of the arguments from this list "disable_request_timeout, request_timeout" must be set +`disable_request_timeout` - (Optional) x-displayName: "No Timeout" (`Bool`). - +`request_timeout` - (Optional) x-example: "60000" (`Int`). +### Sni Choice Disable Sni +Do not use SNI.. +### Sni Choice Use Host Header As Sni +Use the host header as SNI. The host header value is extracted after any configured rewrites have been applied.. +### Spec Arg Matchers +arg_matchers. +`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the argument is not present. (`Bool`). +`check_present` - (Optional) Check that the argument is present. (`Bool`). +`item` - (Optional) Criteria for matching the values for the Arg. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - +`presence` - (Optional) Check if the arg is present or absent. 
(`Bool`).(Deprecated) +`name` - (Required) A case-sensitive JSON path in the HTTP request body. (`String`). +### Spec Body Matcher +body_matcher. - +`exact_values` - (Optional) A list of exact values to match the input against. (`String`). +`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). +`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). +### Spec Cookie Matchers +cookie_matchers. +`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). - +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the cookie is not present. (`Bool`). - +`check_present` - (Optional) Check that the cookie is present. (`Bool`). +`item` - (Optional) Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. +`presence` - (Optional) Check if the cookie is present or absent. (`Bool`).(Deprecated) +`name` - (Required) A case-sensitive cookie name. (`String`). +### Spec Domain Matcher +domain_matcher. - +`exact_values` - (Optional) A list of exact values to match the input against. (`String`). +`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - +### Spec Headers +headers. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the header is not present. (`Bool`). +`check_present` - (Optional) Check that the header is present. (`Bool`). +`item` - (Optional) Criteria for matching the values for the header. 
The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. +`presence` - (Optional) Check if the header is present or absent. (`Bool`).(Deprecated) +`name` - (Required) A case-insensitive HTTP header name. (`String`). +### Spec Http Method +http_method. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`methods` - (Optional) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). +### Spec Path +path. +`exact_values` - (Optional) A list of exact path values to match the input HTTP path against. (`String`). +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`prefix_values` - (Optional) A list of path prefix values to match the input HTTP path against. (`String`). +`regex_values` - (Optional) A list of regular expressions to match the input HTTP path against. (`String`). +`suffix_values` - (Optional) A list of path suffix values to match the input HTTP path against. (`String`). +`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). +### Spec Query Params +query_params. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). - +`key` - (Required) A case-sensitive HTTP query parameter name. (`String`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the query parameter is not present. (`Bool`). +`check_present` - (Optional) Check that the query parameter is present. (`Bool`). +`item` - (Optional) criteria in the matcher.. See [Match Item ](#match-item) below for details. +`presence` - (Optional) Check if the query parameter is present or absent. (`Bool`).(Deprecated) +### Target All Endpoint +Validation will be performed for all requests on this LB. 
+### Target Api Groups +Validation will be performed for the endpoints mentioned in the API Groups. +`api_groups` - (Required) x-required (`String`). - +### Target Base Paths +Validation will be performed for selected path prefixes. - +`base_paths` - (Required) x-required (`String`). +### Temporary Blocking Parameters Choice Default Temporary Blocking Parameters +Use default parameters. - +### Temporary Blocking Parameters Choice Temporary User Blocking +Specifies configuration for temporary user blocking resulting from malicious user detection. +`custom_page` - (Optional) E.g. "

Blocked

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - +### Threat Mesh Choice Disable Threat Mesh +x-displayName: "Disable". - +### Threat Mesh Choice Enable Threat Mesh +x-displayName: "Enable". +### Tls Cert Params Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set +`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. +`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). +`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). +`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### Tls Certificates Private Key - +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. 
See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Tls Certificates Choice Tls Cert Params - +Select/Add one or more TLS Certificate objects to associate with this Load Balancer. +`certificates` - (Required) Select one or more certificates with any domain names.. See [ref](#ref) below for details. +###### One of the arguments from this list "no_mtls, use_mtls" must be set +`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). +`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. +`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Tls Cert Params Tls Config ](#tls-cert-params-tls-config) below for details. +### Tls Certificates Choice Tls Inline Params - +Upload a TLS certificate covering all domain names for this Load Balancer. +###### One of the arguments from this list "no_mtls, use_mtls" must be set +`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). +`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - +`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Tls Inline Params Tls Certificates ](#tls-inline-params-tls-certificates) below for details. +`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. 
See [Tls Inline Params Tls Config ](#tls-inline-params-tls-config) below for details. +### Tls Choice No Tls +Origin servers do not use TLS. +### Tls Choice Use Tls +Origin servers use TLS. +###### One of the arguments from this list "default_session_key_caching, disable_session_key_caching, max_session_keys" must be set +`default_session_key_caching` - (Optional) Default session key caching. Only one session key will be cached. (`Bool`). +`disable_session_key_caching` - (Optional) Disable session key caching. This will disable TLS session resumption. (`Bool`). +`max_session_keys` - (Optional) Number of session keys that are cached. (`Int`). +###### One of the arguments from this list "no_mtls, use_mtls, use_mtls_obj" must be set +`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). +`use_mtls` - (Optional) x-displayName: "Upload a client authentication certificate specifically for this Origin Pool". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. +`use_mtls_obj` - (Optional) x-displayName: "Select/add a TLS Certificate object for client authentication". See [ref](#ref) below for details. +###### One of the arguments from this list "skip_server_verification, use_server_verification, volterra_trusted_ca" must be set +`skip_server_verification` - (Optional) Skip origin server verification (`Bool`). - +`use_server_verification` - (Optional) Perform origin server verification using the provided Root CA Certificate. See [Server Validation Choice Use Server Verification ](#server-validation-choice-use-server-verification) below for details. +`volterra_trusted_ca` - (Optional) Perform origin server verification using F5XC Default Root CA Certificate (`Bool`). +###### One of the arguments from this list "disable_sni, sni, use_host_header_as_sni" must be set +`disable_sni` - (Optional) Do not use SNI. (`Bool`). - +`sni` - (Optional) SNI value to be used. (`String`). +`use_host_header_as_sni` - (Optional) Use the host header as SNI. 
The host header value is extracted after any configured rewrites have been applied. (`Bool`). +`tls_config` - (Required) TLS parameters such as min/max TLS version and ciphers. See [Use Tls Tls Config ](#use-tls-tls-config) below for details. +### Tls Fingerprint Choice Ja4 Tls Fingerprint +ja4_tls_fingerprint. - +`exact_values` - (Optional) A list of exact JA4 TLS fingerprint to match the input JA4 TLS fingerprint against (`String`). +### Tls Fingerprint Choice Tls Fingerprint Matcher +tls_fingerprint_matcher. +`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). - +`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). +`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). +### Tls Inline Params Tls Certificates +for example, domain.com and *.domain.com - but use different signature algorithms. +`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). - +`description` - (Optional) Description for the certificate (`String`). +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set +`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. +`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. 
- +`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. +`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. - +### Tls Inline Params Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. - +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set +`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. +`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). +`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). +`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### Tls Parameters Tls Certificates +for example, domain.com and *.domain.com - but use different signature algorithms. +`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). +`description` - (Optional) Description for the certificate (`String`). +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set +`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. 
See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. +`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. +`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. +`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Tls Parameters Tls Config +TLS Configuration Parameters. +###### One of the arguments from this list "tls_11_plus, tls_12_plus" must be set +`tls_11_plus` - (Optional) TLS v1.1+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +`tls_12_plus` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). +### Token Location Bearer Token - +Token is found in Authorization HTTP header with Bearer authentication scheme. +### Token Source Bearer Token - +Token is found in the Bearer-Token. +### Token Source Cookie +Token is found in the cookie. +`name` - (Required) A case-insensitive cookie name. (`String`). +### Token Source Header +Token is found in the header. +`name` - (Required) A case-insensitive field header name. (`String`). +### Token Source Query Param +Token is found in the Query-Param. +`key` - (Required) A case-sensitive HTTP query parameter name. (`String`). +### Transaction Result Failure Conditions +Failure Conditions. +`name` - (Optional) A case-insensitive HTTP header name. (`String`). +`regex_values` - (Optional) A list of regular expressions to match the input against. 
(`String`). +`status` - (Required) HTTP Status code (`String`). +### Transaction Result Success Conditions +Success Conditions. +`name` - (Optional) A case-insensitive HTTP header name. (`String`). +`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). +`status` - (Required) HTTP Status code (`String`). +### Transaction Result Choice Disable Transaction Result +Disable collection of transaction result.. - +### Transaction Result Choice Transaction Result +Collect transaction result.. +`failure_conditions` - (Optional) Failure Conditions. See [Transaction Result Failure Conditions ](#transaction-result-failure-conditions) below for details. +`success_conditions` - (Optional) Success Conditions. See [Transaction Result Success Conditions ](#transaction-result-success-conditions) below for details. - +### Trusted Clients Metadata +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - +### Ttl Options Cache Disabled +Disable Caching of content from the origin. +### Use Mtls Tls Certificates +mTLS Client Certificate. +`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). - +`description` - (Optional) Description for the certificate (`String`). +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set +`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. 
See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. +`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. +`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. +`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Use Tls Tls Config - +TLS parameters such as min/max TLS version and ciphers. +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set - +`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. +`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). +`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). +`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### User Id Choice User Id Client Ip +Use the Client IP address as the user identifier.. +### Validate Period Validate Period Disable +x-displayName: "Disable". +### Validate Period Validate Period Enable +x-displayName: "Enable". +### Validation All Spec Endpoints Fall Through Mode +Determine what to do with unprotected endpoints (not part of the API Inventory or doesn't have a specific rule in custom rules). 
+###### One of the arguments from this list "fall_through_mode_allow, fall_through_mode_custom" must be set +`fall_through_mode_allow` - (Optional) Allow any unprotected end point (`Bool`). +`fall_through_mode_custom` - (Optional) Custom rules for any unprotected end point. See [Fall Through Mode Choice Fall Through Mode Custom ](#fall-through-mode-choice-fall-through-mode-custom) below for details. +### Validation All Spec Endpoints Settings +OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. +###### One of the arguments from this list "fail_close, fail_open" can be set +`fail_close` - (Optional) Handle the transaction as it failed the OpenAPI specification validation (Block or Report) (`Bool`).(Deprecated) +`fail_open` - (Optional) Continue to process the transaction without enforcing OpenAPI specification (Allow) (`Bool`).(Deprecated) +###### One of the arguments from this list "oversized_body_fail_validation, oversized_body_skip_validation" can be set +`oversized_body_fail_validation` - (Optional) Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb) (`Bool`). +`oversized_body_skip_validation` - (Optional) Skip body validation when the body length is too long to verify (default 64Kb) (`Bool`). +###### One of the arguments from this list "property_validation_settings_custom, property_validation_settings_default" can be set +`property_validation_settings_custom` - (Optional) Use custom settings with Open API specification validation. See [Property Validation Settings Choice Property Validation Settings Custom ](#property-validation-settings-choice-property-validation-settings-custom) below for details. +`property_validation_settings_default` - (Optional) Keep the default settings of OpenAPI specification validation (`Bool`). 
+### Validation All Spec Endpoints Validation Mode +When a validation mismatch occurs on a request to one of the API Inventory endpoints. +###### One of the arguments from this list "response_validation_mode_active, skip_response_validation" must be set +`response_validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Response Validation Mode Choice Response Validation Mode Active ](#response-validation-mode-choice-response-validation-mode-active) below for details. +`skip_response_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`origin_pool` - (Required) x-required. See [Origin Pool ](#origin-pool) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`other_settings` - (Optional) x-displayName: "Other Settings". See [Other Settings ](#other-settings) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`protected_cookies` - (Optional) Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. See [Protected Cookies ](#protected-cookies) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`api_rate_limit` - (Optional) Define rate limiting for one or more API endpoints. See [Rate Limit Choice Api Rate Limit ](#rate-limit-choice-api-rate-limit) below for details. - - -`disable_rate_limit` - (Optional) Rate limiting is not currently enabled for this load balancer (`Bool`). - - -`rate_limit` - (Optional) Define custom rate limiting parameters for this load balancer. See [Rate Limit Choice Rate Limit ](#rate-limit-choice-rate-limit) below for details. - - - - - -`default_sensitive_data_policy` - (Optional) Apply system default sensitive data discovery (`Bool`). - - -`sensitive_data_policy` - (Optional) Apply custom sensitive data discovery. See [Sensitive Data Policy Choice Sensitive Data Policy ](#sensitive-data-policy-choice-sensitive-data-policy) below for details. - - - - - -`active_service_policies` - (Optional) Apply the specified list of service policies and bypass the namespace service policy set. See [Service Policy Choice Active Service Policies ](#service-policy-choice-active-service-policies) below for details. - - -`no_service_policies` - (Optional) Do not apply any service policies i.e. bypass the namespace service policy set (`Bool`). 
- - -`service_policies_from_namespace` - (Optional) Apply the active service policies configured as part of the namespace service policy set (`Bool`). - - - - - -`slow_ddos_mitigation` - (Optional) Custom Settings for Slow DDoS Mitigation. See [Slow Ddos Mitigation Choice Slow Ddos Mitigation ](#slow-ddos-mitigation-choice-slow-ddos-mitigation) below for details. - - - - - - - - - - - - - -`system_default_timeouts` - (Optional) Default Settings for Slow DDoS Mitigation (`Bool`). - - - - - -`disable_threat_mesh` - (Optional) x-displayName: "Disable" (`Bool`). - - -`enable_threat_mesh` - (Optional) x-displayName: "Enable" (`Bool`). - - - - -`trusted_clients` - (Optional) Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. See [Trusted Clients ](#trusted-clients) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - -`user_id_client_ip` - (Optional) Use the Client IP address as the user identifier. (`Bool`). - - -`user_identification` - (Optional) The rules in the user_identification object are evaluated to determine the user identifier.. See [ref](#ref) below for details. - - - - - -`app_firewall` - (Optional) Enable WAF configuration for all requests in this distribution. See [ref](#ref) below for details. - - -`app_firewall_on_cache_miss` - (Optional) Enable WAF configuration only on cache miss in this distribution. See [ref](#ref) below for details.(Deprecated) - - -`disable_waf` - (Optional) No WAF configuration for this load balancer (`Bool`). - - - - -`waf_exclusion_rules` - (Optional) When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. See [Waf Exclusion Rules ](#waf-exclusion-rules) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Api Protection Rules - - Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. 
- -`api_endpoint_rules` - (Optional) If request matches any of these rules, skipping second category rules.. See [Api Protection Rules Api Endpoint Rules ](#api-protection-rules-api-endpoint-rules) below for details. - -`api_groups_rules` - (Optional) For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.. See [Api Protection Rules Api Groups Rules ](#api-protection-rules-api-groups-rules) below for details. - - - -### Blocked Clients - - Define rules to block IP Prefixes or AS numbers.. - - - - -###### One of the arguments from this list "bot_skip_processing, skip_processing, waf_skip_processing" can be set - -`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - - -`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - - -`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. (`Bool`).(Deprecated) - - -`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). - - - -###### One of the arguments from this list "ip_prefix, as_number, http_header, user_identifier" must be set - -`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). - - -`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. - - -`ip_prefix` - (Optional) IPv4 prefix string. (`String`). - - -`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). - - -`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Blocked Clients Metadata ](#blocked-clients-metadata) below for details. 
- - - -### Cache Rules - - Rules are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs.. - - - -###### One of the arguments from this list "cache_bypass, eligible_for_cache" must be set - -`cache_bypass` - (Optional) Bypass Caching of content from the origin (`Bool`). - - -`eligible_for_cache` - (Optional) Eligible for caching the content. See [Cache Actions Eligible For Cache ](#cache-actions-eligible-for-cache) below for details. - - -`rule_expression_list` - (Required) Expressions are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs... See [Cache Rules Rule Expression List ](#cache-rules-rule-expression-list) below for details. - -`rule_name` - (Required) Name of the Cache Rule (`String`). - - - -### Cors Policy - - resources from a server at a different origin. - -`allow_credentials` - (Optional) Specifies whether the resource allows credentials (`Bool`). - -`allow_headers` - (Optional) Specifies the content for the access-control-allow-headers header (`String`). - -`allow_methods` - (Optional) Specifies the content for the access-control-allow-methods header (`String`). - -`allow_origin` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). - -`allow_origin_regex` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). - -`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). - -`expose_headers` - (Optional) Specifies the content for the access-control-expose-headers header (`String`). - -`max_age` - (Optional) Specifies the content for the access-control-max-age header (`String`).(Deprecated) - -`maximum_age` - (Optional) Maximum permitted value is 86400 seconds (24 hours) (`Int`). 
- - - -### Csrf Policy - - Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. - - - -###### One of the arguments from this list "disabled, all_load_balancer_domains, custom_domain_list" must be set - -`all_load_balancer_domains` - (Optional) Add All load balancer domains to source origin (allow) list. (`Bool`). - - -`custom_domain_list` - (Optional) Add one or more domains to source origin (allow) list.. See [Allowed Domains Custom Domain List ](#allowed-domains-custom-domain-list) below for details. - - -`disabled` - (Optional) Allow all source origin domains. (`Bool`). - - - - -### Data Guard Rules - - Note: App Firewall should be enabled, to use Data Guard feature.. - - - -###### One of the arguments from this list "apply_data_guard, skip_data_guard" must be set - -`apply_data_guard` - (Optional) x-displayName: "Apply" (`Bool`). - - -`skip_data_guard` - (Optional) x-displayName: "Skip" (`Bool`). - - - - -###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set - -`any_domain` - (Optional) Enable Data Guard for any domain (`Bool`). - - -`exact_value` - (Optional) Exact domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Data Guard Rules Metadata ](#data-guard-rules-metadata) below for details. - -`path` - (Required) URI path matcher.. See [Data Guard Rules Path ](#data-guard-rules-path) below for details. - - - -### Ddos Mitigation Rules - - Define manual mitigation rules to block L7 DDoS attacks.. - -`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. 
See [Ddos Mitigation Rules Metadata ](#ddos-mitigation-rules-metadata) below for details. - - - -###### One of the arguments from this list "block" must be set - -`block` - (Optional) Block user for a duration determined by the expiration time (`Bool`). - - - - -###### One of the arguments from this list "ddos_client_source, ip_prefix_list" must be set - -`ddos_client_source` - (Optional) Combination of Region, ASN and TLS Fingerprints. See [Mitigation Choice Ddos Client Source ](#mitigation-choice-ddos-client-source) below for details. - - -`ip_prefix_list` - (Optional) IPv4 prefix string.. See [Mitigation Choice Ip Prefix List ](#mitigation-choice-ip-prefix-list) below for details. - - - - -### Default Cache Action - - Default value for Cache action.. - - - - -###### One of the arguments from this list "eligible_for_cache, cache_ttl_default, cache_ttl_override, cache_disabled" can be set - -`cache_disabled` - (Optional) Disable Caching of content from the origin (`Bool`). - - -`cache_ttl_default` - (Optional) Cache TTL value to use when the origin does not provide one (`String`). - - -`cache_ttl_override` - (Optional) Override the Cache TTL directive in the response from the origin (`String`). - - -`eligible_for_cache` - (Optional) Eligible for caching the content. See [Cache Actions Eligible For Cache ](#cache-actions-eligible-for-cache) below for details.(Deprecated) - - - - -### Graphql Rules - - queries and prevent GraphQL tailored attacks.. - - - -###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set - -`any_domain` - (Optional) Enable GraphQL inspection for any domain (`Bool`). - - -`exact_value` - (Optional) Exact domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - -`exact_path` - (Required) Specifies the exact path to GraphQL endpoint. Default value is /graphql. (`String`). 
- -`graphql_settings` - (Optional) GraphQL configuration.. See [Graphql Rules Graphql Settings ](#graphql-rules-graphql-settings) below for details. - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Graphql Rules Metadata ](#graphql-rules-metadata) below for details. - - - -###### One of the arguments from this list "method_get, method_post" must be set - -`method_get` - (Optional) x-displayName: "GET" (`Bool`). - - -`method_post` - (Optional) x-displayName: "POST" (`Bool`). - - - - -### Jwt Validation - - tokens or tokens that are not yet valid.. - -`action` - (Required) x-required. See [Jwt Validation Action ](#jwt-validation-action) below for details. - - - -###### One of the arguments from this list "jwks, jwks_config, auth_server_uri" must be set - -`auth_server_uri` - (Optional) JWKS URI will be will be retrieved from this URI (`String`).(Deprecated) - - -`jwks` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details. (`String`).(Deprecated) - - -`jwks_config` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.. See [Jwks Configuration Jwks Config ](#jwks-configuration-jwks-config) below for details. - - -`mandatory_claims` - (Optional) If the claim does not exist JWT token validation will fail.. See [Jwt Validation Mandatory Claims ](#jwt-validation-mandatory-claims) below for details. - -`reserved_claims` - (Optional) the token validation of these claims should be disabled.. See [Jwt Validation Reserved Claims ](#jwt-validation-reserved-claims) below for details. - -`target` - (Required) Define endpoints for which JWT token validation will be performed. See [Jwt Validation Target ](#jwt-validation-target) below for details. 
- -`token_location` - (Required) Define where in the HTTP request the JWT token will be extracted. See [Jwt Validation Token Location ](#jwt-validation-token-location) below for details. - - - -### More Option - - More options like header manipulation, compression etc.. - -`cache_options` - (Optional) Cache Options. See [More Option Cache Options ](#more-option-cache-options) below for details. - -`cache_ttl_options` - (Optional) Cache Options. See [More Option Cache Ttl Options ](#more-option-cache-ttl-options) below for details.(Deprecated) - -`header_options` - (Optional) Request/Response header related options. See [More Option Header Options ](#more-option-header-options) below for details. - -`logging_options` - (Optional) Logging related options. See [More Option Logging Options ](#more-option-logging-options) below for details. - -`security_options` - (Optional) Security related options. See [More Option Security Options ](#more-option-security-options) below for details. - - - -### Origin Pool - - x-required. - -`follow_origin_redirect` - (Optional) Instructs the CDN to follow redirects from the origin server(s) (`Bool`).(Deprecated) - -`more_origin_options` - (Optional) x-displayName: "Advanced Configuration". See [Origin Pool More Origin Options ](#origin-pool-more-origin-options) below for details. - -`origin_request_timeout` - (Optional) Configures the time after which a request to the origin will time out waiting for a response (`String`). - -`origin_servers` - (Required) List of original servers. See [Origin Pool Origin Servers ](#origin-pool-origin-servers) below for details. - -`public_name` - (Required) The DNS name to be used as the host header for the request to the origin server. See [Origin Pool Public Name ](#origin-pool-public-name) below for details. - - - -###### One of the arguments from this list "no_tls, use_tls" must be set - -`no_tls` - (Optional) Origin servers do not use TLS (`Bool`). 
- - -`use_tls` - (Optional) Origin servers use TLS. See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. - - - - -### Other Settings - - x-displayName: "Other Settings". - -`add_location` - (Optional) Appends header x-volterra-location = in responses. (`Bool`). - -`geo_filtering` - (Optional) Geo filtering options. See [Other Settings Geo Filtering ](#other-settings-geo-filtering) below for details.(Deprecated) - -`header_options` - (Optional) Request/Response header related options. See [Other Settings Header Options ](#other-settings-header-options) below for details. - -`ip_filtering` - (Optional) IP filtering options. See [Other Settings Ip Filtering ](#other-settings-ip-filtering) below for details.(Deprecated) - -`logging_options` - (Optional) Logging related options. See [Other Settings Logging Options ](#other-settings-logging-options) below for details. - - - -### Protected Cookies - - Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. - - - -###### One of the arguments from this list "disable_tampering_protection, enable_tampering_protection" must be set - -`disable_tampering_protection` - (Optional) x-displayName: "Disable" (`Bool`). - - -`enable_tampering_protection` - (Optional) x-displayName: "Enable" (`Bool`). - - - - - -###### One of the arguments from this list "ignore_httponly, add_httponly" can be set - -`add_httponly` - (Optional) x-displayName: "Add" (`Bool`). - - -`ignore_httponly` - (Optional) x-displayName: "Ignore" (`Bool`). - - - - - -###### One of the arguments from this list "ignore_max_age, max_age_value" can be set - -`ignore_max_age` - (Optional) Ignore max age attribute (`Bool`).(Deprecated) - - -`max_age_value` - (Optional) Add max age attribute (`Int`).(Deprecated) - - -`name` - (Required) Name of the Cookie (`String`). 
- - - - -###### One of the arguments from this list "samesite_strict, samesite_lax, samesite_none, ignore_samesite" can be set - -`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). - - -`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). - - -`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). - - -`samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). - - - - - -###### One of the arguments from this list "ignore_secure, add_secure" can be set - -`add_secure` - (Optional) x-displayName: "Add" (`Bool`). - - -`ignore_secure` - (Optional) x-displayName: "Ignore" (`Bool`). - - - - -### Trusted Clients - - Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. - - - - -###### One of the arguments from this list "skip_processing, waf_skip_processing, bot_skip_processing" can be set - -`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - - -`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - - -`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. (`Bool`).(Deprecated) - - -`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). - - - -###### One of the arguments from this list "user_identifier, ip_prefix, as_number, http_header" must be set - -`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). - - -`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. 
- - -`ip_prefix` - (Optional) IPv4 prefix string. (`String`). - - -`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). - - -`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Trusted Clients Metadata ](#trusted-clients-metadata) below for details. - - - -### Waf Exclusion Rules - - When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. - - - -###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set - -`any_domain` - (Optional) Apply this WAF exclusion rule for any domain (`Bool`). - - -`exact_value` - (Optional) Exact domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - -`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Waf Exclusion Rules Metadata ](#waf-exclusion-rules-metadata) below for details. - -`methods` - (Optional) methods to be matched (`List of Strings`). - - - -###### One of the arguments from this list "any_path, path_prefix, path_regex" must be set - -`any_path` - (Optional) Match all paths (`Bool`). - - -`path_prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`path_regex` - (Optional) Define the regex for the path. For example, the regex ^/.*$ will match on all paths (`String`). 
- - - - - -###### One of the arguments from this list "app_firewall_detection_control, waf_skip_processing" can be set - -`app_firewall_detection_control` - (Optional) Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria.. See [Waf Advanced Configuration App Firewall Detection Control ](#waf-advanced-configuration-app-firewall-detection-control) below for details. - - -`waf_skip_processing` - (Optional) Skip all App Firewall processing for this request (`Bool`). - - - - -### Action Allow - - Allow the request to proceed.. - - - -### Action Deny - - Deny the request.. - - - -### Action Choice Action Block - - Block the request and issue an API security event. - - - -### Action Choice Action Report - - Continue processing the request and issue an API security event. - - - -### Action Choice Action Skip - - Continue processing the request. - - - -### Action Choice Apply Data Guard - - x-displayName: "Apply". - - - -### Action Choice Block - - Block the request and report the issue. - - - -### Action Choice Bot Skip Processing - - Skip Bot Defense processing for clients matching this rule.. - - - -### Action Choice Report - - Allow the request and report the issue. - - - -### Action Choice Skip Data Guard - - x-displayName: "Skip". - - - -### Action Choice Skip Processing - - Skip both WAF and Bot Defense processing for clients matching this rule.. - - - -### Action Choice Waf Skip Processing - - Skip WAF processing for clients matching this rule.. - - - -### Action Type Block - - Block bot request and send response with custom content.. - -`body` - (Optional) E.g. "

Your request was blocked

". Base64 encoded string for this html is "LzxwPiBZb3VyIHJlcXVlc3Qgd2FzIGJsb2NrZWQgPC9wPg==" (`String`). - -`body_hash` - (Optional) Represents the corresponding MD5 Hash for the body message. (`String`).(Deprecated) - -`status` - (Optional) HTTP Status code to respond with (`String`). - - - -### Action Type Flag - - Flag the request while not taking any invasive actions.. - - - - -###### One of the arguments from this list "no_headers, append_headers" can be set - -`append_headers` - (Optional) Append mitigation headers.. See [Send Headers Choice Append Headers ](#send-headers-choice-append-headers) below for details. - - -`no_headers` - (Optional) No mitigation headers. (`Bool`). - - - - -### Action Type None - - No mitigation actions.. - - - -### Action Type Redirect - - Redirect bot request to a custom URI.. - -`uri` - (Required) URI location for redirect may be relative or absolute. (`String`). - - - -### Additional Headers Choice Allow Additional Headers - - Allow extra headers (on top of what specified in the OAS documentation). - - - -### Additional Headers Choice Disallow Additional Headers - - Disallow extra headers (on top of what specified in the OAS documentation). - - - -### Additional Parameters Choice Allow Additional Parameters - - Allow extra query parameters (on top of what specified in the OAS documentation). - - - -### Additional Parameters Choice Disallow Additional Parameters - - Disallow extra query parameters (on top of what specified in the OAS documentation). - - - -### Allow Introspection Queries Choice Disable Introspection - - Disable introspection queries for the load balancer.. - - - -### Allow Introspection Queries Choice Enable Introspection - - Enable introspection queries for the load balancer.. - - - -### Allowed Domains All Load Balancer Domains - - Add All load balancer domains to source origin (allow) list.. - - - -### Allowed Domains Custom Domain List - - Add one or more domains to source origin (allow) list.. 
- -`domains` - (Required) Wildcard names are supported in the suffix or prefix form. (`String`). - - - -### Allowed Domains Disabled - - Allow all source origin domains.. - - - -### Api Definition Choice Api Specification - - Specify API definition and OpenAPI Validation. - -`api_definition` - (Required) Specify API definition which includes application API paths and methods derived from swagger files.. See [ref](#ref) below for details. - - - -###### One of the arguments from this list "validation_all_spec_endpoints, validation_custom_list, validation_disabled" must be set - -`validation_all_spec_endpoints` - (Optional) All other API endpoints would proceed according to "Fall Through Mode". See [Validation Target Choice Validation All Spec Endpoints ](#validation-target-choice-validation-all-spec-endpoints) below for details. - - -`validation_custom_list` - (Optional) Any other end-points not listed will act according to "Fall Through Mode". See [Validation Target Choice Validation Custom List ](#validation-target-choice-validation-custom-list) below for details. - - -`validation_disabled` - (Optional) Don't run OpenAPI validation (`Bool`). - - - - -### Api Definition Choice Api Specification On Cache Miss - - Enable API definition and OpenAPI Validation only on cache miss in this distribution. - -`api_definition` - (Required) Specify API definition which includes application API paths and methods derived from swagger files.. See [ref](#ref) below for details. - - - -###### One of the arguments from this list "validation_all_spec_endpoints, validation_custom_list, validation_disabled" must be set - -`validation_all_spec_endpoints` - (Optional) All other API endpoints would proceed according to "Fall Through Mode". See [Validation Target Choice Validation All Spec Endpoints ](#validation-target-choice-validation-all-spec-endpoints) below for details. 
- - -`validation_custom_list` - (Optional) Any other end-points not listed will act according to "Fall Through Mode". See [Validation Target Choice Validation Custom List ](#validation-target-choice-validation-custom-list) below for details. - - -`validation_disabled` - (Optional) Don't run OpenAPI validation (`Bool`). - - - - -### Api Definition Choice Disable Api Definition - - API Definition is not currently used for this load balancer. - - - -### Api Discovery Choice Api Discovery On Cache Miss - - Enable api discovery only on cache miss in this distribution. - -`discovered_api_settings` - (Optional) Configure Discovered API Settings.. See [Api Discovery On Cache Miss Discovered Api Settings ](#api-discovery-on-cache-miss-discovered-api-settings) below for details. - - - -###### One of the arguments from this list "disable_learn_from_redirect_traffic, enable_learn_from_redirect_traffic" must be set - -`disable_learn_from_redirect_traffic` - (Optional) Disable learning API patterns from traffic with redirect response codes 3xx (`Bool`). - - -`enable_learn_from_redirect_traffic` - (Optional) Enable learning API patterns from traffic with redirect response codes 3xx (`Bool`). - - -`sensitive_data_detection_rules` - (Optional) Manage rules to detect sensitive data in requests and/or response sections.. See [Api Discovery On Cache Miss Sensitive Data Detection Rules ](#api-discovery-on-cache-miss-sensitive-data-detection-rules) below for details.(Deprecated) - - - -### Api Discovery Choice Disable Api Discovery - - Disable api discovery for this distribution. - - - -### Api Discovery Choice Enable Api Discovery - - Enable api discovery for all requests in this distribution. - -`discovered_api_settings` - (Optional) Configure Discovered API Settings.. See [Enable Api Discovery Discovered Api Settings ](#enable-api-discovery-discovered-api-settings) below for details. 
- - - -###### One of the arguments from this list "disable_learn_from_redirect_traffic, enable_learn_from_redirect_traffic" must be set - -`disable_learn_from_redirect_traffic` - (Optional) Disable learning API patterns from traffic with redirect response codes 3xx (`Bool`). - - -`enable_learn_from_redirect_traffic` - (Optional) Enable learning API patterns from traffic with redirect response codes 3xx (`Bool`). - - -`sensitive_data_detection_rules` - (Optional) Manage rules to detect sensitive data in requests and/or response sections.. See [Enable Api Discovery Sensitive Data Detection Rules ](#enable-api-discovery-sensitive-data-detection-rules) below for details.(Deprecated) - - - -### Api Discovery On Cache Miss Discovered Api Settings - - Configure Discovered API Settings.. - - - -### Api Discovery On Cache Miss Sensitive Data Detection Rules - - Manage rules to detect sensitive data in requests and/or response sections.. - - - -### Api Endpoint Rules Action - - The action to take if the input request matches the rule.. - - - -###### One of the arguments from this list "allow, deny" must be set - -`allow` - (Optional) Allow the request to proceed. (`Bool`). - - -`deny` - (Optional) Deny the request. (`Bool`). - - - - -### Api Endpoint Rules Api Endpoint Method - - The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`methods` - (Optional) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). - - - -### Api Endpoint Rules Client Matcher - - Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - - - -###### One of the arguments from this list "any_client, ip_threat_category_list, client_selector" must be set - -`any_client` - (Optional) Any Client (`Bool`). 
- - -`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - - -`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - - - - -###### One of the arguments from this list "asn_list, asn_matcher, any_ip, ip_prefix_list, ip_matcher" must be set - -`any_ip` - (Optional) Any Source IP (`Bool`). - - -`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. - - -`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. - - -`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. - - -`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. - - -`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. - - - -### Api Endpoint Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). 
- -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Api Endpoint Rules Request Matcher - - Conditions related to the request, such as query parameters, headers, etc.. - -`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. - -`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. - -`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. - -`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. - - - -### Api Groups Rules Action - - The action to take if the input request matches the rule.. - - - -###### One of the arguments from this list "deny, allow" must be set - -`allow` - (Optional) Allow the request to proceed. (`Bool`). - - -`deny` - (Optional) Deny the request. (`Bool`). - - - - -### Api Groups Rules Client Matcher - - Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - - - -###### One of the arguments from this list "any_client, ip_threat_category_list, client_selector" must be set - -`any_client` - (Optional) Any Client (`Bool`). - - -`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. 
- - -`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - - - - -###### One of the arguments from this list "asn_matcher, any_ip, ip_prefix_list, ip_matcher, asn_list" must be set - -`any_ip` - (Optional) Any Source IP (`Bool`). - - -`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. - - -`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. - - -`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. - - -`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. - - -`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. - - - -### Api Groups Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). 
- - - -### Api Groups Rules Request Matcher - - Conditions related to the request, such as query parameters, headers, etc.. - -`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. - -`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. - -`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. - -`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. - - - -### Api Protection Api Protection Rules - - Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. - -`api_endpoint_rules` - (Optional) If request matches any of these rules, skipping second category rules.. See [Api Protection Rules Api Endpoint Rules ](#api-protection-rules-api-endpoint-rules) below for details. - -`api_groups_rules` - (Optional) For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.. See [Api Protection Rules Api Groups Rules ](#api-protection-rules-api-groups-rules) below for details. - - - -### Api Protection Jwt Validation - - tokens or tokens that are not yet valid.. - -`action` - (Required) x-required. See [Jwt Validation Action ](#jwt-validation-action) below for details. 
- - - -###### One of the arguments from this list "jwks_config, auth_server_uri, jwks" must be set - -`auth_server_uri` - (Optional) JWKS URI will be will be retrieved from this URI (`String`).(Deprecated) - - -`jwks` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details. (`String`).(Deprecated) - - -`jwks_config` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.. See [Jwks Configuration Jwks Config ](#jwks-configuration-jwks-config) below for details. - - -`mandatory_claims` - (Optional) If the claim does not exist JWT token validation will fail.. See [Jwt Validation Mandatory Claims ](#jwt-validation-mandatory-claims) below for details. - -`reserved_claims` - (Optional) the token validation of these claims should be disabled.. See [Jwt Validation Reserved Claims ](#jwt-validation-reserved-claims) below for details. - -`target` - (Required) Define endpoints for which JWT token validation will be performed. See [Jwt Validation Target ](#jwt-validation-target) below for details. - -`token_location` - (Required) Define where in the HTTP request the JWT token will be extracted. See [Jwt Validation Token Location ](#jwt-validation-token-location) below for details. - - - -### Api Protection Rules Api Endpoint Rules - - If request matches any of these rules, skipping second category rules.. - -`action` - (Required) The action to take if the input request matches the rule.. See [Api Endpoint Rules Action ](#api-endpoint-rules-action) below for details. - -`api_endpoint_method` - (Optional) The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. See [Api Endpoint Rules Api Endpoint Method ](#api-endpoint-rules-api-endpoint-method) below for details. 
- -`api_endpoint_path` - (Required) The endpoint (path) of the request. (`String`). - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Endpoint Rules Client Matcher ](#api-endpoint-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "any_domain, specific_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - - -`specific_domain` - (Optional) For example: api.example.com (`String`). - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Api Endpoint Rules Metadata ](#api-endpoint-rules-metadata) below for details. - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Endpoint Rules Request Matcher ](#api-endpoint-rules-request-matcher) below for details. - - - -### Api Protection Rules Api Groups Rules - - For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.. - -`action` - (Required) The action to take if the input request matches the rule.. See [Api Groups Rules Action ](#api-groups-rules-action) below for details. - -`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`). - -`base_path` - (Required) For example: /v1 (`String`). - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Groups Rules Client Matcher ](#api-groups-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "any_domain, specific_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - - -`specific_domain` - (Optional) For example: api.example.com (`String`). 
- - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Api Groups Rules Metadata ](#api-groups-rules-metadata) below for details. - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Groups Rules Request Matcher ](#api-groups-rules-request-matcher) below for details. - - - -### Api Rate Limit Api Endpoint Rules - - For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. - -`api_endpoint_method` - (Optional) The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. See [Api Endpoint Rules Api Endpoint Method ](#api-endpoint-rules-api-endpoint-method) below for details. - -`api_endpoint_path` - (Required) The endpoint (path) of the request. (`String`). - -`base_path` - (Optional) The request base path. (`String`).(Deprecated) - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Endpoint Rules Client Matcher ](#api-endpoint-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "any_domain, specific_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - - -`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). - - - - -###### One of the arguments from this list "ref_rate_limiter, inline_rate_limiter" must be set - -`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. - - -`ref_rate_limiter` - (Optional) Select external rate limiter.. See [ref](#ref) below for details. - - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. 
See [Api Endpoint Rules Request Matcher ](#api-endpoint-rules-request-matcher) below for details. - - - -### Api Rate Limit Server Url Rules - - For matching also specific endpoints you can use the API endpoint rules set bellow.. - -`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`). - -`base_path` - (Required) Prefix of the request path. (`String`). - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Server Url Rules Client Matcher ](#server-url-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "specific_domain, any_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - - -`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). - - - - -###### One of the arguments from this list "inline_rate_limiter, ref_rate_limiter" must be set - -`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. - - -`ref_rate_limiter` - (Optional) Use external rate limiter.. See [ref](#ref) below for details. - - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Server Url Rules Request Matcher ](#server-url-rules-request-matcher) below for details. - - - -### App Firewall Detection Control Exclude Attack Type Contexts - - Attack Types to be excluded for the defined match criteria. - -`context` - (Required) x-required (`String`). - -`context_name` - (Optional) Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. (`String`). - -`exclude_attack_type` - (Required) x-required (`String`). 
- - - -### App Firewall Detection Control Exclude Bot Name Contexts - - Bot Names to be excluded for the defined match criteria. - -`bot_name` - (Required) x-example: "Hydra" (`String`). - - - -### App Firewall Detection Control Exclude Signature Contexts - - Signature IDs to be excluded for the defined match criteria. - -`context` - (Required) x-required (`String`). - -`context_name` - (Optional) Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. (`String`). - -`signature_id` - (Required) 0 implies that all signatures will be excluded for the specified context. (`Int`). - - - -### App Firewall Detection Control Exclude Violation Contexts - - Violations to be excluded for the defined match criteria. - -`context` - (Required) x-required (`String`). - -`context_name` - (Optional) Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. (`String`). - -`exclude_violation` - (Required) x-required (`String`). - - - -### App Traffic Type Choice Mobile - - Mobile traffic channel.. - - - -### App Traffic Type Choice Mobile Client - - Mobile traffic channel.. - - - -### App Traffic Type Choice Web - - Web traffic channel.. - - - -### App Traffic Type Choice Web Client - - Web traffic channel.. - - - -### App Traffic Type Choice Web Mobile - - Web and mobile traffic channel.. - -`header` - (Optional) Header that is used by mobile traffic.. See [Web Mobile Header ](#web-mobile-header) below for details.(Deprecated) - -`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Web Mobile Headers ](#web-mobile-headers) below for details.(Deprecated) - -`mobile_identifier` - (Optional) Mobile identifier type (`String`). - - - -### App Traffic Type Choice Web Mobile Client - - Web and mobile traffic channel.. - -`header` - (Optional) Header that is used by mobile traffic.. 
See [Web Mobile Client Header ](#web-mobile-client-header) below for details.(Deprecated) - -`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Web Mobile Client Headers ](#web-mobile-client-headers) below for details.(Deprecated) - -`mobile_identifier` - (Optional) Mobile identifier type (`String`). - - - -### Asn Choice Any Asn - -any_asn. - - - -### Asn Choice Asn List - -asn_list. - -`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). - - - -### Asn Choice Asn Matcher - -asn_matcher. - -`asn_sets` - (Required) A list of references to bgp_asn_set objects.. See [ref](#ref) below for details. - - - -### Audience Validation Audience - - x-displayName: "Exact Match". - -`audiences` - (Required) x-required (`String`). - - - -### Audience Validation Audience Disable - - x-displayName: "Disable". - - - -### Auth Options Custom - - Enable Custom Authentication. - -`custom_auth_config` - (Optional) This is custom authentication configuration parameters. Please reach out to the support for custom authentication details. (`String`). - - - -### Auth Options Disable Auth - - No Authentication. - - - -### Auth Options Jwt - - Enable JWT Authentication. - -`backup_key` - (Optional) Backup JWT Key - If specified is also checked in addition to the primary secret key. See [Jwt Backup Key ](#jwt-backup-key) below for details. - -`secret_key` - (Required) Secret Key for JWT. See [Jwt Secret Key ](#jwt-secret-key) below for details. - - - - -###### One of the arguments from this list "header, cookie, query_param, bearer_token" can be set - -`bearer_token` - (Optional) Token is found in the Bearer-Token (`Bool`). - - -`cookie` - (Optional) Token is found in the cookie. See [Token Source Cookie ](#token-source-cookie) below for details. 
- - -`header` - (Optional) Token is found in the header. See [Token Source Header ](#token-source-header) below for details. - - -`query_param` - (Optional) Token is found in the Query-Param. See [Token Source Query Param ](#token-source-query-param) below for details. - - - - -### Backup Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Blocked Clients Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Bot Defense Policy - - Bot Defense Policy.. - - - -###### One of the arguments from this list "disable_js_insert, js_insert_all_pages, js_insert_all_pages_except, js_insertion_rules" must be set - -`disable_js_insert` - (Optional) Disable JavaScript insertion. (`Bool`). - - -`js_insert_all_pages` - (Optional) Insert Bot Defense JavaScript in all pages.. See [Java Script Choice Js Insert All Pages ](#java-script-choice-js-insert-all-pages) below for details. - - -`js_insert_all_pages_except` - (Optional) Insert Bot Defense JavaScript in all pages with the exceptions.. See [Java Script Choice Js Insert All Pages Except ](#java-script-choice-js-insert-all-pages-except) below for details. - - -`js_insertion_rules` - (Optional) Specify custom JavaScript insertion rules.. 
See [Java Script Choice Js Insertion Rules ](#java-script-choice-js-insertion-rules) below for details. - - -`javascript_mode` - (Required) The larger chunk can be loaded asynchronously or synchronously. It can also be cacheable or non-cacheable on the browser. (`String`). - -`js_download_path` - (Optional) Customize Bot Defense Client JavaScript path. If not specified, default `/common.js` (`String`). - - - -###### One of the arguments from this list "disable_mobile_sdk, mobile_sdk_config" must be set - -`disable_mobile_sdk` - (Optional) Disable Mobile SDK. (`Bool`). - - -`mobile_sdk_config` - (Optional) Mobile SDK configuration. See [Mobile Sdk Choice Mobile Sdk Config ](#mobile-sdk-choice-mobile-sdk-config) below for details. - - -`protected_app_endpoints` - (Required) List of protected application endpoints (max 128 items).. See [Policy Protected App Endpoints ](#policy-protected-app-endpoints) below for details. - - - -### Bot Defense Advanced Policy - - Bot Defense Advanced Policy.. - -`js_download_path` - (Required) Customize Bot Defense Web Client JavaScript path (`String`). - - - -###### One of the arguments from this list "disable_mobile_sdk, mobile_sdk_config" must be set - -`disable_mobile_sdk` - (Optional) Disable Mobile SDK. (`Bool`). - - -`mobile_sdk_config` - (Optional) Enable Mobile SDK Configuration. See [Mobile Sdk Choice Mobile Sdk Config ](#mobile-sdk-choice-mobile-sdk-config) below for details. - - -`protected_app_endpoints` - (Required) List of protected endpoints (max 128 items). See [Policy Protected App Endpoints ](#policy-protected-app-endpoints) below for details. - - - -### Bot Defense Choice Bot Defense - - Select Bot Defense Standard. - - - -###### One of the arguments from this list "enable_cors_support, disable_cors_support" must be set - -`disable_cors_support` - (Optional) protect against Bot Attacks. (`Bool`).(Deprecated) - - -`enable_cors_support` - (Optional) Allows Bot Defense to work with your existing CORS policies. 
(`Bool`).(Deprecated) - - -`policy` - (Required) Bot Defense Policy.. See [Bot Defense Policy ](#bot-defense-policy) below for details. - -`regional_endpoint` - (Required) x-required (`String`). - -`timeout` - (Optional) The timeout for the inference check, in milliseconds. (`Int`). - - - -### Bot Defense Choice Bot Defense Advanced - - Select Bot Defense Advanced. - -`mobile` - (Optional) Select infrastructure for mobile.. See [ref](#ref) below for details. - -`policy` - (Required) Bot Defense Advanced Policy.. See [Bot Defense Advanced Policy ](#bot-defense-advanced-policy) below for details. - -`web` - (Optional) Select infrastructure for web.. See [ref](#ref) below for details. - - - -### Bypass Rate Limiting Rules Bypass Rate Limiting Rules - - This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Bypass Rate Limiting Rules Client Matcher ](#bypass-rate-limiting-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "any_url, base_path, api_endpoint, api_groups" must be set - -`any_url` - (Optional) Any URL (`Bool`). - - -`api_endpoint` - (Required) The endpoint (path) of the request.. See [Destination Type Api Endpoint ](#destination-type-api-endpoint) below for details. - - -`api_groups` - (Optional) Validation will be performed for the endpoints mentioned in the API Groups. See [Destination Type Api Groups ](#destination-type-api-groups) below for details. - - -`base_path` - (Optional) The base path which this validation applies to (`String`). - - - - -###### One of the arguments from this list "any_domain, specific_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - - -`specific_domain` - (Optional) For example: api.example.com (`String`). 
- - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Bypass Rate Limiting Rules Request Matcher ](#bypass-rate-limiting-rules-request-matcher) below for details. - - - -### Bypass Rate Limiting Rules Client Matcher - - Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - - - -###### One of the arguments from this list "client_selector, any_client, ip_threat_category_list" must be set - -`any_client` - (Optional) Any Client (`Bool`). - - -`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - - -`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - - - - -###### One of the arguments from this list "ip_matcher, asn_list, asn_matcher, any_ip, ip_prefix_list" must be set - -`any_ip` - (Optional) Any Source IP (`Bool`). - - -`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. - - -`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. - - -`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. - - -`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. 
- - -`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. - - - -### Bypass Rate Limiting Rules Request Matcher - - Conditions related to the request, such as query parameters, headers, etc.. - -`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. - -`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. - -`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. - -`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. - - - -### Cache Actions Cache Bypass - - Bypass Caching of content from the origin. - - - -### Cache Actions Cache Disabled - - Disable Caching of content from the origin. - - - -### Cache Actions Eligible For Cache - - Eligible for caching the content. - - - -###### One of the arguments from this list "scheme_hostname_request_uri, hostname_uri, scheme_hostname_uri_query, scheme_proxy_host_uri, scheme_proxy_host_request_uri, scheme_hostname_uri" must be set - -`hostname_uri` - (Optional) . See [Eligible For Cache Hostname Uri ](#eligible-for-cache-hostname-uri) below for details.(Deprecated) - - -`scheme_hostname_request_uri` - (Optional) . See [Eligible For Cache Scheme Hostname Request Uri ](#eligible-for-cache-scheme-hostname-request-uri) below for details.(Deprecated) - - -`scheme_hostname_uri` - (Optional) . 
See [Eligible For Cache Scheme Hostname Uri ](#eligible-for-cache-scheme-hostname-uri) below for details.(Deprecated) - - -`scheme_hostname_uri_query` - (Optional) . See [Eligible For Cache Scheme Hostname Uri Query ](#eligible-for-cache-scheme-hostname-uri-query) below for details.(Deprecated) - - -`scheme_proxy_host_request_uri` - (Optional) . See [Eligible For Cache Scheme Proxy Host Request Uri ](#eligible-for-cache-scheme-proxy-host-request-uri) below for details. - - -`scheme_proxy_host_uri` - (Optional) . See [Eligible For Cache Scheme Proxy Host Uri ](#eligible-for-cache-scheme-proxy-host-uri) below for details. - - - - -### Cache Actions Eligible For Cache - - Eligible for caching the content. - -`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). - - - -### Cache Headers Operator - - Available operators. - - - - -###### One of the arguments from this list "Equals, DoesNotEqual, DoesNotContain, Startswith, MatchRegex, Contains, DoesNotStartWith, Endswith, DoesNotEndWith" can be set - -`Contains` - (Optional) Field must contain (`String`). - - -`DoesNotContain` - (Optional) Field must not contain (`String`). - - -`DoesNotEndWith` - (Optional) Field must not end with (`String`). - - -`DoesNotEqual` - (Optional) Field must not equal (`String`). - - -`DoesNotStartWith` - (Optional) Field must not start with (`String`). - - -`Endswith` - (Optional) Field must end with (`String`). - - -`Equals` - (Optional) Field must exactly match (`String`). - - -`MatchRegex` - (Optional) Field matches regular expression (`String`). - - -`Startswith` - (Optional) Field must start with (`String`). - - - - -### Cache Options Cache Rules - - Rules are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs.. 
- - - -###### One of the arguments from this list "cache_bypass, eligible_for_cache" must be set - -`cache_bypass` - (Optional) Bypass Caching of content from the origin (`Bool`). - - -`eligible_for_cache` - (Optional) Eligible for caching the content. See [Cache Actions Eligible For Cache ](#cache-actions-eligible-for-cache) below for details. - - -`rule_expression_list` - (Required) Expressions are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs... See [Cache Rules Rule Expression List ](#cache-rules-rule-expression-list) below for details. - -`rule_name` - (Required) Name of the Cache Rule (`String`). - - - -### Cache Options Default Cache Action - - Default value for Cache action.. - - - - -###### One of the arguments from this list "cache_disabled, eligible_for_cache, cache_ttl_default, cache_ttl_override" can be set - -`cache_disabled` - (Optional) Disable Caching of content from the origin (`Bool`). - - -`cache_ttl_default` - (Optional) Cache TTL value to use when the origin does not provide one (`String`). - - -`cache_ttl_override` - (Optional) Override the Cache TTL directive in the response from the origin (`String`). - - -`eligible_for_cache` - (Optional) Eligible for caching the content. See [Cache Actions Eligible For Cache ](#cache-actions-eligible-for-cache) below for details.(Deprecated) - - - - -### Cache Rule Expression Cache Headers - - Configure cache rule headers to match the criteria. - -`name` - (Optional) Name of the header (`String`). - -`operator` - (Optional) Available operators. See [Cache Headers Operator ](#cache-headers-operator) below for details. - - - -### Cache Rule Expression Cookie Matcher - - Note that all specified cookie matcher predicates must evaluate to true.. - -`name` - (Required) A case-sensitive cookie name. (`String`). - -`operator` - (Optional) . See [Cookie Matcher Operator ](#cookie-matcher-operator) below for details. 
- - - -### Cache Rule Expression Path Match - - URI path of route. - -`operator` - (Optional) A specification of path match. See [Path Match Operator ](#path-match-operator) below for details. - - - -### Cache Rule Expression Query Parameters - - List of (key, value) query parameters. - -`key` - (Required) In the above example, assignee_username is the key (`String`). - -`operator` - (Optional) . See [Query Parameters Operator ](#query-parameters-operator) below for details. - - - -### Cache Rules Rule Expression List - - Expressions are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs... - -`cache_rule_expression` - (Required) The Cache Rule Expression Terms that are ANDed. See [Rule Expression List Cache Rule Expression ](#rule-expression-list-cache-rule-expression) below for details. - -`expression_name` - (Required) Name of the Expressions items that are ANDed (`String`). - - - -### Captcha Challenge Parameters Choice Captcha Challenge Parameters - - Configure captcha challenge parameters. - -`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). - -`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - - - -### Captcha Challenge Parameters Choice Default Captcha Challenge Parameters - - Use default parameters. - - - -### Challenge Action Disable Challenge - - Disable the challenge type selected in PolicyBasedChallenge. - - - -### Challenge Action Enable Captcha Challenge - - Enable captcha challenge. - - - -### Challenge Action Enable Javascript Challenge - - Enable javascript challenge. - - - -### Challenge Choice Always Enable Captcha Challenge - - Challenge rules can be used to selectively disable Captcha challenge or enable JavaScript challenge for some requests.. - - - -### Challenge Choice Always Enable Js Challenge - - Challenge rules can be used to selectively disable JavaScript challenge or enable Captcha challenge for some requests.. - - - -### Challenge Choice No Challenge - - Challenge rules can be used to selectively enable JavaScript or Captcha challenge for some requests.. - - - -### Challenge Type Captcha Challenge - - Configure Captcha challenge on this load balancer. - -`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). - -`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - - - -### Challenge Type Challenge On Cache Miss - - Configure auto mitigation i.e risk based challenges for malicious users only on cache miss in this load balancer. - - - - -###### One of the arguments from this list "default_captcha_challenge_parameters, captcha_challenge_parameters" can be set - -`captcha_challenge_parameters` - (Optional) Configure captcha challenge parameters. See [Captcha Challenge Parameters Choice Captcha Challenge Parameters ](#captcha-challenge-parameters-choice-captcha-challenge-parameters) below for details. - - -`default_captcha_challenge_parameters` - (Optional) Use default parameters (`Bool`). - - - - - -###### One of the arguments from this list "default_js_challenge_parameters, js_challenge_parameters" can be set - -`default_js_challenge_parameters` - (Optional) Use default parameters (`Bool`). - - -`js_challenge_parameters` - (Optional) Configure JavaScript challenge parameters. See [Js Challenge Parameters Choice Js Challenge Parameters ](#js-challenge-parameters-choice-js-challenge-parameters) below for details. - - - - - -###### One of the arguments from this list "default_mitigation_settings, malicious_user_mitigation" can be set - -`default_mitigation_settings` - (Optional) For high level, users will be temporarily blocked. (`Bool`). - - -`malicious_user_mitigation` - (Optional) Define the mitigation actions to be taken for different threat levels. See [ref](#ref) below for details. - - - - -### Challenge Type Enable Challenge - - Configure auto mitigation i.e risk based challenges for malicious users for this load balancer. - - - - -###### One of the arguments from this list "captcha_challenge_parameters, default_captcha_challenge_parameters" can be set - -`captcha_challenge_parameters` - (Optional) Configure captcha challenge parameters. 
See [Captcha Challenge Parameters Choice Captcha Challenge Parameters ](#captcha-challenge-parameters-choice-captcha-challenge-parameters) below for details. - - -`default_captcha_challenge_parameters` - (Optional) Use default parameters (`Bool`). - - - - - -###### One of the arguments from this list "js_challenge_parameters, default_js_challenge_parameters" can be set - -`default_js_challenge_parameters` - (Optional) Use default parameters (`Bool`). - - -`js_challenge_parameters` - (Optional) Configure JavaScript challenge parameters. See [Js Challenge Parameters Choice Js Challenge Parameters ](#js-challenge-parameters-choice-js-challenge-parameters) below for details. - - - - - -###### One of the arguments from this list "malicious_user_mitigation, default_mitigation_settings" can be set - -`default_mitigation_settings` - (Optional) For high level, users will be temporarily blocked. (`Bool`). - - -`malicious_user_mitigation` - (Optional) Define the mitigation actions to be taken for different threat levels. See [ref](#ref) below for details. - - - - -### Challenge Type Js Challenge - - Configure JavaScript challenge on this load balancer. - -`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). - -`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - -`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). - - - -### Challenge Type No Challenge - - No challenge is enabled for this load balancer. - - - -### Challenge Type Policy Based Challenge - - Specifies the settings for policy rule based challenge. - - - - -###### One of the arguments from this list "default_captcha_challenge_parameters, captcha_challenge_parameters" can be set - -`captcha_challenge_parameters` - (Optional) Configure captcha challenge parameters. See [Captcha Challenge Parameters Choice Captcha Challenge Parameters ](#captcha-challenge-parameters-choice-captcha-challenge-parameters) below for details. - - -`default_captcha_challenge_parameters` - (Optional) Use default parameters (`Bool`). - - - - -###### One of the arguments from this list "no_challenge, always_enable_js_challenge, always_enable_captcha_challenge" must be set - -`always_enable_captcha_challenge` - (Optional) Challenge rules can be used to selectively disable Captcha challenge or enable JavaScript challenge for some requests. (`Bool`). - - -`always_enable_js_challenge` - (Optional) Challenge rules can be used to selectively disable JavaScript challenge or enable Captcha challenge for some requests. (`Bool`). - - -`no_challenge` - (Optional) Challenge rules can be used to selectively enable JavaScript or Captcha challenge for some requests. (`Bool`). - - - - - -###### One of the arguments from this list "default_js_challenge_parameters, js_challenge_parameters" can be set - -`default_js_challenge_parameters` - (Optional) Use default parameters (`Bool`). - - -`js_challenge_parameters` - (Optional) Configure JavaScript challenge parameters. See [Js Challenge Parameters Choice Js Challenge Parameters ](#js-challenge-parameters-choice-js-challenge-parameters) below for details. 
- - - - - -###### One of the arguments from this list "malicious_user_mitigation, default_mitigation_settings" can be set - -`default_mitigation_settings` - (Optional) For high level, users will be temporarily blocked. (`Bool`). - - -`malicious_user_mitigation` - (Optional) Define the mitigation actions to be taken for different threat levels. See [ref](#ref) below for details. - - -`rule_list` - (Optional) list challenge rules to be used in policy based challenge. See [Policy Based Challenge Rule List ](#policy-based-challenge-rule-list) below for details. - - - - -###### One of the arguments from this list "default_temporary_blocking_parameters, temporary_user_blocking" can be set - -`default_temporary_blocking_parameters` - (Optional) Use default parameters (`Bool`).(Deprecated) - - -`temporary_user_blocking` - (Optional) Specifies configuration for temporary user blocking resulting from malicious user detection. See [Temporary Blocking Parameters Choice Temporary User Blocking ](#temporary-blocking-parameters-choice-temporary-user-blocking) below for details.(Deprecated) - - - - -### Choice Custom Security - - Custom selection of TLS versions and cipher suites. - -`cipher_suites` - (Required) The TLS listener will only support the specified cipher list. (`String`). - -`max_version` - (Optional) Maximum TLS protocol version. (`String`). - -`min_version` - (Optional) Minimum TLS protocol version. (`String`). - - - -### Choice Default Security - - TLS v1.2+ with PFS ciphers and strong crypto algorithms.. - - - -### Choice Low Security - - TLS v1.0+ including non-PFS ciphers and weak crypto algorithms.. - - - -### Choice Medium Security - - TLS v1.0+ with PFS ciphers and medium strength crypto algorithms.. - - - -### Choice Public Ip - - Specify origin server with public IP. - - - -###### One of the arguments from this list "ip, ipv6" must be set - -`ip` - (Optional) Public IPV4 address (`String`). - - -`ipv6` - (Optional) Public IPV6 address (`String`). 
- - - - -### Choice Public Name - - Specify origin server with public DNS name. - -`dns_name` - (Required) DNS Name (`String`). - -`refresh_interval` - (Optional) Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767 (`Int`). - - - -### Choice Tls 11 Plus - - TLS v1.1+ with PFS ciphers and medium strength crypto algorithms.. - - - -### Choice Tls 12 Plus - - TLS v1.2+ with PFS ciphers and strong crypto algorithms.. - - - -### Client Choice Any Client - - Any Client. - - - -### Client Choice Client Name Matcher - -client_name_matcher. - -`exact_values` - (Optional) A list of exact values to match the input against. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - -`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - - - -### Client Choice Client Selector - - The predicate evaluates to true if the expressions in the label selector are true for the client labels.. - -`expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). - - - -### Client Choice Ip Threat Category List - - IP threat categories to choose from. - -`ip_threat_categories` - (Required) The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions (`List of Strings`). - - - -### Client Matcher Tls Fingerprint Matcher - - The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. - -`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). - -`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). - -`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). 
- - - -### Client Side Defense Policy - - Please ensure that the same domains are configured in the Client-Side Defense configuration.. - - - -###### One of the arguments from this list "disable_js_insert, js_insert_all_pages, js_insert_all_pages_except, js_insertion_rules" must be set - -`disable_js_insert` - (Optional) Disable JavaScript insertion. (`Bool`). - - -`js_insert_all_pages` - (Optional) Insert Client-Side Defense JavaScript in all pages. (`Bool`). - - -`js_insert_all_pages_except` - (Optional) Insert Client-Side Defense JavaScript in all pages with the exceptions.. See [Java Script Choice Js Insert All Pages Except ](#java-script-choice-js-insert-all-pages-except) below for details. - - -`js_insertion_rules` - (Optional) Specify custom JavaScript insertion rules.. See [Java Script Choice Js Insertion Rules ](#java-script-choice-js-insertion-rules) below for details. - - - - -### Client Side Defense Choice Client Side Defense - - Client-Side Defense configuration for JavaScript insertion. - -`policy` - (Required) Please ensure that the same domains are configured in the Client-Side Defense configuration.. See [Client Side Defense Policy ](#client-side-defense-policy) below for details. - - - -### Client Source Choice Http Header - - Request header name and value pairs. - -`headers` - (Required) List of HTTP header name and value pairs. See [Http Header Headers ](#http-header-headers) below for details. - - - -### Common Security Controls Blocked Clients - - Define rules to block IP Prefixes or AS numbers.. - - - - -###### One of the arguments from this list "skip_processing, waf_skip_processing, bot_skip_processing" can be set - -`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - - -`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. 
(`Bool`).(Deprecated) - - -`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. (`Bool`).(Deprecated) - - -`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). - - - -###### One of the arguments from this list "ip_prefix, as_number, http_header, user_identifier" must be set - -`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). - - -`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. - - -`ip_prefix` - (Optional) IPv4 prefix string. (`String`). - - -`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). - - -`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Blocked Clients Metadata ](#blocked-clients-metadata) below for details. - - - -### Common Security Controls Cors Policy - - resources from a server at a different origin. - -`allow_credentials` - (Optional) Specifies whether the resource allows credentials (`Bool`). - -`allow_headers` - (Optional) Specifies the content for the access-control-allow-headers header (`String`). - -`allow_methods` - (Optional) Specifies the content for the access-control-allow-methods header (`String`). - -`allow_origin` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). - -`allow_origin_regex` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). - -`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). - -`expose_headers` - (Optional) Specifies the content for the access-control-expose-headers header (`String`). 
- -`max_age` - (Optional) Specifies the content for the access-control-max-age header (`String`).(Deprecated) - -`maximum_age` - (Optional) Maximum permitted value is 86400 seconds (24 hours) (`Int`). - - - -### Common Security Controls Trusted Clients - - Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. - - - - -###### One of the arguments from this list "skip_processing, waf_skip_processing, bot_skip_processing" can be set - -`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - - -`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - - -`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. (`Bool`).(Deprecated) - - -`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). - - - -###### One of the arguments from this list "user_identifier, ip_prefix, as_number, http_header" must be set - -`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). - - -`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. - - -`ip_prefix` - (Optional) IPv4 prefix string. (`String`). - - -`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). - - -`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Trusted Clients Metadata ](#trusted-clients-metadata) below for details. - - - -### Condition Type Choice Api Endpoint - - The API endpoint (Path + Method) which this validation applies to. - -`methods` - (Optional) Methods to be matched (`List of Strings`). 
- -`path` - (Required) Path to be matched (`String`). - - - -### Cookie Matcher Operator - - . - - - - -###### One of the arguments from this list "Contains, DoesNotStartWith, Endswith, DoesNotEndWith, Equals, DoesNotEqual, DoesNotContain, Startswith, MatchRegex" can be set - -`Contains` - (Optional) Field must contain (`String`). - - -`DoesNotContain` - (Optional) Field must not contain (`String`). - - -`DoesNotEndWith` - (Optional) Field must not end with (`String`). - - -`DoesNotEqual` - (Optional) Field must not equal (`String`). - - -`DoesNotStartWith` - (Optional) Field must not start with (`String`). - - -`Endswith` - (Optional) Field must end with (`String`). - - -`Equals` - (Optional) Field must exactly match (`String`). - - -`MatchRegex` - (Optional) Field matches regular expression (`String`). - - -`Startswith` - (Optional) Field must start with (`String`). - - - - -### Cookie Tampering Disable Tampering Protection - - x-displayName: "Disable". - - - -### Cookie Tampering Enable Tampering Protection - - x-displayName: "Enable". - - - -### Cors Support Choice Disable Cors Support - - protect against Bot Attacks.. - - - -### Cors Support Choice Enable Cors Support - - Allows Bot Defense to work with your existing CORS policies.. - - - -### Count By Choice Use Http Lb User Id - - Defined in HTTP-LB Security Configuration -> User Identifier.. - - - -### Data Guard Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Data Guard Rules Path - - URI path matcher.. - - - -###### One of the arguments from this list "regex, prefix, path" must be set - -`path` - (Optional) Exact path value to match (`String`). 
- - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - - - - -### Ddos Client Source Asn List - - The ASN is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.. - -`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). - - - -### Ddos Client Source Tls Fingerprint Matcher - - The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. - -`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). - -`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). - -`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). - - - -### Ddos Mitigation Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Destination Type Any Url - - Any URL . - - - -### Destination Type Api Endpoint - - The endpoint (path) of the request.. - -`methods` - (Optional) Methods to be matched (`List of Strings`). - -`path` - (Required) Path to be matched (`String`). - - - -### Destination Type Api Groups - - Validation will be performed for the endpoints mentioned in the API Groups. 
- -`api_groups` - (Required) x-required (`String`). - - - -### Domain Choice Any Domain - - The rule will apply for all domains.. - - - -### Domain Matcher Choice Any Domain - - Any Domain.. - - - -### Domain Matcher Choice Domain - - Domain matcher.. - - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set - -`exact_value` - (Optional) Exact domain name. (`String`). - - -`regex_value` - (Optional) Regular Expression value for the domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - - - -### Eligible For Cache Hostname Uri - - . - -`cache_override` - (Optional) Honour Cache Override (`Bool`). - -`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). - -`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). - - - -### Eligible For Cache Scheme Hostname Request Uri - - . - -`cache_override` - (Optional) Honour Cache Override (`Bool`). - -`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). - -`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). - - - -### Eligible For Cache Scheme Hostname Uri - - . - -`cache_override` - (Optional) Honour Cache Override (`Bool`). - -`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). - -`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). 
- - - -### Eligible For Cache Scheme Hostname Uri Query - - . - -`cache_override` - (Optional) Honour Cache Override (`Bool`). - -`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). - -`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). - - - -### Eligible For Cache Scheme Proxy Host Request Uri - - . - -`cache_override` - (Optional) Honour Cache Override (`Bool`). - -`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). - -`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). - - - -### Eligible For Cache Scheme Proxy Host Uri - - . - -`cache_override` - (Optional) Honour Cache Override (`Bool`). - -`cache_ttl` - (Required) Format: [0-9][smhd], where s - seconds, m - minutes, h - hours, d - days (`String`). - -`ignore_response_cookie` - (Optional) By default, response will not be cached if set-cookie header is present. This option will override the behavior and cache response even with set-cookie header present. (`Bool`). - - - -### Enable Api Discovery Discovered Api Settings - - Configure Discovered API Settings.. - - - -### Enable Api Discovery Sensitive Data Detection Rules - - Manage rules to detect sensitive data in requests and/or response sections.. - - - -### Exclude List Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. 
(`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Exclude List Path - - URI path matcher.. - - - -###### One of the arguments from this list "path, regex, prefix" must be set - -`path` - (Optional) Exact path value to match (`String`). - - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - - - - -### Fail Configuration Fail Close - - Handle the transaction as it failed the OpenAPI specification validation (Block or Report). - - - -### Fail Configuration Fail Open - - Continue to process the transaction without enforcing OpenAPI specification (Allow). - - - -### Fall Through Mode Choice Fall Through Mode Allow - - Allow any unprotected end point. - - - -### Fall Through Mode Choice Fall Through Mode Custom - - Custom rules for any unprotected end point. - -`open_api_validation_rules` - (Required) x-displayName: "Custom Fall Through Rule List". See [Fall Through Mode Custom Open Api Validation Rules ](#fall-through-mode-custom-open-api-validation-rules) below for details. - - - -### Fall Through Mode Custom Open Api Validation Rules - - x-displayName: "Custom Fall Through Rule List". - - - -###### One of the arguments from this list "action_block, action_skip, action_report" must be set - -`action_block` - (Optional) Block the request and issue an API security event (`Bool`). - - -`action_report` - (Optional) Continue processing the request and issue an API security event (`Bool`). - - -`action_skip` - (Optional) Continue processing the request (`Bool`). - - - - -###### One of the arguments from this list "api_endpoint, base_path, api_group" must be set - -`api_endpoint` - (Optional) The API endpoint (Path + Method) which this validation applies to. 
See [Condition Type Choice Api Endpoint ](#condition-type-choice-api-endpoint) below for details. - - -`api_group` - (Optional) The API group which this validation applies to (`String`). - - -`base_path` - (Optional) The base path which this validation applies to (`String`). - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Open Api Validation Rules Metadata ](#open-api-validation-rules-metadata) below for details. - - - -### Flow Label Choice Account Management - - x-displayName: "Account Management". - - - -###### One of the arguments from this list "create, password_reset" must be set - -`create` - (Optional) x-displayName: "Account Creation" (`Bool`). - - -`password_reset` - (Optional) x-displayName: "Password Reset" (`Bool`). - - - - -### Flow Label Choice Authentication - - x-displayName: "Authentication". - - - -###### One of the arguments from this list "logout, token_refresh, login, login_mfa, login_partner" must be set - -`login` - (Optional) x-displayName: "Login". See [Label Choice Login ](#label-choice-login) below for details. - - -`login_mfa` - (Optional) x-displayName: "Login MFA" (`Bool`). - - -`login_partner` - (Optional) x-displayName: "Login for a Channel Partner" (`Bool`). - - -`logout` - (Optional) x-displayName: "Logout" (`Bool`). - - -`token_refresh` - (Optional) x-displayName: "Token Refresh" (`Bool`). - - - - -### Flow Label Choice Financial Services - - x-displayName: "Financial Services". - - - -###### One of the arguments from this list "apply, money_transfer" must be set - -`apply` - (Optional) x-displayName: "Apply for a Financial Service Account (e.g., credit card, banking, retirement account)" (`Bool`). - - -`money_transfer` - (Optional) x-displayName: "Money Transfer" (`Bool`). - - - - -### Flow Label Choice Flight - - x-displayName: "Flight". - - - -###### One of the arguments from this list "checkin" must be set - -`checkin` - (Optional) x-displayName: "Check into Flight" (`Bool`). 
- - - - -### Flow Label Choice Flow Label - - x-displayName: "Specify Endpoint label category". - - - -###### One of the arguments from this list "flight, authentication, account_management, profile_management, shopping_gift_cards, financial_services, search" must be set - -`account_management` - (Optional) x-displayName: "Account Management". See [Flow Label Choice Account Management ](#flow-label-choice-account-management) below for details. - - -`authentication` - (Optional) x-displayName: "Authentication". See [Flow Label Choice Authentication ](#flow-label-choice-authentication) below for details. - - -`financial_services` - (Optional) x-displayName: "Financial Services". See [Flow Label Choice Financial Services ](#flow-label-choice-financial-services) below for details. - - -`flight` - (Optional) x-displayName: "Flight". See [Flow Label Choice Flight ](#flow-label-choice-flight) below for details. - - -`profile_management` - (Optional) x-displayName: "Profile Management". See [Flow Label Choice Profile Management ](#flow-label-choice-profile-management) below for details. - - -`search` - (Optional) x-displayName: "Search". See [Flow Label Choice Search ](#flow-label-choice-search) below for details. - - -`shopping_gift_cards` - (Optional) x-displayName: "Shopping & Gift Cards". See [Flow Label Choice Shopping Gift Cards ](#flow-label-choice-shopping-gift-cards) below for details. - - - - -### Flow Label Choice Profile Management - - x-displayName: "Profile Management". - - - -###### One of the arguments from this list "create, update, view" must be set - -`create` - (Optional) x-displayName: "Profile Creation" (`Bool`). - - -`update` - (Optional) x-displayName: "Profile Update" (`Bool`). - - -`view` - (Optional) x-displayName: "Profile View" (`Bool`). - - - - -### Flow Label Choice Search - - x-displayName: "Search". 
- - - - -###### One of the arguments from this list "room_search, reservation_search, flight_search, product_search" can be set - -`flight_search` - (Optional) x-displayName: "Flight Search" (`Bool`). - - -`product_search` - (Optional) x-displayName: "Product Search" (`Bool`). - - -`reservation_search` - (Optional) x-displayName: "Reservation Search (e.g., sporting events, concerts)" (`Bool`). - - -`room_search` - (Optional) x-displayName: "Room Search" (`Bool`). - - - - -### Flow Label Choice Shopping Gift Cards - - x-displayName: "Shopping & Gift Cards". - - - - -###### One of the arguments from this list "shop_choose_seat, shop_enter_drawing_submission, gift_card_validation, gift_card_make_purchase_with_gift_card, shop_checkout, shop_order, shop_price_inquiry, shop_update_quantity, shop_add_to_cart, shop_promo_code_validation, shop_make_payment, shop_purchase_gift_card" can be set - -`gift_card_make_purchase_with_gift_card` - (Optional) x-displayName: "Purchase with Gift Card" (`Bool`). - - -`gift_card_validation` - (Optional) x-displayName: "Gift Card Validation" (`Bool`). - - -`shop_add_to_cart` - (Optional) x-displayName: "Add to Cart" (`Bool`). - - -`shop_checkout` - (Optional) x-displayName: "Checkout" (`Bool`). - - -`shop_choose_seat` - (Optional) x-displayName: "Select Seat(s)" (`Bool`). - - -`shop_enter_drawing_submission` - (Optional) x-displayName: "Enter Drawing Submission" (`Bool`). - - -`shop_make_payment` - (Optional) x-displayName: "Payment / Billing" (`Bool`). - - -`shop_order` - (Optional) x-displayName: "Order Submit" (`Bool`). - - -`shop_price_inquiry` - (Optional) x-displayName: "Price Inquiry" (`Bool`). - - -`shop_promo_code_validation` - (Optional) x-displayName: "Promo Code Validation" (`Bool`). - - -`shop_purchase_gift_card` - (Optional) x-displayName: "Purchase a Gift Card" (`Bool`). - - -`shop_update_quantity` - (Optional) x-displayName: "Update Quantity" (`Bool`). 
- - - - -### Flow Label Choice Undefined Flow Label - - x-displayName: "Undefined". - - - -### Geo Filtering Type Allow List - - Allow list of countries. - -`country_codes` - (Required) List of Country Codes (`List of Strings`). - -`invert_match` - (Optional) Invert the match result. (`Bool`). - - - -### Geo Filtering Type Block List - - Block list of countries. - -`country_codes` - (Required) List of Country Codes (`List of Strings`). - -`invert_match` - (Optional) Invert the match result. (`Bool`). - - - -### Goodbot Choice Allow Good Bots - - System flags Good Bot traffic and allow it to continue to the origin. - - - -### Goodbot Choice Mitigate Good Bots - - System flags Good Bot Traffic, but mitigation is handled in the same manner as malicious automated traffic defined above. - - - -### Graphql Rules Graphql Settings - - GraphQL configuration.. - - - -###### One of the arguments from this list "disable_introspection, enable_introspection" must be set - -`disable_introspection` - (Optional) Disable introspection queries for the load balancer. (`Bool`). - - -`enable_introspection` - (Optional) Enable introspection queries for the load balancer. (`Bool`). - - -`max_batched_queries` - (Required) Specify maximum number of queries in a single batched request. (`Int`). - -`max_depth` - (Required) Specify maximum depth for the GraphQL query. (`Int`). - -`max_total_length` - (Required) Specify maximum length in bytes for the GraphQL query. (`Int`). - -`max_value_length` - (Required) Specify maximum value length in bytes for the GraphQL query. (`Int`).(Deprecated) - -`policy_name` - (Optional) Sets the BD Policy to use (`String`).(Deprecated) - - - -### Graphql Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. 
(`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Header Options Request Headers To Add - - Headers specified at this level are applied after headers from matched Route are applied. - -`append` - (Optional) Default value is do not append (`Bool`). - -`name` - (Required) Name of the HTTP header. (`String`). - - - -###### One of the arguments from this list "value, secret_value" must be set - -`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. - - -`value` - (Optional) Value of the HTTP header. (`String`). - - - - -### Header Options Response Headers To Add - - Headers specified at this level are applied after headers from matched Route are applied. - -`append` - (Optional) Default value is do not append (`Bool`). - -`name` - (Required) Name of the HTTP header. (`String`). - - - -###### One of the arguments from this list "secret_value, value" must be set - -`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. - - -`value` - (Optional) Value of the HTTP header. (`String`). - - - - -### Http Header Headers - - List of HTTP header name and value pairs. - -`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). - -`name` - (Required) Name of the header (`String`). - - - - -###### One of the arguments from this list "presence, exact, regex" can be set - -`exact` - (Optional) Header value to match exactly (`String`). - - -`presence` - (Optional) If true, check for presence of header (`Bool`). - - -`regex` - (Optional) Regex match of the header value in re2 format (`String`). - - - - -### Httponly Add Httponly - - x-displayName: "Add". - - - -### Httponly Ignore Httponly - - x-displayName: "Ignore". 
- - - -### Https Tls Parameters - - TLS parameters for the downstream connections.. - -`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Tls Parameters Tls Certificates ](#tls-parameters-tls-certificates) below for details. - -`tls_config` - (Optional) TLS Configuration Parameters. See [Tls Parameters Tls Config ](#tls-parameters-tls-config) below for details. - - - -### Https Auto Cert Tls Config - - TLS Configuration Parameters. - - - -###### One of the arguments from this list "tls_12_plus, tls_11_plus" must be set - -`tls_11_plus` - (Optional) TLS v1.1+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). - - -`tls_12_plus` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - - - - -### Ip Allowed List Choice Bypass Rate Limiting Rules - - This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. - -`bypass_rate_limiting_rules` - (Optional) This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. See [Bypass Rate Limiting Rules Bypass Rate Limiting Rules ](#bypass-rate-limiting-rules-bypass-rate-limiting-rules) below for details. - - - -### Ip Allowed List Choice Custom Ip Allowed List - - IP Allowed list using existing ip_prefix_set objects.. - -`rate_limiter_allowed_prefixes` - (Required) Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.. See [ref](#ref) below for details. - - - -### Ip Allowed List Choice Ip Allowed List - - List of IP(s) for which rate limiting will be disabled.. - -`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). - -`prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). 
- - - -### Ip Allowed List Choice No Ip Allowed List - - There is no ip allowed list for rate limiting, all clients go through rate limiting.. - - - -### Ip Asn Choice Any Ip - - Any Source IP. - - - -### Ip Asn Choice Asn List - - The predicate evaluates to true if the origin ASN is present in the ASN list.. - -`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). - - - -### Ip Asn Choice Asn Matcher - - The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. - -`asn_sets` - (Required) A list of references to bgp_asn_set objects.. See [ref](#ref) below for details. - - - -### Ip Asn Choice Ip Matcher - - The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`prefix_sets` - (Required) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. - - - -### Ip Asn Choice Ip Prefix List - - The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. - -`invert_match` - (Optional) Invert the match result. (`Bool`). - -`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). - - - -### Ip Choice Any Ip - -any_ip. - - - -### Ip Choice Ip Matcher - -ip_matcher. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`prefix_sets` - (Required) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. - - - -### Ip Choice Ip Prefix List - -ip_prefix_list. - -`invert_match` - (Optional) Invert the match result. (`Bool`). - -`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). - - - -### Ip Filtering Type Allow List - - Allow list of ip prefixes. 
- -`invert_match` - (Optional) Invert the match result. (`Bool`). - -`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). - - - -### Ip Filtering Type Block List - - Block list of ip prefixes. - -`invert_match` - (Optional) Invert the match result. (`Bool`). - -`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). - - - -### Ip Reputation Choice Disable Ip Reputation - - No IP reputation configured this distribution. - - - -### Ip Reputation Choice Enable Ip Reputation - - Enable IP reputation for all requests in this distribution. - -`ip_threat_categories` - (Required) If the source IP matches on atleast one of the enabled IP threat categories, the request will be denied. (`List of Strings`). - - - -### Ip Reputation Choice Ip Reputation On Cache Miss - - Enable IP reputation only on cache miss in this distribution. - -`ip_threat_categories` - (Required) If the source IP matches on atleast one of the enabled IP threat categories, the request will be denied. (`List of Strings`). - - - -### Issuer Validation Issuer Disable - - x-displayName: "Disable". - - - -### Java Script Choice Disable Js Insert - - Disable JavaScript insertion.. - - - -### Java Script Choice Js Insert All Pages - - Insert Client-Side Defense JavaScript in all pages.. - - - -### Java Script Choice Js Insert All Pages - - Insert Bot Defense JavaScript in all pages.. - -`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). - - - -### Java Script Choice Js Insert All Pages Except - - Insert Client-Side Defense JavaScript in all pages with the exceptions.. - -`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insert All Pages Except Exclude List ](#js-insert-all-pages-except-exclude-list) below for details. - - - -### Java Script Choice Js Insert All Pages Except - - Insert Bot Defense JavaScript in all pages with the exceptions.. 
- -`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insert All Pages Except Exclude List ](#js-insert-all-pages-except-exclude-list) below for details. - -`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). - - - -### Java Script Choice Js Insertion Rules - - Specify custom JavaScript insertion rules.. - -`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insertion Rules Exclude List ](#js-insertion-rules-exclude-list) below for details. - -`rules` - (Required) Required list of pages to insert Client-Side Defense client JavaScript.. See [Js Insertion Rules Rules ](#js-insertion-rules-rules) below for details. - - - -### Java Script Choice Js Insertion Rules - - Specify custom JavaScript insertion rules.. - -`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insertion Rules Exclude List ](#js-insertion-rules-exclude-list) below for details. - -`rules` - (Required) Required list of pages to insert Bot Defense client JavaScript.. See [Js Insertion Rules Rules ](#js-insertion-rules-rules) below for details. - - - -### Js Challenge Parameters Choice Default Js Challenge Parameters - - Use default parameters. - - - -### Js Challenge Parameters Choice Js Challenge Parameters - - Configure JavaScript challenge parameters. - -`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). - -`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - -`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). - - - -### Js Insert All Pages Except Exclude List - - Optional JavaScript insertions exclude list of domain and path matchers.. - - - -###### One of the arguments from this list "any_domain, domain" must be set - -`any_domain` - (Optional) Any Domain. (`Bool`). - - -`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Exclude List Metadata ](#exclude-list-metadata) below for details. - -`path` - (Required) URI path matcher.. See [Exclude List Path ](#exclude-list-path) below for details. - - - -### Js Insertion Rules Exclude List - - Optional JavaScript insertions exclude list of domain and path matchers.. - - - -###### One of the arguments from this list "any_domain, domain" must be set - -`any_domain` - (Optional) Any Domain. (`Bool`). - - -`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Exclude List Metadata ](#exclude-list-metadata) below for details. - -`path` - (Required) URI path matcher.. See [Exclude List Path ](#exclude-list-path) below for details. - - - -### Js Insertion Rules Rules - - Required list of pages to insert Client-Side Defense client JavaScript.. - - - -###### One of the arguments from this list "any_domain, domain" must be set - -`any_domain` - (Optional) Any Domain. (`Bool`). - - -`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - - -`metadata` - (Required) Common attributes for the rule including name and description.. 
See [Rules Metadata ](#rules-metadata) below for details. - -`path` - (Required) URI path matcher.. See [Rules Path ](#rules-path) below for details. - - - -### Js Insertion Rules Rules - - Required list of pages to insert Bot Defense client JavaScript.. - - - -###### One of the arguments from this list "any_domain, domain" must be set - -`any_domain` - (Optional) Any Domain. (`Bool`). - - -`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - - -`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. - -`path` - (Required) URI path matcher.. See [Rules Path ](#rules-path) below for details. - - - -### Jwks Configuration Jwks Config - - The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.. - -`cleartext` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details. (`String`). - - - -### Jwt Backup Key - - Backup JWT Key - If specified is also checked in addition to the primary secret key. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Backup Key Blindfold Secret Info Internal ](#backup-key-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Jwt Secret Key - - Secret Key for JWT. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Secret Key Blindfold Secret Info Internal ](#secret-key-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "vault_secret_info, clear_secret_info, wingman_secret_info, blindfold_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. 
See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Jwt Validation Action - - x-required. - - - -###### One of the arguments from this list "block, report" must be set - -`block` - (Optional) Block the request and report the issue (`Bool`). - - -`report` - (Optional) Allow the request and report the issue (`Bool`). - - - - -### Jwt Validation Mandatory Claims - - If the claim does not exist JWT token validation will fail.. - -`claim_names` - (Optional) x-displayName: "Claim Names" (`String`). - - - -### Jwt Validation Reserved Claims - - the token validation of these claims should be disabled.. - - - -###### One of the arguments from this list "audience_disable, audience" must be set - -`audience` - (Optional) x-displayName: "Exact Match". See [Audience Validation Audience ](#audience-validation-audience) below for details. - - -`audience_disable` - (Optional) x-displayName: "Disable" (`Bool`). - - - - -###### One of the arguments from this list "issuer_disable, issuer" must be set - -`issuer` - (Optional) x-displayName: "Exact Match" (`String`). - - -`issuer_disable` - (Optional) x-displayName: "Disable" (`Bool`). - - - - -###### One of the arguments from this list "validate_period_disable, validate_period_enable" must be set - -`validate_period_disable` - (Optional) x-displayName: "Disable" (`Bool`). - - -`validate_period_enable` - (Optional) x-displayName: "Enable" (`Bool`). 
- - - - -### Jwt Validation Target - - Define endpoints for which JWT token validation will be performed. - - - -###### One of the arguments from this list "all_endpoint, api_groups, base_paths" must be set - -`all_endpoint` - (Optional) Validation will be performed for all requests on this LB (`Bool`). - - -`api_groups` - (Optional) Validation will be performed for the endpoints mentioned in the API Groups. See [Target Api Groups ](#target-api-groups) below for details. - - -`base_paths` - (Optional) Validation will be performed for selected path prefixes. See [Target Base Paths ](#target-base-paths) below for details. - - - - -### Jwt Validation Token Location - - Define where in the HTTP request the JWT token will be extracted. - - - -###### One of the arguments from this list "bearer_token, cookie, header, query_param" must be set - -`bearer_token` - (Optional) Token is found in Authorization HTTP header with Bearer authentication scheme (`Bool`). - - -`cookie` - (Optional) Token is found in the cookie (`String`).(Deprecated) - - -`header` - (Optional) Token is found in the header (`String`).(Deprecated) - - -`query_param` - (Optional) Token is found in the query string parameter (`String`).(Deprecated) - - - - -### L7 Ddos Auto Mitigation Action L7 Ddos Action Js Challenge - - Serve JavaScript challenge to suspicious sources. - -`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). - -`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - -`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). - - - -### Label Choice Apply - - x-displayName: "Apply for a Financial Service Account (e.g., credit card, banking, retirement account)". - - - -### Label Choice Checkin - - x-displayName: "Check into Flight". - - - -### Label Choice Create - - x-displayName: "Account Creation". - - - -### Label Choice Flight Search - - x-displayName: "Flight Search". - - - -### Label Choice Gift Card Make Purchase With Gift Card - - x-displayName: "Purchase with Gift Card". - - - -### Label Choice Gift Card Validation - - x-displayName: "Gift Card Validation". - - - -### Label Choice Login - - x-displayName: "Login". - - - - -### Label Choice Login Mfa - - x-displayName: "Login MFA". - - - -### Label Choice Login Partner - - x-displayName: "Login for a Channel Partner". - - - -### Label Choice Logout - - x-displayName: "Logout". - - - -### Label Choice Money Transfer - - x-displayName: "Money Transfer". - - - -### Label Choice Password Reset - - x-displayName: "Password Reset". - - - -### Label Choice Product Search - - x-displayName: "Product Search". - - - -### Label Choice Reservation Search - - x-displayName: "Reservation Search (e.g., sporting events, concerts)". - - - -### Label Choice Room Search - - x-displayName: "Room Search". - - - -### Label Choice Shop Add To Cart - - x-displayName: "Add to Cart". - - - -### Label Choice Shop Checkout - - x-displayName: "Checkout". - - - -### Label Choice Shop Choose Seat - - x-displayName: "Select Seat(s)". - - - -### Label Choice Shop Enter Drawing Submission - - x-displayName: "Enter Drawing Submission". - - - -### Label Choice Shop Make Payment - - x-displayName: "Payment / Billing". - - - -### Label Choice Shop Order - - x-displayName: "Order Submit". - - - -### Label Choice Shop Price Inquiry - - x-displayName: "Price Inquiry". 
- - - -### Label Choice Shop Promo Code Validation - - x-displayName: "Promo Code Validation". - - - -### Label Choice Shop Purchase Gift Card - - x-displayName: "Purchase a Gift Card". - - - -### Label Choice Shop Update Quantity - - x-displayName: "Update Quantity". - - - -### Label Choice Token Refresh - - x-displayName: "Token Refresh". - - - -### Label Choice Update - - x-displayName: "Profile Update". - - - -### Label Choice View - - x-displayName: "Profile View". - - - -### Learn From Redirect Traffic Disable Learn From Redirect Traffic - - Disable learning API patterns from traffic with redirect response codes 3xx. - - - -### Learn From Redirect Traffic Enable Learn From Redirect Traffic - - Enable learning API patterns from traffic with redirect response codes 3xx. - - - -### Loadbalancer Type Http - - CDN Distribution serving content over HTTP. - -`dns_volterra_managed` - (Optional) or a DNS CNAME record should be created in your DNS provider's portal. (`Bool`). - - - -###### One of the arguments from this list "port, port_ranges" must be set - -`port` - (Optional) HTTP port to Listen. (`Int`). - - -`port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). - - - - -### Loadbalancer Type Https - - User is responsible for managing DNS.. - -`add_hsts` - (Optional) Add HTTP Strict-Transport-Security response header (`Bool`). - -`http_redirect` - (Optional) Redirect HTTP traffic to HTTPS (`Bool`). - -`tls_parameters` - (Optional) TLS parameters for the downstream connections.. See [Https Tls Parameters ](#https-tls-parameters) below for details. - - - -### Loadbalancer Type Https Auto Cert - - DNS records will be managed by Volterra.. - -`add_hsts` - (Optional) Add HTTP Strict-Transport-Security response header (`Bool`). - -`http_redirect` - (Optional) Redirect HTTP traffic to HTTPS (`Bool`). - -`tls_config` - (Optional) TLS Configuration Parameters. 
See [Https Auto Cert Tls Config ](#https-auto-cert-tls-config) below for details. - - - -### Logging Options Client Log Options - - Client request headers to log. - -`header_list` - (Optional) List of headers (`String`). - - - -### Logging Options Origin Log Options - - Origin response headers to log. - -`header_list` - (Optional) List of headers (`String`). - - - -### Malicious User Detection Choice Disable Malicious User Detection - - Disable malicious user detection for this distribution. - - - -### Malicious User Detection Choice Enable Malicious User Detection - - Enable malicious user detection for all requests in this distribution. - - - -### Malicious User Detection Choice Malicious User Detection On Cache Miss - - Enable malicious user detection only on cache miss in this distribution. - - - -### Malicious User Mitigation Choice Default Mitigation Settings - - For high level, users will be temporarily blocked.. - - - -### Match Check Not Present - - Check that the cookie is not present.. - - - -### Match Check Present - - Check that the cookie is present.. - - - -### Match Item - - Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. - -`exact_values` - (Optional) A list of exact values to match the input against. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - -`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - - - -### Max Age Ignore Max Age - - Ignore max age attribute. - - - -### Max Session Keys Type Default Session Key Caching - - Default session key caching. Only one session key will be cached.. - - - -### Max Session Keys Type Disable Session Key Caching - - Disable session key caching. This will disable TLS session resumption.. - - - -### Method Choice Method Get - - x-displayName: "GET". 
- - - -### Method Choice Method Post - - x-displayName: "POST". - - - -### Mitigation Action Block - - Block user for a duration determined by the expiration time. - - - -### Mitigation Choice Ddos Client Source - - Combination of Region, ASN and TLS Fingerprints. - -`asn_list` - (Optional) The ASN is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.. See [Ddos Client Source Asn List ](#ddos-client-source-asn-list) below for details. - -`country_list` - (Optional) Sources that are located in one of the countries in the given list (`List of Strings`). - -`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Ddos Client Source Tls Fingerprint Matcher ](#ddos-client-source-tls-fingerprint-matcher) below for details. - - - -### Mitigation Choice Ip Prefix List - - IPv4 prefix string.. - -`invert_match` - (Optional) Invert the match result. (`Bool`). - -`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). - - - -### Mobile Identifier Headers - - Headers that can be used to identify mobile traffic.. - - - -###### One of the arguments from this list "check_present, check_not_present, item" must be set - -`check_not_present` - (Optional) Check that the header is not present. (`Bool`). - - -`check_present` - (Optional) Check that the header is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`name` - (Required) A case-insensitive HTTP header name. (`String`). - - - -### Mobile Sdk Choice Disable Mobile Sdk - - Disable Mobile SDK.. - - - -### Mobile Sdk Choice Mobile Sdk Config - - Enable Mobile SDK Configuration. - -`mobile_identifier` - (Optional) Mobile Request Identifier Headers Type.. 
See [Mobile Sdk Config Mobile Identifier ](#mobile-sdk-config-mobile-identifier) below for details. - - - -### Mobile Sdk Choice Mobile Sdk Config - - Mobile SDK configuration. - -`mobile_identifier` - (Optional) Mobile traffic identifier type.. See [Mobile Sdk Config Mobile Identifier ](#mobile-sdk-config-mobile-identifier) below for details. - -`reload_header_name` - (Optional) Header that is used for SDK configuration sync. (`String`).(Deprecated) - - - -### Mobile Sdk Config Mobile Identifier - - Mobile traffic identifier type.. - -`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Mobile Identifier Headers ](#mobile-identifier-headers) below for details. - - - -### More Option Cache Options - - Cache Options. - -`cache_rules` - (Optional) Rules are evaluated in the order in which they are specified. The evaluation stops when the first rule match occurs.. See [Cache Options Cache Rules ](#cache-options-cache-rules) below for details. - -`default_cache_action` - (Required) Default value for Cache action.. See [Cache Options Default Cache Action ](#cache-options-default-cache-action) below for details. - - - -### More Option Cache Ttl Options - - Cache Options. - - - - -###### One of the arguments from this list "cache_ttl_default, cache_ttl_override, cache_disabled" can be set - -`cache_disabled` - (Optional) Disable Caching of content from the origin (`Bool`). - - -`cache_ttl_default` - (Optional) Cache TTL value to use when the origin does not provide one (`String`). - - -`cache_ttl_override` - (Optional) Override the Cache TTL directive in the response from the origin (`String`). - - - - -### More Option Header Options - - Request/Response header related options. - -`request_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [Header Options Request Headers To Add ](#header-options-request-headers-to-add) below for details. 
- -`request_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP request being sent towards upstream. (`String`). - -`response_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [Header Options Response Headers To Add ](#header-options-response-headers-to-add) below for details. - -`response_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP response being sent towards downstream. (`String`). - - - -### More Option Logging Options - - Logging related options. - -`client_log_options` - (Optional) Client request headers to log. See [Logging Options Client Log Options ](#logging-options-client-log-options) below for details. - -`origin_log_options` - (Optional) Origin response headers to log. See [Logging Options Origin Log Options ](#logging-options-origin-log-options) below for details. - - - -### More Option Security Options - - Security related options. - -`api_protection` - (Optional) x-displayName: "API Protection". See [Security Options Api Protection ](#security-options-api-protection) below for details. - -`auth_options` - (Optional) Authentication Options. See [Security Options Auth Options ](#security-options-auth-options) below for details. - -`common_security_controls` - (Optional) x-displayName: "Common Security Controls". See [Security Options Common Security Controls ](#security-options-common-security-controls) below for details. - -`geo_filtering` - (Optional) Geo filtering options. See [Security Options Geo Filtering ](#security-options-geo-filtering) below for details. - -`ip_filtering` - (Optional) IP filtering options. See [Security Options Ip Filtering ](#security-options-ip-filtering) below for details. - -`web_app_firewall` - (Optional) Web Application Firewall. See [Security Options Web App Firewall ](#security-options-web-app-firewall) below for details. 
- - - -### Mtls Choice No Mtls - - x-displayName: "Disable". - - - -### Mtls Choice Use Mtls - - x-displayName: "Upload a client authentication certificate specifically for this Origin Pool". - -`tls_certificates` - (Required) mTLS Client Certificate. See [Use Mtls Tls Certificates ](#use-mtls-tls-certificates) below for details. - - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. - -`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). - - - -### Ocsp Stapling Choice Disable Ocsp Stapling - - This is the default behavior if no choice is selected.. - - - -### Ocsp Stapling Choice Use System Defaults - - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. - - - -### Open Api Validation Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Open Api Validation Rules Validation Mode - - When a validation mismatch occurs on a request to one of the endpoints listed on the OpenAPI specification file (a.k.a. swagger). - - - -###### One of the arguments from this list "skip_response_validation, response_validation_mode_active" must be set - -`response_validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Response Validation Mode Choice Response Validation Mode Active ](#response-validation-mode-choice-response-validation-mode-active) below for details. 
- - -`skip_response_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). - - - - -###### One of the arguments from this list "validation_mode_active, skip_validation" must be set - -`skip_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). - - -`validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Validation Mode Choice Validation Mode Active ](#validation-mode-choice-validation-mode-active) below for details. - - - - -### Origin Pool More Origin Options - - x-displayName: "Advanced Configuration". - -`disable_byte_range_request` - (Optional) Choice to enable/disable origin byte range requrests towards origin (`Bool`). - -`websocket_proxy` - (Optional) Option to enable proxying of websocket connections to the origin server (`Bool`). - - - -### Origin Pool Origin Servers - - List of original servers. - - - -###### One of the arguments from this list "public_ip, public_name" must be set - -`public_ip` - (Optional) Specify origin server with public IP. See [Choice Public Ip ](#choice-public-ip) below for details. - - -`public_name` - (Optional) Specify origin server with public DNS name. See [Choice Public Name ](#choice-public-name) below for details. - - -`port` - (Optional) Port the workload can be reached on (`Int`). - - - -### Origin Pool Public Name - - The DNS name to be used as the host header for the request to the origin server. - -`dns_name` - (Required) DNS Name (`String`). - -`refresh_interval` - (Optional) Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767 (`Int`). - - - -### Other Settings Geo Filtering - - Geo filtering options. - - - - -###### One of the arguments from this list "allow_list, block_list" can be set - -`allow_list` - (Optional) Allow list of countries. See [Geo Filtering Type Allow List ](#geo-filtering-type-allow-list) below for details. - - -`block_list` - (Optional) Block list of countries. 
See [Geo Filtering Type Block List ](#geo-filtering-type-block-list) below for details. - - - - -### Other Settings Header Options - - Request/Response header related options. - -`request_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [Header Options Request Headers To Add ](#header-options-request-headers-to-add) below for details. - -`request_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP request being sent towards upstream. (`String`). - -`response_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [Header Options Response Headers To Add ](#header-options-response-headers-to-add) below for details. - -`response_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP response being sent towards downstream. (`String`). - - - -### Other Settings Ip Filtering - - IP filtering options. - - - - -###### One of the arguments from this list "allow_list, block_list" can be set - -`allow_list` - (Optional) Allow list of ip prefixes. See [Ip Filtering Type Allow List ](#ip-filtering-type-allow-list) below for details. - - -`block_list` - (Optional) Block list of ip prefixes. See [Ip Filtering Type Block List ](#ip-filtering-type-block-list) below for details. - - - - -### Other Settings Logging Options - - Logging related options. - -`client_log_options` - (Optional) Client request headers to log. See [Logging Options Client Log Options ](#logging-options-client-log-options) below for details. - -`origin_log_options` - (Optional) Origin response headers to log. See [Logging Options Origin Log Options ](#logging-options-origin-log-options) below for details. - - - -### Oversized Body Choice Oversized Body Fail Validation - - Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb). 
- - - -### Oversized Body Choice Oversized Body Skip Validation - - Skip body validation when the body length is too long to verify (default 64Kb). - - - -### Path Choice Any Path - - Match all paths. - - - -### Path Match Operator - - A specification of path match. - - - - -###### One of the arguments from this list "MatchRegex, Equals, DoesNotEqual, DoesNotContain, Startswith, Contains, DoesNotStartWith, Endswith, DoesNotEndWith" can be set - -`Contains` - (Optional) Field must contain (`String`). - - -`DoesNotContain` - (Optional) Field must not contain (`String`). - - -`DoesNotEndWith` - (Optional) Field must not end with (`String`). - - -`DoesNotEqual` - (Optional) Field must not equal (`String`). - - -`DoesNotStartWith` - (Optional) Field must not start with (`String`). - - -`Endswith` - (Optional) Field must end with (`String`). - - -`Equals` - (Optional) Field must exactly match (`String`). - - -`MatchRegex` - (Optional) Field matches regular expression (`String`). - - -`Startswith` - (Optional) Field must start with (`String`). - - - - -### Policy Protected App Endpoints - - List of protected application endpoints (max 128 items).. - - - -###### One of the arguments from this list "web_mobile, web, mobile" must be set - -`mobile` - (Optional) Mobile traffic channel. (`Bool`). - - -`web` - (Optional) Web traffic channel. (`Bool`). - - -`web_mobile` - (Optional) Web and mobile traffic channel.. See [App Traffic Type Choice Web Mobile ](#app-traffic-type-choice-web-mobile) below for details. - - - - - -###### One of the arguments from this list "any_domain, domain" can be set - -`any_domain` - (Optional) Any Domain. (`Bool`). - - -`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - - - - -###### One of the arguments from this list "undefined_flow_label, flow_label" must be set - -`flow_label` - (Optional) x-displayName: "Specify Endpoint label category". 
See [Flow Label Choice Flow Label ](#flow-label-choice-flow-label) below for details. - - -`undefined_flow_label` - (Optional) x-displayName: "Undefined" (`Bool`). - - - - -###### One of the arguments from this list "allow_good_bots, mitigate_good_bots" must be set - -`allow_good_bots` - (Optional) System flags Good Bot traffic and allow it to continue to the origin (`Bool`). - - -`mitigate_good_bots` - (Optional) System flags Good Bot Traffic, but mitigation is handled in the same manner as malicious automated traffic defined above (`Bool`). - - -`http_methods` - (Required) List of HTTP methods. (`List of Strings`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Protected App Endpoints Metadata ](#protected-app-endpoints-metadata) below for details. - -`mitigation` - (Required) Mitigation action.. See [Protected App Endpoints Mitigation ](#protected-app-endpoints-mitigation) below for details. - -`path` - (Required) Matching URI path of the route.. See [Protected App Endpoints Path ](#protected-app-endpoints-path) below for details. - -`protocol` - (Optional) Protocol. (`String`). - - - -### Policy Protected App Endpoints - - List of protected endpoints (max 128 items). - - - -###### One of the arguments from this list "web_client, mobile_client, web_mobile_client" must be set - -`mobile_client` - (Optional) Mobile traffic channel. (`Bool`). - - -`web_client` - (Optional) Web traffic channel. (`Bool`). - - -`web_mobile_client` - (Optional) Web and mobile traffic channel.. See [App Traffic Type Choice Web Mobile Client ](#app-traffic-type-choice-web-mobile-client) below for details. - - - - - -###### One of the arguments from this list "domain, any_domain" can be set - -`any_domain` - (Optional) Any Domain (`Bool`). - - -`domain` - (Optional) Select Domain matcher. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. 
- - - - - -###### One of the arguments from this list "undefined_flow_label, flow_label" can be set - -`flow_label` - (Optional) x-displayName: "Specify endpoint label category". See [Flow Label Choice Flow Label ](#flow-label-choice-flow-label) below for details. - - -`undefined_flow_label` - (Optional) x-displayName: "Undefined" (`Bool`). - - -`http_methods` - (Required) List of HTTP methods. (`List of Strings`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Protected App Endpoints Metadata ](#protected-app-endpoints-metadata) below for details. - -`path` - (Required) Accepts wildcards * to match multiple characters or ? to match a single character. See [Protected App Endpoints Path ](#protected-app-endpoints-path) below for details. - -`query` - (Optional) Enter a regular expression or exact value to match your query parameters of interest. See [Protected App Endpoints Query ](#protected-app-endpoints-query) below for details. - -`request_body` - (Optional) Request Body. See [Protected App Endpoints Request Body ](#protected-app-endpoints-request-body) below for details. - - - -### Policy Based Challenge Rule List - - list challenge rules to be used in policy based challenge. - -`rules` - (Optional) these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions. See [Rule List Rules ](#rule-list-rules) below for details. - - - -### Policy Choice No Policies - - Do not apply additional rate limiter policies.. - - - -### Policy Choice Policies - - to the action configured in the rule. If there's no match, the rate limiting configuration for the HTTP load balancer is honored.. - -`policies` - (Required) Ordered list of rate limiter policies.. See [ref](#ref) below for details. - - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
- -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Property Validation Settings Choice Property Validation Settings Custom - - Use custom settings with Open API specification validation. - -`headers` - (Optional) Custom settings for headers validation. See [Property Validation Settings Custom Headers ](#property-validation-settings-custom-headers) below for details.(Deprecated) - -`queryParameters` - (Optional) Custom settings for query parameters validation. See [Property Validation Settings Custom QueryParameters ](#property-validation-settings-custom-queryParameters) below for details. - - - -### Property Validation Settings Choice Property Validation Settings Default - - Keep the default settings of OpenAPI specification validation. - - - -### Property Validation Settings Custom Headers - - Custom settings for headers validation. - - - -###### One of the arguments from this list "allow_additional_headers, disallow_additional_headers" must be set - -`allow_additional_headers` - (Optional) Allow extra headers (on top of what specified in the OAS documentation) (`Bool`). - - -`disallow_additional_headers` - (Optional) Disallow extra headers (on top of what specified in the OAS documentation) (`Bool`). - - - - -### Property Validation Settings Custom QueryParameters - - Custom settings for query parameters validation. - - - -###### One of the arguments from this list "allow_additional_parameters, disallow_additional_parameters" must be set - -`allow_additional_parameters` - (Optional) Allow extra query parameters (on top of what specified in the OAS documentation) (`Bool`). 
- - -`disallow_additional_parameters` - (Optional) Disallow extra query parameters (on top of what specified in the OAS documentation) (`Bool`). - - - - -### Protected App Endpoints Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Protected App Endpoints Mitigation - - Mitigation action.. - - - - -###### One of the arguments from this list "redirect, flag, none, block" can be set - -`block` - (Optional) Block bot request and send response with custom content.. See [Action Type Block ](#action-type-block) below for details. - - -`flag` - (Optional) Flag the request while not taking any invasive actions.. See [Action Type Flag ](#action-type-flag) below for details. - - -`none` - (Optional) No mitigation actions. (`Bool`).(Deprecated) - - -`redirect` - (Optional) Redirect bot request to a custom URI.. See [Action Type Redirect ](#action-type-redirect) below for details. - - - - -### Protected App Endpoints Path - - Matching URI path of the route.. - - - -###### One of the arguments from this list "prefix, path, regex" must be set - -`path` - (Optional) Exact path value to match (`String`). - - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - - - - -### Protected App Endpoints Query - - Enter a regular expression or exact value to match your query parameters of interest. - -`name` - (Optional) Enter query parameter name (`String`). 
- - - -###### One of the arguments from this list "exact_value, regex_value, check_presence" must be set - -`check_presence` - (Optional) Parameter name taken which is exist in the query parameter (`Bool`). - - -`exact_value` - (Optional) Exact query value to match (`String`). - - -`regex_value` - (Optional) Regular expression of query match (e.g. the value .* will match on all query) (`String`). - - - - -### Protected App Endpoints Request Body - - Request Body. - -`name` - (Optional) Enter request body parameter name (`String`). - - - -###### One of the arguments from this list "exact_value, regex_value" must be set - -`exact_value` - (Optional) Exact query value to match (`String`). - - -`regex_value` - (Optional) Regular expression of query match (e.g. the value .* will match on all query) (`String`). - - - - -### Query Parameters Operator - - . - - - - -###### One of the arguments from this list "Startswith, MatchRegex, Equals, DoesNotEqual, DoesNotContain, DoesNotEndWith, Contains, DoesNotStartWith, Endswith" can be set - -`Contains` - (Optional) Field must contain (`String`). - - -`DoesNotContain` - (Optional) Field must not contain (`String`). - - -`DoesNotEndWith` - (Optional) Field must not end with (`String`). - - -`DoesNotEqual` - (Optional) Field must not equal (`String`). - - -`DoesNotStartWith` - (Optional) Field must not start with (`String`). - - -`Endswith` - (Optional) Field must end with (`String`). - - -`Equals` - (Optional) Field must exactly match (`String`). - - -`MatchRegex` - (Optional) Field matches regular expression (`String`). - - -`Startswith` - (Optional) Field must start with (`String`). - - - - -### Rate Limit Rate Limiter - - Requests to the virtual_host are rate limited based on the parameters specified in the rate_limiter.. - -`burst_multiplier` - (Optional) The maximum burst of requests to accommodate, expressed as a multiple of the rate. (`Int`). 
- -`total_number` - (Required) The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. (`Int`). - -`unit` - (Required) Unit for the period per which the rate limit is applied. (`String`). - - - -### Rate Limit Choice Api Rate Limit - - Define rate limiting for one or more API endpoints. - -`api_endpoint_rules` - (Optional) For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. See [Api Rate Limit Api Endpoint Rules ](#api-rate-limit-api-endpoint-rules) below for details. - - - -###### One of the arguments from this list "no_ip_allowed_list, ip_allowed_list, custom_ip_allowed_list, bypass_rate_limiting_rules" must be set - -`bypass_rate_limiting_rules` - (Optional) This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. See [Ip Allowed List Choice Bypass Rate Limiting Rules ](#ip-allowed-list-choice-bypass-rate-limiting-rules) below for details. - - -`custom_ip_allowed_list` - (Optional) IP Allowed list using existing ip_prefix_set objects.. See [Ip Allowed List Choice Custom Ip Allowed List ](#ip-allowed-list-choice-custom-ip-allowed-list) below for details. - - -`ip_allowed_list` - (Optional) List of IP(s) for which rate limiting will be disabled.. See [Ip Allowed List Choice Ip Allowed List ](#ip-allowed-list-choice-ip-allowed-list) below for details. - - -`no_ip_allowed_list` - (Optional) There is no ip allowed list for rate limiting, all clients go through rate limiting. (`Bool`). - - -`server_url_rules` - (Optional) For matching also specific endpoints you can use the API endpoint rules set bellow.. See [Api Rate Limit Server Url Rules ](#api-rate-limit-server-url-rules) below for details. - - - -### Rate Limit Choice Disable Rate Limit - - Rate limiting is not currently enabled for this load balancer. - - - -### Rate Limit Choice Rate Limit - - Define custom rate limiting parameters for this load balancer. 
- - - -###### One of the arguments from this list "custom_ip_allowed_list, no_ip_allowed_list, ip_allowed_list" must be set - -`custom_ip_allowed_list` - (Optional) IP Allowed list using existing ip_prefix_set objects.. See [Ip Allowed List Choice Custom Ip Allowed List ](#ip-allowed-list-choice-custom-ip-allowed-list) below for details. - - -`ip_allowed_list` - (Optional) List of IP(s) for which rate limiting will be disabled.. See [Ip Allowed List Choice Ip Allowed List ](#ip-allowed-list-choice-ip-allowed-list) below for details. - - -`no_ip_allowed_list` - (Optional) There is no ip allowed list for rate limiting, all clients go through rate limiting. (`Bool`). - - - - -###### One of the arguments from this list "no_policies, policies" must be set - -`no_policies` - (Optional) Do not apply additional rate limiter policies. (`Bool`). - - -`policies` - (Optional) to the action configured in the rule. If there's no match, the rate limiting configuration for the HTTP load balancer is honored.. See [Policy Choice Policies ](#policy-choice-policies) below for details. - - -`rate_limiter` - (Optional) Requests to the virtual_host are rate limited based on the parameters specified in the rate_limiter.. See [Rate Limit Rate Limiter ](#rate-limit-rate-limiter) below for details. - - - -### Rate Limiter Choice Inline Rate Limiter - - Specify rate values for the rule.. - - - -###### One of the arguments from this list "use_http_lb_user_id, ref_user_id" must be set - -`ref_user_id` - (Optional) The rules in the user_identification object are evaluated to determine the user identifier to be rate limited.. See [ref](#ref) below for details. - - -`use_http_lb_user_id` - (Optional) Defined in HTTP-LB Security Configuration -> User Identifier. (`Bool`). - - -`threshold` - (Required) The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. (`Int`). - -`unit` - (Required) Unit for the period per which the rate limit is applied. 
(`String`). - - - -### Ref - - -Reference to another volterra object is shown like below - -name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - -namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). - -tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). - - - -### Request Matcher Cookie Matchers - - Note that all specified cookie matcher predicates must evaluate to true.. - -`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). - - - -###### One of the arguments from this list "check_present, check_not_present, item, presence" must be set - -`check_not_present` - (Optional) Check that the cookie is not present. (`Bool`). - - -`check_present` - (Optional) Check that the cookie is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the cookie is present or absent. (`Bool`).(Deprecated) - - -`name` - (Required) A case-sensitive cookie name. (`String`). - - - -### Request Matcher Headers - - Note that all specified header predicates must evaluate to true.. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - - - -###### One of the arguments from this list "check_not_present, item, presence, check_present" must be set - -`check_not_present` - (Optional) Check that the header is not present. (`Bool`). - - -`check_present` - (Optional) Check that the header is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the header is present or absent. 
(`Bool`).(Deprecated) - - -`name` - (Required) A case-insensitive HTTP header name. (`String`). - - - -### Request Matcher Jwt Claims - - Note that this feature only works on LBs with JWT Validation feature enabled.. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - - - -###### One of the arguments from this list "check_not_present, item, check_present" must be set - -`check_not_present` - (Optional) Check that the JWT Claim is not present. (`Bool`). - - -`check_present` - (Optional) Check that the JWT Claim is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the JWT Claim. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`name` - (Required) JWT claim name. (`String`). - - - -### Request Matcher Query Params - - Note that all specified query parameter predicates must evaluate to true.. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`key` - (Required) A case-sensitive HTTP query parameter name. (`String`). - - - -###### One of the arguments from this list "presence, check_present, check_not_present, item" must be set - -`check_not_present` - (Optional) Check that the query parameter is not present. (`Bool`). - - -`check_present` - (Optional) Check that the query parameter is present. (`Bool`). - - -`item` - (Optional) criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the query parameter is present or absent. (`Bool`).(Deprecated) - - - - -### Request Timeout Choice Disable Request Timeout - - x-displayName: "No Timeout". - - - -### Response Validation Mode Choice Response Validation Mode Active - - Enforce OpenAPI validation processing for this event. - -`response_validation_properties` - (Required) List of properties of the response to validate according to the OpenAPI specification file (a.k.a. swagger) (`List of Strings`). 
- - - -###### One of the arguments from this list "enforcement_report, enforcement_block" must be set - -`enforcement_block` - (Optional) Block the response, trigger an API security event (`Bool`). - - -`enforcement_report` - (Optional) Allow the response, trigger an API security event (`Bool`). - - - - -### Response Validation Mode Choice Skip Response Validation - - Skip OpenAPI validation processing for this event. - - - -### Rule Expression List Cache Rule Expression - - The Cache Rule Expression Terms that are ANDed. - -`cache_headers` - (Optional) Configure cache rule headers to match the criteria. See [Cache Rule Expression Cache Headers ](#cache-rule-expression-cache-headers) below for details. - -`cookie_matcher` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Cache Rule Expression Cookie Matcher ](#cache-rule-expression-cookie-matcher) below for details. - -`path_match` - (Optional) URI path of route. See [Cache Rule Expression Path Match ](#cache-rule-expression-path-match) below for details. - -`query_parameters` - (Optional) List of (key, value) query parameters. See [Cache Rule Expression Query Parameters ](#cache-rule-expression-query-parameters) below for details. - - - -### Rule List Rules - - these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions. - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. - -`spec` - (Required) Specification for the rule including match predicates and actions.. See [Rules Spec ](#rules-spec) below for details. - - - -### Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. 
(`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Rules Path - - URI path matcher.. - - - -###### One of the arguments from this list "prefix, path, regex" must be set - -`path` - (Optional) Exact path value to match (`String`). - - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - - - - -### Rules Spec - - Specification for the rule including match predicates and actions.. - -`arg_matchers` - (Optional)arg_matchers. See [Spec Arg Matchers ](#spec-arg-matchers) below for details. - - - - -###### One of the arguments from this list "asn_list, asn_matcher, any_asn" can be set - -`any_asn` - (Optional)any_asn (`Bool`). - - -`asn_list` - (Optional)asn_list. See [Asn Choice Asn List ](#asn-choice-asn-list) below for details. - - -`asn_matcher` - (Optional)asn_matcher. See [Asn Choice Asn Matcher ](#asn-choice-asn-matcher) below for details. - - -`body_matcher` - (Optional)body_matcher. See [Spec Body Matcher ](#spec-body-matcher) below for details. - - - -###### One of the arguments from this list "disable_challenge, enable_javascript_challenge, enable_captcha_challenge" must be set - -`disable_challenge` - (Optional) Disable the challenge type selected in PolicyBasedChallenge (`Bool`). - - -`enable_captcha_challenge` - (Optional) Enable captcha challenge (`Bool`). - - -`enable_javascript_challenge` - (Optional) Enable javascript challenge (`Bool`). - - - - - -###### One of the arguments from this list "any_client, client_name, client_selector, client_name_matcher" can be set - -`any_client` - (Optional)any_client (`Bool`). - - -`client_name` - (Optional)client_name (`String`).(Deprecated) - - -`client_name_matcher` - (Optional)client_name_matcher. 
See [Client Choice Client Name Matcher ](#client-choice-client-name-matcher) below for details.(Deprecated) - - -`client_selector` - (Optional)client_selector. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - - -`cookie_matchers` - (Optional)cookie_matchers. See [Spec Cookie Matchers ](#spec-cookie-matchers) below for details. - -`domain_matcher` - (Optional)domain_matcher. See [Spec Domain Matcher ](#spec-domain-matcher) below for details. - -`expiration_timestamp` - (Optional)expiration_timestamp (`String`). - -`headers` - (Optional)headers. See [Spec Headers ](#spec-headers) below for details. - -`http_method` - (Optional)http_method. See [Spec Http Method ](#spec-http-method) below for details. - - - - -###### One of the arguments from this list "any_ip, ip_prefix_list, ip_matcher" can be set - -`any_ip` - (Optional)any_ip (`Bool`). - - -`ip_matcher` - (Optional)ip_matcher. See [Ip Choice Ip Matcher ](#ip-choice-ip-matcher) below for details. - - -`ip_prefix_list` - (Optional)ip_prefix_list. See [Ip Choice Ip Prefix List ](#ip-choice-ip-prefix-list) below for details. - - -`path` - (Optional)path. See [Spec Path ](#spec-path) below for details. - -`query_params` - (Optional)query_params. See [Spec Query Params ](#spec-query-params) below for details. - -`tls_fingerprint_matcher` - (Optional)tls_fingerprint_matcher. See [Spec Tls Fingerprint Matcher ](#spec-tls-fingerprint-matcher) below for details. - - - -### Samesite Ignore Samesite - - Ignore Samesite attribute. - - - -### Samesite Samesite Lax - - Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests. - - - -### Samesite Samesite None - - Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests. - - - -### Samesite Samesite Strict - - Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests. 
- - - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. - -`provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - -`url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). - - - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. - -`key` - (Optional) If not provided entire secret will be returned. (`String`). - -`location` - (Required) Path to secret in Vault. (`String`). - -`provider` - (Required) Name of the Secret Management Access object that contains information about the backend Vault. (`String`). - -`secret_encoding` - (Optional) This field defines the encoding type of the secret BEFORE the secret is put into Hashicorp Vault. (`String`). - -`version` - (Optional) If not provided latest version will be returned. (`Int`). - - - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. - -`name` - (Required) Name of the secret. (`String`). - - - -### Secret Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
- -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Secret Value Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Secure Add Secure - - x-displayName: "Add". - - - -### Secure Ignore Secure - - x-displayName: "Ignore". - - - -### Security Options Api Protection - - x-displayName: "API Protection". - - - -###### One of the arguments from this list "disable_api_definition, api_specification, api_specification_on_cache_miss" must be set - -`api_specification` - (Optional) Specify API definition and OpenAPI Validation. See [Api Definition Choice Api Specification ](#api-definition-choice-api-specification) below for details. - - -`api_specification_on_cache_miss` - (Optional) Enable API definition and OpenAPI Validation only on cache miss in this distribution. See [Api Definition Choice Api Specification On Cache Miss ](#api-definition-choice-api-specification-on-cache-miss) below for details.(Deprecated) - - -`disable_api_definition` - (Optional) API Definition is not currently used for this load balancer (`Bool`). - - - - -###### One of the arguments from this list "enable_api_discovery, disable_api_discovery, api_discovery_on_cache_miss" must be set - -`api_discovery_on_cache_miss` - (Optional) Enable api discovery only on cache miss in this distribution. 
See [Api Discovery Choice Api Discovery On Cache Miss ](#api-discovery-choice-api-discovery-on-cache-miss) below for details.(Deprecated) - - -`disable_api_discovery` - (Optional) Disable api discovery for this distribution (`Bool`). - - -`enable_api_discovery` - (Optional) Enable api discovery for all requests in this distribution. See [Api Discovery Choice Enable Api Discovery ](#api-discovery-choice-enable-api-discovery) below for details. - - -`api_protection_rules` - (Optional) Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. See [Api Protection Api Protection Rules ](#api-protection-api-protection-rules) below for details. - -`jwt_validation` - (Optional) tokens or tokens that are not yet valid.. See [Api Protection Jwt Validation ](#api-protection-jwt-validation) below for details. - - - -###### One of the arguments from this list "default_sensitive_data_policy, sensitive_data_policy" must be set - -`default_sensitive_data_policy` - (Optional) Apply system default sensitive data discovery (`Bool`). - - -`sensitive_data_policy` - (Optional) Apply custom sensitive data discovery. See [Sensitive Data Policy Choice Sensitive Data Policy ](#sensitive-data-policy-choice-sensitive-data-policy) below for details. - - - - -### Security Options Auth Options - - Authentication Options. - - - - -###### One of the arguments from this list "disable_auth, jwt, custom" can be set - -`custom` - (Optional) Enable Custom Authentication. See [Auth Options Custom ](#auth-options-custom) below for details. - - -`disable_auth` - (Optional) No Authentication (`Bool`). - - -`jwt` - (Optional) Enable JWT Authentication. See [Auth Options Jwt ](#auth-options-jwt) below for details. - - - - -### Security Options Common Security Controls - - x-displayName: "Common Security Controls". - -`blocked_clients` - (Optional) Define rules to block IP Prefixes or AS numbers.. 
See [Common Security Controls Blocked Clients ](#common-security-controls-blocked-clients) below for details. - - - -###### One of the arguments from this list "no_challenge, enable_challenge, challenge_on_cache_miss, js_challenge, captcha_challenge, policy_based_challenge" must be set - -`captcha_challenge` - (Optional) Configure Captcha challenge on this load balancer. See [Challenge Type Captcha Challenge ](#challenge-type-captcha-challenge) below for details. - - -`challenge_on_cache_miss` - (Optional) Configure auto mitigation i.e risk based challenges for malicious users only on cache miss in this load balancer. See [Challenge Type Challenge On Cache Miss ](#challenge-type-challenge-on-cache-miss) below for details.(Deprecated) - - -`enable_challenge` - (Optional) Configure auto mitigation i.e risk based challenges for malicious users for this load balancer. See [Challenge Type Enable Challenge ](#challenge-type-enable-challenge) below for details. - - -`js_challenge` - (Optional) Configure JavaScript challenge on this load balancer. See [Challenge Type Js Challenge ](#challenge-type-js-challenge) below for details. - - -`no_challenge` - (Optional) No challenge is enabled for this load balancer (`Bool`). - - -`policy_based_challenge` - (Optional) Specifies the settings for policy rule based challenge. See [Challenge Type Policy Based Challenge ](#challenge-type-policy-based-challenge) below for details. - - -`cors_policy` - (Optional) resources from a server at a different origin. See [Common Security Controls Cors Policy ](#common-security-controls-cors-policy) below for details. - - - - -###### One of the arguments from this list "disable_ip_reputation, enable_ip_reputation, ip_reputation_on_cache_miss" can be set - -`disable_ip_reputation` - (Optional) No IP reputation configured this distribution (`Bool`). - - -`enable_ip_reputation` - (Optional) Enable IP reputation for all requests in this distribution. 
See [Ip Reputation Choice Enable Ip Reputation ](#ip-reputation-choice-enable-ip-reputation) below for details. - - -`ip_reputation_on_cache_miss` - (Optional) Enable IP reputation only on cache miss in this distribution. See [Ip Reputation Choice Ip Reputation On Cache Miss ](#ip-reputation-choice-ip-reputation-on-cache-miss) below for details.(Deprecated) - - - - -###### One of the arguments from this list "disable_malicious_user_detection, enable_malicious_user_detection, malicious_user_detection_on_cache_miss" must be set - -`disable_malicious_user_detection` - (Optional) Disable malicious user detection for this distribution (`Bool`). - - -`enable_malicious_user_detection` - (Optional) Enable malicious user detection for all requests in this distribution (`Bool`). - - -`malicious_user_detection_on_cache_miss` - (Optional) Enable malicious user detection only on cache miss in this distribution (`Bool`).(Deprecated) - - - - -###### One of the arguments from this list "disable_rate_limit, api_rate_limit, rate_limit" must be set - -`api_rate_limit` - (Optional) Define rate limiting for one or more API endpoints. See [Rate Limit Choice Api Rate Limit ](#rate-limit-choice-api-rate-limit) below for details. - - -`disable_rate_limit` - (Optional) Rate limiting is not currently enabled for this load balancer (`Bool`). - - -`rate_limit` - (Optional) Define custom rate limiting parameters for this load balancer. See [Rate Limit Choice Rate Limit ](#rate-limit-choice-rate-limit) below for details. - - - - -###### One of the arguments from this list "service_policies_from_namespace, no_service_policies, active_service_policies" must be set - -`active_service_policies` - (Optional) Apply the specified list of service policies and bypass the namespace service policy set. See [Service Policy Choice Active Service Policies ](#service-policy-choice-active-service-policies) below for details. - - -`no_service_policies` - (Optional) Do not apply any service policies i.e. 
bypass the namespace service policy set (`Bool`). - - -`service_policies_from_namespace` - (Optional) Apply the active service policies configured as part of the namespace service policy set (`Bool`). - - - - -###### One of the arguments from this list "disable_threat_mesh, enable_threat_mesh" must be set - -`disable_threat_mesh` - (Optional) x-displayName: "Disable" (`Bool`). - - -`enable_threat_mesh` - (Optional) x-displayName: "Enable" (`Bool`). - - -`trusted_clients` - (Optional) Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. See [Common Security Controls Trusted Clients ](#common-security-controls-trusted-clients) below for details. - - - -###### One of the arguments from this list "user_id_client_ip, user_identification" must be set - -`user_id_client_ip` - (Optional) Use the Client IP address as the user identifier. (`Bool`). - - -`user_identification` - (Optional) The rules in the user_identification object are evaluated to determine the user identifier.. See [ref](#ref) below for details. - - - - -### Security Options Geo Filtering - - Geo filtering options. - - - - -###### One of the arguments from this list "allow_list, block_list" can be set - -`allow_list` - (Optional) Allow list of countries. See [Geo Filtering Type Allow List ](#geo-filtering-type-allow-list) below for details. - - -`block_list` - (Optional) Block list of countries. See [Geo Filtering Type Block List ](#geo-filtering-type-block-list) below for details. - - - - -### Security Options Ip Filtering - - IP filtering options. - - - - -###### One of the arguments from this list "allow_list, block_list" can be set - -`allow_list` - (Optional) Allow list of ip prefixes. See [Ip Filtering Type Allow List ](#ip-filtering-type-allow-list) below for details. - - -`block_list` - (Optional) Block list of ip prefixes. See [Ip Filtering Type Block List ](#ip-filtering-type-block-list) below for details. 
- - - - -### Security Options Web App Firewall - - Web Application Firewall. - -`csrf_policy` - (Optional) Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. See [Web App Firewall Csrf Policy ](#web-app-firewall-csrf-policy) below for details. - -`data_guard_rules` - (Optional) Note: App Firewall should be enabled, to use Data Guard feature.. See [Web App Firewall Data Guard Rules ](#web-app-firewall-data-guard-rules) below for details. - -`graphql_rules` - (Optional) queries and prevent GraphQL tailored attacks.. See [Web App Firewall Graphql Rules ](#web-app-firewall-graphql-rules) below for details. - -`protected_cookies` - (Optional) Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. See [Web App Firewall Protected Cookies ](#web-app-firewall-protected-cookies) below for details. - - - -###### One of the arguments from this list "disable_waf, app_firewall, app_firewall_on_cache_miss" must be set - -`app_firewall` - (Optional) Enable WAF configuration for all requests in this distribution. See [ref](#ref) below for details. - - -`app_firewall_on_cache_miss` - (Optional) Enable WAF configuration only on cache miss in this distribution. See [ref](#ref) below for details.(Deprecated) - - -`disable_waf` - (Optional) No WAF configuration for this load balancer (`Bool`). - - -`waf_exclusion_rules` - (Optional) When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. See [Web App Firewall Waf Exclusion Rules ](#web-app-firewall-waf-exclusion-rules) below for details. - - - -### Send Headers Choice Append Headers - - Append mitigation headers.. - -`auto_type_header_name` - (Required) A case-insensitive HTTP header name. (`String`). - -`inference_header_name` - (Required) A case-insensitive HTTP header name. (`String`). 
- - - -### Send Headers Choice No Headers - - No mitigation headers.. - - - -### Sensitive Data Policy Choice Default Sensitive Data Policy - - Apply system default sensitive data discovery. - - - -### Sensitive Data Policy Choice Sensitive Data Policy - - Apply custom sensitive data discovery. - -`sensitive_data_policy_ref` - (Required) Specify Sensitive Data Discovery. See [ref](#ref) below for details. - - - -### Server Url Rules Client Matcher - - Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - - - -###### One of the arguments from this list "any_client, ip_threat_category_list, client_selector" must be set - -`any_client` - (Optional) Any Client (`Bool`). - - -`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - - -`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - - - - -###### One of the arguments from this list "ip_prefix_list, ip_matcher, asn_list, asn_matcher, any_ip" must be set - -`any_ip` - (Optional) Any Source IP (`Bool`). - - -`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. - - -`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. - - -`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. 
- - -`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. - - -`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. - - - -### Server Url Rules Request Matcher - - Conditions related to the request, such as query parameters, headers, etc.. - -`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. - -`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. - -`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. - -`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. - - - -### Server Validation Choice Skip Server Verification - - Skip origin server verification. - - - -### Server Validation Choice Use Server Verification - - Perform origin server verification using the provided Root CA Certificate. - - - -###### One of the arguments from this list "trusted_ca_url, trusted_ca" must be set - -`trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Origin Pool for verification of server's certificate. See [ref](#ref) below for details. 
- - -`trusted_ca_url` - (Optional) Upload a Root CA Certificate specifically for this Origin Pool for verification of server's certificate (`String`). - - - - -### Server Validation Choice Volterra Trusted Ca - - Perform origin server verification using F5XC Default Root CA Certificate. - - - -### Service Policy Choice Active Service Policies - - Apply the specified list of service policies and bypass the namespace service policy set. - -`policies` - (Required) If all policies are evaluated and none match, then the request will be denied by default.. See [ref](#ref) below for details. - - - -### Service Policy Choice No Service Policies - - Do not apply any service policies i.e. bypass the namespace service policy set. - - - -### Service Policy Choice Service Policies From Namespace - - Apply the active service policies configured as part of the namespace service policy set. - - - -### Slow Ddos Mitigation Choice Slow Ddos Mitigation - - Custom Settings for Slow DDoS Mitigation. - -`request_headers_timeout` - (Optional) provides protection against Slowloris attacks. (`Int`). - - - -###### One of the arguments from this list "request_timeout, disable_request_timeout" must be set - -`disable_request_timeout` - (Optional) x-displayName: "No Timeout" (`Bool`). - - -`request_timeout` - (Optional) x-example: "60000" (`Int`). - - - - -### Sni Choice Disable Sni - - Do not use SNI.. - - - -### Sni Choice Use Host Header As Sni - - Use the host header as SNI. The host header value is extracted after any configured rewrites have been applied.. - - - -### Spec Arg Matchers - -arg_matchers. - -`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). - - - -###### One of the arguments from this list "presence, check_present, check_not_present, item" must be set - -`check_not_present` - (Optional) Check that the argument is not present. (`Bool`). - - -`check_present` - (Optional) Check that the argument is present. (`Bool`). 
- - -`item` - (Optional) Criteria for matching the values for the Arg. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the arg is present or absent. (`Bool`).(Deprecated) - - -`name` - (Required) A case-sensitive JSON path in the HTTP request body. (`String`). - - - -### Spec Body Matcher - -body_matcher. - -`exact_values` - (Optional) A list of exact values to match the input against. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - -`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - - - -### Spec Cookie Matchers - -cookie_matchers. - -`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). - - - -###### One of the arguments from this list "presence, check_present, check_not_present, item" must be set - -`check_not_present` - (Optional) Check that the cookie is not present. (`Bool`). - - -`check_present` - (Optional) Check that the cookie is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the cookie is present or absent. (`Bool`).(Deprecated) - - -`name` - (Required) A case-sensitive cookie name. (`String`). - - - -### Spec Domain Matcher - -domain_matcher. - -`exact_values` - (Optional) A list of exact values to match the input against. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - - - -### Spec Headers - -headers. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). 
- - - -###### One of the arguments from this list "check_not_present, item, presence, check_present" must be set - -`check_not_present` - (Optional) Check that the header is not present. (`Bool`). - - -`check_present` - (Optional) Check that the header is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the header is present or absent. (`Bool`).(Deprecated) - - -`name` - (Required) A case-insensitive HTTP header name. (`String`). - - - -### Spec Http Method - -http_method. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`methods` - (Optional) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). - - - -### Spec Path - -path. - -`exact_values` - (Optional) A list of exact path values to match the input HTTP path against. (`String`). - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`prefix_values` - (Optional) A list of path prefix values to match the input HTTP path against. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input HTTP path against. (`String`). - -`suffix_values` - (Optional) A list of path suffix values to match the input HTTP path against. (`String`). - -`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - - - -### Spec Query Params - -query_params. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`key` - (Required) A case-sensitive HTTP query parameter name. (`String`). - - - -###### One of the arguments from this list "item, presence, check_present, check_not_present" must be set - -`check_not_present` - (Optional) Check that the query parameter is not present. (`Bool`). 
- - -`check_present` - (Optional) Check that the query parameter is present. (`Bool`). - - -`item` - (Optional) criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the query parameter is present or absent. (`Bool`).(Deprecated) - - - - -### Spec Tls Fingerprint Matcher - -tls_fingerprint_matcher. - -`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). - -`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). - -`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). - - - -### Target All Endpoint - - Validation will be performed for all requests on this LB. - - - -### Target Api Groups - - Validation will be performed for the endpoints mentioned in the API Groups. - -`api_groups` - (Required) x-required (`String`). - - - -### Target Base Paths - - Validation will be performed for selected path prefixes. - -`base_paths` - (Required) x-required (`String`). - - - -### Temporary Blocking Parameters Choice Default Temporary Blocking Parameters - - Use default parameters. - - - -### Temporary Blocking Parameters Choice Temporary User Blocking - - Specifies configuration for temporary user blocking resulting from malicious user detection. - -`custom_page` - (Optional) E.g. "

Blocked

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - - - -### Threat Mesh Choice Disable Threat Mesh - - x-displayName: "Disable". - - - -### Threat Mesh Choice Enable Threat Mesh - - x-displayName: "Enable". - - - -### Tls Certificates Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Tls Choice No Tls - - Origin servers do not use TLS. - - - -### Tls Choice Use Tls - - Origin servers use TLS. 
- - - -###### One of the arguments from this list "default_session_key_caching, disable_session_key_caching, max_session_keys" must be set - -`default_session_key_caching` - (Optional) Default session key caching. Only one session key will be cached. (`Bool`). - - -`disable_session_key_caching` - (Optional) Disable session key caching. This will disable TLS session resumption. (`Bool`). - - -`max_session_keys` - (Optional) Number of session keys that are cached. (`Int`). - - - - -###### One of the arguments from this list "no_mtls, use_mtls, use_mtls_obj" must be set - -`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - - -`use_mtls` - (Optional) x-displayName: "Upload a client authentication certificate specifically for this Origin Pool". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - - -`use_mtls_obj` - (Optional) x-displayName: "Select/add a TLS Certificate object for client authentication". See [ref](#ref) below for details. - - - - -###### One of the arguments from this list "skip_server_verification, volterra_trusted_ca, use_server_verification" must be set - -`skip_server_verification` - (Optional) Skip origin server verification (`Bool`). - - -`use_server_verification` - (Optional) Perform origin server verification using the provided Root CA Certificate. See [Server Validation Choice Use Server Verification ](#server-validation-choice-use-server-verification) below for details. - - -`volterra_trusted_ca` - (Optional) Perform origin server verification using F5XC Default Root CA Certificate (`Bool`). - - - - -###### One of the arguments from this list "sni, use_host_header_as_sni, disable_sni" must be set - -`disable_sni` - (Optional) Do not use SNI. (`Bool`). - - -`sni` - (Optional) SNI value to be used. (`String`). - - -`use_host_header_as_sni` - (Optional) Use the host header as SNI. The host header value is extracted after any configured rewrites have been applied. (`Bool`). 
- - -`tls_config` - (Required) TLS parameters such as min/max TLS version and ciphers. See [Use Tls Tls Config ](#use-tls-tls-config) below for details. - - - -### Tls Parameters Tls Certificates - - for example, domain.com and *.domain.com - but use different signature algorithms. - -`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). - -`description` - (Optional) Description for the certificate (`String`). - - - - -###### One of the arguments from this list "custom_hash_algorithms, use_system_defaults, disable_ocsp_stapling" can be set - -`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - - -`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - - -`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - - -`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. - - - -### Tls Parameters Tls Config - - TLS Configuration Parameters. 
- - - -###### One of the arguments from this list "tls_12_plus, tls_11_plus" must be set - -`tls_11_plus` - (Optional) TLS v1.1+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). - - -`tls_12_plus` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - - - - -### Token Location Bearer Token - - Token is found in Authorization HTTP header with Bearer authentication scheme. - - - -### Token Source Bearer Token - - Token is found in the Bearer-Token. - - - -### Token Source Cookie - - Token is found in the cookie. - -`name` - (Required) A case-insensitive cookie name. (`String`). - - - -### Token Source Header - - Token is found in the header. - -`name` - (Required) A case-insensitive field header name. (`String`). - - - -### Token Source Query Param - - Token is found in the Query-Param. - -`key` - (Required) A case-sensitive HTTP query parameter name. (`String`). - - - -### Transaction Result Failure Conditions - - Failure Conditions. - -`name` - (Optional) A case-insensitive HTTP header name. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - -`status` - (Required) HTTP Status code (`String`). - - - -### Transaction Result Success Conditions - - Success Conditions. - -`name` - (Optional) A case-insensitive HTTP header name. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - -`status` - (Required) HTTP Status code (`String`). - - - -### Transaction Result Choice Disable Transaction Result - - Disable collection of transaction result.. - - - -### Transaction Result Choice Transaction Result - - Collect transaction result.. - -`failure_conditions` - (Optional) Failure Conditions. See [Transaction Result Failure Conditions ](#transaction-result-failure-conditions) below for details. - -`success_conditions` - (Optional) Success Conditions. 
See [Transaction Result Success Conditions ](#transaction-result-success-conditions) below for details. - - - -### Trusted Clients Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Ttl Options Cache Disabled - - Disable Caching of content from the origin. - - - -### Use Mtls Tls Certificates - - mTLS Client Certificate. - -`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). - -`description` - (Optional) Description for the certificate (`String`). - - - - -###### One of the arguments from this list "custom_hash_algorithms, use_system_defaults, disable_ocsp_stapling" can be set - -`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - - -`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - - -`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - - -`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. 
The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. - - - -### Use Tls Tls Config - - TLS parameters such as min/max TLS version and ciphers. - - - -###### One of the arguments from this list "medium_security, low_security, custom_security, default_security" must be set - -`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - - -`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - - -`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - - -`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). - - - - -### User Id Choice User Id Client Ip - - Use the Client IP address as the user identifier.. - - - -### Validate Period Validate Period Disable - - x-displayName: "Disable". - - - -### Validate Period Validate Period Enable - - x-displayName: "Enable". - - - -### Validation All Spec Endpoints Fall Through Mode - - Determine what to do with unprotected endpoints (not part of the API Inventory or doesn't have a specific rule in custom rules). - - - -###### One of the arguments from this list "fall_through_mode_allow, fall_through_mode_custom" must be set - -`fall_through_mode_allow` - (Optional) Allow any unprotected end point (`Bool`). - - -`fall_through_mode_custom` - (Optional) Custom rules for any unprotected end point. See [Fall Through Mode Choice Fall Through Mode Custom ](#fall-through-mode-choice-fall-through-mode-custom) below for details. - - - - -### Validation All Spec Endpoints Settings - - OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. 
- - - - -###### One of the arguments from this list "fail_open, fail_close" can be set - -`fail_close` - (Optional) Handle the transaction as it failed the OpenAPI specification validation (Block or Report) (`Bool`).(Deprecated) - - -`fail_open` - (Optional) Continue to process the transaction without enforcing OpenAPI specification (Allow) (`Bool`).(Deprecated) - - - - - -###### One of the arguments from this list "oversized_body_skip_validation, oversized_body_fail_validation" can be set - -`oversized_body_fail_validation` - (Optional) Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb) (`Bool`). - - -`oversized_body_skip_validation` - (Optional) Skip body validation when the body length is too long to verify (default 64Kb) (`Bool`). - - - - - -###### One of the arguments from this list "property_validation_settings_default, property_validation_settings_custom" can be set - -`property_validation_settings_custom` - (Optional) Use custom settings with Open API specification validation. See [Property Validation Settings Choice Property Validation Settings Custom ](#property-validation-settings-choice-property-validation-settings-custom) below for details. - - -`property_validation_settings_default` - (Optional) Keep the default settings of OpenAPI specification validation (`Bool`). - - - - -### Validation All Spec Endpoints Validation Mode - - When a validation mismatch occurs on a request to one of the API Inventory endpoints. - - - -###### One of the arguments from this list "skip_response_validation, response_validation_mode_active" must be set - -`response_validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Response Validation Mode Choice Response Validation Mode Active ](#response-validation-mode-choice-response-validation-mode-active) below for details. - - -`skip_response_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). 
- - - - -###### One of the arguments from this list "validation_mode_active, skip_validation" must be set +###### One of the arguments from this list "skip_validation, validation_mode_active" must be set `skip_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). - `validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Validation Mode Choice Validation Mode Active ](#validation-mode-choice-validation-mode-active) below for details. +### Validation Custom List Fall Through Mode - - -### Validation Custom List Fall Through Mode - - Determine what to do with unprotected endpoints (not in the OpenAPI specification file (a.k.a. swagger) or doesn't have a specific rule in custom rules). - - +Determine what to do with unprotected endpoints (not in the OpenAPI specification file (a.k.a. swagger) or doesn't have a specific rule in custom rules). ###### One of the arguments from this list "fall_through_mode_allow, fall_through_mode_custom" must be set `fall_through_mode_allow` - (Optional) Allow any unprotected end point (`Bool`). - `fall_through_mode_custom` - (Optional) Custom rules for any unprotected end point. See [Fall Through Mode Choice Fall Through Mode Custom ](#fall-through-mode-choice-fall-through-mode-custom) below for details. +### Validation Custom List Open Api Validation Rules +x-displayName: "Validation List". - -### Validation Custom List Open Api Validation Rules - - x-displayName: "Validation List". - - - -###### One of the arguments from this list "api_endpoint, base_path, api_group" must be set +###### One of the arguments from this list "api_endpoint, api_group, base_path" must be set `api_endpoint` - (Optional) The API endpoint (Path + Method) which this validation applies to. See [Condition Type Choice Api Endpoint ](#condition-type-choice-api-endpoint) below for details. - `api_group` - (Optional) The API group which this validation applies to (`String`). 
- `base_path` - (Optional) The base path which this validation applies to (`String`). - - - ###### One of the arguments from this list "any_domain, specific_domain" must be set `any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - `specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). - `metadata` - (Required) Common attributes for the rule including name and description.. See [Open Api Validation Rules Metadata ](#open-api-validation-rules-metadata) below for details. -`validation_mode` - (Required) When a validation mismatch occurs on a request to one of the endpoints listed on the OpenAPI specification file (a.k.a. swagger). See [Open Api Validation Rules Validation Mode ](#open-api-validation-rules-validation-mode) below for details. +`validation_mode` - (Required) When a validation mismatch occurs on a request to one of the endpoints listed on the OpenAPI specification file (a.k.a. swagger). See [Open Api Validation Rules Validation Mode ](#open-api-validation-rules-validation-mode) below for details. +### Validation Custom List Settings +OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. -### Validation Custom List Settings - - OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. 
- - - - -###### One of the arguments from this list "fail_open, fail_close" can be set +###### One of the arguments from this list "fail_close, fail_open" can be set `fail_close` - (Optional) Handle the transaction as it failed the OpenAPI specification validation (Block or Report) (`Bool`).(Deprecated) - `fail_open` - (Optional) Continue to process the transaction without enforcing OpenAPI specification (Allow) (`Bool`).(Deprecated) - - - - -###### One of the arguments from this list "oversized_body_skip_validation, oversized_body_fail_validation" can be set +###### One of the arguments from this list "oversized_body_fail_validation, oversized_body_skip_validation" can be set `oversized_body_fail_validation` - (Optional) Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb) (`Bool`). - `oversized_body_skip_validation` - (Optional) Skip body validation when the body length is too long to verify (default 64Kb) (`Bool`). - - - - -###### One of the arguments from this list "property_validation_settings_default, property_validation_settings_custom" can be set +###### One of the arguments from this list "property_validation_settings_custom, property_validation_settings_default" can be set `property_validation_settings_custom` - (Optional) Use custom settings with Open API specification validation. See [Property Validation Settings Choice Property Validation Settings Custom ](#property-validation-settings-choice-property-validation-settings-custom) below for details. - `property_validation_settings_default` - (Optional) Keep the default settings of OpenAPI specification validation (`Bool`). +### Validation Enforcement Type Enforcement Block +Block the response, trigger an API security event. +### Validation Enforcement Type Enforcement Report -### Validation Enforcement Type Enforcement Block - - Block the response, trigger an API security event. 
- - - -### Validation Enforcement Type Enforcement Report - - Allow the response, trigger an API security event. - - - -### Validation Mode Choice Skip Validation +Allow the response, trigger an API security event. - Skip OpenAPI validation processing for this event. +### Validation Mode Choice Skip Validation +Skip OpenAPI validation processing for this event. +### Validation Mode Choice Validation Mode Active -### Validation Mode Choice Validation Mode Active - - Enforce OpenAPI validation processing for this event. +Enforce OpenAPI validation processing for this event. `request_validation_properties` - (Required) List of properties of the request to validate according to the OpenAPI specification file (a.k.a. swagger) (`List of Strings`). - - ###### One of the arguments from this list "enforcement_block, enforcement_report" must be set `enforcement_block` - (Optional) Block the request, trigger an API security event (`Bool`). - `enforcement_report` - (Optional) Allow the request, trigger an API security event (`Bool`). +### Validation Target Choice Validation All Spec Endpoints - - -### Validation Target Choice Validation All Spec Endpoints - - All other API endpoints would proceed according to "Fall Through Mode". +All other API endpoints would proceed according to "Fall Through Mode". `fall_through_mode` - (Required) Determine what to do with unprotected endpoints (not part of the API Inventory or doesn't have a specific rule in custom rules). See [Validation All Spec Endpoints Fall Through Mode ](#validation-all-spec-endpoints-fall-through-mode) below for details. 
- - - -###### One of the arguments from this list "oversized_body_skip_validation, oversized_body_fail_validation" can be set +###### One of the arguments from this list "oversized_body_fail_validation, oversized_body_skip_validation" can be set `oversized_body_fail_validation` - (Optional) Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb) (`Bool`).(Deprecated) - `oversized_body_skip_validation` - (Optional) Skip body validation when the body length is too long to verify (default 64Kb) (`Bool`).(Deprecated) - `settings` - (Optional) OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. See [Validation All Spec Endpoints Settings ](#validation-all-spec-endpoints-settings) below for details. -`validation_mode` - (Required) When a validation mismatch occurs on a request to one of the API Inventory endpoints. See [Validation All Spec Endpoints Validation Mode ](#validation-all-spec-endpoints-validation-mode) below for details. +`validation_mode` - (Required) When a validation mismatch occurs on a request to one of the API Inventory endpoints. See [Validation All Spec Endpoints Validation Mode ](#validation-all-spec-endpoints-validation-mode) below for details. +### Validation Target Choice Validation Custom List - -### Validation Target Choice Validation Custom List - - Any other end-points not listed will act according to "Fall Through Mode". +Any other end-points not listed will act according to "Fall Through Mode". `fall_through_mode` - (Required) Determine what to do with unprotected endpoints (not in the OpenAPI specification file (a.k.a. swagger) or doesn't have a specific rule in custom rules). See [Validation Custom List Fall Through Mode ](#validation-custom-list-fall-through-mode) below for details. `open_api_validation_rules` - (Required) x-displayName: "Validation List". 
See [Validation Custom List Open Api Validation Rules ](#validation-custom-list-open-api-validation-rules) below for details. - - - -###### One of the arguments from this list "oversized_body_skip_validation, oversized_body_fail_validation" can be set +###### One of the arguments from this list "oversized_body_fail_validation, oversized_body_skip_validation" can be set `oversized_body_fail_validation` - (Optional) Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb) (`Bool`).(Deprecated) - `oversized_body_skip_validation` - (Optional) Skip body validation when the body length is too long to verify (default 64Kb) (`Bool`).(Deprecated) - `settings` - (Optional) OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. See [Validation Custom List Settings ](#validation-custom-list-settings) below for details. +### Validation Target Choice Validation Disabled +Don't run OpenAPI validation. -### Validation Target Choice Validation Disabled - - Don't run OpenAPI validation. +### Value Choice Secret Value - - -### Value Choice Secret Value - - Secret Value of the HTTP header.. +Secret Value of the HTTP header.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Secret Value Blindfold Secret Info Internal ](#secret-value-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Value Type Check Presence +Parameter name taken which is exist in the query parameter. +### Waf Advanced Configuration App Firewall Detection Control -### Value Type Check Presence - - Parameter name taken which is exist in the query parameter. - - - -### Waf Advanced Configuration App Firewall Detection Control - - Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria.. +Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria.. `exclude_attack_type_contexts` - (Optional) Attack Types to be excluded for the defined match criteria. 
See [App Firewall Detection Control Exclude Attack Type Contexts ](#app-firewall-detection-control-exclude-attack-type-contexts) below for details. @@ -9804,23 +4726,17 @@ tls_fingerprint_matcher. `exclude_violation_contexts` - (Optional) Violations to be excluded for the defined match criteria. See [App Firewall Detection Control Exclude Violation Contexts ](#app-firewall-detection-control-exclude-violation-contexts) below for details. +### Waf Advanced Configuration Waf Skip Processing +Skip all App Firewall processing for this request. -### Waf Advanced Configuration Waf Skip Processing - - Skip all App Firewall processing for this request. - - +### Waf Choice Disable Waf -### Waf Choice Disable Waf +No WAF configuration for this load balancer. - No WAF configuration for this load balancer. +### Waf Exclusion Rules Metadata - - -### Waf Exclusion Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
@@ -9828,297 +4744,203 @@ tls_fingerprint_matcher. `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Web App Firewall Csrf Policy - -### Web App Firewall Csrf Policy - - Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. - - +Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. ###### One of the arguments from this list "all_load_balancer_domains, custom_domain_list, disabled" must be set `all_load_balancer_domains` - (Optional) Add All load balancer domains to source origin (allow) list. (`Bool`). - `custom_domain_list` - (Optional) Add one or more domains to source origin (allow) list.. See [Allowed Domains Custom Domain List ](#allowed-domains-custom-domain-list) below for details. - `disabled` - (Optional) Allow all source origin domains. (`Bool`). +### Web App Firewall Data Guard Rules - - -### Web App Firewall Data Guard Rules - - Note: App Firewall should be enabled, to use Data Guard feature.. - - +Note: App Firewall should be enabled, to use Data Guard feature.. ###### One of the arguments from this list "apply_data_guard, skip_data_guard" must be set `apply_data_guard` - (Optional) x-displayName: "Apply" (`Bool`). - `skip_data_guard` - (Optional) x-displayName: "Skip" (`Bool`). - - - ###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set `any_domain` - (Optional) Enable Data Guard for any domain (`Bool`). - `exact_value` - (Optional) Exact domain name (`String`). - `suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - `metadata` - (Required) Common attributes for the rule including name and description.. See [Data Guard Rules Metadata ](#data-guard-rules-metadata) below for details. 
`path` - (Required) URI path matcher.. See [Data Guard Rules Path ](#data-guard-rules-path) below for details. +### Web App Firewall Graphql Rules - -### Web App Firewall Graphql Rules - - queries and prevent GraphQL tailored attacks.. - - +queries and prevent GraphQL tailored attacks.. ###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set `any_domain` - (Optional) Enable GraphQL inspection for any domain (`Bool`). - `exact_value` - (Optional) Exact domain name (`String`). - `suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - `exact_path` - (Required) Specifies the exact path to GraphQL endpoint. Default value is /graphql. (`String`). `graphql_settings` - (Optional) GraphQL configuration.. See [Graphql Rules Graphql Settings ](#graphql-rules-graphql-settings) below for details. `metadata` - (Required) Common attributes for the rule including name and description.. See [Graphql Rules Metadata ](#graphql-rules-metadata) below for details. - - ###### One of the arguments from this list "method_get, method_post" must be set `method_get` - (Optional) x-displayName: "GET" (`Bool`). - `method_post` - (Optional) x-displayName: "POST" (`Bool`). +### Web App Firewall Protected Cookies +Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. - -### Web App Firewall Protected Cookies - - Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. - - - -###### One of the arguments from this list "enable_tampering_protection, disable_tampering_protection" must be set +###### One of the arguments from this list "disable_tampering_protection, enable_tampering_protection" must be set `disable_tampering_protection` - (Optional) x-displayName: "Disable" (`Bool`). - `enable_tampering_protection` - (Optional) x-displayName: "Enable" (`Bool`). 
- - - - -###### One of the arguments from this list "ignore_httponly, add_httponly" can be set +###### One of the arguments from this list "add_httponly, ignore_httponly" can be set `add_httponly` - (Optional) x-displayName: "Add" (`Bool`). - `ignore_httponly` - (Optional) x-displayName: "Ignore" (`Bool`). - - - - ###### One of the arguments from this list "ignore_max_age, max_age_value" can be set `ignore_max_age` - (Optional) Ignore max age attribute (`Bool`).(Deprecated) - `max_age_value` - (Optional) Add max age attribute (`Int`).(Deprecated) - `name` - (Required) Name of the Cookie (`String`). - - - -###### One of the arguments from this list "ignore_samesite, samesite_strict, samesite_lax, samesite_none" can be set +###### One of the arguments from this list "ignore_samesite, samesite_lax, samesite_none, samesite_strict" can be set `ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). - `samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). - `samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). - `samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). - - - - -###### One of the arguments from this list "ignore_secure, add_secure" can be set +###### One of the arguments from this list "add_secure, ignore_secure" can be set `add_secure` - (Optional) x-displayName: "Add" (`Bool`). - `ignore_secure` - (Optional) x-displayName: "Ignore" (`Bool`). +### Web App Firewall Waf Exclusion Rules - - -### Web App Firewall Waf Exclusion Rules - - When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. - - +When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. 
###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set `any_domain` - (Optional) Apply this WAF exclusion rule for any domain (`Bool`). - `exact_value` - (Optional) Exact domain name (`String`). - `suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - `expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). `metadata` - (Required) Common attributes for the rule including name and description.. See [Waf Exclusion Rules Metadata ](#waf-exclusion-rules-metadata) below for details. `methods` - (Optional) methods to be matched (`List of Strings`). - - ###### One of the arguments from this list "any_path, path_prefix, path_regex" must be set `any_path` - (Optional) Match all paths (`Bool`). - `path_prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - `path_regex` - (Optional) Define the regex for the path. For example, the regex ^/.*$ will match on all paths (`String`). - - - - ###### One of the arguments from this list "app_firewall_detection_control, waf_skip_processing" can be set `app_firewall_detection_control` - (Optional) Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria.. See [Waf Advanced Configuration App Firewall Detection Control ](#waf-advanced-configuration-app-firewall-detection-control) below for details. - `waf_skip_processing` - (Optional) Skip all App Firewall processing for this request (`Bool`). +### Web Mobile Header +Header that is used by mobile traffic.. - -### Web Mobile Header - - Header that is used by mobile traffic.. 
- - - -###### One of the arguments from this list "check_present, check_not_present, item" must be set +###### One of the arguments from this list "check_not_present, check_present, item" must be set `check_not_present` - (Optional) Check that the header is not present. (`Bool`). - `check_present` - (Optional) Check that the header is present. (`Bool`). - `item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - `name` - (Required) A case-insensitive HTTP header name. (`String`). +### Web Mobile Headers +Headers that can be used to identify mobile traffic.. -### Web Mobile Headers - - Headers that can be used to identify mobile traffic.. - - - -###### One of the arguments from this list "check_present, check_not_present, item" must be set +###### One of the arguments from this list "check_not_present, check_present, item" must be set `check_not_present` - (Optional) Check that the header is not present. (`Bool`). - `check_present` - (Optional) Check that the header is present. (`Bool`). - `item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - `name` - (Required) A case-insensitive HTTP header name. (`String`). +### Web Mobile Client Header +Header that is used by mobile traffic.. -### Web Mobile Client Header - - Header that is used by mobile traffic.. - - - -###### One of the arguments from this list "check_present, check_not_present, item" must be set +###### One of the arguments from this list "check_not_present, check_present, item" must be set `check_not_present` - (Optional) Check that the header is not present. (`Bool`). - `check_present` - (Optional) Check that the header is present. (`Bool`). 
- `item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - `name` - (Required) A case-insensitive HTTP header name. (`String`). +### Web Mobile Client Headers +Headers that can be used to identify mobile traffic.. -### Web Mobile Client Headers - - Headers that can be used to identify mobile traffic.. - - - -###### One of the arguments from this list "item, check_present, check_not_present" must be set +###### One of the arguments from this list "check_not_present, check_present, item" must be set `check_not_present` - (Optional) Check that the header is not present. (`Bool`). - `check_present` - (Optional) Check that the header is present. (`Bool`). - `item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - `name` - (Required) A case-insensitive HTTP header name. (`String`). +### Xfcc Header Xfcc Disabled + +No X-Forwarded-Client-Cert header will be added. + +### Xfcc Header Xfcc Options +X-Forwarded-Client-Cert header will be added with the configured fields. -## Attribute Reference +`xfcc_header_elements` - (Required) X-Forwarded-Client-Cert header elements to be added to requests (`List of Strings`). -* `id` - This is the id of the configured cdn_loadbalancer. +Attribute Reference +------------------- +- `id` - This is the id of the configured cdn_loadbalancer. diff --git a/docs/resources/volterra_certificate.md b/docs/resources/volterra_certificate.md index b83852a2c..1beaafd74 100644 --- a/docs/resources/volterra_certificate.md +++ b/docs/resources/volterra_certificate.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: certificate" -description: "The certificate allows CRUD of Certificate resource on Volterra SaaS" +description: "The certificate allows CRUD of Certificate resource on Volterra SaaS" + --- -# Resource volterra_certificate -The Certificate allows CRUD of Certificate resource on Volterra SaaS +Resource volterra_certificate +============================= + +The Certificate allows CRUD of Certificate resource on Volterra SaaS -~> **Note:** Please refer to [Certificate API docs](https://docs.cloud.f5.com/docs-v2/api/certificate) to learn more +~> **Note:** Please refer to [Certificate API docs](https://docs.cloud.f5.com/docs-v2/api/certificate) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_certificate" "example" { @@ -39,7 +32,7 @@ resource "volterra_certificate" "example" { secret_encoding_type = "secret_encoding_type" - // One of the arguments from this list "blindfold_secret_info vault_secret_info clear_secret_info wingman_secret_info" must be set + // One of the arguments from this list "blindfold_secret_info clear_secret_info vault_secret_info wingman_secret_info" must be set blindfold_secret_info { decryption_provider = "value" 
@@ -53,133 +46,66 @@ resource "volterra_certificate" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `certificate_chain` - (Optional) Intermediate Certificate Chain is used to establish the chain of trust. Intermediate Certificate Chain contains the list of intermediate certificates, excluding the end-entity certificate.. See [ref](#ref) below for details. - `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). - - +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - - - - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected. (`Bool`). - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order. (`Bool`). 
- - - `private_key` - (Required) Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. Key has to match the accompanying certificate.. See [Private Key ](#private-key) below for details. +### Private Key - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Private Key - - Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. Key has to match the accompanying certificate.. +Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. Key has to match the accompanying certificate.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "clear_secret_info, wingman_secret_info, blindfold_secret_info, vault_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Ocsp Stapling Choice Custom Hash Algorithms - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. `hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Private Key Blindfold Secret Info Internal - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -187,10 +113,7 @@ resource "volterra_certificate" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -200,11 +123,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -212,21 +133,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -238,17 +155,13 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured certificate. - +- `id` - This is the id of the configured certificate. diff --git a/docs/resources/volterra_certificate_chain.md b/docs/resources/volterra_certificate_chain.md index 07d6a0a44..64cd8d350 100644 --- a/docs/resources/volterra_certificate_chain.md +++ b/docs/resources/volterra_certificate_chain.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: certificate_chain" -description: "The certificate_chain allows CRUD of Certificate Chain resource on Volterra SaaS" +description: "The certificate_chain allows CRUD of Certificate Chain resource on Volterra SaaS" + --- -# Resource volterra_certificate_chain -The Certificate Chain allows CRUD of Certificate Chain resource on Volterra SaaS +Resource volterra_certificate_chain +=================================== + +The Certificate Chain allows CRUD of Certificate Chain resource on Volterra SaaS -~> **Note:** Please refer to [Certificate Chain API docs](https://docs.cloud.f5.com/docs-v2/api/certificate-chain) to learn more +~> **Note:** Please refer to [Certificate Chain API docs](https://docs.cloud.f5.com/docs-v2/api/certificate-chain) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_certificate_chain" "example" { 
@@ -31,35 +24,28 @@ resource "volterra_certificate_chain" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `certificate_url` - (Required) Certificate chain is the list of intermediate certificates in PEM format including the PEM headers. (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured certificate_chain. - +- `id` - This is the id of the configured certificate_chain. diff --git a/docs/resources/volterra_cloud_credentials.md b/docs/resources/volterra_cloud_credentials.md index 3b03a0e07..1cf456ffc 100644 --- a/docs/resources/volterra_cloud_credentials.md +++ b/docs/resources/volterra_cloud_credentials.md 
@@ -1,334 +1,135 @@ - - - - - - - - - - - - --- + page_title: "Volterra: cloud_credentials" -description: "The cloud_credentials allows CRUD of Cloud Credentials resource on Volterra SaaS" +description: "The cloud_credentials allows CRUD of Cloud Credentials resource on Volterra SaaS" + --- -# Resource volterra_cloud_credentials -The Cloud Credentials allows CRUD of Cloud Credentials resource on Volterra SaaS +Resource volterra_cloud_credentials +=================================== + +The Cloud Credentials allows CRUD of Cloud Credentials resource on Volterra SaaS -~> **Note:** Please refer to [Cloud Credentials API docs](https://docs.cloud.f5.com/docs-v2/api/cloud-credentials) to learn more +~> **Note:** Please refer to [Cloud Credentials API docs](https://docs.cloud.f5.com/docs-v2/api/cloud-credentials) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_cloud_credentials" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "aws_secret_key aws_assume_role azure_pfx_certificate azure_client_secret gcp_cred_file" must be set + // One of the arguments from this list "aws_assume_role aws_secret_key azure_client_secret azure_pfx_certificate gcp_cred_file" must be set - aws_secret_key { - access_key = "value" + gcp_cred_file { + credential_file { - secret_key { - blindfold_secret_info_internal { + secret_encoding_type = "secret_encoding_type" + + // One of the arguments from this list "blindfold_secret_info clear_secret_info vault_secret_info wingman_secret_info" must be set + + blindfold_secret_info { decryption_provider = "value" location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" store_provider = "value" } - - secret_encoding_type = "secret_encoding_type" - - // One of the arguments from this list "blindfold_secret_info vault_secret_info clear_secret_info wingman_secret_info" must be set - - clear_secret_info { - provider = "box-provider" - - url = "string:///U2VjcmV0SW5mb3JtYXRpb24=" - } } 
} } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "aws_assume_role, aws_secret_key, azure_client_secret, azure_pfx_certificate, gcp_cred_file" must be set `aws_assume_role` - (Optional) F5XC will assume role designated by customer. See [Cloud Aws Assume Role ](#cloud-aws-assume-role) below for details. - - - - - - - - - - - - - - - - - - - - `aws_secret_key` - (Optional) AWS authentication using access keys. See [Cloud Aws Secret Key ](#cloud-aws-secret-key) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `azure_client_secret` - (Optional) Azure authentication using a service principal account with client secret. See [Cloud Azure Client Secret ](#cloud-azure-client-secret) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `azure_pfx_certificate` - (Optional) Azure authentication using a service principal account with client certificate. See [Cloud Azure Pfx Certificate ](#cloud-azure-pfx-certificate) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `gcp_cred_file` - (Optional) Google authentication using content of Google Credentials File. 
See [Cloud Gcp Cred File ](#cloud-gcp-cred-file) below for details. - - - - - - - - +### Aws Secret Key Secret Key - - - - - - - - - - - - - - - - - - - - -### Aws Secret Key Secret Key - - Secret Access Key for your AWS account. +Secret Access Key for your AWS account. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Secret Key Blindfold Secret Info Internal ](#secret-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "vault_secret_info, clear_secret_info, wingman_secret_info, blindfold_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Azure Client Secret Client Secret - - -### Azure Client Secret Client Secret - - Client Secret (alias password) for your Azure service principal. +Client Secret (alias password) for your Azure service principal. 
`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Client Secret Blindfold Secret Info Internal ](#client-secret-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "wingman_secret_info, blindfold_secret_info, vault_secret_info, clear_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Azure Pfx Certificate Password - - -### Azure Pfx Certificate Password - - Password for your '.p12' or '.pfx' file whose certificate is linked to service principal object. +Password for your '.p12' or '.pfx' file whose certificate is linked to service principal object. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Client Secret Blindfold Secret Info Internal - - -### Client Secret Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
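Review bot: The new example in volterra_cloud_credentials.md sets `secret_encoding_type = "secret_encoding_type"` inside `credential_file`, but the argument reference in this same hunk marks `secret_encoding_type` as (Deprecated), and the value is just the field name. Drop the line from the example or replace it with a value the provider accepts, so copied configurations do not start from a deprecated argument. The example comment and the `###### One of the arguments from this list` lines also still offer `vault_secret_info` and `wingman_secret_info` with no hint that both are (Deprecated); marking them there would keep readers on `blindfold_secret_info` or `clear_secret_info`.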
@@ -336,48 +137,37 @@ resource "volterra_cloud_credentials" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Cloud Aws Assume Role - -### Cloud Aws Assume Role - - F5XC will assume role designated by customer. +F5XC will assume role designated by customer. `duration_seconds` - (Optional) The duration, in seconds of the role session. (`Int`). - - -###### One of the arguments from this list "external_id_is_optional, external_id_is_tenant_id, custom_external_id" must be set +###### One of the arguments from this list "custom_external_id, external_id_is_optional, external_id_is_tenant_id" must be set `custom_external_id` - (Optional) External ID is Custom ID (`String`).(Deprecated) - `external_id_is_optional` - (Optional) External ID is Optional (`Bool`).(Deprecated) - `external_id_is_tenant_id` - (Optional) External ID is Tenant ID (`Bool`).(Deprecated) - `role_arn` - (Required) IAM Role ARN to assume the role (`String`). `session_name` - (Required) be used for deploy, monitor from F5XC console (`String`). `session_tags` - (Optional) Session tags are key-value pair attributes that you pass when you assume an IAM role (`String`). +### Cloud Aws Secret Key - -### Cloud Aws Secret Key - - AWS authentication using access keys. +AWS authentication using access keys. `access_key` - (Required) Access key ID for your AWS account (`String`). `secret_key` - (Required) Secret Access Key for your AWS account. See [Aws Secret Key Secret Key ](#aws-secret-key-secret-key) below for details. +### Cloud Azure Client Secret - -### Cloud Azure Client Secret - - Azure authentication using a service principal account with client secret. +Azure authentication using a service principal account with client secret. `client_id` - (Required) Client ID for your Azure service principal (`String`). 
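Review bot: Under `### Cloud Aws Assume Role` the list line says one of `custom_external_id`, `external_id_is_optional`, `external_id_is_tenant_id` "must be set", yet all three entries that follow it are marked (Deprecated). A reader cannot tell from this whether an external ID is still required for `aws_assume_role` or how to supply one. The patch already rewrites that line to reorder the names, so correct the wording where the text is produced (the `### Byoc Connections` naming list in volterra_cloud_link.md uses "can be set" for a similar all-deprecated group) or document the argument that replaces these three.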
@@ -387,11 +177,9 @@ resource "volterra_cloud_credentials" "example" { `tenant_id` - (Required) Tenant ID for your Azure service principal (`String`). +### Cloud Azure Pfx Certificate - -### Cloud Azure Pfx Certificate - - Azure authentication using a service principal account with client certificate. +Azure authentication using a service principal account with client certificate. `certificate_url` - (Required) Here is base64 of '.pfx' or '.p12' binary file (`String`). @@ -403,19 +191,15 @@ resource "volterra_cloud_credentials" "example" { `tenant_id` - (Required) Tenant ID for your Azure service principal (`String`). +### Cloud Gcp Cred File - -### Cloud Gcp Cred File - - Google authentication using content of Google Credentials File. +Google authentication using content of Google Credentials File. `credential_file` - (Required) Content of Credential File for your GCP account. See [Gcp Cred File Credential File ](#gcp-cred-file-credential-file) below for details. +### Credential File Blindfold Secret Info Internal - -### Credential File Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -423,49 +207,35 @@ resource "volterra_cloud_credentials" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### External Id External Id Is Optional +External ID is Optional. -### External Id External Id Is Optional - - External ID is Optional. - - - -### External Id External Id Is Tenant Id - - External ID is Tenant ID. - +### External Id External Id Is Tenant Id +External ID is Tenant ID. -### Gcp Cred File Credential File +### Gcp Cred File Credential File - Content of Credential File for your GCP account. +Content of Credential File for your GCP account. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Credential File Blindfold Secret Info Internal ](#credential-file-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Password Blindfold Secret Info Internal - - -### Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -473,11 +243,9 @@ resource "volterra_cloud_credentials" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -485,21 +253,17 @@ resource "volterra_cloud_credentials" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). @@ -511,19 +275,15 @@ resource "volterra_cloud_credentials" "example" { `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Secret Key Blindfold Secret Info Internal - -### Secret Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -531,9 +291,7 @@ resource "volterra_cloud_credentials" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured cloud_credentials. - +- `id` - This is the id of the configured cloud_credentials. diff --git a/docs/resources/volterra_cloud_link.md b/docs/resources/volterra_cloud_link.md index 7d14aab22..9428d436b 100644 --- a/docs/resources/volterra_cloud_link.md +++ b/docs/resources/volterra_cloud_link.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: cloud_link" -description: "The cloud_link allows CRUD of Cloud Link resource on Volterra SaaS" +description: "The cloud_link allows CRUD of Cloud Link resource on Volterra SaaS" + --- -# Resource volterra_cloud_link -The Cloud Link allows CRUD of Cloud Link resource on Volterra SaaS +Resource volterra_cloud_link +============================ + +The Cloud Link allows CRUD of Cloud Link resource on Volterra SaaS -~> **Note:** Please refer to [Cloud Link API docs](https://docs.cloud.f5.com/docs-v2/api/cloud-link) to learn more +~> **Note:** Please refer to [Cloud Link API docs](https://docs.cloud.f5.com/docs-v2/api/cloud-link) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_cloud_link" "example" { @@ -51,7 +44,7 @@ resource "volterra_cloud_link" "example" { secret_encoding_type = "secret_encoding_type" - // One of the arguments from this list "blindfold_secret_info vault_secret_info clear_secret_info wingman_secret_info" must be set + // One of the arguments from this list "blindfold_secret_info clear_secret_info vault_secret_info wingman_secret_info" must be set blindfold_secret_info { decryption_provider = "value" 
@@ -114,194 +107,42 @@ resource "volterra_cloud_link" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "aws, azure, gcp" must be set `aws` - (Optional) CloudLink for AWS Cloud. See [Cloud Provider Aws ](#cloud-provider-aws) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `azure` - (Optional) CloudLink for Azure Cloud. See [Cloud Provider Azure ](#cloud-provider-azure) below for details.(Deprecated) - - - `gcp` - (Optional) CloudLink for Google Cloud Platform. See [Cloud Provider Gcp ](#cloud-provider-gcp) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - +###### One of the arguments from this list "disabled, enabled" must be set `disabled` - (Optional) CloudLink connection to RE Site is disabled (`Bool`). - `enabled` - (Optional) CloudLink connection to RE Site is enabled. See [Enable Connection To Re Choice Enabled ](#enable-connection-to-re-choice-enabled) below for details. 
- - - - - - -### Auth Key Blindfold Secret Info Internal +### Auth Key Blindfold Secret Info Internal - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -309,11 +150,9 @@ resource "volterra_cloud_link" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Byoc Connections - -### Byoc Connections - - List of Bring You Own Connections. These AWS Direct Connect connections are not managed by F5XC but will be used for connecting sites and REs.. +List of Bring You Own Connections. These AWS Direct Connect connections are not managed by F5XC but will be used for connecting sites and REs.. `auth_key` - (Required) This string has a minimum length of 6 characters and and a maximum length of 80 characters.. See [Connections Auth Key ](#connections-auth-key) below for details. 
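Review bot: The `### Byoc Connections` description touched in this hunk still reads "List of Bring You Own Connections" and ends in a double period ("REs.."), and the `auth_key` context line just below it has "and and a maximum length". The change only strips the leading space from the description, so the typos survive the cleanup. If these files are generated, fix the strings in the source the generator reads; otherwise correct them in this pass while the lines are already being modified.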
@@ -325,42 +164,31 @@ resource "volterra_cloud_link" "example" { `enable_sitelink` - (Optional) Enable direct connectivity between Direct Connect points of presence. The Virtual Interface will be created with SiteLink enabled. (`Bool`).(Deprecated) - - ###### One of the arguments from this list "ipv4, ipv6" must be set `ipv4` - (Optional) Configure BGP IPv4 peering for endpoints. See [Ip Type Ipv4 ](#ip-type-ipv4) below for details. - `ipv6` - (Optional) Configure BGP IPv6 peering for endpoints. See [Ip Type Ipv6 ](#ip-type-ipv6) below for details.(Deprecated) - `jumbo_mtu` - (Optional) The Virtual Interface will be created with option to use jumbo frames enabled (`Bool`).(Deprecated) `metadata` - (Required) Specify attributes for the connection including name and description.. See [Connections Metadata ](#connections-metadata) below for details. `region` - (Required) Region where the connection is setup (`String`). - - - -###### One of the arguments from this list "user_assigned_name, system_generated_name" can be set +###### One of the arguments from this list "system_generated_name, user_assigned_name" can be set `system_generated_name` - (Optional) F5XC will automatically assign a AWS resource name (`Bool`).(Deprecated) - `user_assigned_name` - (Optional) User is managing the AWS resource name (`String`).(Deprecated) - `tags` - (Optional) Specified tags will be added to Virtual interface along with any F5XC specific tags (`String`). `virtual_interface_type` - (Optional) Specifies the virtual interface type that needs to be configured on AWS (`String`). `vlan` - (Required) This tag is required for any traffic traversing the AWS Direct Connect connection (`Int`). - - -### Byoc Connections +### Byoc Connections Each 'Bring Your Own Connection' represents a virtual connection that the customer has provisioned in the Cloud (example: AWS Direct Connect). F5XC will orchestrate networking resources in the cloud to facilitate seamless private connectivity. . 
@@ -370,130 +198,91 @@ Each 'Bring Your Own Connection' represents a virtual connection that the custom `metadata` - (Required) Specify attributes for the connection including name and description.. See [Connections Metadata ](#connections-metadata) below for details. - - -###### One of the arguments from this list "same_as_credential, project" must be set +###### One of the arguments from this list "project, same_as_credential" must be set `project` - (Optional) Specify a GCP Project for the interconnect attachment (`String`). - `same_as_credential` - (Optional) GCP Project for the interconnect is the same as the project specified in the credential (`Bool`). - `region` - (Required) GCP Region in which the GCP Cloud Interconnect attachment is configured (`String`). +### Cloud Link Type Byoc - -### Cloud Link Type Byoc - - Assumption is that this given AWS account already has direct connect connection provisioned. +Assumption is that this given AWS account already has direct connect connection provisioned. `connections` - (Required) List of Bring You Own Connections. These AWS Direct Connect connections are not managed by F5XC but will be used for connecting sites and REs.. See [Byoc Connections ](#byoc-connections) below for details. +### Cloud Link Type Byoc - -### Cloud Link Type Byoc - - Assumption is that this given GCP account already has Cloud Interconnect provisioned.. +Assumption is that this given GCP account already has Cloud Interconnect provisioned.. `connections` - (Required)Each 'Bring Your Own Connection' represents a virtual connection that the customer has provisioned in the Cloud (example: AWS Direct Connect). F5XC will orchestrate networking resources in the cloud to facilitate seamless private connectivity. . See [Byoc Connections ](#byoc-connections) below for details. +### Cloud Link Type F5xc Managed +F5 XC will manage end to end AWS Direct Connect Connection and making it ready to be consumed by the site.. 
-### Cloud Link Type F5xc Managed +### Cloud Provider Aws - F5 XC will manage end to end AWS Direct Connect Connection and making it ready to be consumed by the site.. - - - -### Cloud Provider Aws - - CloudLink for AWS Cloud. +CloudLink for AWS Cloud. `aws_cred` - (Required) Reference to AWS cloud account credential object used to deploy CloudLink specific object. See [ref](#ref) below for details. - - -###### One of the arguments from this list "f5xc_managed, byoc" must be set +###### One of the arguments from this list "byoc, f5xc_managed" must be set `byoc` - (Optional) Assumption is that this given AWS account already has direct connect connection provisioned. See [Cloud Link Type Byoc ](#cloud-link-type-byoc) below for details. - `f5xc_managed` - (Optional) F5 XC will manage end to end AWS Direct Connect Connection and making it ready to be consumed by the site.. See [Cloud Link Type F5xc Managed ](#cloud-link-type-f5xc-managed) below for details.(Deprecated) - - - ###### One of the arguments from this list "auto, custom_asn" must be set `auto` - (Optional) F5XC will automatically generate an ASN to create a Direct Connect Gateway (`Bool`).(Deprecated) - `custom_asn` - (Optional) F5XC will use custom ASN to create a Direct Connect Gateway (`Int`). +### Cloud Provider Azure +CloudLink for Azure Cloud. +### Cloud Provider Gcp -### Cloud Provider Azure - - CloudLink for Azure Cloud. - - - -### Cloud Provider Gcp - - CloudLink for Google Cloud Platform. - - +CloudLink for Google Cloud Platform. ###### One of the arguments from this list "byoc" must be set `byoc` - (Optional) Assumption is that this given GCP account already has Cloud Interconnect provisioned.. See [Cloud Link Type Byoc ](#cloud-link-type-byoc) below for details. - `gcp_cred` - (Required) Reference to GCP cloud account credential object used to deploy CloudLink specific object. See [ref](#ref) below for details. 
+### Connections Auth Key - -### Connections Auth Key - - This string has a minimum length of 6 characters and and a maximum length of 80 characters.. +This string has a minimum length of 6 characters and and a maximum length of 80 characters.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Auth Key Blindfold Secret Info Internal ](#auth-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Connections Coordinates - - -### Connections Coordinates - - Coordinates of the CloudLink Connection based on connection's physical location. +Coordinates of the CloudLink Connection based on connection's physical location. 
`latitude` - (Optional) Latitude of the site location (`Float`). `longitude` - (Optional) longitude of site location (`Float`). +### Connections Metadata - -### Connections Metadata - - Specify attributes for the connection including name and description.. +Specify attributes for the connection including name and description.. `description` - (Optional) Human readable description. (`String`). 
@@ -501,46 +290,33 @@ Each 'Bring Your Own Connection' represents a virtual connection that the custom `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Direct Connect Gateway Asn Choice Auto +F5XC will automatically generate an ASN to create a Direct Connect Gateway. -### Direct Connect Gateway Asn Choice Auto - - F5XC will automatically generate an ASN to create a Direct Connect Gateway. - +### Enable Connection To Re Choice Enabled - -### Enable Connection To Re Choice Enabled - - CloudLink connection to RE Site is enabled. +CloudLink connection to RE Site is enabled. `cloudlink_network_name` - (Required) Establish private connectivity with the F5 Distributed Cloud Global Network using a Private ADN network. To provision a Private ADN network, please contact F5 Distributed Cloud support. (`String`). +### Ip Type Ipv4 - -### Ip Type Ipv4 - - Configure BGP IPv4 peering for endpoints. +Configure BGP IPv4 peering for endpoints. `aws_router_peer_address` - (Required) The BGP peer IP configured on the AWS endpoint (`String`). `router_peer_address` - (Required) The BGP peer IP configured on your (customer) endpoint (`String`). +### Ip Type Ipv6 +Configure BGP IPv6 peering for endpoints. -### Ip Type Ipv6 - - Configure BGP IPv6 peering for endpoints. - - - -### Project Choice Same As Credential - - GCP Project for the interconnect is the same as the project specified in the credential. - +### Project Choice Same As Credential +GCP Project for the interconnect is the same as the project specified in the credential. -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -550,17 +326,13 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Resource Name Choice System Generated Name +F5XC will automatically assign a AWS resource name. -### Resource Name Choice System Generated Name - - F5XC will automatically assign a AWS resource name. - - +### Secret Info Oneof Blindfold Secret Info -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -568,21 +340,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -594,17 +362,13 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured cloud_link. - +- `id` - This is the id of the configured cloud_link. diff --git a/docs/resources/volterra_cloud_site_labels.md b/docs/resources/volterra_cloud_site_labels.md index 6008cb970..4ceecf624 100644 --- a/docs/resources/volterra_cloud_site_labels.md +++ b/docs/resources/volterra_cloud_site_labels.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: volterra_cloud_site_labels" - description: "The volterra_cloud_site_labels helps to update the site labels for cloud sites" ---------------------------------------------------------------------------------------------- + +--- Resource volterra_cloud_site_labels =================================== diff --git a/docs/resources/volterra_cluster.md b/docs/resources/volterra_cluster.md index 3d2207885..234de7bdf 100644 --- a/docs/resources/volterra_cluster.md +++ b/docs/resources/volterra_cluster.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: cluster" -description: "The cluster allows CRUD of Cluster resource on Volterra SaaS" +description: "The cluster allows CRUD of Cluster resource on Volterra SaaS" + --- -# Resource volterra_cluster -The Cluster allows CRUD of Cluster resource on Volterra SaaS +Resource volterra_cluster +========================= -~> **Note:** Please refer to [Cluster API docs](https://docs.cloud.f5.com/docs-v2/api/cluster) to learn more +The Cluster allows CRUD of Cluster resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Cluster API docs](https://docs.cloud.f5.com/docs-v2/api/cluster) to learn more + +Example Usage +------------- ```hcl resource "volterra_cluster" "example" { 
@@ -30,353 +23,110 @@ resource "volterra_cluster" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `circuit_breaker` - (Optional) allows to apply back pressure on downstream quickly.. See [Circuit Breaker ](#circuit-breaker) below for details. - - - - - - - `connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2 seconds (`Int`). - - `default_subset` - (Optional) which gets used when route specifies no metadata or no subset matching the metadata exists. (`String`). - `endpoint_selection` - (Optional) Policy for selection of endpoints from local site or remote site or both (`String`). - - `endpoint_subsets` - (Optional). See [Endpoint Subsets ](#endpoint-subsets) below for details. - - - `endpoints` - (Optional) List of references to all endpoint objects that belong to this cluster.. See [ref](#ref) below for details. `fallback_policy` - (Optional) metadata defined as default_set (`String`). - - `header_transformation_type` - (Optional) Settings to normalize the headers of upstream requests.. 
See [Header Transformation Type ](#header-transformation-type) below for details.(Deprecated) - - - - - - - - - - - - - - - - - - - - - - - - `health_checks` - (Optional) List of references to healthcheck object for this cluster.. See [ref](#ref) below for details. - `http_idle_timeout` - (Optional) This is specified in milliseconds. The default value is 5 minutes. (`Int`). - - +###### One of the arguments from this list "auto_http_config, http1_config, http2_options" can be set `auto_http_config` - (Optional) and will use whichever protocol is negotiated by ALPN with the upstream. (`Bool`). - `http1_config` - (Optional) Enable HTTP/1.1 for upstream connections. See [Http Protocol Type Http1 Config ](#http-protocol-type-http1-config) below for details. - - - - - - - - - - - - - - - - - - - - `http2_options` - (Optional) Enable HTTP/2 for upstream connections. See [Http Protocol Type Http2 Options ](#http-protocol-type-http2-options) below for details. - - - - - `loadbalancer_algorithm` - (Optional) loadbalancer_algorithm to determine which host is selected. (`String`). - - `outlier_detection` - (Optional) healthy load balancing set. Outlier detection is a form of passive health checking.. See [Outlier Detection ](#outlier-detection) below for details. - - - - - - - +###### One of the arguments from this list "no_panic_threshold, panic_threshold" can be set `no_panic_threshold` - (Optional) Disable panic threshold. Only healthy endpoints are considered for loadbalancing. (`Bool`). - `panic_threshold` - (Optional) all endpoints will be considered for loadbalancing ignoring its health status. (`Int`). - - - +###### One of the arguments from this list "disable_proxy_protocol, proxy_protocol_v1, proxy_protocol_v2" can be set `disable_proxy_protocol` - (Optional) Disable Proxy Protocol for upstream connections (`Bool`). - `proxy_protocol_v1` - (Optional) Enable Proxy Protocol V1 for upstream connections (`Bool`). 
- `proxy_protocol_v2` - (Optional) Enable Proxy Protocol V2 for upstream connections (`Bool`). - - - `tls_parameters` - (Optional) TLS parameters to access upstream endpoints for this cluster. See [Tls Parameters ](#tls-parameters) below for details. +### Circuit Breaker - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Circuit Breaker - - allows to apply back pressure on downstream quickly.. +allows to apply back pressure on downstream quickly.. `connection_limit` - (Optional) Remove endpoint out of load balancing decision, if number of connections reach connection limit. (`Int`). `max_requests` - (Optional) Remove endpoint out of load balancing decision, if requests exceed this count. (`Int`). -`pending_requests` - (Optional) Remove endpoint out of load balancing decision, if pending request reach pending_request. (`Int`). +`pending_requests` - (Optional) Remove endpoint out of load balancing decision, if pending request reach pending_request. (`Int`). `priority` - (Optional) matched with priority of CircuitBreaker to select the CircuitBreaker (`String`). `retries` - (Optional) Remove endpoint out of load balancing decision, if retries for request exceed this count. (`Int`). - - -### Endpoint Subsets +### Endpoint Subsets . `keys` - (Required) List of keys that define a cluster subset class. (`String`). +### Header Transformation Type +Settings to normalize the headers of upstream requests.. -### Header Transformation Type - - Settings to normalize the headers of upstream requests.. 
- - - -###### One of the arguments from this list "default_header_transformation, proper_case_header_transformation, preserve_case_header_transformation, legacy_header_transformation" must be set +###### One of the arguments from this list "default_header_transformation, legacy_header_transformation, preserve_case_header_transformation, proper_case_header_transformation" must be set `default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). - `legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). - `preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). - `proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). +### Outlier Detection - - -### Outlier Detection - - healthy load balancing set. Outlier detection is a form of passive health checking.. +healthy load balancing set. Outlier detection is a form of passive health checking.. `base_ejection_time` - (Optional) Defaults to 30000ms or 30s. Specified in milliseconds. (`Int`). 
@@ -388,217 +138,149 @@ resource "volterra_cluster" "example" { `max_ejection_percent` - (Optional) detection. Defaults to 10% but will eject at least one host regardless of the value. (`Int`). +### Tls Parameters - -### Tls Parameters - - TLS parameters to access upstream endpoints for this cluster. - - +TLS parameters to access upstream endpoints for this cluster. ###### One of the arguments from this list "default_session_key_caching, disable_session_key_caching, max_session_keys" must be set `default_session_key_caching` - (Optional) Default session key caching. Only one session key will be cached. (`Bool`). - `disable_session_key_caching` - (Optional) Disable session key caching. This will disable TLS session resumption. (`Bool`). - `max_session_keys` - (Optional) Number of session keys that are cached. (`Int`). - - - -###### One of the arguments from this list "use_host_header_as_sni, disable_sni, sni" must be set +###### One of the arguments from this list "disable_sni, sni, use_host_header_as_sni" must be set `disable_sni` - (Optional) Do not use SNI.. See [Sni Choice Disable Sni ](#sni-choice-disable-sni) below for details. - `sni` - (Optional) SNI value to be used. (`String`). - `use_host_header_as_sni` - (Optional) Use the host header as SNI. See [Sni Choice Use Host Header As Sni ](#sni-choice-use-host-header-as-sni) below for details. - - - -###### One of the arguments from this list "common_params, cert_params" must be set +###### One of the arguments from this list "cert_params, common_params" must be set `cert_params` - (Optional) TLS certificate parameters for upstream connections. See [Tls Params Choice Cert Params ](#tls-params-choice-cert-params) below for details. - `common_params` - (Optional) Common TLS parameters used in upstream connections. See [Tls Params Choice Common Params ](#tls-params-choice-common-params) below for details. 
+### Cert Params Validation Params - - -### Cert Params Validation Params - - and list of Subject Alt Names for verification. +and list of Subject Alt Names for verification. `skip_hostname_verification` - (Optional) is not matched to the connecting hostname (`Bool`). - - -###### One of the arguments from this list "trusted_ca_url, trusted_ca" must be set +###### One of the arguments from this list "trusted_ca, trusted_ca_url" must be set `trusted_ca` - (Optional) Root CA Certificate. See [Trusted Ca Choice Trusted Ca ](#trusted-ca-choice-trusted-ca) below for details. - `trusted_ca_url` - (Optional) Inline Root CA Certificate (`String`). - `use_volterra_trusted_ca_url` - (Optional) Use the F5XC default Root CA URL from the global config for hostname verification. (`Bool`).(Deprecated) `verify_subject_alt_names` - (Optional) the hostname of the peer will be used for matching against SAN/CN of peer's certificate (`String`). +### Common Params Tls Certificates - -### Common Params Tls Certificates - - Set of TLS certificates. +Set of TLS certificates. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "disable_ocsp_stapling, custom_hash_algorithms, use_system_defaults" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. 
- `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Common Params Validation Params - -### Common Params Validation Params - - and list of Subject Alt Names for verification. +and list of Subject Alt Names for verification. `skip_hostname_verification` - (Optional) is not matched to the connecting hostname (`Bool`). - - -###### One of the arguments from this list "trusted_ca_url, trusted_ca" must be set +###### One of the arguments from this list "trusted_ca, trusted_ca_url" must be set `trusted_ca` - (Optional) Root CA Certificate. See [Trusted Ca Choice Trusted Ca ](#trusted-ca-choice-trusted-ca) below for details. - `trusted_ca_url` - (Optional) Inline Root CA Certificate (`String`). - `use_volterra_trusted_ca_url` - (Optional) Use the F5XC default Root CA URL from the global config for hostname verification. (`Bool`).(Deprecated) `verify_subject_alt_names` - (Optional) the hostname of the peer will be used for matching against SAN/CN of peer's certificate (`String`). +### Header Transformation Choice Default Header Transformation +Normalize the headers to lower case. -### Header Transformation Choice Default Header Transformation - - Normalize the headers to lower case. 
+### Header Transformation Choice Legacy Header Transformation +Use old header transformation if configured earlier. +### Header Transformation Choice Preserve Case Header Transformation -### Header Transformation Choice Legacy Header Transformation +Preserves the original case of headers without any modifications.. - Use old header transformation if configured earlier. +### Header Transformation Choice Proper Case Header Transformation +For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are”. +### Http1 Config Header Transformation -### Header Transformation Choice Preserve Case Header Transformation +the stateful formatter will take effect, and the stateless formatter will be disregarded.. - Preserves the original case of headers without any modifications.. - - - -### Header Transformation Choice Proper Case Header Transformation - - For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are”. - - - -### Http1 Config Header Transformation - - the stateful formatter will take effect, and the stateless formatter will be disregarded.. - - - -###### One of the arguments from this list "legacy_header_transformation, default_header_transformation, proper_case_header_transformation, preserve_case_header_transformation" must be set +###### One of the arguments from this list "default_header_transformation, legacy_header_transformation, preserve_case_header_transformation, proper_case_header_transformation" must be set `default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). - `legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). - `preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). - `proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). 
+### Http Protocol Type Http1 Config - - -### Http Protocol Type Http1 Config - - Enable HTTP/1.1 for upstream connections. +Enable HTTP/1.1 for upstream connections. `header_transformation` - (Optional) the stateful formatter will take effect, and the stateless formatter will be disregarded.. See [Http1 Config Header Transformation ](#http1-config-header-transformation) below for details. +### Http Protocol Type Http2 Options - -### Http Protocol Type Http2 Options - - Enable HTTP/2 for upstream connections. +Enable HTTP/2 for upstream connections. `enabled` - (Optional) Enable/disable HTTP2 Protocol for upstream connections (`Bool`). +### Max Session Keys Type Default Session Key Caching +Default session key caching. Only one session key will be cached.. -### Max Session Keys Type Default Session Key Caching - - Default session key caching. Only one session key will be cached.. - +### Max Session Keys Type Disable Session Key Caching +Disable session key caching. This will disable TLS session resumption.. -### Max Session Keys Type Disable Session Key Caching +### Ocsp Stapling Choice Custom Hash Algorithms - Disable session key caching. This will disable TLS session resumption.. - - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. `hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Ocsp Stapling Choice Disable Ocsp Stapling +This is the default behavior if no choice is selected.. 
-### Ocsp Stapling Choice Disable Ocsp Stapling - - This is the default behavior if no choice is selected.. - +### Ocsp Stapling Choice Use System Defaults +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. -### Ocsp Stapling Choice Use System Defaults +### Private Key Blindfold Secret Info Internal - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. - - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -606,10 +288,7 @@ resource "volterra_cluster" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -619,11 +298,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -631,21 +308,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -657,57 +330,41 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Sni Choice Disable Sni +Do not use SNI.. -### Sni Choice Disable Sni +### Sni Choice Use Host Header As Sni - Do not use SNI.. +Use the host header as SNI. +### Tls Certificates Private Key - -### Sni Choice Use Host Header As Sni - - Use the host header as SNI. - - - -### Tls Certificates Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. 
See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Tls Params Choice Cert Params - - -### Tls Params Choice Cert Params - - TLS certificate parameters for upstream connections. +TLS certificate parameters for upstream connections. `certificates` - (Required) Client TLS Certificate required for mTLS authentication. See [ref](#ref) below for details. @@ -719,11 +376,9 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `validation_params` - (Optional) and list of Subject Alt Names for verification. See [Cert Params Validation Params ](#cert-params-validation-params) below for details. +### Tls Params Choice Common Params - -### Tls Params Choice Common Params - - Common TLS parameters used in upstream connections. +Common TLS parameters used in upstream connections. `cipher_suites` - (Optional) will be used. (`String`). 
@@ -737,17 +392,13 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `validation_params` - (Optional) and list of Subject Alt Names for verification. See [Common Params Validation Params ](#common-params-validation-params) below for details. +### Trusted Ca Choice Trusted Ca - -### Trusted Ca Choice Trusted Ca - - Root CA Certificate. +Root CA Certificate. `trusted_ca_list` - (Optional) Reference to Root CA Certificate. See [ref](#ref) below for details. +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured cluster. - +- `id` - This is the id of the configured cluster. diff --git a/docs/resources/volterra_code_base_integration.md b/docs/resources/volterra_code_base_integration.md new file mode 100644 index 000000000..1aa9de3d9 --- /dev/null +++ b/docs/resources/volterra_code_base_integration.md 
@@ -0,0 +1,314 @@ +--- + +page_title: "Volterra: code_base_integration" +description: "The code_base_integration allows CRUD of Code Base Integration resource on Volterra SaaS" + +--- + +Resource volterra_code_base_integration +======================================= + +The Code Base Integration allows CRUD of Code Base Integration resource on Volterra SaaS + +~> **Note:** Please refer to [Code Base Integration API docs](https://docs.cloud.f5.com/docs-v2/api/code-base-integration) to learn more + +Example Usage +------------- + +```hcl +resource "volterra_code_base_integration" "example" { + name = "acmecorp-web" + namespace = "staging" +} + +``` + +Argument Reference +------------------ + +### Metadata Argument Reference + +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). + +`description` - (Optional) Human readable description for the object (`String`). + +`disable` - (Optional) A value of true will administratively disable the object (`Bool`). + +`labels` - (Optional) by selector expression (`String`). + +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). + +`namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). + +### Spec Argument Reference + +`code_base_integration` - (Optional) Choose your code base (e.g. GitHub, GitLab, Bitbucket, Azure) and provide credentials and connection details. See [Code Base Integration ](#code-base-integration) below for details. + +### Code Base Integration + +Choose your code base (e.g. GitHub, GitLab, Bitbucket, Azure) and provide credentials and connection details. + +###### One of the arguments from this list "azure_repos, bitbucket, bitbucket_server, github, github_enterprise, gitlab, gitlab_enterprise" must be set + +`azure_repos` - (Optional) x-displayName: "Azure Repos Integration". See [Type Azure Repos ](#type-azure-repos) below for details. 
+ +`bitbucket` - (Optional) x-displayName: "BitBucket Cloud Integration". See [Type Bitbucket ](#type-bitbucket) below for details. + +`bitbucket_server` - (Optional) x-displayName: "BitBucket Server Integration". See [Type Bitbucket Server ](#type-bitbucket-server) below for details. + +`github` - (Optional) x-displayName: "Github Integration". See [Type Github ](#type-github) below for details. + +`github_enterprise` - (Optional) x-displayName: "Github Enterprise Integration". See [Type Github Enterprise ](#type-github-enterprise) below for details. + +`gitlab` - (Optional) x-displayName: "GitLab Cloud Integration". See [Type Gitlab ](#type-gitlab) below for details. + +`gitlab_enterprise` - (Optional) x-displayName: "GitLab Enterprise Integration". See [Type Gitlab Enterprise ](#type-gitlab-enterprise) below for details. + +### Access Token Blindfold Secret Info Internal + +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. + +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). + +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). + +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). + +### Azure Repos Access Token + +x-required. + +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Access Token Blindfold Secret Info Internal ](#access-token-blindfold-secret-info-internal) below for details.(Deprecated) + +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) + +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set + +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. + +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. + +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) + +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) + +### Bitbucket Passwd + +x-required. + +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Passwd Blindfold Secret Info Internal ](#passwd-blindfold-secret-info-internal) below for details.(Deprecated) + +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) + +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set + +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. + +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. 
See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. + +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) + +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) + +### Bitbucket Server Passwd + +x-required. + +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Passwd Blindfold Secret Info Internal ](#passwd-blindfold-secret-info-internal) below for details.(Deprecated) + +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) + +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set + +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. + +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. + +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) + +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) + +### Github Access Token + +x-required. 
+ +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Access Token Blindfold Secret Info Internal ](#access-token-blindfold-secret-info-internal) below for details.(Deprecated) + +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) + +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set + +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. + +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. + +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) + +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) + +### Github Enterprise Access Token + +x-required. + +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Access Token Blindfold Secret Info Internal ](#access-token-blindfold-secret-info-internal) below for details.(Deprecated) + +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) + +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set + +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. + +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. + +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) + +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) + +### Gitlab Access Token + +x-required. + +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Access Token Blindfold Secret Info Internal ](#access-token-blindfold-secret-info-internal) below for details.(Deprecated) + +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) + +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set + +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. + +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. 
See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. + +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) + +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) + +### Gitlab Enterprise Access Token + +x-required. + +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Access Token Blindfold Secret Info Internal ](#access-token-blindfold-secret-info-internal) below for details.(Deprecated) + +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) + +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set + +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. + +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. + +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) + +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) + +### Passwd Blindfold Secret Info Internal + +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. + +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). + +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). + +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). + +### Secret Info Oneof Blindfold Secret Info + +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. + +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). + +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). + +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). + +### Secret Info Oneof Clear Secret Info + +Clear Secret is used for the secrets that are not encrypted. + +`provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). + +`url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). + +### Secret Info Oneof Vault Secret Info + +Vault Secret is used for the secrets managed by Hashicorp Vault. + +`key` - (Optional) If not provided entire secret will be returned. (`String`). + +`location` - (Required) Path to secret in Vault. (`String`). + +`provider` - (Required) Name of the Secret Management Access object that contains information about the backend Vault. (`String`). 
+ +`secret_encoding` - (Optional) This field defines the encoding type of the secret BEFORE the secret is put into Hashicorp Vault. (`String`). + +`version` - (Optional) If not provided latest version will be returned. (`Int`). + +### Secret Info Oneof Wingman Secret Info + +Secret is given as bootstrap secret in F5XC Security Sidecar. + +`name` - (Required) Name of the secret. (`String`). + +### Type Azure Repos + +x-displayName: "Azure Repos Integration". + +`access_token` - (Required) x-required. See [Azure Repos Access Token ](#azure-repos-access-token) below for details. + +### Type Bitbucket + +x-displayName: "BitBucket Cloud Integration". + +`passwd` - (Required) x-required. See [Bitbucket Passwd ](#bitbucket-passwd) below for details. + +`username` - (Required) x-required (`String`). + +### Type Bitbucket Server + +x-displayName: "BitBucket Server Integration". + +`passwd` - (Required) x-required. See [Bitbucket Server Passwd ](#bitbucket-server-passwd) below for details. + +`url` - (Required) x-required (`String`). + +`username` - (Required) x-required (`String`). + +`verify_ssl` - (Optional) x-displayName: "Verify SSL" (`Bool`). + +### Type Github + +x-displayName: "Github Integration". + +`access_token` - (Required) x-required. See [Github Access Token ](#github-access-token) below for details. + +`username` - (Required) x-required (`String`). + +`verify_ssl` - (Optional) x-displayName: "GitHub Verify SSL" (`Bool`). + +### Type Github Enterprise + +x-displayName: "Github Enterprise Integration". + +`access_token` - (Required) x-required. See [Github Enterprise Access Token ](#github-enterprise-access-token) below for details. + +`hostname` - (Required) x-required (`String`). + +`username` - (Required) x-required (`String`). + +### Type Gitlab + +x-displayName: "GitLab Cloud Integration". + +`access_token` - (Required) x-required. See [Gitlab Access Token ](#gitlab-access-token) below for details. 
+ +### Type Gitlab Enterprise + +x-displayName: "GitLab Enterprise Integration". + +`access_token` - (Required) x-required. See [Gitlab Enterprise Access Token ](#gitlab-enterprise-access-token) below for details. + +`url` - (Required) x-required (`String`). + +Attribute Reference +------------------- + +- `id` - This is the id of the configured code_base_integration. diff --git a/docs/resources/volterra_container_registry.md b/docs/resources/volterra_container_registry.md index 142846c46..eb6e04196 100644 --- a/docs/resources/volterra_container_registry.md +++ b/docs/resources/volterra_container_registry.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: container_registry" -description: "The container_registry allows CRUD of Container Registry resource on Volterra SaaS" +description: "The container_registry allows CRUD of Container Registry resource on Volterra SaaS" + --- -# Resource volterra_container_registry -The Container Registry allows CRUD of Container Registry resource on Volterra SaaS +Resource volterra_container_registry +==================================== + +The Container Registry allows CRUD of Container Registry resource on Volterra SaaS -~> **Note:** Please refer to [Container Registry API docs](https://docs.cloud.f5.com/docs-v2/api/container-registry) to learn more +~> **Note:** Please refer to [Container Registry API docs](https://docs.cloud.f5.com/docs-v2/api/container-registry) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_container_registry" "example" { 
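Review bot: In the new docs/resources/volterra_code_base_integration.md, the Example Usage block sets only `name` and `namespace`, while the Code Base Integration section says one of "azure_repos, bitbucket, bitbucket_server, github, github_enterprise, gitlab, gitlab_enterprise" must be set, so the example does not show a usable resource. Add a `code_base_integration` block with one provider and its credential, preferably via `blindfold_secret_info` rather than `clear_secret_info`. `verify_ssl` under Type Bitbucket Server and Type Github is described only by its display name; state the default and what disabling it means for certificate validation on the connection that carries the token. The `x-required.` and `x-displayName: "..."` strings are schema annotations standing in for descriptions, and `location` ("Or it could be a path if ...") starts mid-sentence; these should be fixed where the docs are generated.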
@@ -38,18 +31,14 @@ resource "volterra_container_registry" "example" { secret_encoding_type = "secret_encoding_type" - // One of the arguments from this list "wingman_secret_info blindfold_secret_info vault_secret_info clear_secret_info" must be set + // One of the arguments from this list "blindfold_secret_info clear_secret_info vault_secret_info wingman_secret_info" must be set - vault_secret_info { - key = "key_pem" - - location = "v1/data/vhost_key" - - provider = "vault-vh-provider" + blindfold_secret_info { + decryption_provider = "value" - secret_encoding = "secret_encoding" + location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" - version = "1" + store_provider = "value" } } 
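Review bot: In the volterra_container_registry example, the added `blindfold_secret_info` block sets `store_provider = "value"` next to `location = "string:///U2VjcmV0SW5mb3JtYXRpb24="`, but the argument reference in this same file says `store_provider` needs to be provided only if the url scheme is not string:///. Drop `store_provider` from the example, and replace `decryption_provider = "value"` with a realistic object name or omit it, since it is Optional. The sample location is base64 of a readable placeholder, which is the shape the reference describes for the `clear_secret_info` `url`; a short comment saying what the location is expected to contain for a Blindfold secret would keep readers from pasting base64 plaintext there. The unchanged line `secret_encoding_type = "secret_encoding_type"` is marked Deprecated in the reference and could leave the example as well.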
@@ -59,115 +48,54 @@ resource "volterra_container_registry" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `email` - (Optional) Email used for the registry (`String`). - - `password` - (Required) Password for the above username. See [Password ](#password) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `registry` - (Required) Fully qualified name of the registry login server (`String`). - - `user_name` - (Required) Username used to access the registry (`String`). +### Password - -### Password - - Password for the above username. +Password for the above username. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) - - -###### One of the arguments from this list "vault_secret_info, clear_secret_info, wingman_secret_info, blindfold_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Password Blindfold Secret Info Internal - - -### Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
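Review bot: In the Password section of volterra_container_registry.md, the reordered line `One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set` still presents all four options as equal, although `vault_secret_info` and `wingman_secret_info` are marked (Deprecated) a few lines below. That leaves `clear_secret_info`, described as "secrets that are not encrypted", as the only non-deprecated alternative to Blindfold, and nothing in the text says which one to prefer for a registry password. Mark the deprecated entries in the list itself and add a sentence recommending `blindfold_secret_info`. The carried-over description "is used for the putting re-encrypted blindfold secret" is also ungrammatical and worth fixing at the source while these lines are being touched.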
@@ -175,11 +103,9 @@ resource "volterra_container_registry" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -187,21 +113,17 @@ resource "volterra_container_registry" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -213,17 +135,13 @@ resource "volterra_container_registry" "example" { `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured container_registry. - +- `id` - This is the id of the configured container_registry. diff --git a/docs/resources/volterra_crl.md b/docs/resources/volterra_crl.md index a4af37557..82bf26783 100644 --- a/docs/resources/volterra_crl.md +++ b/docs/resources/volterra_crl.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: crl" -description: "The crl allows CRUD of Crl resource on Volterra SaaS" +description: "The crl allows CRUD of Crl resource on Volterra SaaS" + --- -# Resource volterra_crl -The Crl allows CRUD of Crl resource on Volterra SaaS +Resource volterra_crl +===================== -~> **Note:** Please refer to [Crl API docs](https://docs.cloud.f5.com/docs-v2/api/crl) to learn more +The Crl allows CRUD of Crl resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Crl API docs](https://docs.cloud.f5.com/docs-v2/api/crl) to learn more + +Example Usage +------------- ```hcl resource "volterra_crl" "example" { 
@@ -31,68 +24,46 @@ resource "volterra_crl" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "http_access" can be set `http_access` - (Optional) http://:/. See [Access Info Choice Http Access ](#access-info-choice-http-access) below for details. - - - - - - `refresh_interval` - (Optional) CRL refresh interval, in hours. (`Int`). - - `server_address` - (Required) CRL server address or hostname (`String`). - - `server_port` - (Optional) Set CRL Server port number (`Int`). - - `timeout` - (Optional) CRL download wait time, in seconds (`Int`). - - `verify_all_certs_with_crl` - (Optional) from that chain. (`Bool`).(Deprecated) +### Access Info Choice Http Access - -### Access Info Choice Http Access - - http://:/. +http://:/. `path` - (Optional) CRL file location (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured crl. - +- `id` - This is the id of the configured crl. diff --git a/docs/resources/volterra_data_type.md b/docs/resources/volterra_data_type.md index 13e01e8b2..657ec2be2 100644 --- a/docs/resources/volterra_data_type.md +++ b/docs/resources/volterra_data_type.md 
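Review bot: In the `@@ -31,68 +24,46 @@` hunk of volterra_crl.md, the reformat carries two broken descriptions through unchanged: `http_access` and the Access Info Choice Http Access section both read "http://:/.", which looks like a URL template whose placeholders were stripped, and `verify_all_certs_with_crl` reads only "from that chain.". Neither tells the reader what the argument does; restore the full text from the API schema rather than re-indenting the fragments. The added heading `One of the arguments from this list "http_access" can be set` is a one-item list and says "can be set" where the other resources say "must be set"; confirm that wording is intended, since it decides whether `http_access` is mandatory.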
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: data_type" -description: "The data_type allows CRUD of Data Type resource on Volterra SaaS" +description: "The data_type allows CRUD of Data Type resource on Volterra SaaS" + --- -# Resource volterra_data_type -The Data Type allows CRUD of Data Type resource on Volterra SaaS +Resource volterra_data_type +=========================== + +The Data Type allows CRUD of Data Type resource on Volterra SaaS -~> **Note:** Please refer to [Data Type API docs](https://docs.cloud.f5.com/docs-v2/api/data-type) to learn more +~> **Note:** Please refer to [Data Type API docs](https://docs.cloud.f5.com/docs-v2/api/data-type) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_data_type" "example" { 
@@ -30,213 +23,108 @@ resource "volterra_data_type" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -`compliances` - (Optional) Choose applicable compliance frameworks such as GDPR, PCI/DSS, or CCPA to ensure the platform identifies whether vulnerabilities in API endpoints handling this data type may cause a compliance breach (`List of Strings`).(Deprecated) - - - -`is_pii` - (Optional) Select this option to classify the custom data type as personally identifiable information (PII) (`Bool`).(Deprecated) +`compliances` - (Optional) Choose applicable compliance frameworks such as GDPR, PCI/DSS, or CCPA to ensure the platform identifies whether vulnerabilities in API endpoints handling this data type may cause a compliance breach (`List of Strings`). +`is_pii` - (Optional) Select this option to classify the custom data type as personally identifiable information (PII) (`Bool`). `is_sensitive_data` - (Optional) Select this option to classify the custom data type as sensitive, enabling detection of API vulnerabilities related to this data type. (`Bool`). - - `rules` - (Optional) Configure key/value or regex match rules to enable the platform to detect this custom data type in the API request or response. See [Rules ](#rules) below for details. 
+### Rules +Configure key/value or regex match rules to enable the platform to detect this custom data type in the API request or response. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Rules - - Configure key/value or regex match rules to enable the platform to detect this custom data type in the API request or response. - - - -###### One of the arguments from this list "key_value_pattern, key_pattern, value_pattern" must be set +###### One of the arguments from this list "key_pattern, key_value_pattern, value_pattern" must be set `key_pattern` - (Optional) Search for pattern across all field names in the specified sections.. See [Pattern Choice Key Pattern ](#pattern-choice-key-pattern) below for details. - `key_value_pattern` - (Optional) Search for specific field and value patterns in the specified sections.. See [Pattern Choice Key Value Pattern ](#pattern-choice-key-value-pattern) below for details. - `value_pattern` - (Optional) Search for pattern across all field values in the specified sections.. See [Pattern Choice Value Pattern ](#pattern-choice-value-pattern) below for details. +### Key Value Pattern Key Pattern +Pattern for key/field.. - -### Key Value Pattern Key Pattern - - Pattern for key/field.. - - - -###### One of the arguments from this list "regex_value, exact_values, substring_value" must be set +###### One of the arguments from this list "exact_values, regex_value, substring_value" must be set `exact_values` - (Optional) Search for values that are exact match to at least one item of the list. See [Type Choice Exact Values ](#type-choice-exact-values) below for details. - `regex_value` - (Optional) Search for values matching this regular expression (`String`). - `substring_value` - (Optional) Search for values that include this substring (`String`). +### Key Value Pattern Value Pattern +Pattern for value.. - -### Key Value Pattern Value Pattern - - Pattern for value.. 
- - - -###### One of the arguments from this list "regex_value, exact_values, substring_value" must be set +###### One of the arguments from this list "exact_values, regex_value, substring_value" must be set `exact_values` - (Optional) Search for values that are exact match to at least one item of the list. See [Type Choice Exact Values ](#type-choice-exact-values) below for details. - `regex_value` - (Optional) Search for values matching this regular expression (`String`). - `substring_value` - (Optional) Search for values that include this substring (`String`). +### Pattern Choice Key Pattern +Search for pattern across all field names in the specified sections.. - -### Pattern Choice Key Pattern - - Search for pattern across all field names in the specified sections.. - - - -###### One of the arguments from this list "regex_value, exact_values, substring_value" must be set +###### One of the arguments from this list "exact_values, regex_value, substring_value" must be set `exact_values` - (Optional) Search for values that are exact match to at least one item of the list. See [Type Choice Exact Values ](#type-choice-exact-values) below for details. - `regex_value` - (Optional) Search for values matching this regular expression (`String`). - `substring_value` - (Optional) Search for values that include this substring (`String`). +### Pattern Choice Key Value Pattern - - -### Pattern Choice Key Value Pattern - - Search for specific field and value patterns in the specified sections.. +Search for specific field and value patterns in the specified sections.. `key_pattern` - (Required) Pattern for key/field.. See [Key Value Pattern Key Pattern ](#key-value-pattern-key-pattern) below for details. `value_pattern` - (Required) Pattern for value.. See [Key Value Pattern Value Pattern ](#key-value-pattern-value-pattern) below for details. +### Pattern Choice Value Pattern +Search for pattern across all field values in the specified sections.. 
-### Pattern Choice Value Pattern - - Search for pattern across all field values in the specified sections.. - - - -###### One of the arguments from this list "regex_value, exact_values, substring_value" must be set +###### One of the arguments from this list "exact_values, regex_value, substring_value" must be set `exact_values` - (Optional) Search for values that are exact match to at least one item of the list. See [Type Choice Exact Values ](#type-choice-exact-values) below for details. - `regex_value` - (Optional) Search for values matching this regular expression (`String`). - `substring_value` - (Optional) Search for values that include this substring (`String`). +### Type Choice Exact Values - - -### Type Choice Exact Values - - Search for values that are exact match to at least one item of the list. +Search for values that are exact match to at least one item of the list. `exact_values` - (Required) List of exact values to match. (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured data_type. - +- `id` - This is the id of the configured data_type. diff --git a/docs/resources/volterra_dc_cluster_group.md b/docs/resources/volterra_dc_cluster_group.md index 1b51edde3..52c2fb17d 100644 --- a/docs/resources/volterra_dc_cluster_group.md +++ b/docs/resources/volterra_dc_cluster_group.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: dc_cluster_group" - description: "The dc_cluster_group allows CRUD of Dc Cluster Group resource on Volterra SaaS" ---------------------------------------------------------------------------------------------- + +--- Resource volterra_dc_cluster_group ================================== diff --git a/docs/resources/volterra_discovery.md b/docs/resources/volterra_discovery.md index 9b11289a9..ce2d6b710 100644 --- a/docs/resources/volterra_discovery.md +++ b/docs/resources/volterra_discovery.md 
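Review bot: In the `@@ -30,213 +23,108 @@` hunk of volterra_data_type.md, the `compliances` and `is_pii` lines lose their trailing `(Deprecated)` marker, which is a change in documented behaviour inside what is otherwise a whitespace and heading-style cleanup. Confirm the provider schema really un-deprecates both fields, and mention it in the commit message if so; otherwise restore the marker. The descriptions ending in a double period ("in the specified sections..", "Pattern for key/field..", "Pattern for value..") are re-emitted as added lines and could be corrected in the same pass.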
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: discovery" -description: "The discovery allows CRUD of Discovery resource on Volterra SaaS" +description: "The discovery allows CRUD of Discovery resource on Volterra SaaS" + --- -# Resource volterra_discovery -The Discovery allows CRUD of Discovery resource on Volterra SaaS +Resource volterra_discovery +=========================== + +The Discovery allows CRUD of Discovery resource on Volterra SaaS -~> **Note:** Please refer to [Discovery API docs](https://docs.cloud.f5.com/docs-v2/api/discovery) to learn more +~> **Note:** Please refer to [Discovery API docs](https://docs.cloud.f5.com/docs-v2/api/discovery) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_discovery" "example" { @@ -31,24 +24,17 @@ resource "volterra_discovery" "example" { no_cluster_id = true - // One of the arguments from this list "discovery_k8s discovery_consul" must be set + // One of the arguments from this list "discovery_cbip discovery_consul discovery_k8s" must be set discovery_k8s { access_info { - // One of the arguments from this list "kubeconfig_url connection_info in_cluster" must be set + // One of the arguments from this list "connection_info in_cluster kubeconfig_url" must be set kubeconfig_url { - blindfold_secret_info_internal { - decryption_provider = "value" - - location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" - - store_provider = "value" - } secret_encoding_type = "secret_encoding_type" - // One of the arguments from this list "blindfold_secret_info vault_secret_info clear_secret_info wingman_secret_info" must be set + // One of the arguments from this list "blindfold_secret_info clear_secret_info vault_secret_info wingman_secret_info" must be set blindfold_secret_info { decryption_provider = "value" 
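Review bot: In the `kubeconfig_url` block of the example, the unchanged line `secret_encoding_type = "secret_encoding_type"` stays in place while the deprecated `blindfold_secret_info_internal` block beside it is dropped. The argument reference in this same file marks `secret_encoding_type` as (Deprecated), so the example should drop it as well; otherwise readers copy a deprecated argument with a placeholder value into their configuration. The updated comment also lists `discovery_cbip` as a choice, but the example still shows only `discovery_k8s`, so a short `discovery_cbip` example would help if the new option is meant to be used.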
@@ -65,13 +51,13 @@ resource "volterra_discovery" "example" { } publish_info { - // One of the arguments from this list "publish_fqdns dns_delegation disable publish" must be set + // One of the arguments from this list "disable dns_delegation publish publish_fqdns" must be set disable = true } } where { - // One of the arguments from this list "virtual_network site virtual_site" must be set + // One of the arguments from this list "site virtual_network virtual_site" must be set site { // One of the arguments from this list "disable_internet_vip enable_internet_vip" must be set 
@@ -97,379 +83,164 @@ resource "volterra_discovery" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "cluster_id, no_cluster_id" must be set `cluster_id` - (Optional) specified in endpoint object to discover only from this discovery object. (`String`). - `no_cluster_id` - (Optional) of the site will discover from this discovery object. (`Bool`). +###### One of the arguments from this list "discovery_cbip, discovery_consul, discovery_k8s" must be set - - +`discovery_cbip` - (Optional) Discovery configuration for Classic BIG-IP. See [Discovery Choice Discovery Cbip ](#discovery-choice-discovery-cbip) below for details. `discovery_consul` - (Optional) Discovery configuration for Hashicorp Consul. See [Discovery Choice Discovery Consul ](#discovery-choice-discovery-consul) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `discovery_k8s` - (Optional) Discovery configuration for K8s.. 
See [Discovery Choice Discovery K8s ](#discovery-choice-discovery-k8s) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `where` - (Required) All the sites where this discovery config is valid.. See [Where ](#where) below for details. +### Where +All the sites where this discovery config is valid.. +###### One of the arguments from this list "site, virtual_network, virtual_site" must be set - - - - - - - - - - - - - - - - +`site` - (Optional) Direct reference to site object. See [Ref Or Selector Site ](#ref-or-selector-site) below for details. +`virtual_network` - (Optional) Direct reference to virtual network object. See [Ref Or Selector Virtual Network ](#ref-or-selector-virtual-network) below for details. +`virtual_site` - (Optional) Direct reference to virtual site object. See [Ref Or Selector Virtual Site ](#ref-or-selector-virtual-site) below for details. +### Access Info Connection Info - +Configuration details to access Hashicorp Consul API service using REST.. +`api_server` - (Required) API server must be a fully qualified domain string and port specified as host:port pair (`String`). +`tls_info` - (Optional) TLS settings to enable transport layer security. See [Connection Info Tls Info ](#connection-info-tls-info) below for details. +### Access Info Http Basic Auth Info +Username and password used for HTTP/HTTPS access. - +`passwd_url` - (Optional) F5XC Secret. URL for password, needs to be fetched from this path. See [Http Basic Auth Info Passwd Url ](#http-basic-auth-info-passwd-url) below for details. +`user_name` - (Optional) username in consul (`String`). +### Admin Credentials Password +Password used to log into an admin account on the BIG-IP device. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Ca Certificate Url Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). -### Where +### Cbip Clusters Cbip Devices - All the sites where this discovery config is valid.. +in Shared Configuration. Otherwise all devices are imported to current namespace.. +`admin_credentials` - (Required) x-required. 
See [Cbip Devices Admin Credentials ](#cbip-devices-admin-credentials) below for details. +`cbip_certificate_authority` - (Required) x-required. See [Cbip Devices Cbip Certificate Authority ](#cbip-devices-cbip-certificate-authority) below for details. -###### One of the arguments from this list "virtual_network, site, virtual_site" must be set +`cbip_mgmt_ip` - (Required) IP Address of the Classic BIG-IP device (`String`). -`site` - (Optional) Direct reference to site object. See [Ref Or Selector Site ](#ref-or-selector-site) below for details. +###### One of the arguments from this list "default_all, namespace_mapping" can be set +`default_all` - (Optional) All Partitions added to Shared Namespace (`Bool`). -`virtual_network` - (Optional) Direct reference to virtual network object. See [Ref Or Selector Virtual Network ](#ref-or-selector-virtual-network) below for details. +`namespace_mapping` - (Optional) Select which partition(s) should map to which XC namespace(s). See [Namespace Mapping Choice Namespace Mapping ](#namespace-mapping-choice-namespace-mapping) below for details. +`virtual_server_filter` - (Optional) Filters to only discover certain BIG-IP Virtual Servers. See [Cbip Devices Virtual Server Filter ](#cbip-devices-virtual-server-filter) below for details. -`virtual_site` - (Optional) Direct reference to virtual site object. See [Ref Or Selector Virtual Site ](#ref-or-selector-virtual-site) below for details. +### Cbip Clusters Metadata +Common attributes for the device configuration including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) -### Access Info Connection Info +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - Configuration details to access Hashicorp Consul API service using REST.. 
+### Cbip Devices Admin Credentials -`api_server` - (Required) API server must be a fully qualified domain string and port specified as host:port pair (`String`). +x-required. -`tls_info` - (Optional) TLS settings to enable transport layer security. See [Connection Info Tls Info ](#connection-info-tls-info) below for details. +`password` - (Required) Password used to log into an admin account on the BIG-IP device. See [Admin Credentials Password ](#admin-credentials-password) below for details. +`username` - (Required) Username used to log into an admin account on the BIG-IP device (`String`). +### Cbip Devices Cbip Certificate Authority -### Access Info Http Basic Auth Info +x-required. - Username and password used for HTTP/HTTPS access. +###### One of the arguments from this list "skip_server_verification, trusted_ca" must be set -`passwd_url` - (Optional) F5XC Secret. URL for password, needs to be fetched from this path. See [Http Basic Auth Info Passwd Url ](#http-basic-auth-info-passwd-url) below for details. +`skip_server_verification` - (Optional) Skip origin server verification (`Bool`). -`user_name` - (Optional) username in consul (`String`). +`trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Origin Pool for verification of server's certificate. See [ref](#ref) below for details. +### Cbip Devices Virtual Server Filter +Filters to only discover certain BIG-IP Virtual Servers. -### Ca Certificate Url Blindfold Secret Info Internal +`description_regex` - (Optional) Regex to match Virtual Server description (`String`). - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +###### One of the arguments from this list "enabled_only, include_disabled" must be set -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
+`enabled_only` - (Optional) Select to only discover enabled Virtual Servers (`Bool`). -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`include_disabled` - (Optional) Select to discover disabled Virtual Servers (`Bool`). -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +`name_regex` - (Optional) Regex to match Virtual Server name (`String`). +`port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). +`protocols` - (Optional) Filter by protocol(s) (`String`). -### Certificate Url Blindfold Secret Info Internal +### Certificate Url Blindfold Secret Info Internal - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
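Review bot: In the new `Cbip Devices Cbip Certificate Authority` section, `skip_server_verification` is documented only as "Skip origin server verification" and `trusted_ca` refers to "this Origin Pool", which reads as text carried over from another resource rather than a description of the connection to the BIG-IP device. The same device block holds `admin_credentials` for an admin account on the BIG-IP, so the text should name the BIG-IP device and say plainly that these two options decide whether its certificate is verified. Separately, `admin_credentials` and `cbip_certificate_authority` have "x-required." as their entire description, and `Cbip Clusters Cbip Devices` opens mid-sentence ("in Shared Configuration. Otherwise all devices are imported to current namespace.."); both look like truncated generator output and need real descriptions.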
@@ -477,51 +248,39 @@ resource "volterra_discovery" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Config Type Connection Info - -### Config Type Connection Info - - Provide API server access details (endpoint and TLS parameters). +Provide API server access details (endpoint and TLS parameters). `api_server` - (Required) API server must be a fully qualified domain string and port specified as host:port pair (`String`). `tls_info` - (Optional) TLS settings to enable transport layer security. See [Connection Info Tls Info ](#connection-info-tls-info) below for details. +### Config Type Kubeconfig Url - -### Config Type Kubeconfig Url - - Provide kubeconfig file to connect to K8s cluster. +Provide kubeconfig file to connect to K8s cluster. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Kubeconfig Url Blindfold Secret Info Internal ](#kubeconfig-url-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "wingman_secret_info, blindfold_secret_info, vault_secret_info, clear_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. 
- `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Connection Info Tls Info - - -### Connection Info Tls Info - - TLS settings to enable transport layer security. +TLS settings to enable transport layer security. `ca_certificate_url` - (Optional) F5XC Secret. URL to fetch the server CA certificate file. See [Tls Info Ca Certificate Url ](#tls-info-ca-certificate-url) below for details.(Deprecated) -`certificate` - (Optional) Client certificate is PEM-encoded certificate or certificate-chain. (`String`). +`certificate` - (Optional) Client certificate is PEM-encoded certificate or certificate-chain. (`String`). `certificate_url` - (Optional) F5XC Secret. URL to fetch the client certificate file. See [Tls Info Certificate Url ](#tls-info-certificate-url) below for details.(Deprecated) 
@@ -531,160 +290,145 @@ resource "volterra_discovery" "example" { `trusted_ca_url` - (Optional) Certificates in PEM format including the PEM headers. (`String`). +### Discover Disabled Choice Enabled Only +Select to only discover enabled Virtual Servers. -### Discovery Choice Discovery Consul +### Discover Disabled Choice Include Disabled - Discovery configuration for Hashicorp Consul. +Select to discover disabled Virtual Servers. -`access_info` - (Required) Credentials to access Hashicorp Consul service discovery. See [Discovery Consul Access Info ](#discovery-consul-access-info) below for details. +### Discovery Cbip Cbip Clusters -`publish_info` - (Required) Configuration to publish VIPs. See [Discovery Consul Publish Info ](#discovery-consul-publish-info) below for details. +are in an Active-Active or Active-Standby setup or even a standalone BIG-IP device.. +`cbip_devices` - (Required) in Shared Configuration. Otherwise all devices are imported to current namespace.. See [Cbip Clusters Cbip Devices ](#cbip-clusters-cbip-devices) below for details. +`metadata` - (Required) Common attributes for the device configuration including name and description.. See [Cbip Clusters Metadata ](#cbip-clusters-metadata) below for details. -### Discovery Choice Discovery K8s +### Discovery Choice Discovery Cbip - Discovery configuration for K8s.. +Discovery configuration for Classic BIG-IP. -`access_info` - (Required) Credentials can be kubeconfig file or mTLS using PKI certificates. See [Discovery K8s Access Info ](#discovery-k8s-access-info) below for details. +`cbip_clusters` - (Required) are in an Active-Active or Active-Standby setup or even a standalone BIG-IP device.. See [Discovery Cbip Cbip Clusters ](#discovery-cbip-cbip-clusters) below for details. -`publish_info` - (Required) Configuration to publish VIPs. See [Discovery K8s Publish Info ](#discovery-k8s-publish-info) below for details. 
+`internal_lb_domain` - (Optional) Domain name of the internal LB (`String`).(Deprecated) +### Discovery Choice Discovery Consul +Discovery configuration for Hashicorp Consul. -### Discovery Consul Access Info +`access_info` - (Required) Credentials to access Hashicorp Consul service discovery. See [Discovery Consul Access Info ](#discovery-consul-access-info) below for details. - Credentials to access Hashicorp Consul service discovery. +`publish_info` - (Required) Configuration to publish VIPs. See [Discovery Consul Publish Info ](#discovery-consul-publish-info) below for details. -`connection_info` - (Optional) Configuration details to access Hashicorp Consul API service using REST.. See [Access Info Connection Info ](#access-info-connection-info) below for details. +### Discovery Choice Discovery K8s -`http_basic_auth_info` - (Optional) Username and password used for HTTP/HTTPS access. See [Access Info Http Basic Auth Info ](#access-info-http-basic-auth-info) below for details. +Discovery configuration for K8s.. -`scheme` - (Optional) scheme (`String`).(Deprecated) +`access_info` - (Required) Credentials can be kubeconfig file or mTLS using PKI certificates. See [Discovery K8s Access Info ](#discovery-k8s-access-info) below for details. +`publish_info` - (Required) Configuration to publish VIPs. See [Discovery K8s Publish Info ](#discovery-k8s-publish-info) below for details. + +### Discovery Consul Access Info + +Credentials to access Hashicorp Consul service discovery. +`connection_info` - (Optional) Configuration details to access Hashicorp Consul API service using REST.. See [Access Info Connection Info ](#access-info-connection-info) below for details. -### Discovery Consul Publish Info +`http_basic_auth_info` - (Optional) Username and password used for HTTP/HTTPS access. See [Access Info Http Basic Auth Info ](#access-info-http-basic-auth-info) below for details. - Configuration to publish VIPs. 
+`scheme` - (Optional) scheme (`String`).(Deprecated) +### Discovery Consul Publish Info +Configuration to publish VIPs. ###### One of the arguments from this list "disable, publish" must be set `disable` - (Optional) Disable VIP Publishing (`Bool`). - `publish` - (Optional) Publish domain to VIP mapping. (`Bool`). +### Discovery K8s Access Info +Credentials can be kubeconfig file or mTLS using PKI certificates. - -### Discovery K8s Access Info - - Credentials can be kubeconfig file or mTLS using PKI certificates. - - - -###### One of the arguments from this list "kubeconfig_url, connection_info, in_cluster" must be set +###### One of the arguments from this list "connection_info, in_cluster, kubeconfig_url" must be set `connection_info` - (Optional) Provide API server access details (endpoint and TLS parameters). See [Config Type Connection Info ](#config-type-connection-info) below for details. - `in_cluster` - (Optional) VER is POD running in the same K8s cluster. (`Bool`).(Deprecated) - `kubeconfig_url` - (Optional) Provide kubeconfig file to connect to K8s cluster. See [Config Type Kubeconfig Url ](#config-type-kubeconfig-url) below for details. - - - ###### One of the arguments from this list "isolated, reachable" must be set `isolated` - (Optional) discovered when Kubernetes cluster is in InCluster mode. (`Bool`). - `reachable` - (Optional) always discovers POD IP Address for configured endpoints. (`Bool`). +### Discovery K8s Publish Info +Configuration to publish VIPs. - -### Discovery K8s Publish Info - - Configuration to publish VIPs. - - - -###### One of the arguments from this list "dns_delegation, disable, publish, publish_fqdns" must be set +###### One of the arguments from this list "disable, dns_delegation, publish, publish_fqdns" must be set `disable` - (Optional) Disable VIP Publishing and DNS Delegation (`Bool`). - `dns_delegation` - (Optional) Program DNS delegation for a sub-domain in external cluster. 
See [Publish Choice Dns Delegation ](#publish-choice-dns-delegation) below for details. - `publish` - (Optional) Publish domain to VIP mapping.. See [Publish Choice Publish ](#publish-choice-publish) below for details. - `publish_fqdns` - (Optional) Use this option to publish domain to VIP mapping when all domains are expected to be fully qualified i.e. they include the namesapce. (`Bool`). +### Http Basic Auth Info Passwd Url - - -### Http Basic Auth Info Passwd Url - - F5XC Secret. URL for password, needs to be fetched from this path. +F5XC Secret. URL for password, needs to be fetched from this path. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Passwd Url Blindfold Secret Info Internal ](#passwd-url-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Internet Vip Choice Disable Internet Vip +Do not enable advertise on external internet vip.. +### Internet Vip Choice Enable Internet Vip -### Internet Vip Choice Disable Internet Vip - - Do not enable advertise on external internet vip.. - - - -### Internet Vip Choice Enable Internet Vip +Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site.. - Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site.. +### K8s Pod Network Choice Isolated +discovered when Kubernetes cluster is in InCluster mode.. +### K8s Pod Network Choice Reachable -### K8s Pod Network Choice Isolated +always discovers POD IP Address for configured endpoints.. - discovered when Kubernetes cluster is in InCluster mode.. +### Key Url Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). -### K8s Pod Network Choice Reachable - - always discovers POD IP Address for configured endpoints.. - +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). -### Key Url Blindfold Secret Info Internal +### Kubeconfig Url Blindfold Secret Info Internal - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
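Review bot: The description added for `Discovery Cbip Cbip Clusters`, and repeated on `cbip_clusters`, starts mid-sentence ("are in an Active-Active or Active-Standby setup or even a standalone BIG-IP device.."), so a reader cannot tell what a cluster entry represents. Please restore the full first sentence in the source description. `internal_lb_domain` is also introduced already marked (Deprecated) with no pointer to what replaces it, and the `publish_fqdns` line rewritten in this hunk still carries the typo "namesapce".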
@@ -692,23 +436,27 @@ resource "volterra_discovery" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Namespace Mapping Items +Map BIG-IP partition(s) to XC Namespaces. -### Kubeconfig Url Blindfold Secret Info Internal +`namespace` - (Optional) Select a namespace (`String`). - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`partition_regex` - (Optional) The regex here will be used to match BIG-IP partition(s). (`String`). -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +### Namespace Mapping Choice Default All -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +All Partitions added to Shared Namespace. -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Namespace Mapping Choice Namespace Mapping +Select which partition(s) should map to which XC namespace(s). +`items` - (Optional) Map BIG-IP partition(s) to XC Namespaces. See [Namespace Mapping Items ](#namespace-mapping-items) below for details. -### Passwd Url Blindfold Secret Info Internal +### Passwd Url Blindfold Secret Info Internal - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
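Review bot: In `Namespace Mapping Items`, `partition_regex` is described only as "The regex here will be used to match BIG-IP partition(s)", with no statement of the regex syntax or of whether the pattern must match the whole partition name. This value decides which partitions are mapped to which XC namespace, so the matching semantics should be documented, ideally with one example pattern. Both `namespace` and `partition_regex` are marked (Optional), which leaves open what an item with neither set does; if one of them is effectively required, the docs should say so.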
@@ -716,46 +464,43 @@ resource "volterra_discovery" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Password Blindfold Secret Info Internal + +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). -### Publish Choice Disable +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - Disable VIP Publishing. +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Publish Choice Disable +Disable VIP Publishing. -### Publish Choice Dns Delegation +### Publish Choice Dns Delegation - Program DNS delegation for a sub-domain in external cluster. +Program DNS delegation for a sub-domain in external cluster. `dns_mode` - (Required) Indicates whether external K8S is running core DNS or kube DNS (`String`). `subdomain` - (Required) The DNS subdomain for which F5XC will respond to DNS queries. (`String`). +### Publish Choice Publish +Publish domain to VIP mapping.. -### Publish Choice Publish +### Publish Choice Publish - Publish domain to VIP mapping.. - - - -### Publish Choice Publish - - Publish domain to VIP mapping.. +Publish domain to VIP mapping.. `namespace` - (Required) The external K8S administrator needs to ensure that the namespace exists. (`String`). +### Publish Choice Publish Fqdns +Use this option to publish domain to VIP mapping when all domains are expected to be fully qualified i.e. they include the namesapce.. -### Publish Choice Publish Fqdns - - Use this option to publish domain to VIP mapping when all domains are expected to be fully qualified i.e. they include the namesapce.. - - - -### Ref - +### Ref Reference to another volterra object is shown like below 
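Review bot: The result of this hunk still contains two `### Publish Choice Publish` headings, the first with only the one-line description and the second with the `namespace` argument. Both render to the same `#publish-choice-publish` anchor, so the link from `publish` under `Discovery K8s Publish Info` is likely to land on the empty first section. Drop the empty duplicate or give the two sections distinct headings so that the `namespace` argument is reachable from the link.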
@@ -765,63 +510,47 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Ref Or Selector Site - -### Ref Or Selector Site - - Direct reference to site object. - - +Direct reference to site object. ###### One of the arguments from this list "disable_internet_vip, enable_internet_vip" must be set `disable_internet_vip` - (Optional) Do not enable advertise on external internet vip. (`Bool`). - `enable_internet_vip` - (Optional) Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site. (`Bool`). - `network_type` - (Optional) The type of network on the referred site (`String`). `ref` - (Required) A site direct reference. See [ref](#ref) below for details. `refs` - (Optional) Reference to virtual network. See [ref](#ref) below for details.(Deprecated) +### Ref Or Selector Virtual Network - -### Ref Or Selector Virtual Network - - Direct reference to virtual network object. +Direct reference to virtual network object. `ref` - (Required) A virtual network direct reference. See [ref](#ref) below for details. +### Ref Or Selector Virtual Site - -### Ref Or Selector Virtual Site - - Direct reference to virtual site object. - - +Direct reference to virtual site object. ###### One of the arguments from this list "disable_internet_vip, enable_internet_vip" must be set `disable_internet_vip` - (Optional) Do not enable advertise on external internet vip. (`Bool`). - `enable_internet_vip` - (Optional) Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site. (`Bool`). - `network_type` - (Optional) The type of network on the referred virtual_site (`String`). `ref` - (Required) A virtual_site direct reference. See [ref](#ref) below for details. `refs` - (Optional) Reference to virtual network. 
See [ref](#ref) below for details.(Deprecated) +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -829,21 +558,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -855,95 +580,71 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Server Validation Choice Skip Server Verification +Skip origin server verification. -### Tls Info Ca Certificate Url +### Tls Info Ca Certificate Url - F5XC Secret. URL to fetch the server CA certificate file. +F5XC Secret. URL to fetch the server CA certificate file. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Ca Certificate Url Blindfold Secret Info Internal ](#ca-certificate-url-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Tls Info Certificate Url - - -### Tls Info Certificate Url - - F5XC Secret. URL to fetch the client certificate file. +F5XC Secret. URL to fetch the client certificate file. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Certificate Url Blindfold Secret Info Internal ](#certificate-url-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Tls Info Key Url - - -### Tls Info Key Url - - The data may be optionally secured using BlindFold.. +The data may be optionally secured using BlindFold.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Key Url Blindfold Secret Info Internal ](#key-url-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "clear_secret_info, wingman_secret_info, blindfold_secret_info, vault_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +Attribute Reference +------------------- - - -## Attribute Reference - -* `id` - This is the id of the configured discovery. - +- `id` - This is the id of the configured discovery. 
diff --git a/docs/resources/volterra_dns_compliance_checks.md b/docs/resources/volterra_dns_compliance_checks.md index 19a4b5dc6..74c3f60df 100644 --- a/docs/resources/volterra_dns_compliance_checks.md +++ b/docs/resources/volterra_dns_compliance_checks.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: dns_compliance_checks" -description: "The dns_compliance_checks allows CRUD of Dns Compliance Checks resource on Volterra SaaS" +description: "The dns_compliance_checks allows CRUD of Dns Compliance Checks resource on Volterra SaaS" + --- -# Resource volterra_dns_compliance_checks -The Dns Compliance Checks allows CRUD of Dns Compliance Checks resource on Volterra SaaS +Resource volterra_dns_compliance_checks +======================================= + +The Dns Compliance Checks allows CRUD of Dns Compliance Checks resource on Volterra SaaS -~> **Note:** Please refer to [Dns Compliance Checks API docs](https://docs.cloud.f5.com/docs-v2/api/dns-compliance-checks) to learn more +~> **Note:** Please refer to [Dns Compliance Checks API docs](https://docs.cloud.f5.com/docs-v2/api/dns-compliance-checks) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_dns_compliance_checks" "example" { 
@@ -32,41 +25,32 @@ resource "volterra_dns_compliance_checks" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -`disallowed_query_type_list` - (Optional) Disallowed Query Type Values (`List of Strings`). +`disallowed_query_type_list` - (Optional) Disallowed Query Type Values (`List of Strings`). `disallowed_resource_record_type_list` - (Optional) Disallowed Resource Record Type List (`List of Strings`). - - `domain_denylist` - (Required) List of domains to be denied by configuration object (`List of String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured dns_compliance_checks. - +- `id` - This is the id of the configured dns_compliance_checks. diff --git a/docs/resources/volterra_dns_domain.md b/docs/resources/volterra_dns_domain.md index 99e8bf808..bbf9f4135 100644 --- a/docs/resources/volterra_dns_domain.md +++ b/docs/resources/volterra_dns_domain.md 
@@ -1,91 +1,68 @@ - - - - - - - - - - - - --- + page_title: "Volterra: dns_domain" -description: "The dns_domain allows CRUD of Dns Domain resource on Volterra SaaS" +description: "The dns_domain allows CRUD of Dns Domain resource on Volterra SaaS" + --- -# Resource volterra_dns_domain -The Dns Domain allows CRUD of Dns Domain resource on Volterra SaaS +Resource volterra_dns_domain +============================ + +The Dns Domain allows CRUD of Dns Domain resource on Volterra SaaS -~> **Note:** Please refer to [Dns Domain API docs](https://docs.cloud.f5.com/docs-v2/api/dns-domain) to learn more +~> **Note:** Please refer to [Dns Domain API docs](https://docs.cloud.f5.com/docs-v2/api/dns-domain) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_dns_domain" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "volterra_managed route53 verification_only" must be set + // One of the arguments from this list "route53 verification_only volterra_managed" must be set volterra_managed = true } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -`dnssec_mode` - (Optional) Control whether DNSSEC is enabled on the dns domain or not (`String`). 
- +`dnssec_mode` - (Optional) Control whether DNSSEC is enabled on the dns domain or not (`String`). +###### One of the arguments from this list "route53, verification_only, volterra_managed" must be set `route53` - (Optional) sub domain in Amazon Route 53 zone owned by users. See [Domain Choice Route53 ](#domain-choice-route53) below for details.(Deprecated) - - - - `verification_only` - (Optional) F5XC will verify this domain, but will not manage it. (`Bool`).(Deprecated) - `volterra_managed` - (Optional) sub domain (`Bool`). +### Domain Choice Route53 - - -### Domain Choice Route53 - - sub domain in Amazon Route 53 zone owned by users. +sub domain in Amazon Route 53 zone owned by users. `creds` - (Optional) Reference to AWS credentials to program route53. See [ref](#ref) below for details. - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -95,10 +72,8 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured dns_domain. -* `txt_record` - This is the txt-record of the configured dns_domain. - +- `id` - This is the id of the configured dns_domain. +- `txt_record` - This is the txt-record of the configured dns_domain. diff --git a/docs/resources/volterra_dns_lb_health_check.md b/docs/resources/volterra_dns_lb_health_check.md index db510e9f0..4f6eae98c 100644 --- a/docs/resources/volterra_dns_lb_health_check.md +++ b/docs/resources/volterra_dns_lb_health_check.md 
@@ -1,118 +1,74 @@ - - - - - - - - - - - - --- + page_title: "Volterra: dns_lb_health_check" -description: "The dns_lb_health_check allows CRUD of Dns Lb Health Check resource on Volterra SaaS" +description: "The dns_lb_health_check allows CRUD of Dns Lb Health Check resource on Volterra SaaS" + --- -# Resource volterra_dns_lb_health_check -The Dns Lb Health Check allows CRUD of Dns Lb Health Check resource on Volterra SaaS +Resource volterra_dns_lb_health_check +===================================== -~> **Note:** Please refer to [Dns Lb Health Check API docs](https://docs.cloud.f5.com/docs-v2/api/dns-lb-health-check) to learn more +The Dns Lb Health Check allows CRUD of Dns Lb Health Check resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Dns Lb Health Check API docs](https://docs.cloud.f5.com/docs-v2/api/dns-lb-health-check) to learn more + +Example Usage +------------- ```hcl resource "volterra_dns_lb_health_check" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "https_health_check tcp_hex_health_check http_health_check tcp_health_check udp_health_check icmp_health_check" must be set + // One of the arguments from this list "http_health_check https_health_check icmp_health_check tcp_health_check tcp_hex_health_check udp_health_check" must be set - udp_health_check { + tcp_hex_health_check { health_check_port = "80" - receive = "receive" + receive = "00000034" - send = "send" + send = "000000FF" } } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). 
- `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "http_health_check, https_health_check, icmp_health_check, tcp_health_check, tcp_hex_health_check, udp_health_check" must be set `http_health_check` - (Optional) HTTP Health Check. See [Health Check Http Health Check ](#health-check-http-health-check) below for details. - - - - - - `https_health_check` - (Optional) HTTPS Health Check. See [Health Check Https Health Check ](#health-check-https-health-check) below for details. - - - - - - `icmp_health_check` - (Optional) ICMP Health Check (`Bool`). - `tcp_health_check` - (Optional) TCP Health Check. See [Health Check Tcp Health Check ](#health-check-tcp-health-check) below for details. - - - - - - `tcp_hex_health_check` - (Optional) TCP Health Check with Hex Encoded Payload. See [Health Check Tcp Hex Health Check ](#health-check-tcp-hex-health-check) below for details. - - - - - - `udp_health_check` - (Optional) UDP Health Check. See [Health Check Udp Health Check ](#health-check-udp-health-check) below for details. - - - - +### Health Check Http Health Check - - - -### Health Check Http Health Check - - HTTP Health Check. +HTTP Health Check. `health_check_port` - (Required) x-example: "80" (`Int`). @@ -120,11 +76,9 @@ resource "volterra_dns_lb_health_check" "example" { `send` - (Optional) HTTP payload to send to the target (`String`). +### Health Check Https Health Check - -### Health Check Https Health Check - - HTTPS Health Check. +HTTPS Health Check. `health_check_port` - (Required) x-example: "80" (`Int`). 
@@ -132,11 +86,9 @@ resource "volterra_dns_lb_health_check" "example" { `send` - (Optional) HTTP payload to send to the target (`String`). +### Health Check Tcp Health Check - -### Health Check Tcp Health Check - - TCP Health Check. +TCP Health Check. `health_check_port` - (Required) x-example: "80" (`Int`). @@ -144,11 +96,9 @@ resource "volterra_dns_lb_health_check" "example" { `send` - (Optional) Send this string to target (default empty. When send and receive are both empty, monitor just tests 3WHS) (`String`). +### Health Check Tcp Hex Health Check - -### Health Check Tcp Hex Health Check - - TCP Health Check with Hex Encoded Payload. +TCP Health Check with Hex Encoded Payload. `health_check_port` - (Required) x-example: "80" (`Int`). @@ -156,11 +106,9 @@ resource "volterra_dns_lb_health_check" "example" { `send` - (Optional) Hex encoded raw bytes sent in the request. Empty payloads imply a connect-only health check. (`String`). +### Health Check Udp Health Check - -### Health Check Udp Health Check - - UDP Health Check. +UDP Health Check. `health_check_port` - (Required) x-example: "80" (`Int`). @@ -168,9 +116,7 @@ resource "volterra_dns_lb_health_check" "example" { `send` - (Required) UDP payload (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured dns_lb_health_check. - +- `id` - This is the id of the configured dns_lb_health_check. diff --git a/docs/resources/volterra_dns_lb_pool.md b/docs/resources/volterra_dns_lb_pool.md index 595ecc403..58d1432e7 100644 --- a/docs/resources/volterra_dns_lb_pool.md +++ b/docs/resources/volterra_dns_lb_pool.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: dns_lb_pool" -description: "The dns_lb_pool allows CRUD of Dns Lb Pool resource on Volterra SaaS" +description: "The dns_lb_pool allows CRUD of Dns Lb Pool resource on Volterra SaaS" + --- -# Resource volterra_dns_lb_pool -The Dns Lb Pool allows CRUD of Dns Lb Pool resource on Volterra SaaS +Resource volterra_dns_lb_pool +============================= + +The Dns Lb Pool allows CRUD of Dns Lb Pool resource on Volterra SaaS -~> **Note:** Please refer to [Dns Lb Pool API docs](https://docs.cloud.f5.com/docs-v2/api/dns-lb-pool) to learn more +~> **Note:** Please refer to [Dns Lb Pool API docs](https://docs.cloud.f5.com/docs-v2/api/dns-lb-pool) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_dns_lb_pool" "example" { @@ -28,7 +21,7 @@ resource "volterra_dns_lb_pool" "example" { namespace = "staging" load_balancing_mode = ["load_balancing_mode"] - // One of the arguments from this list "srv_pool a_pool aaaa_pool cname_pool mx_pool" must be set + // One of the arguments from this list "a_pool aaaa_pool cname_pool mx_pool srv_pool" must be set a_pool { // One of the arguments from this list "disable_health_check health_check" must be set 
@@ -50,132 +43,55 @@ resource "volterra_dns_lb_pool" "example" { } } - // One of the arguments from this list "use_rrset_ttl ttl" must be set + // One of the arguments from this list "ttl use_rrset_ttl" must be set use_rrset_ttl = true } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -`load_balancing_mode` - (Required) x-required (`String`). - +`load_balancing_mode` - (Required) x-required (`String`). +###### One of the arguments from this list "a_pool, aaaa_pool, cname_pool, mx_pool, srv_pool" must be set `a_pool` - (Optional) x-displayName: "A". See [Pool Type Choice A Pool ](#pool-type-choice-a-pool) below for details. - - - - - - - - - - - - - - - - - - - - `aaaa_pool` - (Optional) x-displayName: "AAAA". See [Pool Type Choice Aaaa Pool ](#pool-type-choice-aaaa-pool) below for details. - - - - - - - - - - - - `cname_pool` - (Optional) x-displayName: "CNAME". See [Pool Type Choice Cname Pool ](#pool-type-choice-cname-pool) below for details. - - - - - - - - - - `mx_pool` - (Optional) x-displayName: "MX". See [Pool Type Choice Mx Pool ](#pool-type-choice-mx-pool) below for details. - - - - - - - - - - - `srv_pool` - (Optional) x-displayName: "SRV". See [Pool Type Choice Srv Pool ](#pool-type-choice-srv-pool) below for details. 
- - - - - - - - - - - - - - - - +###### One of the arguments from this list "ttl, use_rrset_ttl" must be set `ttl` - (Optional) Custom TTL in seconds (default 30) for responses from this pool (`Int`). - `use_rrset_ttl` - (Optional) Use TTL specified in the RRSet of the DNS Load Balancer Record which uses the pool (`Bool`). +### A Pool Members - - -### A Pool Members - - x-required. +x-required. `disable` - (Optional) A value of true will disable the pool-member (`Bool`). @@ -187,11 +103,9 @@ resource "volterra_dns_lb_pool" "example" { `ratio` - (Optional) Used if the pool’s load balancing mode is set to Ratio-Member (`Int`). +### Aaaa Pool Members - -### Aaaa Pool Members - - x-required. +x-required. `disable` - (Optional) A value of true will disable the pool-member (`Bool`). @@ -203,11 +117,9 @@ resource "volterra_dns_lb_pool" "example" { `ratio` - (Optional) Used if the pool’s load balancing mode is set to Ratio-Member (`Int`). +### Cname Pool Members - -### Cname Pool Members - - x-required. +x-required. `domain` - (Required) x-required (`String`). @@ -217,17 +129,13 @@ resource "volterra_dns_lb_pool" "example" { `ratio` - (Optional) Ratio (`Int`). +### Health Check Choice Disable Health Check +When health check is disabled, the pool member is presumed to be always healthy. -### Health Check Choice Disable Health Check - - When health check is disabled, the pool member is presumed to be always healthy. +### Mx Pool Members - - -### Mx Pool Members - - x-required. +x-required. `domain` - (Required) x-required (`String`). 
@@ -237,68 +145,51 @@ resource "volterra_dns_lb_pool" "example" { `ratio` - (Optional) Load Balancing Ratio (`Int`). +### Pool Type Choice A Pool - -### Pool Type Choice A Pool - - x-displayName: "A". - - +x-displayName: "A". ###### One of the arguments from this list "disable_health_check, health_check" must be set `disable_health_check` - (Optional) When health check is disabled, the pool member is presumed to be always healthy (`Bool`). - `health_check` - (Optional) Select the health check to be applied to all the pool members. See [ref](#ref) below for details. - `max_answers` - (Required) Limit on number of Resource Records to be included in the response to query (`Int`). `members` - (Required) x-required. See [A Pool Members ](#a-pool-members) below for details. +### Pool Type Choice Aaaa Pool - -### Pool Type Choice Aaaa Pool - - x-displayName: "AAAA". +x-displayName: "AAAA". `max_answers` - (Required) Limit on number of Resource Records to be included in the response to query (`Int`). `members` - (Required) x-required. See [Aaaa Pool Members ](#aaaa-pool-members) below for details. +### Pool Type Choice Cname Pool - -### Pool Type Choice Cname Pool - - x-displayName: "CNAME". +x-displayName: "CNAME". `members` - (Required) x-required. See [Cname Pool Members ](#cname-pool-members) below for details. +### Pool Type Choice Mx Pool - -### Pool Type Choice Mx Pool - - x-displayName: "MX". +x-displayName: "MX". `max_answers` - (Required) Limit on number of Resource Records to be included in the response to query (`Int`). `members` - (Required) x-required. See [Mx Pool Members ](#mx-pool-members) below for details. +### Pool Type Choice Srv Pool - -### Pool Type Choice Srv Pool - - x-displayName: "SRV". +x-displayName: "SRV". `max_answers` - (Required) Limit on number of Resource Records to be included in the response to query (`Int`). `members` - (Required) x-required. See [Srv Pool Members ](#srv-pool-members) below for details. 
- - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -308,11 +199,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Srv Pool Members - -### Srv Pool Members - - x-required. +x-required. `final_translation` - (Optional) If this flag is true, the SRV record will not be translated further. (`Bool`). @@ -328,9 +217,7 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `weight` - (Required) x-required (`Int`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured dns_lb_pool. - +- `id` - This is the id of the configured dns_lb_pool. diff --git a/docs/resources/volterra_dns_load_balancer.md b/docs/resources/volterra_dns_load_balancer.md index ea6f1bcb3..6a207bae2 100644 --- a/docs/resources/volterra_dns_load_balancer.md +++ b/docs/resources/volterra_dns_load_balancer.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: dns_load_balancer" -description: "The dns_load_balancer allows CRUD of Dns Load Balancer resource on Volterra SaaS" +description: "The dns_load_balancer allows CRUD of Dns Load Balancer resource on Volterra SaaS" + --- -# Resource volterra_dns_load_balancer -The Dns Load Balancer allows CRUD of Dns Load Balancer resource on Volterra SaaS +Resource volterra_dns_load_balancer +=================================== + +The Dns Load Balancer allows CRUD of Dns Load Balancer resource on Volterra SaaS -~> **Note:** Please refer to [Dns Load Balancer API docs](https://docs.cloud.f5.com/docs-v2/api/dns-load-balancer) to learn more +~> **Note:** Please refer to [Dns Load Balancer API docs](https://docs.cloud.f5.com/docs-v2/api/dns-load-balancer) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_dns_load_balancer" "example" { 
@@ -30,20 +23,18 @@ resource "volterra_dns_load_balancer" "example" { rule_list { rules { - // One of the arguments from this list "pool nxdomain" must be set - - pool { - name = "test1" - namespace = "staging" - tenant = "acmecorp" - } + // One of the arguments from this list "nxdomain pool" must be set - // One of the arguments from this list "asn_matcher ip_prefix_list ip_prefix_set geo_location_label_selector geo_location_set asn_list" must be set + nxdomain = true - ip_prefix_list { - invert_match = true + // One of the arguments from this list "asn_list asn_matcher geo_location_label_selector geo_location_set ip_prefix_list ip_prefix_set" must be set - ip_prefixes = ["192.168.20.0/24"] + asn_matcher { + asn_sets { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } } score = "50" } 
@@ -52,190 +43,92 @@ resource "volterra_dns_load_balancer" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `fallback_pool` - (Optional) Fallback Pool to be used for load balancing if none of the Load Balancing rules match. See [ref](#ref) below for details. `record_type` - (Required) x-required (`String`). - - `response_cache` - (Optional) Response Cache Parameters. See [Response Cache ](#response-cache) below for details. - - - - - - - - - - - - - - - - - - - - - - `rule_list` - (Required) Load Balancing Rules. See [Rule List ](#rule-list) below for details. +### Response Cache - - - - - - - - - - - - - - - - - - - - - - - - +Response Cache Parameters. - - - - - - - - - - - - - - - - - - - - - - - -### Response Cache - - Response Cache Parameters. - - - -###### One of the arguments from this list "disable, default_response_cache_parameters, response_cache_parameters" must be set +###### One of the arguments from this list "default_response_cache_parameters, disable, response_cache_parameters" must be set `default_response_cache_parameters` - (Optional) Default Parameters for caching the DNS responses (`Bool`). - `disable` - (Optional) When Response Cache is disabled, responses will be computed for each request (`Bool`). 
- `response_cache_parameters` - (Optional) Customize the parameters for Response cache. See [Response Cache Parameters Choice Response Cache Parameters ](#response-cache-parameters-choice-response-cache-parameters) below for details. +### Rule List - - -### Rule List - - Load Balancing Rules. +Load Balancing Rules. `rules` - (Required) Rules to perform load balancing. See [Rule List Rules ](#rule-list-rules) below for details. +### Action Choice Nxdomain +Do not perform any load-balancing. Instead return NXDOMAIN. -### Action Choice Nxdomain - - Do not perform any load-balancing. Instead return NXDOMAIN. - - - -### Client Choice Asn List +### Client Choice Asn List - The rule evaluates to true if the origin ASN is present in the ASN list.. +The rule evaluates to true if the origin ASN is present in the ASN list.. `as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). +### Client Choice Asn Matcher - -### Client Choice Asn Matcher - - The rule evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. +The rule evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. `asn_sets` - (Required) A list of references to bgp_asn_set objects.. See [ref](#ref) below for details. +### Client Choice Geo Location Label Selector - -### Client Choice Geo Location Label Selector - - with the translated geo locations derived from incoming EDNS0 client-subnet in the DNS request.. +with the translated geo locations derived from incoming EDNS0 client-subnet in the DNS request.. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Client Choice Ip Prefix List - -### Client Choice Ip Prefix List - - IP Prefix list.. +IP Prefix list.. 
`invert_match` - (Optional) Invert the match result. (`Bool`). `ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). +`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +### Client Choice Ip Prefix Set -### Client Choice Ip Prefix Set - - IP Prefix set.. +IP Prefix set.. `invert_matcher` - (Optional) Invert the match result. (`Bool`). `prefix_sets` - (Required) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -245,23 +138,17 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Response Cache Parameters Choice Default Response Cache Parameters +Default Parameters for caching the DNS responses. -### Response Cache Parameters Choice Default Response Cache Parameters - - Default Parameters for caching the DNS responses. - - +### Response Cache Parameters Choice Disable -### Response Cache Parameters Choice Disable +When Response Cache is disabled, responses will be computed for each request. - When Response Cache is disabled, responses will be computed for each request. +### Response Cache Parameters Choice Response Cache Parameters - - -### Response Cache Parameters Choice Response Cache Parameters - - Customize the parameters for Response cache. +Customize the parameters for Response cache. `cache_cidr_ipv4` - (Optional) Length of CIDR masks used to group IPv4 clients (`Int`). 
@@ -269,49 +156,33 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `cache_ttl` - (Optional) TTL for response cache (`Int`). +### Rule List Rules +Rules to perform load balancing. -### Rule List Rules - - Rules to perform load balancing. - - - -###### One of the arguments from this list "pool, nxdomain" must be set +###### One of the arguments from this list "nxdomain, pool" must be set `nxdomain` - (Optional) Do not perform any load-balancing. Instead return NXDOMAIN (`Bool`).(Deprecated) - `pool` - (Optional) Use this pool for the Load Balancing.. See [ref](#ref) below for details. - - - -###### One of the arguments from this list "asn_list, asn_matcher, ip_prefix_list, ip_prefix_set, geo_location_label_selector, geo_location_set" must be set +###### One of the arguments from this list "asn_list, asn_matcher, geo_location_label_selector, geo_location_set, ip_prefix_list, ip_prefix_set" must be set `asn_list` - (Optional) The rule evaluates to true if the origin ASN is present in the ASN list.. See [Client Choice Asn List ](#client-choice-asn-list) below for details. - `asn_matcher` - (Optional) The rule evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Client Choice Asn Matcher ](#client-choice-asn-matcher) below for details. - `geo_location_label_selector` - (Optional) with the translated geo locations derived from incoming EDNS0 client-subnet in the DNS request.. See [Client Choice Geo Location Label Selector ](#client-choice-geo-location-label-selector) below for details. - `geo_location_set` - (Optional) with the translated geo locations derived from incoming EDNS0 client-subnet in the DNS request.. See [ref](#ref) below for details. - `ip_prefix_list` - (Optional) IP Prefix list.. See [Client Choice Ip Prefix List ](#client-choice-ip-prefix-list) below for details. - `ip_prefix_set` - (Optional) IP Prefix set.. 
See [Client Choice Ip Prefix Set ](#client-choice-ip-prefix-set) below for details. - `score` - (Optional) When multiple load balancing rules match a query, the one with the highest score is chosen (`Int`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured dns_load_balancer. - +- `id` - This is the id of the configured dns_load_balancer. diff --git a/docs/resources/volterra_dns_zone.md b/docs/resources/volterra_dns_zone.md index 37f0f3d45..2a9419287 100644 --- a/docs/resources/volterra_dns_zone.md +++ b/docs/resources/volterra_dns_zone.md 
@@ -1,599 +1,126 @@ +--- +page_title: "Volterra: dns_zone" +description: "The dns_zone allows CRUD of Dns Zone resource on Volterra SaaS" +--- +Resource volterra_dns_zone +========================== +The Dns Zone allows CRUD of Dns Zone resource on Volterra SaaS +~> **Note:** Please refer to [Dns Zone API docs](https://docs.cloud.f5.com/docs-v2/api/dns-zone) to learn more +Example Usage +------------- +```hcl +resource "volterra_dns_zone" "example" { + name = "acmecorp-web" + namespace = "staging" + // One of the arguments from this list "primary secondary" must be set + primary { + allow_http_lb_managed_records = true + default_rr_set_group { + description = "Comment" + ttl = "3600" ---- -page_title: "Volterra: dns_zone" -description: "The dns_zone allows CRUD of Dns Zone resource on Volterra SaaS" ---- -# Resource volterra_dns_zone - -The Dns Zone allows CRUD of Dns Zone resource on Volterra SaaS - -~> **Note:** Please refer to [Dns Zone API docs](https://docs.cloud.f5.com/docs-v2/api/dns-zone) to learn more - -## Example Usage - -```hcl -resource "volterra_dns_zone" "example" { - name = "acmecorp-web" - namespace = "staging" - - // One of the arguments from this list "primary secondary" must be set - - primary { - allow_http_lb_managed_records = true - - default_rr_set_group { - description = "Comment" - - ttl = "3600" - - // One of the arguments from this list "mx_record ptr_record txt_record afsdb_record tlsa_record a_record naptr_record cname_record lb_record cds_record eui48_record eui64_record loc_record caa_record alias_record ns_record srv_record ds_record sshfp_record cert_record dlv_record aaaa_record" must be set - - tlsa_record { - name = "www or mail or * or ww* or *ab" - - values { - certificate_association_data = "Certificate Association Data" - - certificate_usage = "certificate_usage" - - matching_type = "1" - - selector = "1" - } - } - } - - dnssec_mode { - // One of the arguments from this list "disable enable" must be set - - enable {} - } - - 
rr_set_group { - metadata { - description = "Virtual Host for acmecorp website" - - disable = true - - name = "acmecorp-web" - } - - rr_set { - description = "Comment" - - ttl = "3600" - - // One of the arguments from this list "txt_record afsdb_record tlsa_record a_record mx_record ptr_record naptr_record cds_record eui48_record eui64_record loc_record caa_record cname_record lb_record srv_record ds_record sshfp_record cert_record dlv_record aaaa_record alias_record ns_record" must be set - - lb_record { - name = "www or mail or * or ww* or *ab" - - value { - name = "test1" - namespace = "staging" - tenant = "acmecorp" - } - } - } - } - - // One of the arguments from this list "default_soa_parameters soa_parameters" can be set - - default_soa_parameters = true - } -} - -``` - -## Argument Reference - -### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). - - -`description` - (Optional) Human readable description for the object (`String`). - - -`disable` - (Optional) A value of true will administratively disable the object (`Bool`). - - -`labels` - (Optional) by selector expression (`String`). - - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - -`namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - - -### Spec Argument Reference - - -`primary` - (Optional) Primary DNS. See [Dns Type Primary ](#dns-type-primary) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`secondary` - (Optional) Secondary DNS. See [Dns Type Secondary ](#dns-type-secondary) below for details. - - - - - - - - - - - - - - - - - + // One of the arguments from this list "a_record aaaa_record afsdb_record alias_record caa_record cds_record cert_record cname_record dlv_record ds_record eui48_record eui64_record lb_record loc_record mx_record naptr_record ns_record ptr_record srv_record sshfp_record tlsa_record txt_record" must be set - + srv_record { + name = "www or mail or * or corp.web or *.b" + values { + port = "10" + priority = "10" + target = "my.example.com" + weight = "10" + } + } + } + dnssec_mode { + // One of the arguments from this list "disable enable" must be set + disable = true + } - + rr_set_group { + metadata { + description = "Virtual Host for acmecorp website" + disable = true + name = "acmecorp-web" + } + rr_set { + description = "Comment" + ttl = "3600" + // One of the arguments from this list "a_record aaaa_record afsdb_record alias_record caa_record cds_record cert_record cname_record dlv_record ds_record eui48_record eui64_record lb_record loc_record mx_record naptr_record ns_record ptr_record srv_record sshfp_record tlsa_record 
txt_record" must be set - + alias_record { + name = "name" + value = "example.com" + } + } + } + // One of the arguments from this list "default_soa_parameters soa_parameters" can be set + default_soa_parameters = true + } +} +``` +Argument Reference +------------------ +### Metadata Argument Reference +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`description` - (Optional) Human readable description for the object (`String`). - +`disable` - (Optional) A value of true will administratively disable the object (`Bool`). +`labels` - (Optional) by selector expression (`String`). +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +`namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). +### Spec Argument Reference +###### One of the arguments from this list "primary, secondary" must be set +`primary` - (Optional) Primary DNS. See [Dns Type Primary ](#dns-type-primary) below for details. +`secondary` - (Optional) Secondary DNS. See [Dns Type Secondary ](#dns-type-secondary) below for details. -### Afsdb Record Values +### Afsdb Record Values - x-required. +x-required. `hostname` - (Required) Server name of the AFS cell database server or the DCE name server. (`String`). `subtype` - (Required) AFSDB Record Subtype. (`String`). +### Caa Record Values - -### Caa Record Values - - x-displayName: "CAA Record Value". +x-displayName: "CAA Record Value". `flags` - (Optional) This flag should be an integer between 0 and 255. (`Int`). 
@@ -601,34 +128,25 @@ resource "volterra_dns_zone" "example" { `value` - (Optional) x-example: "value" (`String`). +### Cds Record Values - -### Cds Record Values - - x-required. - - +x-required. ###### One of the arguments from this list "sha1_digest, sha256_digest, sha384_digest" must be set `sha1_digest` - (Optional) x-displayName: "SHA1 Digest". See [Digest Choice Sha1 Digest ](#digest-choice-sha1-digest) below for details. - `sha256_digest` - (Optional) x-displayName: "SHA256 Digest". See [Digest Choice Sha256 Digest ](#digest-choice-sha256-digest) below for details. - `sha384_digest` - (Optional) x-displayName: "SHA384 Digest". See [Digest Choice Sha384 Digest ](#digest-choice-sha384-digest) below for details. - `ds_key_algorithm` - (Required) DS key value must be compatible with the specified algorithm. (`String`). `key_tag` - (Required) A short numeric value which can help quickly identify the referenced DNSKEY-record. (`Int`). +### Cert Record Values - -### Cert Record Values - - x-required. +x-required. `algorithm` - (Required) x-required (`String`). 
@@ -638,58 +156,43 @@ resource "volterra_dns_zone" "example" { `certificate` - (Required) Certificate in base 64 format. (`String`). +### Digest Choice Sha1 Digest +x-displayName: "SHA1 Digest". -### Digest Choice Sha1 Digest - - x-displayName: "SHA1 Digest". - -`digest` - (Required) The 'digest' is the DS key and the actual contents of the DS record. (`String`). - - +`digest` - (Required) The 'digest' is the DS key and the actual contents of the DS record. (`String`). -### Digest Choice Sha256 Digest +### Digest Choice Sha256 Digest - x-displayName: "SHA256 Digest". +x-displayName: "SHA256 Digest". -`digest` - (Required) The 'digest' is the DS key and the actual contents of the DS record. (`String`). +`digest` - (Required) The 'digest' is the DS key and the actual contents of the DS record. (`String`). +### Digest Choice Sha384 Digest +x-displayName: "SHA384 Digest". -### Digest Choice Sha384 Digest - - x-displayName: "SHA384 Digest". - -`digest` - (Required) The 'digest' is the DS key and the actual contents of the DS record. (`String`). - - - -### Dlv Record Values - - It uses the same format as the DS record.. +`digest` - (Required) The 'digest' is the DS key and the actual contents of the DS record. (`String`). +### Dlv Record Values +It uses the same format as the DS record.. ###### One of the arguments from this list "sha1_digest, sha256_digest, sha384_digest" must be set `sha1_digest` - (Optional) x-displayName: "SHA1 Digest". See [Digest Choice Sha1 Digest ](#digest-choice-sha1-digest) below for details. - `sha256_digest` - (Optional) x-displayName: "SHA256 Digest". See [Digest Choice Sha256 Digest ](#digest-choice-sha256-digest) below for details. - `sha384_digest` - (Optional) x-displayName: "SHA384 Digest". See [Digest Choice Sha384 Digest ](#digest-choice-sha384-digest) below for details. - `ds_key_algorithm` - (Required) DS key value must be compatible with the specified algorithm. (`String`). 
`key_tag` - (Required) A short numeric value which can help quickly identify the referenced DNSKEY-record. (`Int`). +### Dns Type Primary - -### Dns Type Primary - - Primary DNS. +Primary DNS. `allow_http_lb_managed_records` - (Optional)allow_http_lb_managed_records (`Bool`). @@ -699,22 +202,15 @@ resource "volterra_dns_zone" "example" { `rr_set_group` - (Optional)rr_set_group. See [Primary Rr Set Group ](#primary-rr-set-group) below for details. - - - ###### One of the arguments from this list "default_soa_parameters, soa_parameters" can be set `default_soa_parameters` - (Optional)default_soa_parameters (`Bool`). - `soa_parameters` - (Optional)soa_parameters. See [Soa Record Parameters Choice Soa Parameters ](#soa-record-parameters-choice-soa-parameters) below for details. +### Dns Type Secondary - - -### Dns Type Secondary - - Secondary DNS. +Secondary DNS. `primary_servers` - (Required) x-required (`String`). 
@@ -724,50 +220,37 @@ resource "volterra_dns_zone" "example" { `tsig_key_value` - (Optional) x-displayName: "TSIG Key Value in Base 64 Format". See [Secondary Tsig Key Value ](#secondary-tsig-key-value) below for details. +### Ds Record Values +x-required. -### Ds Record Values - - x-required. - - - -###### One of the arguments from this list "sha256_digest, sha384_digest, sha1_digest" must be set +###### One of the arguments from this list "sha1_digest, sha256_digest, sha384_digest" must be set `sha1_digest` - (Optional) x-displayName: "SHA1 Digest". See [Digest Choice Sha1 Digest ](#digest-choice-sha1-digest) below for details. - `sha256_digest` - (Optional) x-displayName: "SHA256 Digest". See [Digest Choice Sha256 Digest ](#digest-choice-sha256-digest) below for details. - `sha384_digest` - (Optional) x-displayName: "SHA384 Digest". See [Digest Choice Sha384 Digest ](#digest-choice-sha384-digest) below for details. - `ds_key_algorithm` - (Required) DS key value must be compatible with the specified algorithm. (`String`). `key_tag` - (Required) A short numeric value which can help quickly identify the referenced DNSKEY-record. (`Int`). +### Fingerprint Type Sha1 Fingerprint +x-displayName: "SHA1 Fingerprint". -### Fingerprint Type Sha1 Fingerprint - - x-displayName: "SHA1 Fingerprint". - -`fingerprint` - (Required) The 'fingerprint' is the DS key and the actual contents of the DS record. (`String`). - - - -### Fingerprint Type Sha256 Fingerprint - - x-displayName: "SHA256 Fingerprint". +`fingerprint` - (Required) The 'fingerprint' is the DS key and the actual contents of the DS record. (`String`). -`fingerprint` - (Required) The 'fingerprint' is the DS key and the actual contents of the DS record. (`String`). +### Fingerprint Type Sha256 Fingerprint +x-displayName: "SHA256 Fingerprint". +`fingerprint` - (Required) The 'fingerprint' is the DS key and the actual contents of the DS record. (`String`). -### Loc Record Values +### Loc Record Values - x-required. 
+x-required. `altitude` - (Required) Altitude in meters (`Float`). @@ -793,33 +276,25 @@ resource "volterra_dns_zone" "example" { `vertical_precision` - (Optional) Vertical Precision in meters (`Float`). +### Mode Disable +DNSSEC disabled. -### Mode Disable +### Mode Enable - DNSSEC disabled. +DNSSEC enable. +### Mx Record Values - -### Mode Enable - - DNSSEC enable. - - - -### Mx Record Values - - x-required. +x-required. `domain` - (Optional) Mail exchanger domain name, please provide the full hostname, for example: mail.example.com (`String`). `priority` - (Optional) Mail exchanger priority code (`Int`). +### Naptr Record Values - -### Naptr Record Values - - x-required. +x-required. `flags` - (Required) Flag to control aspects of the rewriting and interpretation of the fields in the record. At this time only four flags, S/A/U/P, are defined. (`String`). @@ -833,9 +308,7 @@ resource "volterra_dns_zone" "example" { `service` - (Optional) Specifies the service(s) available down this rewrite path. (`String`). - - -### Primary Default Rr Set Group +### Primary Default Rr Set Group default_rr_set_group. 
@@ -843,95 +316,63 @@ default_rr_set_group. `ttl` - (Optional) x-example: "3600" (`Int`). - - -###### One of the arguments from this list "txt_record, afsdb_record, tlsa_record, a_record, mx_record, ptr_record, naptr_record, cds_record, eui48_record, eui64_record, loc_record, caa_record, cname_record, lb_record, srv_record, ds_record, sshfp_record, cert_record, dlv_record, aaaa_record, alias_record, ns_record" must be set +###### One of the arguments from this list "a_record, aaaa_record, afsdb_record, alias_record, caa_record, cds_record, cert_record, cname_record, dlv_record, ds_record, eui48_record, eui64_record, lb_record, loc_record, mx_record, naptr_record, ns_record, ptr_record, srv_record, sshfp_record, tlsa_record, txt_record" must be set `a_record` - (Optional) x-displayName: "A". See [Type Record Set A Record ](#type-record-set-a-record) below for details. - `aaaa_record` - (Optional) x-displayName: "AAAA". See [Type Record Set Aaaa Record ](#type-record-set-aaaa-record) below for details. - `afsdb_record` - (Optional) x-displayName: "AFSDB". See [Type Record Set Afsdb Record ](#type-record-set-afsdb-record) below for details. - `alias_record` - (Optional) x-displayName: "ALIAS". See [Type Record Set Alias Record ](#type-record-set-alias-record) below for details. - `caa_record` - (Optional) x-displayName: "CAA". See [Type Record Set Caa Record ](#type-record-set-caa-record) below for details. - `cds_record` - (Optional) x-displayName: "CDS". See [Type Record Set Cds Record ](#type-record-set-cds-record) below for details. - `cert_record` - (Optional) x-displayName: "CERT". See [Type Record Set Cert Record ](#type-record-set-cert-record) below for details. - `cname_record` - (Optional) x-displayName: "CNAME". See [Type Record Set Cname Record ](#type-record-set-cname-record) below for details. - `dlv_record` - (Optional) x-displayName: "DLV". 
See [Type Record Set Dlv Record ](#type-record-set-dlv-record) below for details.(Deprecated) - `ds_record` - (Optional) x-displayName: "DS". See [Type Record Set Ds Record ](#type-record-set-ds-record) below for details. - `eui48_record` - (Optional) x-displayName: "EUI48". See [Type Record Set Eui48 Record ](#type-record-set-eui48-record) below for details. - `eui64_record` - (Optional) x-displayName: "EUI64". See [Type Record Set Eui64 Record ](#type-record-set-eui64-record) below for details. - `lb_record` - (Optional) x-displayName: "DNS Load Balancer". See [Type Record Set Lb Record ](#type-record-set-lb-record) below for details. - `loc_record` - (Optional) x-displayName: "LOC". See [Type Record Set Loc Record ](#type-record-set-loc-record) below for details. - `mx_record` - (Optional) x-displayName: "MX". See [Type Record Set Mx Record ](#type-record-set-mx-record) below for details. - `naptr_record` - (Optional) x-displayName: "NAPTR". See [Type Record Set Naptr Record ](#type-record-set-naptr-record) below for details. - `ns_record` - (Optional) x-displayName: "NS". See [Type Record Set Ns Record ](#type-record-set-ns-record) below for details. - `ptr_record` - (Optional) x-displayName: "PTR". See [Type Record Set Ptr Record ](#type-record-set-ptr-record) below for details. - `srv_record` - (Optional) x-displayName: "SRV". See [Type Record Set Srv Record ](#type-record-set-srv-record) below for details. - `sshfp_record` - (Optional) x-displayName: "SSHFP". See [Type Record Set Sshfp Record ](#type-record-set-sshfp-record) below for details. - `tlsa_record` - (Optional) x-displayName: "TLSA". See [Type Record Set Tlsa Record ](#type-record-set-tlsa-record) below for details. - `txt_record` - (Optional) x-displayName: "TXT". See [Type Record Set Txt Record ](#type-record-set-txt-record) below for details. - - - -### Primary Dnssec Mode +### Primary Dnssec Mode dnssec_mode. 
- - ###### One of the arguments from this list "disable, enable" must be set `disable` - (Optional) DNSSEC disabled (`Bool`). - `enable` - (Optional) DNSSEC enable. See [Mode Enable ](#mode-enable) below for details. - - - -### Primary Rr Set Group +### Primary Rr Set Group rr_set_group. @@ -939,10 +380,7 @@ rr_set_group. `rr_set` - (Optional) Collection of DNS resource record sets. See [Rr Set Group Rr Set ](#rr-set-group-rr-set) below for details. - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -952,11 +390,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Rr Set Group Metadata - -### Rr Set Group Metadata - - x-required. +x-required. `description` - (Optional) Human readable description. (`String`). 
@@ -964,117 +400,81 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Rr Set Group Rr Set - -### Rr Set Group Rr Set - - Collection of DNS resource record sets. +Collection of DNS resource record sets. `description` - (Optional) x-displayName: "Comment" (`String`). `ttl` - (Optional) x-example: "3600" (`Int`). - - -###### One of the arguments from this list "naptr_record, lb_record, cds_record, eui48_record, eui64_record, loc_record, caa_record, cname_record, ns_record, srv_record, ds_record, sshfp_record, cert_record, dlv_record, aaaa_record, alias_record, ptr_record, txt_record, afsdb_record, tlsa_record, a_record, mx_record" must be set +###### One of the arguments from this list "a_record, aaaa_record, afsdb_record, alias_record, caa_record, cds_record, cert_record, cname_record, dlv_record, ds_record, eui48_record, eui64_record, lb_record, loc_record, mx_record, naptr_record, ns_record, ptr_record, srv_record, sshfp_record, tlsa_record, txt_record" must be set `a_record` - (Optional) x-displayName: "A". See [Type Record Set A Record ](#type-record-set-a-record) below for details. - `aaaa_record` - (Optional) x-displayName: "AAAA". See [Type Record Set Aaaa Record ](#type-record-set-aaaa-record) below for details. - `afsdb_record` - (Optional) x-displayName: "AFSDB". See [Type Record Set Afsdb Record ](#type-record-set-afsdb-record) below for details. - `alias_record` - (Optional) x-displayName: "ALIAS". See [Type Record Set Alias Record ](#type-record-set-alias-record) below for details. - `caa_record` - (Optional) x-displayName: "CAA". See [Type Record Set Caa Record ](#type-record-set-caa-record) below for details. - `cds_record` - (Optional) x-displayName: "CDS". See [Type Record Set Cds Record ](#type-record-set-cds-record) below for details. - `cert_record` - (Optional) x-displayName: "CERT". 
See [Type Record Set Cert Record ](#type-record-set-cert-record) below for details. - `cname_record` - (Optional) x-displayName: "CNAME". See [Type Record Set Cname Record ](#type-record-set-cname-record) below for details. - `dlv_record` - (Optional) x-displayName: "DLV". See [Type Record Set Dlv Record ](#type-record-set-dlv-record) below for details.(Deprecated) - `ds_record` - (Optional) x-displayName: "DS". See [Type Record Set Ds Record ](#type-record-set-ds-record) below for details. - `eui48_record` - (Optional) x-displayName: "EUI48". See [Type Record Set Eui48 Record ](#type-record-set-eui48-record) below for details. - `eui64_record` - (Optional) x-displayName: "EUI64". See [Type Record Set Eui64 Record ](#type-record-set-eui64-record) below for details. - `lb_record` - (Optional) x-displayName: "DNS Load Balancer". See [Type Record Set Lb Record ](#type-record-set-lb-record) below for details. - `loc_record` - (Optional) x-displayName: "LOC". See [Type Record Set Loc Record ](#type-record-set-loc-record) below for details. - `mx_record` - (Optional) x-displayName: "MX". See [Type Record Set Mx Record ](#type-record-set-mx-record) below for details. - `naptr_record` - (Optional) x-displayName: "NAPTR". See [Type Record Set Naptr Record ](#type-record-set-naptr-record) below for details. - `ns_record` - (Optional) x-displayName: "NS". See [Type Record Set Ns Record ](#type-record-set-ns-record) below for details. - `ptr_record` - (Optional) x-displayName: "PTR". See [Type Record Set Ptr Record ](#type-record-set-ptr-record) below for details. - `srv_record` - (Optional) x-displayName: "SRV". See [Type Record Set Srv Record ](#type-record-set-srv-record) below for details. - `sshfp_record` - (Optional) x-displayName: "SSHFP". See [Type Record Set Sshfp Record ](#type-record-set-sshfp-record) below for details. - `tlsa_record` - (Optional) x-displayName: "TLSA". See [Type Record Set Tlsa Record ](#type-record-set-tlsa-record) below for details. 
- `txt_record` - (Optional) x-displayName: "TXT". See [Type Record Set Txt Record ](#type-record-set-txt-record) below for details. +### Secondary Tsig Key Value - - -### Secondary Tsig Key Value - - x-displayName: "TSIG Key Value in Base 64 Format". +x-displayName: "TSIG Key Value in Base 64 Format". `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Tsig Key Value Blindfold Secret Info Internal ](#tsig-key-value-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "vault_secret_info, clear_secret_info, wingman_secret_info, blindfold_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Secret Info Oneof Blindfold Secret Info - - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. 
+Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -1082,21 +482,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). @@ -1108,23 +504,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). - - -### Soa Record Parameters Choice Default Soa Parameters +### Soa Record Parameters Choice Default Soa Parameters default_soa_parameters. - - -### Soa Record Parameters Choice Soa Parameters +### Soa Record Parameters Choice Soa Parameters soa_parameters. 
@@ -1138,11 +528,9 @@ soa_parameters. `ttl` - (Optional) SOA record time to live (in seconds) (`Int`). +### Srv Record Values - -### Srv Record Values - - x-required. +x-required. `port` - (Optional) Port on which the service can be found (`Int`). @@ -1152,33 +540,25 @@ soa_parameters. `weight` - (Optional) Weight of the target. A higher number indicates a higher preference. (`Int`). +### Sshfp Record Values - -### Sshfp Record Values - - x-required. +x-required. `algorithm` - (Required) Algorithm of the public key. (`String`). `fingerprint` - (Optional) The hexadecimal representation of the hash result of the SSH key as text. (`String`).(Deprecated) - - ###### One of the arguments from this list "sha1_fingerprint, sha256_fingerprint" must be set `sha1_fingerprint` - (Optional) x-displayName: "SHA1 Fingerprint". See [Fingerprint Type Sha1 Fingerprint ](#fingerprint-type-sha1-fingerprint) below for details. - `sha256_fingerprint` - (Optional) x-displayName: "SHA256 Fingerprint". See [Fingerprint Type Sha256 Fingerprint ](#fingerprint-type-sha256-fingerprint) below for details. - `fingerprinttype` - (Required) Algorithm used to calculate the fingerprint of the public key. (`String`).(Deprecated) +### Tlsa Record Values - -### Tlsa Record Values - - x-required. +x-required. `certificate_association_data` - (Required) The actual data to be matched given the settings of the other fields. (`String`). @@ -1188,11 +568,9 @@ soa_parameters. `selector` - (Required) TLSA Record Selector. (`String`). +### Tsig Key Value Blindfold Secret Info Internal - -### Tsig Key Value Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -1200,229 +578,183 @@ soa_parameters. `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Type Record Set A Record - -### Type Record Set A Record - - x-displayName: "A". +x-displayName: "A". `name` - (Optional) A Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) A valid IPv4 address, for example: 1.1.1.1 (`String`). +### Type Record Set Aaaa Record - -### Type Record Set Aaaa Record - - x-displayName: "AAAA". +x-displayName: "AAAA". `name` - (Optional) AAAA Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) A valid IPv6 address, for example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 (`String`). +### Type Record Set Afsdb Record - -### Type Record Set Afsdb Record - - x-displayName: "AFSDB". +x-displayName: "AFSDB". `name` - (Optional) AFSDB Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required. See [Afsdb Record Values ](#afsdb-record-values) below for details. +### Type Record Set Alias Record - -### Type Record Set Alias Record - - x-displayName: "ALIAS". +x-displayName: "ALIAS". `name` - (Optional) Alias Record name, please provide only the specific subdomain or record name without the base domain. (`String`).(Deprecated) `value` - (Optional) A valid domain name, for example: example.com (`String`). +### Type Record Set Caa Record - -### Type Record Set Caa Record - - x-displayName: "CAA". +x-displayName: "CAA". `name` - (Optional) CAA Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Optional) x-displayName: "CAA Record Value". See [Caa Record Values ](#caa-record-values) below for details. +### Type Record Set Cds Record - -### Type Record Set Cds Record - - x-displayName: "CDS". 
+x-displayName: "CDS". `name` - (Optional) CDS Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required. See [Cds Record Values ](#cds-record-values) below for details. +### Type Record Set Cert Record - -### Type Record Set Cert Record - - x-displayName: "CERT". +x-displayName: "CERT". `name` - (Optional) CERT Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required. See [Cert Record Values ](#cert-record-values) below for details. +### Type Record Set Cname Record - -### Type Record Set Cname Record - - x-displayName: "CNAME". +x-displayName: "CNAME". `name` - (Required) CName Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `value` - (Optional) x-example: "example.com" (`String`). +### Type Record Set Dlv Record - -### Type Record Set Dlv Record - - x-displayName: "DLV". +x-displayName: "DLV". `name` - (Optional) DLV Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) It uses the same format as the DS record.. See [Dlv Record Values ](#dlv-record-values) below for details. +### Type Record Set Ds Record - -### Type Record Set Ds Record - - x-displayName: "DS". +x-displayName: "DS". `name` - (Optional) DS Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required. See [Ds Record Values ](#ds-record-values) below for details. +### Type Record Set Eui48 Record - -### Type Record Set Eui48 Record - - x-displayName: "EUI48". +x-displayName: "EUI48". `name` - (Optional) EUI48 Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `value` - (Required) A valid eui48 identifier, for example: 01-23-45-67-89-ab (`String`). 
+### Type Record Set Eui64 Record - -### Type Record Set Eui64 Record - - x-displayName: "EUI64". +x-displayName: "EUI64". `name` - (Optional) EUI64 Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `value` - (Required) A valid EUI64 identifier, for example: 01-23-45-67-89-ab-cd-ef (`String`). +### Type Record Set Lb Record - -### Type Record Set Lb Record - - x-displayName: "DNS Load Balancer". +x-displayName: "DNS Load Balancer". `name` - (Optional) Load Balancer record name (except for SRV DNS Load balancer record) should be a simple record name and not a subdomain of a subdomain. (`String`). `value` - (Optional) x-displayName: "DNS Load Balancer Record". See [ref](#ref) below for details. +### Type Record Set Loc Record - -### Type Record Set Loc Record - - x-displayName: "LOC". +x-displayName: "LOC". `name` - (Optional) LOC Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required. See [Loc Record Values ](#loc-record-values) below for details. +### Type Record Set Mx Record - -### Type Record Set Mx Record - - x-displayName: "MX". +x-displayName: "MX". `name` - (Optional) MX Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required. See [Mx Record Values ](#mx-record-values) below for details. +### Type Record Set Naptr Record - -### Type Record Set Naptr Record - - x-displayName: "NAPTR". +x-displayName: "NAPTR". `name` - (Optional) NAPTR Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required. See [Naptr Record Values ](#naptr-record-values) below for details. +### Type Record Set Ns Record - -### Type Record Set Ns Record - - x-displayName: "NS". +x-displayName: "NS". 
`name` - (Optional) NS Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required (`String`). +### Type Record Set Ptr Record - -### Type Record Set Ptr Record - - x-displayName: "PTR". +x-displayName: "PTR". `name` - (Optional) PTR Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required (`String`). +### Type Record Set Srv Record - -### Type Record Set Srv Record - - x-displayName: "SRV". +x-displayName: "SRV". `name` - (Required) SRV Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required. See [Srv Record Values ](#srv-record-values) below for details. +### Type Record Set Sshfp Record - -### Type Record Set Sshfp Record - - x-displayName: "SSHFP". +x-displayName: "SSHFP". `name` - (Optional) SSHFP Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required. See [Sshfp Record Values ](#sshfp-record-values) below for details. +### Type Record Set Tlsa Record - -### Type Record Set Tlsa Record - - x-displayName: "TLSA". +x-displayName: "TLSA". `name` - (Optional) TLSA Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required. See [Tlsa Record Values ](#tlsa-record-values) below for details. +### Type Record Set Txt Record - -### Type Record Set Txt Record - - x-displayName: "TXT". +x-displayName: "TXT". `name` - (Optional) TXT Record name, please provide only the specific subdomain or record name without the base domain. (`String`). `values` - (Required) x-required (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured dns_zone. - +- `id` - This is the id of the configured dns_zone. 
diff --git a/docs/resources/volterra_dns_zone_record.md b/docs/resources/volterra_dns_zone_record.md index 267258f2b..21f75a1e8 100644 --- a/docs/resources/volterra_dns_zone_record.md +++ b/docs/resources/volterra_dns_zone_record.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: dns_zone_record" - description: "The dns_zone_record allows CRUD of Dns Load Balancer resource on Volterra SaaS" ---------------------------------------------------------------------------------------------- + +--- Resource volterra_dns_zone_record ================================= diff --git a/docs/resources/volterra_endpoint.md b/docs/resources/volterra_endpoint.md index 9f6d3649e..516e11219 100644 --- a/docs/resources/volterra_endpoint.md +++ b/docs/resources/volterra_endpoint.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: endpoint" -description: "The endpoint allows CRUD of Endpoint resource on Volterra SaaS" +description: "The endpoint allows CRUD of Endpoint resource on Volterra SaaS" + --- -# Resource volterra_endpoint -The Endpoint allows CRUD of Endpoint resource on Volterra SaaS +Resource volterra_endpoint +========================== -~> **Note:** Please refer to [Endpoint API docs](https://docs.cloud.f5.com/docs-v2/api/endpoint) to learn more +The Endpoint allows CRUD of Endpoint resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Endpoint API docs](https://docs.cloud.f5.com/docs-v2/api/endpoint) to learn more + +Example Usage +------------- ```hcl resource "volterra_endpoint" "example" { 
@@ -30,199 +23,90 @@ resource "volterra_endpoint" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "dns_name, dns_name_advanced, ip, service_info" can be set `dns_name` - (Optional) Endpoint's ip address is discovered using DNS name resolution. The name given here is fully qualified domain name. (`String`). - `dns_name_advanced` - (Optional) Specifies name and TTL used for DNS resolution.. See [Endpoint Address Dns Name Advanced ](#endpoint-address-dns-name-advanced) below for details. - - - - - - - - - - - - `ip` - (Optional) Endpoint is reachable at the given ipv4/ipv6 address (`String`). - -`service_info` - (Optional) In case of Consul, tags on the service is matched against service_selector. See [Endpoint Address Service Info ](#endpoint-address-service-info) below for details. - - - - - - - - - - - - - - - +`service_info` - (Optional) In case of Consul, tags on the service is matched against service_selector. See [Endpoint Address Service Info ](#endpoint-address-service-info) below for details. `health_check_port` - (Optional) Setting this with a non-zero value allows an endpoint to have different health check port. (`Int`). - - `port` - (Optional) Endpoint service is available on this port (`Int`). 
- - `protocol` - (Optional) Both TCP and UDP protocols are supported (`String`). - - `where` - (Optional) This endpoint is present in site, virtual_site or virtual_network selected by following field.. See [Where ](#where) below for details. +### Where +This endpoint is present in site, virtual_site or virtual_network selected by following field.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Where - - This endpoint is present in site, virtual_site or virtual_network selected by following field.. - - - -###### One of the arguments from this list "virtual_network, site, virtual_site" must be set +###### One of the arguments from this list "site, virtual_network, virtual_site" must be set `site` - (Optional) Direct reference to site object. See [Ref Or Selector Site ](#ref-or-selector-site) below for details. - `virtual_network` - (Optional) Direct reference to virtual network object. See [Ref Or Selector Virtual Network ](#ref-or-selector-virtual-network) below for details. - `virtual_site` - (Optional) Direct reference to virtual site object. See [Ref Or Selector Virtual Site ](#ref-or-selector-virtual-site) below for details. +### Endpoint Address Dns Name Advanced - - -### Endpoint Address Dns Name Advanced - - Specifies name and TTL used for DNS resolution.. +Specifies name and TTL used for DNS resolution.. `name` - (Optional) Endpoint's ip address is discovered using DNS name resolution. The name given here is fully qualified domain name. (`String`). - - - -###### One of the arguments from this list "strict_ttl, refresh_interval" can be set +###### One of the arguments from this list "refresh_interval, strict_ttl" can be set `refresh_interval` - (Optional) Interval for DNS refresh in seconds. (`Int`). 
- `strict_ttl` - (Optional) Use TTL value returned by DNS Server during DNS resolution as DNS refresh interval (`Bool`).(Deprecated) +### Endpoint Address Service Info - - -### Endpoint Address Service Info - - In case of Consul, tags on the service is matched against service_selector. +``` + In case of Consul, tags on the service is matched against service_selector. +``` `discovery_type` - (Required) Specifies whether the discovery is from Kubernetes or Consul cluster (`String`). - - - ###### One of the arguments from this list "service_name, service_selector" can be set `service_name` - (Optional) discovery objects of the site. (`String`). - `service_selector` - (Optional) discovery has to happen. This implicit label is added to service_selector. See [Service Info Service Selector ](#service-info-service-selector) below for details. +### Internet Vip Choice Disable Internet Vip +Do not enable advertise on external internet vip.. +### Internet Vip Choice Enable Internet Vip -### Internet Vip Choice Disable Internet Vip - - Do not enable advertise on external internet vip.. - - - -### Internet Vip Choice Enable Internet Vip - - Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site.. - - - -### Ref +Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site.. +### Ref Reference to another volterra object is shown like below 
@@ -232,75 +116,55 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Ref Or Selector Site - -### Ref Or Selector Site - - Direct reference to site object. - - +Direct reference to site object. ###### One of the arguments from this list "disable_internet_vip, enable_internet_vip" must be set `disable_internet_vip` - (Optional) Do not enable advertise on external internet vip. (`Bool`). - `enable_internet_vip` - (Optional) Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site. (`Bool`). - `network_type` - (Optional) The type of network on the referred site (`String`). `ref` - (Required) A site direct reference. See [ref](#ref) below for details. `refs` - (Optional) Reference to virtual network. See [ref](#ref) below for details.(Deprecated) +### Ref Or Selector Virtual Network - -### Ref Or Selector Virtual Network - - Direct reference to virtual network object. +Direct reference to virtual network object. `ref` - (Required) A virtual network direct reference. See [ref](#ref) below for details. +### Ref Or Selector Virtual Site - -### Ref Or Selector Virtual Site - - Direct reference to virtual site object. - - +Direct reference to virtual site object. ###### One of the arguments from this list "disable_internet_vip, enable_internet_vip" must be set `disable_internet_vip` - (Optional) Do not enable advertise on external internet vip. (`Bool`). - `enable_internet_vip` - (Optional) Enable advertise on internet vip. Only supported for AWS TGW Site or AWS VPC Site. (`Bool`). - `network_type` - (Optional) The type of network on the referred virtual_site (`String`). `ref` - (Required) A virtual_site direct reference. See [ref](#ref) below for details. `refs` - (Optional) Reference to virtual network. 
See [ref](#ref) below for details.(Deprecated) +### Service Info Service Selector - -### Service Info Service Selector - - discovery has to happen. This implicit label is added to service_selector. +discovery has to happen. This implicit label is added to service_selector. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Ttl Choice Strict Ttl +Use TTL value returned by DNS Server during DNS resolution as DNS refresh interval. -### Ttl Choice Strict Ttl - - Use TTL value returned by DNS Server during DNS resolution as DNS refresh interval. - - - -## Attribute Reference - -* `id` - This is the id of the configured endpoint. +Attribute Reference +------------------- +- `id` - This is the id of the configured endpoint. diff --git a/docs/resources/volterra_enhanced_firewall_policy.md b/docs/resources/volterra_enhanced_firewall_policy.md index f2583c039..b6386d423 100644 --- a/docs/resources/volterra_enhanced_firewall_policy.md +++ b/docs/resources/volterra_enhanced_firewall_policy.md 
@@ -1,462 +1,168 @@ - - - - - - - - - - - - --- + page_title: "Volterra: enhanced_firewall_policy" -description: "The enhanced_firewall_policy allows CRUD of Enhanced Firewall Policy resource on Volterra SaaS" +description: "The enhanced_firewall_policy allows CRUD of Enhanced Firewall Policy resource on Volterra SaaS" + --- -# Resource volterra_enhanced_firewall_policy -The Enhanced Firewall Policy allows CRUD of Enhanced Firewall Policy resource on Volterra SaaS +Resource volterra_enhanced_firewall_policy +========================================== -~> **Note:** Please refer to [Enhanced Firewall Policy API docs](https://docs.cloud.f5.com/docs-v2/api/enhanced-firewall-policy) to learn more +The Enhanced Firewall Policy allows CRUD of Enhanced Firewall Policy resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Enhanced Firewall Policy API docs](https://docs.cloud.f5.com/docs-v2/api/enhanced-firewall-policy) to learn more + +Example Usage +------------- ```hcl resource "volterra_enhanced_firewall_policy" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "rule_list allow_all allowed_sources allowed_destinations deny_all denied_sources denied_destinations" must be set - - allowed_destinations { - ipv6_prefix = ["[2001:db8::1::/112, 2001::db8::2::/112]"] + // One of the arguments from this list "allow_all allowed_destinations allowed_sources denied_destinations denied_sources deny_all rule_list" must be set - prefix = ["[192.168.1.0/24, 192.168.2.0/24]\""] - } + allow_all = true } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). 
- `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "allow_all, allowed_destinations, allowed_sources, denied_destinations, denied_sources, deny_all, rule_list" must be set `allow_all` - (Optional) Allow all connections from any source to any destination (`Bool`). - `allowed_destinations` - (Optional) Allow all connections to list of destinations from any source. See [Rule Choice Allowed Destinations ](#rule-choice-allowed-destinations) below for details. - - - - - `allowed_sources` - (Optional) Allow all connections from list of sources to any destination. See [Rule Choice Allowed Sources ](#rule-choice-allowed-sources) below for details. - - - - - `denied_destinations` - (Optional) Deny all connections to list of destinations from any source. See [Rule Choice Denied Destinations ](#rule-choice-denied-destinations) below for details. - - - - - `denied_sources` - (Optional) Deny all connections from list of sources to any destination. See [Rule Choice Denied Sources ](#rule-choice-denied-sources) below for details. - - - - - `deny_all` - (Optional) Deny all connections from any source to any destination (`Bool`). - `rule_list` - (Optional) Custom Enhanced Firewall Policy Rule Selection. See [Rule Choice Rule List ](#rule-choice-rule-list) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `segment_policy` - (Optional) Skip the configuration or set option as Any to ignore corresponding segment match. See [Segment Policy ](#segment-policy) below for details. +### Segment Policy +Skip the configuration or set option as Any to ignore corresponding segment match. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Segment Policy - - Skip the configuration or set option as Any to ignore corresponding segment match. - - - - -###### One of the arguments from this list "dst_any, intra_segment, dst_segments" can be set +###### One of the arguments from this list "dst_any, dst_segments, intra_segment" can be set `dst_any` - (Optional) Traffic is not matched against any segment (`Bool`). - `dst_segments` - (Optional) Traffic is matched against destination segment in selected segments. See [Dst Segment Choice Dst Segments ](#dst-segment-choice-dst-segments) below for details. - `intra_segment` - (Optional) Traffic is matched for source and destination on the same segment (`Bool`). - - - - ###### One of the arguments from this list "src_any, src_segments" can be set `src_any` - (Optional) Traffic is not matched against any segment (`Bool`). - `src_segments` - (Optional) Source traffic is matched against selected segments. See [Src Segment Choice Src Segments ](#src-segment-choice-src-segments) below for details. +### Action Choice Allow +Allow any connection matching the rule. +### Action Choice Deny -### Action Choice Allow - - Allow any connection matching the rule. - - +Deny any connection matching the rule. 
-### Action Choice Deny +### Action Choice Insert Service - Deny any connection matching the rule. - - - -### Action Choice Insert Service - - Send selected traffic to NFV Service of type Palo Alto Networks VM-Series Firewall for inspection. +Send selected traffic to NFV Service of type Palo Alto Networks VM-Series Firewall for inspection. `nfv_service` - (Required) Select External Service, to which the traffic should be forwarded to. Forwarding to Palo Alto Networks external service is supported.. See [ref](#ref) below for details. +### Destination Choice All Destinations +Any address that matches 0/0 ip prefix. -### Destination Choice All Destinations - - Any address that matches 0/0 ip prefix. - - - -### Destination Choice All Sli Vips - - Destination is virtual-ip of all loadbalancer on site-local-inside network. - - +### Destination Choice All Sli Vips -### Destination Choice All Slo Vips +Destination is virtual-ip of all loadbalancer on site-local-inside network. - Destination is virtual-ip of all loadbalancer on site-local-outside network. +### Destination Choice All Slo Vips +Destination is virtual-ip of all loadbalancer on site-local-outside network. +### Destination Choice Destination Aws Subnet Ids -### Destination Choice Destination Aws Subnet Ids - - Destination is any address in list of AWS Subnets. +Destination is any address in list of AWS Subnets. `subnet_id` - (Required) List of Subnet Identifiers in AWS (`String`). +### Destination Choice Destination Aws Vpc Ids - -### Destination Choice Destination Aws Vpc Ids - - Destination is any address in list of AWS VPCs. +Destination is any address in list of AWS VPCs. `vpc_id` - (Required) List of VPC Identifiers in AWS (`String`). +### Destination Choice Destination Ip Prefix Set - -### Destination Choice Destination Ip Prefix Set - - Addresses that match one of the prefix in the ip-prefix-set. +Addresses that match one of the prefix in the ip-prefix-set. 
`ref` - (Optional) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. +### Destination Choice Destination Label Selector - -### Destination Choice Destination Label Selector - - These labels can be cloud tags defined on the vpc resource, labels on the global network or others.. +These labels can be cloud tags defined on the vpc resource, labels on the global network or others.. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Destination Choice Destination Prefix List - -### Destination Choice Destination Prefix List - - Addresses that match one of the prefix in the list. +Addresses that match one of the prefix in the list. `ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). `prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). +### Destination Choice Inside Destinations +All addresses reachable in site-local inside interfaces. -### Destination Choice Inside Destinations - - All addresses reachable in site-local inside interfaces. - +### Destination Choice Outside Destinations +All addresses reachable in site-local outside interfaces. -### Destination Choice Outside Destinations +### Dst Segment Choice Dst Any - All addresses reachable in site-local outside interfaces. +Traffic is not matched against any segment. +### Dst Segment Choice Dst Segments - -### Dst Segment Choice Dst Any - - Traffic is not matched against any segment. - - - -### Dst Segment Choice Dst Segments - - Traffic is matched against destination segment in selected segments. +Traffic is matched against destination segment in selected segments. `segments` - (Required) Select list of segments. See [ref](#ref) below for details. +### Dst Segment Choice Intra Segment +Traffic is matched for source and destination on the same segment. -### Dst Segment Choice Intra Segment - - Traffic is matched for source and destination on the same segment. 
- - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -466,187 +172,133 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Rule Choice Allowed Destinations - -### Rule Choice Allowed Destinations - - Allow all connections to list of destinations from any source. +Allow all connections to list of destinations from any source. `ipv6_prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). `prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). +### Rule Choice Allowed Sources - -### Rule Choice Allowed Sources - - Allow all connections from list of sources to any destination. +Allow all connections from list of sources to any destination. `ipv6_prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). `prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). +### Rule Choice Denied Destinations - -### Rule Choice Denied Destinations - - Deny all connections to list of destinations from any source. +Deny all connections to list of destinations from any source. `ipv6_prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). `prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). +### Rule Choice Denied Sources - -### Rule Choice Denied Sources - - Deny all connections from list of sources to any destination. +Deny all connections from list of sources to any destination. `ipv6_prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). `prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). 
+### Rule Choice Rule List - -### Rule Choice Rule List - - Custom Enhanced Firewall Policy Rule Selection. +Custom Enhanced Firewall Policy Rule Selection. `rules` - (Required) Ordered List of Enhanced Firewall Policy Rules. See [Rule List Rules ](#rule-list-rules) below for details. +### Rule List Rules +Ordered List of Enhanced Firewall Policy Rules. -### Rule List Rules - - Ordered List of Enhanced Firewall Policy Rules. - - - -###### One of the arguments from this list "deny, allow, insert_service" must be set +###### One of the arguments from this list "allow, deny, insert_service" must be set `allow` - (Optional) Allow any connection matching the rule (`Bool`). - `deny` - (Optional) Deny any connection matching the rule (`Bool`). - `insert_service` - (Optional) Send selected traffic to NFV Service of type Palo Alto Networks VM-Series Firewall for inspection. See [Action Choice Insert Service ](#action-choice-insert-service) below for details. - `advanced_action` - (Optional) Log any connection matching the rule. See [Rules Advanced Action ](#rules-advanced-action) below for details. - - -###### One of the arguments from this list "inside_destinations, destination_label_selector, all_slo_vips, all_sli_vips, destination_aws_vpc_ids, all_destinations, destination_ip_prefix_set, destination_namespace, destination_aws_subnet_ids, destination_prefix_list, outside_destinations" must be set +###### One of the arguments from this list "all_destinations, all_sli_vips, all_slo_vips, destination_aws_subnet_ids, destination_aws_vpc_ids, destination_ip_prefix_set, destination_label_selector, destination_namespace, destination_prefix_list, inside_destinations, outside_destinations" must be set `all_destinations` - (Optional) Any address that matches 0/0 ip prefix (`Bool`). - `all_sli_vips` - (Optional) Destination is virtual-ip of all loadbalancer on site-local-inside network (`Bool`). 
- `all_slo_vips` - (Optional) Destination is virtual-ip of all loadbalancer on site-local-outside network (`Bool`). - `destination_aws_subnet_ids` - (Optional) Destination is any address in list of AWS Subnets. See [Destination Choice Destination Aws Subnet Ids ](#destination-choice-destination-aws-subnet-ids) below for details. - `destination_aws_vpc_ids` - (Optional) Destination is any address in list of AWS VPCs. See [Destination Choice Destination Aws Vpc Ids ](#destination-choice-destination-aws-vpc-ids) below for details. - `destination_ip_prefix_set` - (Optional) Addresses that match one of the prefix in the ip-prefix-set. See [Destination Choice Destination Ip Prefix Set ](#destination-choice-destination-ip-prefix-set) below for details. - `destination_label_selector` - (Optional) These labels can be cloud tags defined on the vpc resource, labels on the global network or others.. See [Destination Choice Destination Label Selector ](#destination-choice-destination-label-selector) below for details. - `destination_namespace` - (Optional) All addresses in a namespace (`String`).(Deprecated) - `destination_prefix_list` - (Optional) Addresses that match one of the prefix in the list. See [Destination Choice Destination Prefix List ](#destination-choice-destination-prefix-list) below for details. - `inside_destinations` - (Optional) All addresses reachable in site-local inside interfaces (`Bool`). - `outside_destinations` - (Optional) All addresses reachable in site-local outside interfaces (`Bool`). - `label_matcher` - (Optional) not specified here, just the label keys. This facilitates reuse of policies across multiple dimensions such as deployment, environment, and location.. See [Rules Label Matcher ](#rules-label-matcher) below for details. `metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. 
- - -###### One of the arguments from this list "source_aws_subnet_ids, all_sources, source_ip_prefix_set, source_namespace, source_label_selector, source_aws_vpc_ids, source_prefix_list, inside_sources, outside_sources" must be set +###### One of the arguments from this list "all_sources, inside_sources, outside_sources, source_aws_subnet_ids, source_aws_vpc_ids, source_ip_prefix_set, source_label_selector, source_namespace, source_prefix_list" must be set `all_sources` - (Optional) Any address that matches 0/0 ip prefix (`Bool`). - `inside_sources` - (Optional) All addresses reachable in site-local inside interfaces (`Bool`). - `outside_sources` - (Optional) All addresses reachable in site-local outside interfaces (`Bool`). - `source_aws_subnet_ids` - (Optional) Source is any address in list of AWS Subnets. See [Source Choice Source Aws Subnet Ids ](#source-choice-source-aws-subnet-ids) below for details. - `source_aws_vpc_ids` - (Optional) Source is any address in list of AWS VPCs. See [Source Choice Source Aws Vpc Ids ](#source-choice-source-aws-vpc-ids) below for details. - `source_ip_prefix_set` - (Optional) Addresses that match one of the prefix in the ip-prefix-set. See [Source Choice Source Ip Prefix Set ](#source-choice-source-ip-prefix-set) below for details. - `source_label_selector` - (Optional) These labels can be cloud tags defined on the vpc resource, labels on the global network or others.. See [Source Choice Source Label Selector ](#source-choice-source-label-selector) below for details. - `source_namespace` - (Optional) All addresses in a namespace (`String`).(Deprecated) - `source_prefix_list` - (Optional) list contains sublist of both v4 and v6 prfix list. See [Source Choice Source Prefix List ](#source-choice-source-prefix-list) below for details. 
- - - -###### One of the arguments from this list "applications, protocol_port_range, all_traffic, all_tcp_traffic, all_udp_traffic" must be set +###### One of the arguments from this list "all_tcp_traffic, all_traffic, all_udp_traffic, applications, protocol_port_range" must be set `all_tcp_traffic` - (Optional) Select all TCP traffic to match (`Bool`). - `all_traffic` - (Optional) Select all traffic to match (`Bool`). - `all_udp_traffic` - (Optional) Select all UDP traffic to match (`Bool`). - `applications` - (Optional) Select Application traffic to match. See [Traffic Choice Applications ](#traffic-choice-applications) below for details. - `protocol_port_range` - (Optional) Select specific protocol and port ranges traffic to match. See [Traffic Choice Protocol Port Range ](#traffic-choice-protocol-port-range) below for details. +### Rules Advanced Action - - -### Rules Advanced Action - - Log any connection matching the rule. +Log any connection matching the rule. `action` - (Optional) Enable or disable logging. (`String`). +### Rules Label Matcher - -### Rules Label Matcher - - not specified here, just the label keys. This facilitates reuse of policies across multiple dimensions such as deployment, environment, and location.. +not specified here, just the label keys. This facilitates reuse of policies across multiple dimensions such as deployment, environment, and location.. `keys` - (Optional) The list of label key names that have to match (`String`). +### Rules Metadata - -### Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
@@ -654,119 +306,87 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Source Choice All Sources +Any address that matches 0/0 ip prefix. -### Source Choice All Sources - - Any address that matches 0/0 ip prefix. +### Source Choice Inside Sources +All addresses reachable in site-local inside interfaces. +### Source Choice Outside Sources -### Source Choice Inside Sources +All addresses reachable in site-local outside interfaces. - All addresses reachable in site-local inside interfaces. +### Source Choice Source Aws Subnet Ids - - -### Source Choice Outside Sources - - All addresses reachable in site-local outside interfaces. - - - -### Source Choice Source Aws Subnet Ids - - Source is any address in list of AWS Subnets. +Source is any address in list of AWS Subnets. `subnet_id` - (Required) List of Subnet Identifiers in AWS (`String`). +### Source Choice Source Aws Vpc Ids - -### Source Choice Source Aws Vpc Ids - - Source is any address in list of AWS VPCs. +Source is any address in list of AWS VPCs. `vpc_id` - (Required) List of VPC Identifiers in AWS (`String`). +### Source Choice Source Ip Prefix Set - -### Source Choice Source Ip Prefix Set - - Addresses that match one of the prefix in the ip-prefix-set. +Addresses that match one of the prefix in the ip-prefix-set. `ref` - (Optional) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. +### Source Choice Source Label Selector - -### Source Choice Source Label Selector - - These labels can be cloud tags defined on the vpc resource, labels on the global network or others.. +These labels can be cloud tags defined on the vpc resource, labels on the global network or others.. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). 
+### Source Choice Source Prefix List - -### Source Choice Source Prefix List - - list contains sublist of both v4 and v6 prfix list. +list contains sublist of both v4 and v6 prfix list. `ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). `prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). +### Src Segment Choice Src Any +Traffic is not matched against any segment. -### Src Segment Choice Src Any - - Traffic is not matched against any segment. - +### Src Segment Choice Src Segments - -### Src Segment Choice Src Segments - - Source traffic is matched against selected segments. +Source traffic is matched against selected segments. `segments` - (Required) Select list of segments. See [ref](#ref) below for details. +### Traffic Choice All Tcp Traffic +Select all TCP traffic to match. -### Traffic Choice All Tcp Traffic - - Select all TCP traffic to match. - - +### Traffic Choice All Traffic -### Traffic Choice All Traffic +Select all traffic to match. - Select all traffic to match. +### Traffic Choice All Udp Traffic +Select all UDP traffic to match. +### Traffic Choice Applications -### Traffic Choice All Udp Traffic - - Select all UDP traffic to match. - - - -### Traffic Choice Applications - - Select Application traffic to match. +Select Application traffic to match. `applications` - (Optional) Application protocols like HTTP, SNMP (`List of Strings`). +### Traffic Choice Protocol Port Range - -### Traffic Choice Protocol Port Range - - Select specific protocol and port ranges traffic to match. +Select specific protocol and port ranges traffic to match. `port_ranges` - (Optional) List of port ranges. Each range is a single port or a pair of start and end ports e.g. 8080-8192 (`String`). `protocol` - (Optional) Values are tcp, udp, and icmp (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured enhanced_firewall_policy. 
- +- `id` - This is the id of the configured enhanced_firewall_policy. diff --git a/docs/resources/volterra_fast_acl.md b/docs/resources/volterra_fast_acl.md index 542699c0b..b25614924 100644 --- a/docs/resources/volterra_fast_acl.md +++ b/docs/resources/volterra_fast_acl.md @@ -1,46 +1,33 @@ - - - - - - - - - - - - --- + page_title: "Volterra: fast_acl" -description: "The fast_acl allows CRUD of Fast Acl resource on Volterra SaaS" +description: "The fast_acl allows CRUD of Fast Acl resource on Volterra SaaS" + --- -# Resource volterra_fast_acl -The Fast Acl allows CRUD of Fast Acl resource on Volterra SaaS +Resource volterra_fast_acl +========================== + +The Fast Acl allows CRUD of Fast Acl resource on Volterra SaaS -~> **Note:** Please refer to [Fast Acl API docs](https://docs.cloud.f5.com/docs-v2/api/fast-acl) to learn more +~> **Note:** Please refer to [Fast Acl API docs](https://docs.cloud.f5.com/docs-v2/api/fast-acl) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_fast_acl" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "site_acl re_acl legacy_acl" must be set + // One of the arguments from this list "legacy_acl re_acl site_acl" must be set site_acl { fast_acl_rules { action { // One of the arguments from this list "policer_action protocol_policer_action simple_action" can be set - policer_action { - ref { - name = "test1" - namespace = "staging" - tenant = "acmecorp" - } - } + simple_action = "simple_action" } metadata { 
@@ -54,25 +41,27 @@ resource "volterra_fast_acl" "example" { name = "value" port { - // One of the arguments from this list "all user_defined dns" can be set + // One of the arguments from this list "all dns user_defined" can be set all = true } - // One of the arguments from this list "prefix ip_prefix_set" must be set - - prefix { - ipv6_prefix = ["[2001:db8::1::/112, 2001::db8::2::/112]"] + // One of the arguments from this list "ip_prefix_set prefix" must be set - prefix = ["[192.168.1.0/24, 192.168.2.0/24]\""] + ip_prefix_set { + ref { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } } } - // One of the arguments from this list "outside_network inside_network" must be set + // One of the arguments from this list "inside_network outside_network" must be set outside_network = true - // One of the arguments from this list "interface_services vip_services all_services" must be set + // One of the arguments from this list "all_services interface_services vip_services" must be set interface_services = true } 
@@ -80,337 +69,76 @@ resource "volterra_fast_acl" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `protocol_policer` - (Optional) on that group, giving a semantics of hash limit for source IP. See [ref](#ref) below for details. - +###### One of the arguments from this list "legacy_acl, re_acl, site_acl" must be set `legacy_acl` - (Optional) ACL may be applied at regional edge sites or customer edge sites. Not recommended. See [Site Choice Legacy Acl ](#site-choice-legacy-acl) below for details.(Deprecated) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `re_acl` - (Optional) ACL will be applied at regional edge sites. See [Site Choice Re Acl ](#site-choice-re-acl) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `site_acl` - (Optional) ACL will be applied at customer edge sites. See [Site Choice Site Acl ](#site-choice-site-acl) below for details. 
- - - - - - - - +### Action Policer Action - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Action Policer Action - - Reference to policer object to which traffic would be subjected. +Reference to policer object to which traffic would be subjected. `ref` - (Optional) A policer direct reference. See [ref](#ref) below for details. +### Action Protocol Policer Action - -### Action Protocol Policer Action - - Reference to protocol based policer object. +Reference to protocol based policer object. `ref` - (Optional) Reference to protocol policer object. See [ref](#ref) below for details. +### Destination Ip Address Address - -### Destination Ip Address Address - - List of IP addresses to match with destination. - - - +List of IP addresses to match with destination. ###### One of the arguments from this list "ipv4, ipv6" can be set `ipv4` - (Optional) IPv4 Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - `ipv6` - (Optional) IPv6 Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Destination Ip Address Ports +Special value "0" means all valid ports on the VIPs. - -### Destination Ip Address Ports - - Special value "0" means all valid ports on the VIPs. - - - - -###### One of the arguments from this list "dns, all, user_defined" can be set +###### One of the arguments from this list "all, dns, user_defined" can be set `all` - (Optional) Matches all port (`Bool`). - `dns` - (Optional) Matches dns port 53 (`Bool`). - `user_defined` - (Optional) Matches the user defined port (`Int`). +### Destination Type Choice All Services +Regional Edge: Applies the configuration to all the VIPs assigned to tenant. +### Destination Type Choice Destination Ip Address -### Destination Type Choice All Services - - Regional Edge: Applies the configuration to all the VIPs assigned to tenant. - - - -### Destination Type Choice Destination Ip Address - - Regional Edge : Tenant can not configure it. +Regional Edge : Tenant can not configure it. 
`address` - (Optional) List of IP addresses to match with destination. See [Destination Ip Address Address ](#destination-ip-address-address) below for details. 
@@ -418,63 +146,43 @@ resource "volterra_fast_acl" "example" { `protocol` - (Optional) Protocol to match in the traffic (`String`). +### Destination Type Choice Interface Services +Regional Edge : tenants CANNOT use this option on RE. -### Destination Type Choice Interface Services - - Regional Edge : tenants CANNOT use this option on RE. - +### Destination Type Choice Selected Vip Address - -### Destination Type Choice Selected Vip Address - - Valid only for RE.. +Valid only for RE.. `address` - (Optional) List of IP addresses to match with destination. See [Selected Vip Address Address ](#selected-vip-address-address) below for details. +### Destination Type Choice Shared Vip Services +Regional Edge: Applies configuration on all shared VIPs used for services. -### Destination Type Choice Shared Vip Services - - Regional Edge: Applies configuration on all shared VIPs used for services. - - - -### Destination Type Choice Vhost - - Regional Edge: Allowed. - - - -### Destination Type Choice Vip Services - - Regional Edge: Applies the configuration to VIP which has been assigned by default to tenant. Not applicable for shared VIP(s). +### Destination Type Choice Vhost +Regional Edge: Allowed. +### Destination Type Choice Vip Services -### Fast Acl Rules Action - - Action to be applied if traffic matched rule (pass, deny or rate limit). - +Regional Edge: Applies the configuration to VIP which has been assigned by default to tenant. Not applicable for shared VIP(s). +### Fast Acl Rules Action +Action to be applied if traffic matched rule (pass, deny or rate limit). ###### One of the arguments from this list "policer_action, protocol_policer_action, simple_action" can be set `policer_action` - (Optional) Reference to policer object to which traffic would be subjected. See [Action Policer Action ](#action-policer-action) below for details. - `protocol_policer_action` - (Optional) Reference to protocol based policer object. 
See [Action Protocol Policer Action ](#action-protocol-policer-action) below for details. - `simple_action` - (Optional) Simple action like dropping or forwarding the traffic (`String`). +### Fast Acl Rules Metadata - - -### Fast Acl Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
@@ -482,107 +190,69 @@ resource "volterra_fast_acl" "example" { `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Fast Acl Rules Port +L4 port numbers to match. -### Fast Acl Rules Port - - L4 port numbers to match. - - - - -###### One of the arguments from this list "all, user_defined, dns" can be set +###### One of the arguments from this list "all, dns, user_defined" can be set `all` - (Optional) Matches all port (`Bool`). - `dns` - (Optional) Matches dns port 53 (`Bool`). - `user_defined` - (Optional) Matches the user defined port (`Int`). +### Legacy Acl Destination Type +1. Explicit IP and port. - -### Legacy Acl Destination Type - - 4. Explicit IP and port. - - - - -###### One of the arguments from this list "interface_services, vip_services, all_services, destination_ip_address, selected_vip_address, shared_vip_services, vhost" can be set +###### One of the arguments from this list "all_services, destination_ip_address, interface_services, selected_vip_address, shared_vip_services, vhost, vip_services" can be set `all_services` - (Optional) Regional Edge: Applies the configuration to all the VIPs assigned to tenant (`Bool`). - `destination_ip_address` - (Optional) Regional Edge : Tenant can not configure it. See [Destination Type Choice Destination Ip Address ](#destination-type-choice-destination-ip-address) below for details. - `interface_services` - (Optional) Regional Edge : tenants CANNOT use this option on RE (`Bool`). - `selected_vip_address` - (Optional) Valid only for RE.. See [Destination Type Choice Selected Vip Address ](#destination-type-choice-selected-vip-address) below for details. - `shared_vip_services` - (Optional) Regional Edge: Applies configuration on all shared VIPs used for services (`Bool`). - `vhost` - (Optional) Regional Edge: Allowed (`Bool`).(Deprecated) - `vip_services` - (Optional) Regional Edge: Applies the configuration to VIP which has been assigned by default to tenant. 
Not applicable for shared VIP(s) (`Bool`). +### Legacy Acl Network Type +CE applies Fast ACLs with network type selector as "site_local" and "site_local_inside" only. - -### Legacy Acl Network Type - - CE applies Fast ACLs with network type selector as "site_local" and "site_local_inside" only. - - - - -###### One of the arguments from this list "site_local, site_local_inside, public" can be set +###### One of the arguments from this list "public, site_local, site_local_inside" can be set `public` - (Optional) Indicates use of public network (`Bool`). - `site_local` - (Optional) Indicates use of site local network (`Bool`). - `site_local_inside` - (Optional) Indicates use of site local inside network (`Bool`). +### Network Choice Inside Network +Site Local Inside network. +### Network Choice Outside Network -### Network Choice Inside Network - - Site Local Inside network. +Site Local Outside network. +### Port Value Type Choice All +Matches all port. -### Network Choice Outside Network +### Port Value Type Choice Dns - Site Local Outside network. +Matches dns port 53. +### Re Acl Fast Acl Rules - -### Port Value Type Choice All - - Matches all port. - - - -### Port Value Type Choice Dns - - Matches dns port 53. - - - -### Re Acl Fast Acl Rules - - Fast ACL rules to match. +Fast ACL rules to match. `action` - (Required) Action to be applied if traffic matched rule (pass, deny or rate limit). See [Fast Acl Rules Action ](#fast-acl-rules-action) below for details. 
@@ -592,20 +262,13 @@ resource "volterra_fast_acl" "example" { `port` - (Optional) L4 port numbers to match. See [Fast Acl Rules Port ](#fast-acl-rules-port) below for details. - - ###### One of the arguments from this list "ip_prefix_set, prefix" must be set `ip_prefix_set` - (Optional) Reference to IP prefix set object. See [Source Ip Prefix Set ](#source-ip-prefix-set) below for details. - `prefix` - (Optional) List of IP prefixes. See [Source Prefix ](#source-prefix) below for details. - - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -615,28 +278,19 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Selected Vip Address Address +List of IP addresses to match with destination. -### Selected Vip Address Address - - List of IP addresses to match with destination. - - - - -###### One of the arguments from this list "ipv6, ipv4" can be set +###### One of the arguments from this list "ipv4, ipv6" can be set `ipv4` - (Optional) IPv4 Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - `ipv6` - (Optional) IPv6 Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Site Acl Fast Acl Rules - - -### Site Acl Fast Acl Rules - - Fast ACL rules to match. +Fast ACL rules to match. `action` - (Required) Action to be applied if traffic matched rule (pass, deny or rate limit). See [Fast Acl Rules Action ](#fast-acl-rules-action) below for details. 
@@ -646,175 +300,123 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `port` - (Optional) L4 port numbers to match. See [Fast Acl Rules Port ](#fast-acl-rules-port) below for details. - - -###### One of the arguments from this list "prefix, ip_prefix_set" must be set +###### One of the arguments from this list "ip_prefix_set, prefix" must be set `ip_prefix_set` - (Optional) Reference to IP prefix set object. See [Source Ip Prefix Set ](#source-ip-prefix-set) below for details. - `prefix` - (Optional) List of IP prefixes. See [Source Prefix ](#source-prefix) below for details. +### Site Choice Legacy Acl +ACL may be applied at regional edge sites or customer edge sites. Not recommended. - -### Site Choice Legacy Acl - - ACL may be applied at regional edge sites or customer edge sites. Not recommended. - -`destination_type` - (Required) 4. Explicit IP and port. See [Legacy Acl Destination Type ](#legacy-acl-destination-type) below for details. +`destination_type` - (Required) 4. Explicit IP and port. See [Legacy Acl Destination Type ](#legacy-acl-destination-type) below for details. `network_type` - (Required) CE applies Fast ACLs with network type selector as "site_local" and "site_local_inside" only. See [Legacy Acl Network Type ](#legacy-acl-network-type) below for details. `source_rules` - (Optional) List of Fast ACL rules to be applied to received packets on this site. See [ref](#ref) below for details. +### Site Choice Re Acl - -### Site Choice Re Acl - - ACL will be applied at regional edge sites. +ACL will be applied at regional edge sites. `fast_acl_rules` - (Optional) Fast ACL rules to match. See [Re Acl Fast Acl Rules ](#re-acl-fast-acl-rules) below for details. - - ###### One of the arguments from this list "all_public_vips, default_tenant_vip, selected_tenant_vip" must be set `all_public_vips` - (Optional) Apply this Fast ACL to all public vips (`Bool`). 
- `default_tenant_vip` - (Optional) Apply this Fast ACL to Default(dedicated) Tenant VIP (`Bool`). - `selected_tenant_vip` - (Optional) Apply this Fast ACL to List of some selected public VIP(s). See [Vip Choice Selected Tenant Vip ](#vip-choice-selected-tenant-vip) below for details. +### Site Choice Site Acl - - -### Site Choice Site Acl - - ACL will be applied at customer edge sites. +ACL will be applied at customer edge sites. `fast_acl_rules` - (Optional) Fast ACL rules to match. See [Site Acl Fast Acl Rules ](#site-acl-fast-acl-rules) below for details. - - -###### One of the arguments from this list "outside_network, inside_network" must be set +###### One of the arguments from this list "inside_network, outside_network" must be set `inside_network` - (Optional) Site Local Inside network (`Bool`). - `outside_network` - (Optional) Site Local Outside network (`Bool`). - - - ###### One of the arguments from this list "all_services, interface_services, vip_services" must be set `all_services` - (Optional) Port and protocol is picked up from advertise policies (`Bool`). - `interface_services` - (Optional) Port and protocol is picked up from advertise policies (`Bool`). - `vip_services` - (Optional) Port and protocol is picked up from advertise policies (`Bool`). +### Source Ip Prefix Set - - -### Source Ip Prefix Set - - Reference to IP prefix set object. +Reference to IP prefix set object. `ref` - (Optional) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. +### Source Prefix - -### Source Prefix - - List of IP prefixes. +List of IP prefixes. `ipv6_prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). `prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). +### Ver Ipv4 - -### Ver Ipv4 - - IPv4 Address. +IPv4 Address. `addr` - (Optional) IPv4 Address in string form with dot-decimal notation (`String`). 
+### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Address. +IPv6 Address. `addr` - (Optional) e.g. '2001:db8:0:0:0:0:2:1' becomes '2001:db8::2:1' or '2001:db8:0:0:0:2:0:0' becomes '2001:db8::2::' (`String`). +### Vip Choice All Public Vips +Apply this Fast ACL to all public vips. -### Vip Choice All Public Vips - - Apply this Fast ACL to all public vips. - - - -### Vip Choice All Services - - Port and protocol is picked up from advertise policies. - - - -### Vip Choice Default Tenant Vip - - Apply this Fast ACL to Default(dedicated) Tenant VIP. - +### Vip Choice All Services +Port and protocol is picked up from advertise policies. -### Vip Choice Interface Services +### Vip Choice Default Tenant Vip - Port and protocol is picked up from advertise policies. +Apply this Fast ACL to Default(dedicated) Tenant VIP. +### Vip Choice Interface Services +Port and protocol is picked up from advertise policies. -### Vip Choice Selected Tenant Vip +### Vip Choice Selected Tenant Vip - Apply this Fast ACL to List of some selected public VIP(s). +Apply this Fast ACL to List of some selected public VIP(s). `default_tenant_vip` - (Optional) Include tenant vip in list of specific VIP(s) (`Bool`). `public_ip_refs` - (Required) Select additional public VIP(s). See [ref](#ref) below for details. +### Vip Choice Vip Services +Port and protocol is picked up from advertise policies. -### Vip Choice Vip Services - - Port and protocol is picked up from advertise policies. - - - -### Vn Type Choice Public - - Indicates use of public network. - - - -### Vn Type Choice Site Local - - Indicates use of site local network. - - +### Vn Type Choice Public -### Vn Type Choice Site Local Inside +Indicates use of public network. - Indicates use of site local inside network. +### Vn Type Choice Site Local +Indicates use of site local network. +### Vn Type Choice Site Local Inside -## Attribute Reference +Indicates use of site local inside network. -* `id` - This is the id of the configured fast_acl. 
+Attribute Reference +------------------- +- `id` - This is the id of the configured fast_acl. diff --git a/docs/resources/volterra_fast_acl_for_internet_vips.md b/docs/resources/volterra_fast_acl_for_internet_vips.md index 3e21308f1..520d91b16 100644 --- a/docs/resources/volterra_fast_acl_for_internet_vips.md +++ b/docs/resources/volterra_fast_acl_for_internet_vips.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: fast_acl_for_internet_vips" - description: "The fast_acl_for_internet_vips activates the passed list of FastACLs for Internet VIPs" ------------------------------------------------------------------------------------------------------ + +--- Resource volterra_fast_acl_for_internet_vips ============================================ diff --git a/docs/resources/volterra_fast_acl_rule.md b/docs/resources/volterra_fast_acl_rule.md index 970d148a1..ecdd26c99 100644 --- a/docs/resources/volterra_fast_acl_rule.md +++ b/docs/resources/volterra_fast_acl_rule.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: fast_acl_rule" -description: "The fast_acl_rule allows CRUD of Fast Acl Rule resource on Volterra SaaS" +description: "The fast_acl_rule allows CRUD of Fast Acl Rule resource on Volterra SaaS" + --- -# Resource volterra_fast_acl_rule -The Fast Acl Rule allows CRUD of Fast Acl Rule resource on Volterra SaaS +Resource volterra_fast_acl_rule +=============================== + +The Fast Acl Rule allows CRUD of Fast Acl Rule resource on Volterra SaaS -~> **Note:** Please refer to [Fast Acl Rule API docs](https://docs.cloud.f5.com/docs-v2/api/fast-acl-rule) to learn more +~> **Note:** Please refer to [Fast Acl Rule API docs](https://docs.cloud.f5.com/docs-v2/api/fast-acl-rule) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_fast_acl_rule" "example" { 
@@ -28,18 +21,18 @@ resource "volterra_fast_acl_rule" "example" { namespace = "staging" action { - // One of the arguments from this list "protocol_policer_action simple_action policer_action" can be set + // One of the arguments from this list "policer_action protocol_policer_action simple_action" can be set simple_action = "simple_action" } port { - // One of the arguments from this list "all user_defined dns" can be set + // One of the arguments from this list "all dns user_defined" can be set all = true } - // One of the arguments from this list "prefix ip_prefix_set" must be set + // One of the arguments from this list "ip_prefix_set prefix" must be set prefix { ipv6_prefix = ["[2001:db8::1::/112, 2001::db8::2::/112]"] 
@@ -50,152 +43,80 @@ resource "volterra_fast_acl_rule" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `action` - (Required) Action to be applied if traffic matched rule (allow, deny or police). See [Action ](#action) below for details. - - - - - - - - - - - - - - - - - `port` - (Required) L4 port numbers to match. See [Port ](#port) below for details. - - - - - - - - - - - - - - - +###### One of the arguments from this list "ip_prefix_set, prefix" must be set `ip_prefix_set` - (Optional) Reference to IP prefix set object. See [Source Ip Prefix Set ](#source-ip-prefix-set) below for details. - - - - `prefix` - (Optional) List of IP prefixes. See [Source Prefix ](#source-prefix) below for details. - - - - - +### Action +Action to be applied if traffic matched rule (allow, deny or police). -### Action - - Action to be applied if traffic matched rule (allow, deny or police). - - - - -###### One of the arguments from this list "simple_action, policer_action, protocol_policer_action" can be set +###### One of the arguments from this list "policer_action, protocol_policer_action, simple_action" can be set `policer_action` - (Optional) Reference to policer object to which traffic would be subjected. 
See [Action Policer Action ](#action-policer-action) below for details. - `protocol_policer_action` - (Optional) Reference to protocol based policer object. See [Action Protocol Policer Action ](#action-protocol-policer-action) below for details. - `simple_action` - (Optional) Simple action like dropping or forwarding the traffic (`String`). +### Port +L4 port numbers to match. - -### Port - - L4 port numbers to match. - - - - -###### One of the arguments from this list "dns, all, user_defined" can be set +###### One of the arguments from this list "all, dns, user_defined" can be set `all` - (Optional) Matches all port (`Bool`). - `dns` - (Optional) Matches dns port 53 (`Bool`). - `user_defined` - (Optional) Matches the user defined port (`Int`). +### Action Policer Action - - -### Action Policer Action - - Reference to policer object to which traffic would be subjected. +Reference to policer object to which traffic would be subjected. `ref` - (Optional) A policer direct reference. See [ref](#ref) below for details. +### Action Protocol Policer Action - -### Action Protocol Policer Action - - Reference to protocol based policer object. +Reference to protocol based policer object. `ref` - (Optional) Reference to protocol policer object. See [ref](#ref) below for details. +### Port Value Type Choice All +Matches all port. -### Port Value Type Choice All - - Matches all port. - - +### Port Value Type Choice Dns -### Port Value Type Choice Dns - - Matches dns port 53. - - - -### Ref +Matches dns port 53. +### Ref Reference to another volterra object is shown like below 
@@ -205,27 +126,21 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Source Ip Prefix Set - -### Source Ip Prefix Set - - Reference to IP prefix set object. +Reference to IP prefix set object. `ref` - (Optional) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. +### Source Prefix - -### Source Prefix - - List of IP prefixes. +List of IP prefixes. `ipv6_prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). `prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured fast_acl_rule. - +- `id` - This is the id of the configured fast_acl_rule. diff --git a/docs/resources/volterra_filter_set.md b/docs/resources/volterra_filter_set.md index 536681102..62895a1d6 100644 --- a/docs/resources/volterra_filter_set.md +++ b/docs/resources/volterra_filter_set.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: filter_set" -description: "The filter_set allows CRUD of Filter Set resource on Volterra SaaS" +description: "The filter_set allows CRUD of Filter Set resource on Volterra SaaS" + --- -# Resource volterra_filter_set -The Filter Set allows CRUD of Filter Set resource on Volterra SaaS +Resource volterra_filter_set +============================ -~> **Note:** Please refer to [Filter Set API docs](https://docs.cloud.f5.com/docs-v2/api/filter-set) to learn more +The Filter Set allows CRUD of Filter Set resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Filter Set API docs](https://docs.cloud.f5.com/docs-v2/api/filter-set) to learn more + +Example Usage +------------- ```hcl resource "volterra_filter_set" "example" { 
@@ -31,159 +24,92 @@ resource "volterra_filter_set" "example" { filter_fields { field_id = "field_id" - // One of the arguments from this list "string_field date_field label_selector_field filter_expression_field" must be set + // One of the arguments from this list "date_field filter_expression_field label_selector_field string_field" must be set - string_field { - field_values = ["field_values"] + filter_expression_field { + expression = "region in (us-west1, us-west2),tier in (staging)" } } } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `context_key` - (Required) indexable context key that identifies a page or page type for which the FilterSet is applicable (`String`). - - `filter_fields` - (Required) list of fields and their values selected by the user. See [Filter Fields ](#filter-fields) below for details. +### Filter Fields - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Filter Fields - - list of fields and their values selected by the user. +list of fields and their values selected by the user. `field_id` - (Required) an identifier for the field that maps to some UI filter component (`String`). 
- - -###### One of the arguments from this list "string_field, date_field, label_selector_field, filter_expression_field" must be set +###### One of the arguments from this list "date_field, filter_expression_field, label_selector_field, string_field" must be set `date_field` - (Optional) x-displayName: "Date/Time Range". See [Field Value Date Field ](#field-value-date-field) below for details. - `filter_expression_field` - (Optional) x-displayName: "Key/Value Selector Expression". See [Field Value Filter Expression Field ](#field-value-filter-expression-field) below for details. - `label_selector_field` - (Optional) x-displayName: "Kubernetes-style Label Selector Expression (deprecated)". See [Field Value Label Selector Field ](#field-value-label-selector-field) below for details.(Deprecated) - `string_field` - (Optional) x-displayName: "String". See [Field Value String Field ](#field-value-string-field) below for details. +### Field Value Date Field +x-displayName: "Date/Time Range". - -### Field Value Date Field - - x-displayName: "Date/Time Range". - - - -###### One of the arguments from this list "relative, absolute" must be set +###### One of the arguments from this list "absolute, relative" must be set `absolute` - (Optional) absolute start and end timestamps. See [Range Type Absolute ](#range-type-absolute) below for details. - `relative` - (Optional) relative time duration (`String`). +### Field Value Filter Expression Field - - -### Field Value Filter Expression Field - - x-displayName: "Key/Value Selector Expression". +x-displayName: "Key/Value Selector Expression". `expression` - (Required) differs in that it allows special characters in the keys and values (`String`). +### Field Value Label Selector Field - -### Field Value Label Selector Field - - x-displayName: "Kubernetes-style Label Selector Expression (deprecated)". +x-displayName: "Kubernetes-style Label Selector Expression (deprecated)". 
`expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Field Value String Field - -### Field Value String Field - - x-displayName: "String". +x-displayName: "String". `field_values` - (Required) x-required (`String`). +### Range Type Absolute - -### Range Type Absolute - - absolute start and end timestamps. +absolute start and end timestamps. `end_date` - (Required) Contains end date (`String`). `start_date` - (Required) Contains start date (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured filter_set. - +- `id` - This is the id of the configured filter_set. diff --git a/docs/resources/volterra_fleet.md b/docs/resources/volterra_fleet.md index b76c7d190..ba1d03e10 100644 --- a/docs/resources/volterra_fleet.md +++ b/docs/resources/volterra_fleet.md 
@@ -1,1160 +1,241 @@ +--- +page_title: "Volterra: fleet" +description: "The fleet allows CRUD of Fleet resource on Volterra SaaS" +--- +Resource volterra_fleet +======================= +The Fleet allows CRUD of Fleet resource on Volterra SaaS +~> **Note:** Please refer to [Fleet API docs](https://docs.cloud.f5.com/docs-v2/api/fleet) to learn more +Example Usage +------------- +```hcl +resource "volterra_fleet" "example" { + name = "acmecorp-web" + namespace = "staging" + // One of the arguments from this list "bond_device_list no_bond_devices" must be set + no_bond_devices = true + // One of the arguments from this list "dc_cluster_group dc_cluster_group_inside no_dc_cluster_group" must be set + no_dc_cluster_group = true + fleet_label = ["sfo"] ---- -page_title: "Volterra: fleet" -description: "The fleet allows CRUD of Fleet resource on Volterra SaaS" ---- -# Resource volterra_fleet - -The Fleet allows CRUD of Fleet resource on Volterra SaaS - -~> **Note:** Please refer to [Fleet API docs](https://docs.cloud.f5.com/docs-v2/api/fleet) to learn more - -## Example Usage - -```hcl -resource "volterra_fleet" "example" { - name = "acmecorp-web" - namespace = "staging" - - // One of the arguments from this list "no_bond_devices bond_device_list" must be set - - no_bond_devices = true - - // One of the arguments from this list "no_dc_cluster_group dc_cluster_group dc_cluster_group_inside" must be set - - no_dc_cluster_group = true - fleet_label = ["sfo"] - - // One of the arguments from this list "disable_gpu enable_gpu enable_vgpu" must be set - - disable_gpu = true - - // One of the arguments from this list "interface_list default_config device_list" must be set - - interface_list { - interfaces { - name = "test1" - namespace = "staging" - tenant = "acmecorp" - } - } - - // One of the arguments from this list "log_receiver logs_streaming_disabled" must be set - - logs_streaming_disabled = true - - // One of the arguments from this list "sriov_interfaces 
default_sriov_interface" must be set - - sriov_interfaces { - sriov_interface { - interface_name = "eth0" - - number_of_vfio_vfs = "2" - - number_of_vfs = "3" - } - } - - // One of the arguments from this list "default_storage_class storage_class_list" must be set - - default_storage_class = true - - // One of the arguments from this list "no_storage_device storage_device_list" must be set - - storage_device_list { - storage_devices { - advanced_advanced_parameters = { - "key1" = "value1" - } - - // One of the arguments from this list "netapp_trident pure_service_orchestrator custom_storage hpe_storage" must be set - - netapp_trident { - // One of the arguments from this list "netapp_backend_ontap_nas netapp_backend_ontap_san" must be set - - netapp_backend_ontap_nas { - auto_export_cidrs { - ipv6_prefixes = ["fd48:fa09:d9d4::/48"] - - prefixes = ["192.168.20.0/24"] - } - - auto_export_policy = true - - backend_name = "value" - - client_certificate = "value" - - client_private_key { - blindfold_secret_info_internal { - decryption_provider = "value" - - location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" - - store_provider = "value" - } - - secret_encoding_type = "secret_encoding_type" - - // One of the arguments from this list "blindfold_secret_info vault_secret_info clear_secret_info wingman_secret_info" must be set - - blindfold_secret_info { - decryption_provider = "value" - - location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" - - store_provider = "value" - } - } - - // One of the arguments from this list "data_lif_ip data_lif_dns_name" can be set - - data_lif_ip = "10.5.2.4" - labels = { - "key1" = "value1" - } - limit_aggregate_usage = "80%" - limit_volume_size = "50Gi" - - // One of the arguments from this list "management_lif_ip management_lif_dns_name" must be set - - management_lif_ip = "10.5.2.4" - nfs_mount_options = "nfsvers=4" - password { - blindfold_secret_info_internal { - decryption_provider = "value" - - location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" - 
- store_provider = "value" - } - - secret_encoding_type = "secret_encoding_type" - - // One of the arguments from this list "blindfold_secret_info vault_secret_info clear_secret_info wingman_secret_info" must be set - - blindfold_secret_info { - decryption_provider = "value" - - location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" - - store_provider = "value" - } - } - region = "us_east_1b" - storage { - labels = { - "key1" = "value1" - } - - volume_defaults { - encryption = true - - export_policy = "default" - - // One of the arguments from this list "no_qos qos_policy adaptive_qos_policy" must be set - - no_qos = true - security_style = "unix" - snapshot_dir = true - snapshot_policy = "none" - snapshot_reserve = "10" - space_reserve = "thick" - split_on_clone = true - tiering_policy = "snapshot-only" - unix_permissions = "777" - } - - zone = "us_east_1b" - } - storage_driver_name = "ontap-nas" - storage_prefix = "trident" - svm = "trident_svm" - trusted_ca_certificate = "value" - username = "cluster-admin" - volume_defaults { - encryption = true - - export_policy = "default" - - // One of the arguments from this list "no_qos qos_policy adaptive_qos_policy" must be set - - no_qos = true - security_style = "unix" - snapshot_dir = true - snapshot_policy = "none" - snapshot_reserve = "10" - space_reserve = "thick" - split_on_clone = true - tiering_policy = "snapshot-only" - unix_permissions = "777" - } - } - } - storage_device = "DellEMC-isilon-F800-0" - } - } - - // One of the arguments from this list "no_storage_interfaces storage_interface_list" must be set - - no_storage_interfaces = true - - // One of the arguments from this list "no_storage_static_routes storage_static_routes" must be set - - no_storage_static_routes = true - - // One of the arguments from this list "deny_all_usb allow_all_usb usb_policy" must be set - - allow_all_usb = true -} - -``` - -## Argument Reference - -### Metadata Argument Reference -`annotations` - (Optional) queryable and should be 
preserved when modifying objects. (`String`). - - -`description` - (Optional) Human readable description for the object (`String`). - - -`disable` - (Optional) A value of true will administratively disable the object (`Bool`). - - -`labels` - (Optional) by selector expression (`String`). - - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - -`namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - - -### Spec Argument Reference - -`blocked_services` - (Optional) Disable node local services on this site.. See [Blocked Services ](#blocked-services) below for details. - - - - - - - - - - - - - - - - - - - - - - -`bond_device_list` - (Optional) Configure Bond Devices for this fleet. See [Bond Choice Bond Device List ](#bond-choice-bond-device-list) below for details. - - - - - - - - - - - - - - - - - - - - - - - - -`no_bond_devices` - (Optional) No Bond Devices configured for this Fleet (`Bool`). - - - - - -`dc_cluster_group` - (Optional) This fleet is member of dc cluster group via site local network. See [ref](#ref) below for details. - - -`dc_cluster_group_inside` - (Optional) This fleet is member of dc cluster group via site local inside network. See [ref](#ref) below for details. - - -`no_dc_cluster_group` - (Optional) This fleet is not a member of a DC cluster group (`Bool`). - - - - -`enable_default_fleet_config_download` - (Optional) Enable default fleet config, It must be set for storage config and gpu config (`Bool`). - - - -`fleet_label` - (Required) fleet_label with "sfo" will create a known_label "ves.io/fleet=sfo" in tenant for the fleet (`String`). - - - - -`disable_gpu` - (Optional) GPU is not enabled for this fleet (`Bool`). - - -`enable_gpu` - (Optional) GPU is enabled for this fleet (`Bool`). - - -`enable_vgpu` - (Optional) Enable NVIDIA vGPU hosted on VMware. See [Gpu Choice Enable Vgpu ](#gpu-choice-enable-vgpu) below for details. 
- - - - - - - - - -`inside_virtual_network` - (Optional) Default inside (site local) virtual network for the fleet. See [ref](#ref) below for details. - - - -`default_config` - (Optional) Use default configuration for interfaces belonging to this fleet (`Bool`). - - -`device_list` - (Optional) Add device for all interfaces belonging to this fleet. See [Interface Choice Device List ](#interface-choice-device-list) below for details. - - - - - - - - - - - - - - - - - - -`interface_list` - (Optional) Add all interfaces belonging to this fleet. See [Interface Choice Interface List ](#interface-choice-interface-list) below for details. - - - - - - - -`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. - - -`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). - - - - -`network_connectors` - (Optional) The network connectors configuration is applied on all sites that are member of the fleet.. See [ref](#ref) below for details. - - -`network_firewall` - (Optional) The Network Firewall is applied on Virtual Networks of type site local network and site local inside network. See [ref](#ref) below for details. - - -`operating_system_version` - (Optional) Current Operating System version can be overridden via site config. (`String`). - - - -`outside_virtual_network` - (Optional) Default outside (site local) virtual network for the fleet. See [ref](#ref) below for details. - - -`performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Performance Enhancement Mode ](#performance-enhancement-mode) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -`default_sriov_interface` - (Optional) Disable Single Root I/O Virtualization interfaces (`Bool`). - - -`sriov_interfaces` - (Optional) Use custom Single Root I/O Virtualization interfaces. See [Sriov Interface Choice Sriov Interfaces ](#sriov-interface-choice-sriov-interfaces) below for details. - - - - - - - - - - - - - -`default_storage_class` - (Optional) Use only default storage class in kubernetes (`Bool`). - - -`storage_class_list` - (Optional) Add additional custom storage classes in kubernetes for this fleet. See [Storage Class Choice Storage Class List ](#storage-class-choice-storage-class-list) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`no_storage_device` - (Optional) This fleet does not have any storage devices (`Bool`). - - -`storage_device_list` - (Optional) Add all storage devices belonging to this fleet. See [Storage Device Choice Storage Device List ](#storage-device-choice-storage-device-list) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + // One of the arguments from this list "disable_gpu enable_gpu enable_vgpu" must be set + disable_gpu = true + // One of the arguments from this list "default_config device_list interface_list" must be set + interface_list { + interfaces { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } + } + // One of the arguments from this list "log_receiver logs_streaming_disabled" must be set + logs_streaming_disabled = true + // One of the arguments from this list "default_sriov_interface sriov_interfaces" must be set + default_sriov_interface = true + // One of the arguments from this list "default_storage_class storage_class_list" must be set + default_storage_class = true + // One of the arguments from this list "no_storage_device storage_device_list" must be set + no_storage_device = true + // One of the arguments from this list "no_storage_interfaces storage_interface_list" must be set + no_storage_interfaces = true + // One of the arguments from this list "no_storage_static_routes storage_static_routes" must be set + no_storage_static_routes = true + // One of the arguments from this list "allow_all_usb deny_all_usb usb_policy" must be set + usb_policy { + name = "test1" + 
namespace = "staging" + tenant = "acmecorp" + } +} +``` +Argument Reference +------------------ +### Metadata Argument Reference +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`description` - (Optional) Human readable description for the object (`String`). - +`disable` - (Optional) A value of true will administratively disable the object (`Bool`). +`labels` - (Optional) by selector expression (`String`). +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +`namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - +### Spec Argument Reference +`blocked_services` - (Optional) Disable node local services on this site.. See [Blocked Services ](#blocked-services) below for details. - +###### One of the arguments from this list "bond_device_list, no_bond_devices" must be set +`bond_device_list` - (Optional) Configure Bond Devices for this fleet. See [Bond Choice Bond Device List ](#bond-choice-bond-device-list) below for details. +`no_bond_devices` - (Optional) No Bond Devices configured for this Fleet (`Bool`). +###### One of the arguments from this list "dc_cluster_group, dc_cluster_group_inside, no_dc_cluster_group" must be set +`dc_cluster_group` - (Optional) This fleet is member of dc cluster group via site local network. See [ref](#ref) below for details. +`dc_cluster_group_inside` - (Optional) This fleet is member of dc cluster group via site local inside network. See [ref](#ref) below for details. +`no_dc_cluster_group` - (Optional) This fleet is not a member of a DC cluster group (`Bool`). +`enable_default_fleet_config_download` - (Optional) Enable default fleet config, It must be set for storage config and gpu config (`Bool`). +`fleet_label` - (Required) fleet_label with "sfo" will create a known_label "ves.io/fleet=sfo" in tenant for the fleet (`String`). 
+###### One of the arguments from this list "disable_gpu, enable_gpu, enable_vgpu" must be set +`disable_gpu` - (Optional) GPU is not enabled for this fleet (`Bool`). +`enable_gpu` - (Optional) GPU is enabled for this fleet (`Bool`). +`enable_vgpu` - (Optional) Enable NVIDIA vGPU hosted on VMware. See [Gpu Choice Enable Vgpu ](#gpu-choice-enable-vgpu) below for details. +`inside_virtual_network` - (Optional) Default inside (site local) virtual network for the fleet. See [ref](#ref) below for details. +###### One of the arguments from this list "default_config, device_list, interface_list" must be set +`default_config` - (Optional) Use default configuration for interfaces belonging to this fleet (`Bool`). +`device_list` - (Optional) Add device for all interfaces belonging to this fleet. See [Interface Choice Device List ](#interface-choice-device-list) below for details. +`interface_list` - (Optional) Add all interfaces belonging to this fleet. See [Interface Choice Interface List ](#interface-choice-interface-list) below for details. +`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. +###### One of the arguments from this list "log_receiver, logs_streaming_disabled" must be set +`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. +`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). +`network_connectors` - (Optional) The network connectors configuration is applied on all sites that are member of the fleet.. See [ref](#ref) below for details. +`network_firewall` - (Optional) The Network Firewall is applied on Virtual Networks of type site local network and site local inside network. See [ref](#ref) below for details. +`operating_system_version` - (Optional) Current Operating System version can be overridden via site config. (`String`). 
+`outside_virtual_network` - (Optional) Default outside (site local) virtual network for the fleet. See [ref](#ref) below for details. +`performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Performance Enhancement Mode ](#performance-enhancement-mode) below for details. +###### One of the arguments from this list "default_sriov_interface, sriov_interfaces" must be set +`default_sriov_interface` - (Optional) Disable Single Root I/O Virtualization interfaces (`Bool`). +`sriov_interfaces` - (Optional) Use custom Single Root I/O Virtualization interfaces. See [Sriov Interface Choice Sriov Interfaces ](#sriov-interface-choice-sriov-interfaces) below for details. +###### One of the arguments from this list "default_storage_class, storage_class_list" must be set +`default_storage_class` - (Optional) Use only default storage class in kubernetes (`Bool`). +`storage_class_list` - (Optional) Add additional custom storage classes in kubernetes for this fleet. See [Storage Class Choice Storage Class List ](#storage-class-choice-storage-class-list) below for details. +###### One of the arguments from this list "no_storage_device, storage_device_list" must be set +`no_storage_device` - (Optional) This fleet does not have any storage devices (`Bool`). +`storage_device_list` - (Optional) Add all storage devices belonging to this fleet. See [Storage Device Choice Storage Device List ](#storage-device-choice-storage-device-list) below for details. +###### One of the arguments from this list "no_storage_interfaces, storage_interface_list" must be set `no_storage_interfaces` - (Optional) This fleet does not have any storage interfaces (`Bool`). - `storage_interface_list` - (Optional) Add all storage interfaces belonging to this fleet. See [Storage Interface Choice Storage Interface List ](#storage-interface-choice-storage-interface-list) below for details. 
- - - - - - +###### One of the arguments from this list "no_storage_static_routes, storage_static_routes" must be set `no_storage_static_routes` - (Optional) This fleet does not have any storage static routes (`Bool`). - `storage_static_routes` - (Optional) Add all storage storage static routes. See [Storage Static Routes Choice Storage Static Routes ](#storage-static-routes-choice-storage-static-routes) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +###### One of the arguments from this list "allow_all_usb, deny_all_usb, usb_policy" must be set `allow_all_usb` - (Optional) All USB devices are allowed (`Bool`). - `deny_all_usb` - (Optional) All USB devices are denied (`Bool`). - `usb_policy` - (Optional) Allow only specific USB devices. See [ref](#ref) below for details. - - - +###### One of the arguments from this list "disable_vm, enable_vm" can be set `disable_vm` - (Optional) VMs support is not enabled for this fleet (`Bool`). - `enable_vm` - (Optional) VMs support is enabled for this fleet. See [Vm Choice Enable Vm ](#vm-choice-enable-vm) below for details. - - - - - `volterra_software_version` - (Optional) Current software installed can be overridden via site config. (`String`). +### Blocked Services +Disable node local services on this site.. -### Blocked Services - - Disable node local services on this site.. - - - - -###### One of the arguments from this list "ssh, web_user_interface, dns" can be set +###### One of the arguments from this list "dns, ssh, web_user_interface" can be set `dns` - (Optional) Matches DNS port 53 (`Bool`). - `ssh` - (Optional) x-displayName: "SSH" (`Bool`). - `web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). - `network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). +### Kubernetes Upgrade Drain - -### Kubernetes Upgrade Drain - - Enable Kubernetes Drain during OS or SW upgrade. 
- - +Enable Kubernetes Drain during OS or SW upgrade. ###### One of the arguments from this list "disable_upgrade_drain, enable_upgrade_drain" must be set `disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). - `enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. +### Performance Enhancement Mode - - -### Performance Enhancement Mode - - Performance Enhancement Mode to optimize for L3 or L7 networking. - - +Performance Enhancement Mode to optimize for L3 or L7 networking. ###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set `perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - `perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). +### Api Token Blindfold Secret Info Internal - - -### Api Token Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -1162,11 +243,9 @@ resource "volterra_fleet" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Arrays Flash Array - -### Arrays Flash Array - - For FlashArrays you must set the "mgmt_endpoint" and "api_token". +For FlashArrays you must set the "mgmt_endpoint" and "api_token". `default_fs_opt` - (Optional) Block volume default mkfs options. Not recommended to change! (`String`). 
@@ -1182,11 +261,9 @@ resource "volterra_fleet" "example" { `san_type` - (Required) Block volume access protocol, either ISCSI or FC (`String`). +### Arrays Flash Blade - -### Arrays Flash Blade - - Specify what storage flash blades should be managed the plugin. +Specify what storage flash blades should be managed the plugin. `enable_snapshot_directory` - (Optional) Enable/Disable FlashBlade snapshots (`Bool`). @@ -1194,11 +271,9 @@ resource "volterra_fleet" "example" { `flash_blades` - (Required) For FlashBlades you must set the "mgmt_endpoint", "api_token" and nfs_endpoint. See [Flash Blade Flash Blades ](#flash-blade-flash-blades) below for details. +### Backend Choice Netapp Backend Ontap Nas - -### Backend Choice Netapp Backend Ontap Nas - - Backend configuration for ONTAP NAS. +Backend configuration for ONTAP NAS. `auto_export_cidrs` - (Optional) List of CIDRs to filter Kubernetes’ node IPs against when autoExportPolicy is enabled. See [Netapp Backend Ontap Nas Auto Export Cidrs ](#netapp-backend-ontap-nas-auto-export-cidrs) below for details. 
@@ -1210,33 +285,24 @@ resource "volterra_fleet" "example" { `client_private_key` - (Optional) Please Enter value of client private key. Used for certificate-based auth.. See [Netapp Backend Ontap Nas Client Private Key ](#netapp-backend-ontap-nas-client-private-key) below for details. - - - -###### One of the arguments from this list "data_lif_ip, data_lif_dns_name" can be set +###### One of the arguments from this list "data_lif_dns_name, data_lif_ip" can be set `data_lif_dns_name` - (Optional) Backend Data LIF IP Address's ip address is discovered using DNS name resolution. The name given here is fully qualified domain name. (`String`). - `data_lif_ip` - (Optional) Backend Data LIF IP Address is reachable at the given ip address (`String`). - `labels` - (Optional) List of labels for Storage Device used in NetApp ONTAP. It is used for storage class selection. (`String`). `limit_aggregate_usage` - (Optional) Fail provisioning if usage is above this percentage. Not enforced by default. (`String`). `limit_volume_size` - (Optional) Fail provisioning if requested volume size is above this value. Not enforced by default. (`String`). - - -###### One of the arguments from this list "management_lif_ip, management_lif_dns_name" must be set +###### One of the arguments from this list "management_lif_dns_name, management_lif_ip" must be set `management_lif_dns_name` - (Optional) Backend Management LIF IP Address's ip address is discovered using DNS name resolution. The name given here is fully qualified domain name. (`String`). - `management_lif_ip` - (Optional) Backend Management LIF IP Address is reachable at the given ip address (`String`). - `nfs_mount_options` - (Optional) Comma-separated list of NFS mount options. Not enforced by default. (`String`). `password` - (Optional) Please Enter you password. Password to connect to the cluster/SVM. See [Netapp Backend Ontap Nas Password ](#netapp-backend-ontap-nas-password) below for details. 
@@ -1257,38 +323,26 @@ resource "volterra_fleet" "example" { `volume_defaults` - (Optional) List of QoS volume defaults types. See [Netapp Backend Ontap Nas Volume Defaults ](#netapp-backend-ontap-nas-volume-defaults) below for details. +### Backend Choice Netapp Backend Ontap San - -### Backend Choice Netapp Backend Ontap San - - Backend configuration for ONTAP SAN. - - - +Backend configuration for ONTAP SAN. ###### One of the arguments from this list "no_chap, use_chap" can be set `no_chap` - (Optional) CHAP disabled (`Bool`). - `use_chap` - (Optional) Device NetApp Backend ONTAP SAN CHAP configuration options for enabled CHAP. See [Chap Choice Use Chap ](#chap-choice-use-chap) below for details. - `client_certificate` - (Optional) Please Enter Base64-encoded value of client certificate. Used for certificate-based auth. (`String`). `client_private_key` - (Optional) Please Enter value of client private key. Used for certificate-based auth.. See [Netapp Backend Ontap San Client Private Key ](#netapp-backend-ontap-san-client-private-key) below for details. - - - -###### One of the arguments from this list "data_lif_ip, data_lif_dns_name" can be set +###### One of the arguments from this list "data_lif_dns_name, data_lif_ip" can be set `data_lif_dns_name` - (Optional) Backend Data LIF IP Address's ip address is discovered using DNS name resolution. The name given here is fully qualified domain name. (`String`). - `data_lif_ip` - (Optional) Backend Data LIF IP Address is reachable at the given ip address (`String`). - `igroup_name` - (Optional) Name of the igroup for SAN volumes to use (`String`). `labels` - (Optional) List of labels for Storage Device used in NetApp ONTAP. It is used for storage class selection. (`String`). 
@@ -1297,16 +351,12 @@ resource "volterra_fleet" "example" { `limit_volume_size` - (Optional) Fail provisioning if requested volume size in GBi is above this value. Not enforced by default. (`Int`). - - -###### One of the arguments from this list "management_lif_ip, management_lif_dns_name" must be set +###### One of the arguments from this list "management_lif_dns_name, management_lif_ip" must be set `management_lif_dns_name` - (Optional) Backend Management LIF IP Address's ip address is discovered using DNS name resolution. The name given here is fully qualified domain name. (`String`). - `management_lif_ip` - (Optional) Backend Management LIF IP Address is reachable at the given ip address (`String`). - `password` - (Optional) Please Enter you password. Password to connect to the cluster/SVM. See [Netapp Backend Ontap San Password ](#netapp-backend-ontap-san-password) below for details. `region` - (Optional) Virtual Pool Region (`String`). 
@@ -1325,67 +375,49 @@ resource "volterra_fleet" "example" { `volume_defaults` - (Optional) List of QoS volume defaults types. See [Netapp Backend Ontap San Volume Defaults ](#netapp-backend-ontap-san-volume-defaults) below for details. +### Blocked Services Value Type Choice Dns +Matches DNS port 53. -### Blocked Services Value Type Choice Dns - - Matches DNS port 53. - - +### Blocked Services Value Type Choice Ssh -### Blocked Services Value Type Choice Ssh +x-displayName: "SSH". - x-displayName: "SSH". +### Blocked Services Value Type Choice Web User Interface +x-displayName: "Web UI". +### Bond Choice Bond Device List -### Blocked Services Value Type Choice Web User Interface - - x-displayName: "Web UI". - - - -### Bond Choice Bond Device List - - Configure Bond Devices for this fleet. +Configure Bond Devices for this fleet. `bond_devices` - (Required) List of bond devices. See [Bond Device List Bond Devices ](#bond-device-list-bond-devices) below for details. +### Bond Device List Bond Devices - -### Bond Device List Bond Devices - - List of bond devices. +List of bond devices. `devices` - (Required) Ethernet devices that will make up this bond (`String`). - - -###### One of the arguments from this list "lacp, active_backup" must be set +###### One of the arguments from this list "active_backup, lacp" must be set `active_backup` - (Optional) Configure active/backup based bond device (`Bool`). - `lacp` - (Optional) Configure LACP (802.3ad) based bond device. See [Lacp Choice Lacp ](#lacp-choice-lacp) below for details. - `link_polling_interval` - (Required) Link polling interval in milliseconds (`Int`). `link_up_delay` - (Required) Milliseconds wait before link is declared up (`Int`). `name` - (Required) Name for the Bond. Ex 'bond0' (`String`). +### Chap Choice No Chap +CHAP disabled. -### Chap Choice No Chap - - CHAP disabled. 
+### Chap Choice Use Chap - - -### Chap Choice Use Chap - - Device NetApp Backend ONTAP SAN CHAP configuration options for enabled CHAP. +Device NetApp Backend ONTAP SAN CHAP configuration options for enabled CHAP. `chap_initiator_secret` - (Optional) CHAP initiator secret. Required if useCHAP=true. See [Use Chap Chap Initiator Secret ](#use-chap-chap-initiator-secret) below for details. @@ -1395,11 +427,9 @@ resource "volterra_fleet" "example" { `chap_username` - (Optional) Inbound username. Required if useCHAP=true (`String`). +### Chap Initiator Secret Blindfold Secret Info Internal - -### Chap Initiator Secret Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -1407,11 +437,9 @@ resource "volterra_fleet" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Chap Target Initiator Secret Blindfold Secret Info Internal - -### Chap Target Initiator Secret Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -1419,11 +447,9 @@ resource "volterra_fleet" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Client Private Key Blindfold Secret Info Internal - -### Client Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -1431,25 +457,19 @@ resource "volterra_fleet" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Device Choice Custom Storage +Device configuration for Custom Storage. -### Device Choice Custom Storage - - Device configuration for Custom Storage. - - +### Device Choice Custom Storage -### Device Choice Custom Storage - - Storage configuration for Custom Storage. +Storage configuration for Custom Storage. `yaml` - (Optional) K8s YAML for StorageClass (`String`). +### Device Choice Hpe Storage - -### Device Choice Hpe Storage - - Storage configuration for HPE Storage. +Storage configuration for HPE Storage. `allow_mutations` - (Optional) mutation can override specified parameters (`String`). @@ -1483,11 +503,9 @@ resource "volterra_fleet" "example" { `thick` - (Optional) Indicates that the volume should be thick provisioned. (`Bool`). +### Device Choice Hpe Storage - -### Device Choice Hpe Storage - - Device configuration for HPE Storage. +Device configuration for HPE Storage. `api_server_port` - (Optional) Enter Storage Server Port (`Int`). 
@@ -1505,39 +523,29 @@ resource "volterra_fleet" "example" { `storage_server_name` - (Optional) Enter storage server Name (`String`). -`username` - (Required) Username to connect to the HPE storage management IP (`String`). - - +`username` - (Required) Username to connect to the HPE storage management IP (`String`). -### Device Choice Netapp Trident +### Device Choice Netapp Trident - Storage class Device configuration for NetApp Trident. +Storage class Device configuration for NetApp Trident. `selector` - (Optional) The volume will have the aspects defined in the chosen virtual pool. (`String`). `storage_pools` - (Optional) The storagePools parameter is used to further restrict the set of pools that match any specified attributes (`String`). +### Device Choice Netapp Trident - -### Device Choice Netapp Trident - - Device configuration for NetApp Trident. - - +Device configuration for NetApp Trident. ###### One of the arguments from this list "netapp_backend_ontap_nas, netapp_backend_ontap_san" must be set `netapp_backend_ontap_nas` - (Optional) Backend configuration for ONTAP NAS. See [Backend Choice Netapp Backend Ontap Nas ](#backend-choice-netapp-backend-ontap-nas) below for details. - `netapp_backend_ontap_san` - (Optional) Backend configuration for ONTAP SAN. See [Backend Choice Netapp Backend Ontap San ](#backend-choice-netapp-backend-ontap-san) below for details. +### Device Choice Pure Service Orchestrator - - -### Device Choice Pure Service Orchestrator - - Storage class Device configuration for Pure Service Orchestrator. +Storage class Device configuration for Pure Service Orchestrator. `backend` - (Optional) The volume will have the aspects defined in the chosen virtual pool. (`String`). 
@@ -1545,11 +553,9 @@ resource "volterra_fleet" "example" { `iops_limit` - (Optional) Enable IOPS limitation. It must be between 100 and 100 million. If value is 0, IOPS limit is not defined. (`Int`). +### Device Choice Pure Service Orchestrator - -### Device Choice Pure Service Orchestrator - - Device configuration for Pure Storage Service Orchestrator. +Device configuration for Pure Storage Service Orchestrator. `arrays` - (Required) This section configure PSO storage arrays. See [Pure Service Orchestrator Arrays ](#pure-service-orchestrator-arrays) below for details. 
@@ -1559,140 +565,99 @@ resource "volterra_fleet" "example" { `enable_strict_topology` - (Optional) This option is to enable/disable the strict csi topology feature for pso-csi (`Bool`). +### Device Instance Network Device - -### Device Instance Network Device - - Device instance is a networking device like ethernet. +Device instance is a networking device like ethernet. `interface` - (Required) if use is NETWORK_INTERFACE_USE_INSIDE, the virtual-network must of type VIRTUAL_NETWORK_SITE_LOCAL_INSIDE. See [ref](#ref) below for details. `use` - (Required) Specifies if the network interface is connected to inside network or outside network. (`String`). +### Device List Devices - -### Device List Devices - - device instance specific sections. - - +device instance specific sections. ###### One of the arguments from this list "network_device" must be set `network_device` - (Optional) Device instance is a networking device like ethernet. See [Device Instance Network Device ](#device-instance-network-device) below for details. - `name` - (Optional) Name of the device including the unit number (e.g. eth0 or disk1). The name must match name of device in host-os of node (`String`). -`owner` - (Required) This option is not yet supported (`String`). - - +`owner` - (Required) This option is not yet supported (`String`). -### Flash Array Flash Arrays +### Flash Array Flash Arrays - For FlashArrays you must set the "mgmt_endpoint" and "api_token". +For FlashArrays you must set the "mgmt_endpoint" and "api_token". `api_token` - (Optional) Please Enter API TOken. Token to connect to management interface. See [Flash Arrays Api Token ](#flash-arrays-api-token) below for details. `labels` - (Optional) The labels are optional, and can be any key-value pair for use with the PSO "fleet" provisioner. (`String`). 
- - -###### One of the arguments from this list "mgmt_ip, mgmt_dns_name" must be set +###### One of the arguments from this list "mgmt_dns_name, mgmt_ip" must be set `mgmt_dns_name` - (Optional) Management Endpoint's ip address is discovered using DNS name resolution. The name given here is fully qualified domain name. (`String`). - `mgmt_ip` - (Optional) Management Endpoint is reachable at the given ip address (`String`). +### Flash Arrays Api Token - - -### Flash Arrays Api Token - - Please Enter API TOken. Token to connect to management interface. +Please Enter API TOken. Token to connect to management interface. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Api Token Blindfold Secret Info Internal ](#api-token-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Flash Blade Flash Blades - - -### Flash Blade Flash Blades - - For FlashBlades you must set the "mgmt_endpoint", "api_token" and nfs_endpoint. +For FlashBlades you must set the "mgmt_endpoint", "api_token" and nfs_endpoint. `api_token` - (Optional) Please Enter API TOken. Token to connect to management interface. See [Flash Blades Api Token ](#flash-blades-api-token) below for details. `lables` - (Optional) The labels are optional, and can be any key-value pair for use with the PSO "fleet" provisioner. (`String`). - - -###### One of the arguments from this list "mgmt_ip, mgmt_dns_name" must be set +###### One of the arguments from this list "mgmt_dns_name, mgmt_ip" must be set `mgmt_dns_name` - (Optional) Management Endpoint's ip address is discovered using DNS name resolution. The name given here is fully qualified domain name. (`String`). - `mgmt_ip` - (Optional) Management Endpoint is reachable at the given ip address (`String`). - - - -###### One of the arguments from this list "nfs_endpoint_ip, nfs_endpoint_dns_name" must be set +###### One of the arguments from this list "nfs_endpoint_dns_name, nfs_endpoint_ip" must be set `nfs_endpoint_dns_name` - (Optional) Endpoint's ip address is discovered using DNS name resolution. The name given here is fully qualified domain name. (`String`). - `nfs_endpoint_ip` - (Optional) Endpoint is reachable at the given ip address (`String`). +### Flash Blades Api Token - - -### Flash Blades Api Token - - Please Enter API TOken. Token to connect to management interface. +Please Enter API TOken. Token to connect to management interface. 
`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Api Token Blindfold Secret Info Internal ](#api-token-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Gpu Choice Enable Vgpu - - -### Gpu Choice Enable Vgpu - - Enable NVIDIA vGPU hosted on VMware. +Enable NVIDIA vGPU hosted on VMware. `feature_type` - (Required) Set Feature to be enabled (`String`). 
@@ -1700,79 +665,57 @@ resource "volterra_fleet" "example" { `server_port` - (Optional) Set License Server port number (`Int`). +### Hpe Storage Iscsi Chap Password - -### Hpe Storage Iscsi Chap Password - - chap Password to connect to the HPE storage. +chap Password to connect to the HPE storage. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Iscsi Chap Password Blindfold Secret Info Internal ](#iscsi-chap-password-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Hpe Storage Password - - -### Hpe Storage Password - - Please Enter you password.. +Please Enter you password.. 
`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Interface Choice Device List - - -### Interface Choice Device List - - Add device for all interfaces belonging to this fleet. +Add device for all interfaces belonging to this fleet. `devices` - (Optional) device instance specific sections. See [Device List Devices ](#device-list-devices) below for details. +### Interface Choice Interface List - -### Interface Choice Interface List - - Add all interfaces belonging to this fleet. +Add all interfaces belonging to this fleet. 
`interfaces` - (Required) Add all interfaces belonging to this fleet. See [ref](#ref) below for details. +### Iscsi Chap Password Blindfold Secret Info Internal - -### Iscsi Chap Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -1780,121 +723,85 @@ resource "volterra_fleet" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain +x-displayName: "Disable Node by Node Upgrade". -### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain - - x-displayName: "Disable Node by Node Upgrade". - - - -### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain - - x-displayName: "Enable Node by Node Upgrade". - +### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain +x-displayName: "Enable Node by Node Upgrade". ###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set `drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). - `drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) - `drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). - - ###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set `disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) - `enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) +### Lacp Choice Active Backup +Configure active/backup based bond device. +### Lacp Choice Lacp -### Lacp Choice Active Backup - - Configure active/backup based bond device. - - - -### Lacp Choice Lacp - - Configure LACP (802.3ad) based bond device. +Configure LACP (802.3ad) based bond device. `rate` - (Optional) Interval in seconds to transmit LACP packets (`Int`). 
+### Netapp Backend Ontap Nas Auto Export Cidrs - -### Netapp Backend Ontap Nas Auto Export Cidrs - - List of CIDRs to filter Kubernetes’ node IPs against when autoExportPolicy is enabled. +List of CIDRs to filter Kubernetes’ node IPs against when autoExportPolicy is enabled. `ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). `prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). +### Netapp Backend Ontap Nas Client Private Key - -### Netapp Backend Ontap Nas Client Private Key - - Please Enter value of client private key. Used for certificate-based auth.. +Please Enter value of client private key. Used for certificate-based auth.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Client Private Key Blindfold Secret Info Internal ](#client-private-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "vault_secret_info, clear_secret_info, wingman_secret_info, blindfold_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Netapp Backend Ontap Nas Password - - -### Netapp Backend Ontap Nas Password - - Please Enter you password. Password to connect to the cluster/SVM. +Please Enter you password. Password to connect to the cluster/SVM. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Netapp Backend Ontap Nas Storage - - -### Netapp Backend Ontap Nas Storage - - List of Virtual Storage Pool definitions which are referred back by Storage Class label match selection.. +List of Virtual Storage Pool definitions which are referred back by Storage Class label match selection.. `labels` - (Optional) List of labels for Storage Device used in NetApp ONTAP. It is used for storage class label match selection. (`String`). @@ -1902,29 +809,22 @@ resource "volterra_fleet" "example" { `zone` - (Optional) Virtual Storage Pool zone definition. (`String`). +### Netapp Backend Ontap Nas Volume Defaults - -### Netapp Backend Ontap Nas Volume Defaults - - List of QoS volume defaults types. +List of QoS volume defaults types. `encryption` - (Optional) Enable NetApp volume encryption. (`Bool`). `export_policy` - (Optional) Export policy to use. (`String`). - - -###### One of the arguments from this list "no_qos, qos_policy, adaptive_qos_policy" must be set +###### One of the arguments from this list "adaptive_qos_policy, no_qos, qos_policy" must be set `adaptive_qos_policy` - (Optional) Enter Adaptive QoS Policy Name (`String`). - `no_qos` - (Optional) No QoS configured (`Bool`). - `qos_policy` - (Optional) Enter QoS Policy Name (`String`). - `security_style` - (Optional) Security style for new volumes. (`String`). `snapshot_dir` - (Optional) Access to the .snapshot directory. (`Bool`). 
@@ -1941,63 +841,45 @@ resource "volterra_fleet" "example" { `unix_permissions` - (Optional) Unix permission mode for new volumes. All allowed 777 (`Int`). +### Netapp Backend Ontap San Client Private Key - -### Netapp Backend Ontap San Client Private Key - - Please Enter value of client private key. Used for certificate-based auth.. +Please Enter value of client private key. Used for certificate-based auth.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Client Private Key Blindfold Secret Info Internal ](#client-private-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Netapp Backend Ontap San Password - - -### Netapp Backend Ontap San Password - - Please Enter you password. Password to connect to the cluster/SVM. +Please Enter you password. Password to connect to the cluster/SVM. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "clear_secret_info, wingman_secret_info, blindfold_secret_info, vault_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Netapp Backend Ontap San Storage - - -### Netapp Backend Ontap San Storage - - List of Virtual Storage Pool definitions which are referred back by Storage Class label match selection.. +List of Virtual Storage Pool definitions which are referred back by Storage Class label match selection.. `labels` - (Optional) List of labels for Storage Device used in NetApp ONTAP. It is used for storage class label match selection. (`String`). @@ -2005,29 +887,22 @@ resource "volterra_fleet" "example" { `zone` - (Optional) Virtual Storage Pool zone definition. (`String`). +### Netapp Backend Ontap San Volume Defaults - -### Netapp Backend Ontap San Volume Defaults - - List of QoS volume defaults types. +List of QoS volume defaults types. `encryption` - (Optional) Enable NetApp volume encryption. (`Bool`). `export_policy` - (Optional) Export policy to use. (`String`). - - -###### One of the arguments from this list "no_qos, qos_policy, adaptive_qos_policy" must be set +###### One of the arguments from this list "adaptive_qos_policy, no_qos, qos_policy" must be set `adaptive_qos_policy` - (Optional) Enter Adaptive QoS Policy Name (`String`). - `no_qos` - (Optional) No QoS configured (`Bool`). - `qos_policy` - (Optional) Enter QoS Policy Name (`String`). - `security_style` - (Optional) Security style for new volumes. (`String`). `snapshot_dir` - (Optional) Access to the .snapshot directory. (`Bool`). 
@@ -2044,28 +919,19 @@ resource "volterra_fleet" "example" { `unix_permissions` - (Optional) Unix permission mode for new volumes. All allowed 777 (`Int`). +### Nexthop Nexthop Address - -### Nexthop Nexthop Address - - Nexthop address when type is "Use-Configured". - - - +Nexthop address when type is "Use-Configured". ###### One of the arguments from this list "ipv4, ipv6" can be set `ipv4` - (Optional) IPv4 Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - `ipv6` - (Optional) IPv6 Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Password Blindfold Secret Info Internal - - -### Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -2073,60 +939,41 @@ resource "volterra_fleet" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Perf Mode Choice Jumbo +x-displayName: "Enabled". -### Perf Mode Choice Jumbo - - x-displayName: "Enabled". +### Perf Mode Choice No Jumbo +x-displayName: "Disabled". +### Perf Mode Choice Perf Mode L3 Enhanced -### Perf Mode Choice No Jumbo +Site optimized for L3 traffic processing. - x-displayName: "Disabled". - - - -### Perf Mode Choice Perf Mode L3 Enhanced - - Site optimized for L3 traffic processing. - - - -###### One of the arguments from this list "no_jumbo, jumbo" must be set +###### One of the arguments from this list "jumbo, no_jumbo" must be set `jumbo` - (Optional) x-displayName: "Enabled" (`Bool`). - `no_jumbo` - (Optional) x-displayName: "Disabled" (`Bool`). +### Perf Mode Choice Perf Mode L7 Enhanced +Site optimized for L7 traffic processing. +### Pure Service Orchestrator Arrays -### Perf Mode Choice Perf Mode L7 Enhanced - - Site optimized for L7 traffic processing. - - - -### Pure Service Orchestrator Arrays - - This section configure PSO storage arrays. +This section configure PSO storage arrays. `flash_array` - (Optional) For FlashArrays you must set the "mgmt_endpoint" and "api_token". See [Arrays Flash Array ](#arrays-flash-array) below for details. `flash_blade` - (Optional) Specify what storage flash blades should be managed the plugin. See [Arrays Flash Blade ](#arrays-flash-blade) below for details. +### Qos Policy Choice No Qos +No QoS configured. -### Qos Policy Choice No Qos - - No QoS configured. - - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -2136,11 +983,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -2148,21 +993,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -2174,27 +1015,21 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Sriov Interface Choice Sriov Interfaces - -### Sriov Interface Choice Sriov Interfaces - - Use custom Single Root I/O Virtualization interfaces. +Use custom Single Root I/O Virtualization interfaces. `sriov_interface` - (Optional) Use custom SR-IOV interfaces Configuration. See [Sriov Interfaces Sriov Interface ](#sriov-interfaces-sriov-interface) below for details. +### Sriov Interfaces Sriov Interface - -### Sriov Interfaces Sriov Interface - - Use custom SR-IOV interfaces Configuration. +Use custom SR-IOV interfaces Configuration. `interface_name` - (Required) Name of SR-IOV physical interface (`String`). 
@@ -2202,29 +1037,22 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `number_of_vfs` - (Required) Total number of virtual functions (`Int`). +### Storage Volume Defaults - -### Storage Volume Defaults - - List of QoS volume default types. +List of QoS volume default types. `encryption` - (Optional) Enable NetApp volume encryption. (`Bool`). `export_policy` - (Optional) Export policy to use. (`String`). - - -###### One of the arguments from this list "no_qos, qos_policy, adaptive_qos_policy" must be set +###### One of the arguments from this list "adaptive_qos_policy, no_qos, qos_policy" must be set `adaptive_qos_policy` - (Optional) Enter Adaptive QoS Policy Name (`String`). - `no_qos` - (Optional) No QoS configured (`Bool`). - `qos_policy` - (Optional) Enter QoS Policy Name (`String`). - `security_style` - (Optional) Security style for new volumes. (`String`). `snapshot_dir` - (Optional) Access to the .snapshot directory. (`Bool`). @@ -2241,19 +1069,15 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `unix_permissions` - (Optional) Unix permission mode for new volumes. All allowed 777 (`Int`). +### Storage Class Choice Storage Class List - -### Storage Class Choice Storage Class List - - Add additional custom storage classes in kubernetes for this fleet. +Add additional custom storage classes in kubernetes for this fleet. `storage_classes` - (Optional) List of custom storage classes. See [Storage Class List Storage Classes ](#storage-class-list-storage-classes) below for details. +### Storage Class List Storage Classes - -### Storage Class List Storage Classes - - List of custom storage classes. +List of custom storage classes. `advanced_storage_parameters` - (Optional) Map of parameter name and string value (`String`). 
@@ -2263,75 +1087,55 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `description` - (Optional) Description for this storage class (`String`). - - -###### One of the arguments from this list "netapp_trident, pure_service_orchestrator, custom_storage, hpe_storage" must be set +###### One of the arguments from this list "custom_storage, hpe_storage, netapp_trident, pure_service_orchestrator" must be set `custom_storage` - (Optional) Storage configuration for Custom Storage. See [Device Choice Custom Storage ](#device-choice-custom-storage) below for details. - `hpe_storage` - (Optional) Storage configuration for HPE Storage. See [Device Choice Hpe Storage ](#device-choice-hpe-storage) below for details. - `netapp_trident` - (Optional) Storage class Device configuration for NetApp Trident. See [Device Choice Netapp Trident ](#device-choice-netapp-trident) below for details. - `pure_service_orchestrator` - (Optional) Storage class Device configuration for Pure Service Orchestrator. See [Device Choice Pure Service Orchestrator ](#device-choice-pure-service-orchestrator) below for details. - `reclaim_policy` - (Optional) Reclaim Policy (`String`). `storage_class_name` - (Required) Name of the storage class as it will appear in K8s. (`String`). `storage_device` - (Required) Storage device that this class will use. The Device name defined at previous step. (`String`). +### Storage Device Choice Storage Device List - -### Storage Device Choice Storage Device List - - Add all storage devices belonging to this fleet. +Add all storage devices belonging to this fleet. `storage_devices` - (Optional) List of custom storage devices. See [Storage Device List Storage Devices ](#storage-device-list-storage-devices) below for details. +### Storage Device List Storage Devices - -### Storage Device List Storage Devices - - List of custom storage devices. +List of custom storage devices. 
`advanced_advanced_parameters` - (Optional) Map of parameter name and string value (`String`). - - -###### One of the arguments from this list "netapp_trident, pure_service_orchestrator, custom_storage, hpe_storage" must be set +###### One of the arguments from this list "custom_storage, hpe_storage, netapp_trident, pure_service_orchestrator" must be set `custom_storage` - (Optional) Device configuration for Custom Storage (`Bool`). - `hpe_storage` - (Optional) Device configuration for HPE Storage. See [Device Choice Hpe Storage ](#device-choice-hpe-storage) below for details. - `netapp_trident` - (Optional) Device configuration for NetApp Trident. See [Device Choice Netapp Trident ](#device-choice-netapp-trident) below for details. - `pure_service_orchestrator` - (Optional) Device configuration for Pure Storage Service Orchestrator. See [Device Choice Pure Service Orchestrator ](#device-choice-pure-service-orchestrator) below for details. - `storage_device` - (Required) Storage device and device unit (`String`). +### Storage Interface Choice Storage Interface List - -### Storage Interface Choice Storage Interface List - - Add all storage interfaces belonging to this fleet. +Add all storage interfaces belonging to this fleet. `interfaces` - (Required) Add all interfaces belonging to this fleet. See [ref](#ref) below for details. +### Storage Routes Nexthop - -### Storage Routes Nexthop - - Nexthop for the route. +Nexthop for the route. `interface` - (Optional) Nexthop is network interface when type is "Network-Interface". See [ref](#ref) below for details. 
@@ -2339,27 +1143,19 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `type` - (Optional) Identifies the type of next-hop (`String`). +### Storage Routes Subnets - -### Storage Routes Subnets - - List of route prefixes. - - +List of route prefixes. ###### One of the arguments from this list "ipv4, ipv6" must be set `ipv4` - (Optional) IPv4 Subnet Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - `ipv6` - (Optional) IPv6 Subnet Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Storage Static Routes Storage Routes - - -### Storage Static Routes Storage Routes - - List of storage static routes. +List of storage static routes. `attrs` - (Optional) List of route attributes associated with the static route (`List of Strings`). 
@@ -2369,123 +1165,89 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `subnets` - (Required) List of route prefixes. See [Storage Routes Subnets ](#storage-routes-subnets) below for details. +### Storage Static Routes Choice Storage Static Routes - -### Storage Static Routes Choice Storage Static Routes - - Add all storage storage static routes. +Add all storage storage static routes. `storage_routes` - (Required) List of storage static routes. See [Storage Static Routes Storage Routes ](#storage-static-routes-storage-routes) below for details. +### Use Chap Chap Initiator Secret - -### Use Chap Chap Initiator Secret - - CHAP initiator secret. Required if useCHAP=true. +CHAP initiator secret. Required if useCHAP=true. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Chap Initiator Secret Blindfold Secret Info Internal ](#chap-initiator-secret-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Use Chap Chap Target Initiator Secret - - -### Use Chap Chap Target Initiator Secret - - CHAP target initiator secret. Required if useCHAP=true. +CHAP target initiator secret. Required if useCHAP=true. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Chap Target Initiator Secret Blindfold Secret Info Internal ](#chap-target-initiator-secret-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode +Disable Vega Upgrade Mode. +### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode -### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode - - Disable Vega Upgrade Mode. - +When enabled, vega will inform RE to stop traffic to the specific node.. +### Ver Ipv4 -### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode - - When enabled, vega will inform RE to stop traffic to the specific node.. - - - -### Ver Ipv4 - - IPv4 Address. +IPv4 Address. `addr` - (Optional) IPv4 Address in string form with dot-decimal notation (`String`). +### Ver Ipv4 - -### Ver Ipv4 - - IPv4 Subnet Address. +IPv4 Subnet Address. `plen` - (Optional) Prefix-length of the IPv4 subnet. Must be <= 32 (`Int`). `prefix` - (Optional) Prefix part of the IPv4 subnet in string form with dot-decimal notation (`String`). +### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Address. +IPv6 Address. `addr` - (Optional) e.g. '2001:db8:0:0:0:0:2:1' becomes '2001:db8::2:1' or '2001:db8:0:0:0:2:0:0' becomes '2001:db8::2::' (`String`). +### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Subnet Address. +IPv6 Subnet Address. `plen` - (Optional) Prefix length of the IPv6 subnet. Must be <= 128 (`Int`). `prefix` - (Optional) e.g. "2001:db8::2::" (`String`). +### Vm Choice Enable Vm +VMs support is enabled for this fleet. -### Vm Choice Enable Vm - - VMs support is enabled for this fleet. - - - -## Attribute Reference - -* `id` - This is the id of the configured fleet. +Attribute Reference +------------------- +- `id` - This is the id of the configured fleet. diff --git a/docs/resources/volterra_forward_proxy_policy.md b/docs/resources/volterra_forward_proxy_policy.md index a961d1d0d..aa2cf1089 100644 --- a/docs/resources/volterra_forward_proxy_policy.md +++ b/docs/resources/volterra_forward_proxy_policy.md 
@@ -1,671 +1,296 @@ - - - - - - - - - - - - --- + page_title: "Volterra: forward_proxy_policy" -description: "The forward_proxy_policy allows CRUD of Forward Proxy Policy resource on Volterra SaaS" +description: "The forward_proxy_policy allows CRUD of Forward Proxy Policy resource on Volterra SaaS" + --- -# Resource volterra_forward_proxy_policy -The Forward Proxy Policy allows CRUD of Forward Proxy Policy resource on Volterra SaaS +Resource volterra_forward_proxy_policy +====================================== -~> **Note:** Please refer to [Forward Proxy Policy API docs](https://docs.cloud.f5.com/docs-v2/api/views-forward-proxy-policy) to learn more +The Forward Proxy Policy allows CRUD of Forward Proxy Policy resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Forward Proxy Policy API docs](https://docs.cloud.f5.com/docs-v2/api/views-forward-proxy-policy) to learn more + +Example Usage +------------- ```hcl resource "volterra_forward_proxy_policy" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "drp_http_connect any_proxy network_connector proxy_label_selector" must be set + // One of the arguments from this list "any_proxy drp_http_connect network_connector proxy_label_selector" must be set any_proxy = true - // One of the arguments from this list "deny_list rule_list allow_all allow_list" must be set + // One of the arguments from this list "allow_all allow_list deny_list rule_list" must be set allow_all = true } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). 
- `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "any_proxy, drp_http_connect, network_connector, proxy_label_selector" must be set `any_proxy` - (Optional) This policy is applied to all forward proxies on this site, and not drp/http-connect proxies (`Bool`). - `drp_http_connect` - (Optional) This policy is applied to attached DRP/HTTP-Connect Proxy (applicable only in App namespace) (`Bool`). - `network_connector` - (Optional) Proxy for given network connector. See [ref](#ref) below for details. - `proxy_label_selector` - (Optional) Proxy for Network Connector or HTTP connect proxy selected by Label selector. See [Proxy Choice Proxy Label Selector ](#proxy-choice-proxy-label-selector) below for details. - - - - - - +###### One of the arguments from this list "allow_all, allow_list, deny_list, rule_list" must be set `allow_all` - (Optional) Allow all connections through this forward proxy (`Bool`). - `allow_list` - (Optional) List of allowed connections. See [Rule Choice Allow List ](#rule-choice-allow-list) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `deny_list` - (Optional) List of denied connections. See [Rule Choice Deny List ](#rule-choice-deny-list) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `rule_list` - (Optional) List of custom rules. See [Rule Choice Rule List ](#rule-choice-rule-list) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `segment_policy` - (Optional) Skip the configuration or set option as Any to ignore corresponding segment match. See [Segment Policy ](#segment-policy) below for details. +### Segment Policy +Skip the configuration or set option as Any to ignore corresponding segment match. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Segment Policy - - Skip the configuration or set option as Any to ignore corresponding segment match. - - - - -###### One of the arguments from this list "dst_any, intra_segment, dst_segments" can be set +###### One of the arguments from this list "dst_any, dst_segments, intra_segment" can be set `dst_any` - (Optional) Traffic is not matched against any segment (`Bool`). - `dst_segments` - (Optional) Traffic is matched against destination segment in selected segments. See [Dst Segment Choice Dst Segments ](#dst-segment-choice-dst-segments) below for details. - `intra_segment` - (Optional) Traffic is matched for source and destination on the same segment (`Bool`). - - - - -###### One of the arguments from this list "src_segments, src_any" can be set +###### One of the arguments from this list "src_any, src_segments" can be set `src_any` - (Optional) Traffic is not matched against any segment (`Bool`). - `src_segments` - (Optional) Source traffic is matched against selected segments. See [Src Segment Choice Src Segments ](#src-segment-choice-src-segments) below for details. +### Allow List Dest List +L4 destinations for non-HTTP and non-TLS connections and TLS connections without SNI. - -### Allow List Dest List - - L4 destinations for non-HTTP and non-TLS connections and TLS connections without SNI. +`ipv6_prefixes` - (Optional) Destination IPv6 prefixes. (`String`). 
`port_ranges` - (Required) Each port range consists of a single port or two ports separated by "-". (`String`). -`prefixes` - (Required) Destination IPv4 prefixes. (`String`). - +`prefixes` - (Optional) Destination IPv4 prefixes. (`String`). +### Allow List Http List -### Allow List Http List +URLs for HTTP connections. - URLs for HTTP connections. - - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set `exact_value` - (Optional) Exact domain name (`String`). - `regex_value` - (Optional) Regular Expression value for the domain name (`String`). - `suffix_value` - (Optional) Suffix of domain names e.g "xyz.com" will match "*.xyz.com" (`String`). - - - -###### One of the arguments from this list "path_regex_value, any_path, path_exact_value, path_prefix_value" must be set +###### One of the arguments from this list "any_path, path_exact_value, path_prefix_value, path_regex_value" must be set `any_path` - (Optional) All paths are considered match (`Bool`). - `path_exact_value` - (Optional) Exact Path to match. (`String`). - -`path_prefix_value` - (Optional) Prefix of Path e.g "/abc/xyz" will match "/abc/xyz/.*" (`String`). - +`path_prefix_value` - (Optional) Prefix of Path e.g "/abc/xyz" will match "/abc/xyz/.*" (`String`). `path_regex_value` - (Optional) Regular Expression value for the Path to match (`String`). +### Allow List Tls List +Domains in SNI for TLS connections. - -### Allow List Tls List - - Domains in SNI for TLS connections. - - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set `exact_value` - (Optional) Exact domain name. (`String`). - `regex_value` - (Optional) Regular Expression value for the domain name (`String`). 
- `suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +### Default Action Choice Default Action Allow +Allow all connections. +### Default Action Choice Default Action Deny -### Default Action Choice Default Action Allow - - Allow all connections. - - - -### Default Action Choice Default Action Deny - - Deny all connections. - - - -### Default Action Choice Default Action Next Policy +Deny all connections. - Evaluate the next forward proxy policy in the active list. +### Default Action Choice Default Action Next Policy +Evaluate the next forward proxy policy in the active list. +### Deny List Dest List -### Deny List Dest List +L4 destinations for non-HTTP and non-TLS connections and TLS connections without SNI. - L4 destinations for non-HTTP and non-TLS connections and TLS connections without SNI. +`ipv6_prefixes` - (Optional) Destination IPv6 prefixes. (`String`). `port_ranges` - (Required) Each port range consists of a single port or two ports separated by "-". (`String`). -`prefixes` - (Required) Destination IPv4 prefixes. (`String`). +`prefixes` - (Optional) Destination IPv4 prefixes. (`String`). +### Deny List Http List +URLs for HTTP connections. -### Deny List Http List - - URLs for HTTP connections. - - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set `exact_value` - (Optional) Exact domain name (`String`). - `regex_value` - (Optional) Regular Expression value for the domain name (`String`). - `suffix_value` - (Optional) Suffix of domain names e.g "xyz.com" will match "*.xyz.com" (`String`). 
- - - -###### One of the arguments from this list "path_prefix_value, path_regex_value, any_path, path_exact_value" must be set +###### One of the arguments from this list "any_path, path_exact_value, path_prefix_value, path_regex_value" must be set `any_path` - (Optional) All paths are considered match (`Bool`). - `path_exact_value` - (Optional) Exact Path to match. (`String`). - -`path_prefix_value` - (Optional) Prefix of Path e.g "/abc/xyz" will match "/abc/xyz/.*" (`String`). - +`path_prefix_value` - (Optional) Prefix of Path e.g "/abc/xyz" will match "/abc/xyz/.*" (`String`). `path_regex_value` - (Optional) Regular Expression value for the Path to match (`String`). +### Deny List Tls List +Domains in SNI for TLS connections. - -### Deny List Tls List - - Domains in SNI for TLS connections. - - - -###### One of the arguments from this list "suffix_value, regex_value, exact_value" must be set +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set `exact_value` - (Optional) Exact domain name. (`String`). - `regex_value` - (Optional) Regular Expression value for the domain name (`String`). - `suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +### Destination Choice All Destinations +Match on all destinations. +### Destination Choice Dst Asn List -### Destination Choice All Destinations - - Match on all destinations. - - - -### Destination Choice Dst Asn List - - The ASN is obtained by performing a lookup for the destination IPv4 Address in a GeoIP DB.. +The ASN is obtained by performing a lookup for the destination IPv4 Address in a GeoIP DB.. `as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). 
+### Destination Choice Dst Label Selector - -### Destination Choice Dst Label Selector - - Destination is the set of prefixes determined by the label selector expression. +Destination is the set of prefixes determined by the label selector expression. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Destination Choice Dst Prefix List - -### Destination Choice Dst Prefix List - - Addresses that are covered by the given list of IPv4 prefixes. +Addresses that are covered by the given list of IPv4 prefixes. `ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). `prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). +### Destination Choice Http List - -### Destination Choice Http List - - URLs for HTTP connections. +URLs for HTTP connections. `http_list` - (Optional) URLs for HTTP connections. See [Http List Http List ](#http-list-http-list) below for details. +### Destination Choice Tls List - -### Destination Choice Tls List - - Domains in SNI for TLS connections. +Domains in SNI for TLS connections. `tls_list` - (Optional) Domains in SNI for TLS connections. See [Tls List Tls List ](#tls-list-tls-list) below for details. +### Destination Choice Url Category List - -### Destination Choice Url Category List - - URL categories to choose, so that the corresponding label selector expressions can be derived from it. +URL categories to choose, so that the corresponding label selector expressions can be derived from it. `url_categories` - (Required) List of url categories to be selected (`List of Strings`). +### Dst Segment Choice Dst Any +Traffic is not matched against any segment. -### Dst Segment Choice Dst Any - - Traffic is not matched against any segment. - - +### Dst Segment Choice Dst Segments -### Dst Segment Choice Dst Segments - - Traffic is matched against destination segment in selected segments. 
+Traffic is matched against destination segment in selected segments. `segments` - (Required) Select list of segments. See [ref](#ref) below for details. +### Dst Segment Choice Intra Segment +Traffic is matched for source and destination on the same segment. -### Dst Segment Choice Intra Segment - - Traffic is matched for source and destination on the same segment. - +### Http Connect Choice No Http Connect Port +Ignore destination ports for connections. -### Http Connect Choice No Http Connect Port +### Http Connect Choice Port Matcher - Ignore destination ports for connections. - - - -### Http Connect Choice Port Matcher - - In case of an HTTP Connect, the destination port is extracted from the connect destination.. +In case of an HTTP Connect, the destination port is extracted from the connect destination.. `invert_matcher` - (Optional) Invert the match result. (`Bool`). `ports` - (Required) to be part of the range. (`String`). +### Http List Http List +URLs for HTTP connections. -### Http List Http List - - URLs for HTTP connections. - - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set `exact_value` - (Optional) Exact domain name (`String`). - `regex_value` - (Optional) Regular Expression value for the domain name (`String`). - `suffix_value` - (Optional) Suffix of domain names e.g "xyz.com" will match "*.xyz.com" (`String`). - - - -###### One of the arguments from this list "path_exact_value, path_prefix_value, path_regex_value, any_path" must be set +###### One of the arguments from this list "any_path, path_exact_value, path_prefix_value, path_regex_value" must be set `any_path` - (Optional) All paths are considered match (`Bool`). - `path_exact_value` - (Optional) Exact Path to match. (`String`). - -`path_prefix_value` - (Optional) Prefix of Path e.g "/abc/xyz" will match "/abc/xyz/.*" (`String`). 
- +`path_prefix_value` - (Optional) Prefix of Path e.g "/abc/xyz" will match "/abc/xyz/.*" (`String`). `path_regex_value` - (Optional) Regular Expression value for the Path to match (`String`). +### Path Choice Any Path +All paths are considered match. +### Proxy Choice Proxy Label Selector -### Path Choice Any Path - - All paths are considered match. - - - -### Proxy Choice Proxy Label Selector - - Proxy for Network Connector or HTTP connect proxy selected by Label selector. +Proxy for Network Connector or HTTP connect proxy selected by Label selector. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -675,150 +300,105 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Rule Choice Allow List +List of allowed connections. -### Rule Choice Allow List - - List of allowed connections. - - - -###### One of the arguments from this list "default_action_next_policy, default_action_deny, default_action_allow" must be set +###### One of the arguments from this list "default_action_allow, default_action_deny, default_action_next_policy" must be set `default_action_allow` - (Optional) Allow all connections (`Bool`). - `default_action_deny` - (Optional) Deny all connections (`Bool`). - `default_action_next_policy` - (Optional) Evaluate the next forward proxy policy in the active list (`Bool`). - `dest_list` - (Optional) L4 destinations for non-HTTP and non-TLS connections and TLS connections without SNI. See [Allow List Dest List ](#allow-list-dest-list) below for details. `http_list` - (Optional) URLs for HTTP connections. See [Allow List Http List ](#allow-list-http-list) below for details. `tls_list` - (Optional) Domains in SNI for TLS connections. See [Allow List Tls List ](#allow-list-tls-list) below for details. +### Rule Choice Deny List +List of denied connections. -### Rule Choice Deny List - - List of denied connections. - - - -###### One of the arguments from this list "default_action_deny, default_action_allow, default_action_next_policy" must be set +###### One of the arguments from this list "default_action_allow, default_action_deny, default_action_next_policy" must be set `default_action_allow` - (Optional) Allow all connections (`Bool`). - `default_action_deny` - (Optional) Deny all connections (`Bool`). - `default_action_next_policy` - (Optional) Evaluate the next forward proxy policy in the active list (`Bool`). 
- `dest_list` - (Optional) L4 destinations for non-HTTP and non-TLS connections and TLS connections without SNI. See [Deny List Dest List ](#deny-list-dest-list) below for details. `http_list` - (Optional) URLs for HTTP connections. See [Deny List Http List ](#deny-list-http-list) below for details. `tls_list` - (Optional) Domains in SNI for TLS connections. See [Deny List Tls List ](#deny-list-tls-list) below for details. +### Rule Choice Rule List - -### Rule Choice Rule List - - List of custom rules. +List of custom rules. `rules` - (Required) List of custom rules. See [Rule List Rules ](#rule-list-rules) below for details. +### Rule List Rules - -### Rule List Rules - - List of custom rules. +List of custom rules. `action` - (Required) Action to be enforced if the input request matches the rule. (`String`). - - -###### One of the arguments from this list "http_list, dst_ip_prefix_set, dst_prefix_list, dst_asn_set, dst_asn_list, all_destinations, tls_list, url_category_list, dst_label_selector" must be set +###### One of the arguments from this list "all_destinations, dst_asn_list, dst_asn_set, dst_ip_prefix_set, dst_label_selector, dst_prefix_list, http_list, tls_list, url_category_list" must be set `all_destinations` - (Optional) Match on all destinations (`Bool`). - `dst_asn_list` - (Optional) The ASN is obtained by performing a lookup for the destination IPv4 Address in a GeoIP DB.. See [Destination Choice Dst Asn List ](#destination-choice-dst-asn-list) below for details. - `dst_asn_set` - (Optional) The ASN is obtained by performing a lookup for the destination IPv4 Address in a GeoIP DB.. See [ref](#ref) below for details. - `dst_ip_prefix_set` - (Optional) Addresses that are covered by the prefixes in the given ip_prefix_set. See [ref](#ref) below for details. - `dst_label_selector` - (Optional) Destination is the set of prefixes determined by the label selector expression. 
See [Destination Choice Dst Label Selector ](#destination-choice-dst-label-selector) below for details. - `dst_prefix_list` - (Optional) Addresses that are covered by the given list of IPv4 prefixes. See [Destination Choice Dst Prefix List ](#destination-choice-dst-prefix-list) below for details. - `http_list` - (Optional) URLs for HTTP connections. See [Destination Choice Http List ](#destination-choice-http-list) below for details. - `tls_list` - (Optional) Domains in SNI for TLS connections. See [Destination Choice Tls List ](#destination-choice-tls-list) below for details. - `url_category_list` - (Optional) URL categories to choose, so that the corresponding label selector expressions can be derived from it. See [Destination Choice Url Category List ](#destination-choice-url-category-list) below for details. - - - - ###### One of the arguments from this list "no_http_connect_port, port_matcher" can be set `no_http_connect_port` - (Optional) Ignore destination ports for connections (`Bool`). - `port_matcher` - (Optional) In case of an HTTP Connect, the destination port is extracted from the connect destination.. See [Http Connect Choice Port Matcher ](#http-connect-choice-port-matcher) below for details. - `metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. `rule_description` - (Optional) Human readable description for the rule (`String`).(Deprecated) `rule_name` - (Optional) Rule Name that will be used to query metrics for this rule. (`String`).(Deprecated) - - -###### One of the arguments from this list "inside_sources, interface, namespace, label_selector, ip_prefix_set, all_sources, prefix_list" must be set +###### One of the arguments from this list "all_sources, inside_sources, interface, ip_prefix_set, label_selector, namespace, prefix_list" must be set `all_sources` - (Optional) Any source that matches 0/0 ip prefix (`Bool`). 
- `inside_sources` - (Optional) All ip prefixes that are reachable via inside interfaces are chosen as Endpoints (`Bool`).(Deprecated) - `interface` - (Optional) All ip prefixes that are reachable via an interfaces are chosen as Endpoints. See [ref](#ref) below for details.(Deprecated) - `ip_prefix_set` - (Optional) All ip prefixes that are in a given ip prefix set.. See [ref](#ref) below for details. - `label_selector` - (Optional) Sources is set of prefixes determined by label selector expression. See [Source Choice Label Selector ](#source-choice-label-selector) below for details. - `namespace` - (Optional) All ip prefixes that are of a namespace are chosen as Endpoints (`String`).(Deprecated) - `prefix_list` - (Optional) list is a sublist of both V4 and V6 prefix list. See [Source Choice Prefix List ](#source-choice-prefix-list) below for details. +### Rules Metadata - - -### Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
@@ -826,72 +406,51 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Source Choice All Sources +Any source that matches 0/0 ip prefix. -### Source Choice All Sources - - Any source that matches 0/0 ip prefix. - - +### Source Choice Inside Sources -### Source Choice Inside Sources +All ip prefixes that are reachable via inside interfaces are chosen as Endpoints. - All ip prefixes that are reachable via inside interfaces are chosen as Endpoints. +### Source Choice Label Selector - - -### Source Choice Label Selector - - Sources is set of prefixes determined by label selector expression. +Sources is set of prefixes determined by label selector expression. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Source Choice Prefix List - -### Source Choice Prefix List - - list is a sublist of both V4 and V6 prefix list. +list is a sublist of both V4 and V6 prefix list. `ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). `prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). +### Src Segment Choice Src Any +Traffic is not matched against any segment. -### Src Segment Choice Src Any - - Traffic is not matched against any segment. +### Src Segment Choice Src Segments - - -### Src Segment Choice Src Segments - - Source traffic is matched against selected segments. +Source traffic is matched against selected segments. `segments` - (Required) Select list of segments. See [ref](#ref) below for details. +### Tls List Tls List +Domains in SNI for TLS connections. -### Tls List Tls List - - Domains in SNI for TLS connections. 
- - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set `exact_value` - (Optional) Exact domain name. (`String`). - `regex_value` - (Optional) Regular Expression value for the domain name (`String`). - `suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +Attribute Reference +------------------- - - -## Attribute Reference - -* `id` - This is the id of the configured forward_proxy_policy. - +- `id` - This is the id of the configured forward_proxy_policy. diff --git a/docs/resources/volterra_gcp_vpc_site.md b/docs/resources/volterra_gcp_vpc_site.md index e87118bc3..46b3805f1 100644 --- a/docs/resources/volterra_gcp_vpc_site.md +++ b/docs/resources/volterra_gcp_vpc_site.md 
@@ -1,33 +1,26 @@ - - - - - - - - - - - - --- + page_title: "Volterra: gcp_vpc_site" -description: "The gcp_vpc_site allows CRUD of Gcp Vpc Site resource on Volterra SaaS" +description: "The gcp_vpc_site allows CRUD of Gcp Vpc Site resource on Volterra SaaS" + --- -# Resource volterra_gcp_vpc_site -The Gcp Vpc Site allows CRUD of Gcp Vpc Site resource on Volterra SaaS +Resource volterra_gcp_vpc_site +============================== -~> **Note:** Please refer to [Gcp Vpc Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-gcp-vpc-site) to learn more +The Gcp Vpc Site allows CRUD of Gcp Vpc Site resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Gcp Vpc Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-gcp-vpc-site) to learn more + +Example Usage +------------- ```hcl resource "volterra_gcp_vpc_site" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "default_blocked_services block_all_services blocked_services" must be set + // One of the arguments from this list "block_all_services blocked_services default_blocked_services" must be set block_all_services = true 
@@ -41,15 +34,25 @@ resource "volterra_gcp_vpc_site" "example" { gcp_region = ["us-west1"] instance_type = ["n1-standard-4"] - // One of the arguments from this list "logs_streaming_disabled log_receiver" must be set + // One of the arguments from this list "log_receiver logs_streaming_disabled" must be set logs_streaming_disabled = true // One of the arguments from this list "private_connect_disabled private_connectivity" must be set - private_connect_disabled = true + private_connectivity { + cloud_link { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } + + // One of the arguments from this list "inside outside" can be set + + outside = true + } - // One of the arguments from this list "ingress_gw ingress_egress_gw voltstack_cluster" must be set + // One of the arguments from this list "ingress_egress_gw ingress_gw voltstack_cluster" must be set ingress_gw { gcp_certified_hw = "gcp-byol-voltmesh" @@ -57,7 +60,7 @@ resource "volterra_gcp_vpc_site" "example" { gcp_zone_names = ["us-west1-a, us-west1-b, us-west1-c"] local_network { - // One of the arguments from this list "new_network_autogenerate new_network existing_network" must be set + // One of the arguments from this list "existing_network new_network new_network_autogenerate" must be set new_network_autogenerate { autogenerate = true @@ -65,7 +68,7 @@ resource "volterra_gcp_vpc_site" "example" { } local_subnet { - // One of the arguments from this list "new_subnet existing_subnet" must be set + // One of the arguments from this list "existing_subnet new_subnet" must be set new_subnet { primary_ipv4 = "10.1.0.0/16" 
@@ -87,2160 +90,1002 @@ resource "volterra_gcp_vpc_site" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `address` - (Optional) Site's geographical address that can be used determine its latitude and longitude. (`String`). +`admin_password` - (Optional) Admin password user for accessing site through serial console .. See [Admin Password ](#admin-password) below for details. +###### One of the arguments from this list "block_all_services, blocked_services, default_blocked_services" must be set -`admin_password` - (Optional) Admin password user for accessing site through serial console .. See [Admin Password ](#admin-password) below for details.(Deprecated) +`block_all_services` - (Optional) Block DNS, SSH & WebUI services on Site (`Bool`). +`blocked_services` - (Optional) Use custom blocked services configuration. See [Blocked Services Choice Blocked Services ](#blocked-services-choice-blocked-services) below for details. - +`default_blocked_services` - (Optional) Allow access to DNS, SSH services on Site (`Bool`). +`coordinates` - (Optional) Site longitude and latitude co-ordinates. See [Coordinates ](#coordinates) below for details. +`custom_dns` - (Optional) custom dns configure to the CE site. See [Custom Dns ](#custom-dns) below for details. 
+###### One of the arguments from this list "cloud_credentials" must be set +`cloud_credentials` - (Optional) Reference to GCP credentials for automatic deployment. See [ref](#ref) below for details. +`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`). +`gcp_labels` - (Optional) It helps to manage, identify, organize, search for, and filter resources in GCP console. (`String`). +`gcp_region` - (Required) Name for GCP Region. (`String`). - +`instance_type` - (Required) Select Instance size based on performance needed (`String`). +`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. +###### One of the arguments from this list "log_receiver, logs_streaming_disabled" must be set +`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. +`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). +`nodes_per_az` - (Optional) Desired Worker Nodes Per AZ. Max limit is up to 21 (`Int`).(Deprecated) +`offline_survivability_mode` - (Optional) Enable/Disable offline survivability mode. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. - +`os` - (Optional) Operating System Details. See [Os ](#os) below for details. +###### One of the arguments from this list "private_connect_disabled, private_connectivity" must be set +`private_connect_disabled` - (Optional)Disable Private Connectivity to Site (`Bool`). +`private_connectivity` - (Optional) Enable Private Connectivity to Site. See [Private Connectivity Choice Private Connectivity ](#private-connectivity-choice-private-connectivity) below for details. +###### One of the arguments from this list "ingress_egress_gw, ingress_gw, voltstack_cluster" must be set +`ingress_egress_gw` - (Optional) Two interface site is useful when site is used as ingress/egress gateway to the VPC network.. 
See [Site Type Ingress Egress Gw ](#site-type-ingress-egress-gw) below for details. - +`ingress_gw` - (Optional) One interface site is useful when site is only used as ingress gateway to the VPC network.. See [Site Type Ingress Gw ](#site-type-ingress-gw) below for details. +`voltstack_cluster` - (Optional) App Stack Cluster using single interface, useful for deploying K8s cluster.. See [Site Type Voltstack Cluster ](#site-type-voltstack-cluster) below for details. +`ssh_key` - (Required) Public SSH key for accessing the site. (`String`). +`sw` - (Optional) F5XC Software Details. See [Sw ](#sw) below for details. +### Admin Password +Admin password user for accessing site through serial console .. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set - +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Coordinates +Site longitude and latitude co-ordinates. +`latitude` - (Optional) Latitude of the site location (`Float`). -`block_all_services` - (Optional) Block DNS, SSH & WebUI services on Site (`Bool`). +`longitude` - (Optional) longitude of site location (`Float`). +### Custom Dns -`blocked_services` - (Optional) Use custom blocked services configuration. See [Blocked Services Choice Blocked Services ](#blocked-services-choice-blocked-services) below for details. - +custom dns configure to the CE site. +`inside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in inside network (`String`). - +`inside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in inside network (`String`). +`outside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in outside network (`String`). +`outside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in outside network (`String`). +### Kubernetes Upgrade Drain - +Enable Kubernetes Drain during OS or SW upgrade. +###### One of the arguments from this list "disable_upgrade_drain, enable_upgrade_drain" must be set +`disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). +`enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. - +### Offline Survivability Mode +Enable/Disable offline survivability mode. +###### One of the arguments from this list "enable_offline_survivability_mode, no_offline_survivability_mode" must be set +`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). - +`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). 
+### Os +Operating System Details. +###### One of the arguments from this list "default_os_version, operating_system_version" must be set +`default_os_version` - (Optional) Will assign latest available OS version (`Bool`). +`operating_system_version` - (Optional) Specify a OS version to be used e.g. 9.2024.6. (`String`). -`default_blocked_services` - (Optional) Allow access to DNS, SSH services on Site (`Bool`). +### Sw +F5XC Software Details. +###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set +`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). -`coordinates` - (Optional) Site longitude and latitude co-ordinates. See [Coordinates ](#coordinates) below for details. +`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). +### Admin Password Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). -`custom_dns` - (Optional) custom dns configure to the CE site. See [Custom Dns ](#custom-dns) below for details. +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Blocked Services Blocked Sevice +x-displayName: "Disable Node Local Services". +###### One of the arguments from this list "dns, ssh, web_user_interface" can be set +`dns` - (Optional) Matches DNS port 53 (`Bool`). +`ssh` - (Optional) x-displayName: "SSH" (`Bool`). +`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). +`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). 
-`cloud_credentials` - (Optional) Reference to GCP credentials for automatic deployment. See [ref](#ref) below for details. +### Blocked Services Choice Blocked Services +Use custom blocked services configuration. +`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. +### Blocked Services Value Type Choice Dns -`disk_size` - (Optional) Disk size to be used for this instance in GiB. 80 is 80 GiB (`Int`). +Matches DNS port 53. +### Blocked Services Value Type Choice Ssh +x-displayName: "SSH". -`gcp_labels` - (Optional) It helps to manage, identify, organize, search for, and filter resources in GCP console. (`String`). +### Blocked Services Value Type Choice Web User Interface +x-displayName: "Web UI". +### Choice Existing Network -`gcp_region` - (Required) Name for GCP Region. (`String`). +Name of existing VPC network.. +`name` - (Required) Name for your GCP VPC Network (`String`). +### Choice Existing Subnet -`instance_type` - (Required) Select Instance size based on performance needed (`String`). +Name of existing VPC subnet.. +`subnet_name` - (Required) Name of your subnet in VPC network (`String`). +### Choice New Network -`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. +Create new VPC network with specified name.. +`name` - (Required) Name for your GCP VPC Network (`String`). +### Choice New Network Autogenerate +Create new VPC network with autogenerated name.. - +`autogenerate` - (Optional) Name for your GCP VPC Network will be autogenerated (`Bool`).(Deprecated) +### Choice New Subnet +Parameters for creating a new VPC Subnet. +`primary_ipv4` - (Required) IPv4 prefix for this Subnet. It has to be private address space. (`String`). - +`subnet_name` - (Optional) Name of new VPC Subnet, will be autogenerated if empty (`String`). 
+### Config Mode Choice Custom Static Route +Use Custom static route to configure all advanced options. +`attrs` - (Optional) List of route attributes associated with the static route (`List of Strings`). +`labels` - (Optional) Add Labels for this Static Route, these labels can be used in network policy (`String`). +`nexthop` - (Optional) Nexthop for the route. See [Custom Static Route Nexthop ](#custom-static-route-nexthop) below for details. +`subnets` - (Required) List of route prefixes. See [Custom Static Route Subnets ](#custom-static-route-subnets) below for details. +### Connection Choice Sli To Global Dr +Site local inside is connected directly to a given global network. - +`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. +### Connection Choice Slo To Global Dr +Site local outside is connected directly to a given global network. +`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. - +### Custom Certificate Private Key +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. 
+`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) -`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Custom Static Route Nexthop -`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). +Nexthop for the route. +`interface` - (Optional) Nexthop is network interface when type is "Network-Interface". See [ref](#ref) below for details. +`nexthop_address` - (Optional) Nexthop address when type is "Use-Configured". See [Nexthop Nexthop Address ](#nexthop-nexthop-address) below for details. +`type` - (Optional) Identifies the type of next-hop (`String`). -`nodes_per_az` - (Optional) Desired Worker Nodes Per AZ. Max limit is up to 21 (`Int`).(Deprecated) +### Custom Static Route Subnets +List of route prefixes. +###### One of the arguments from this list "ipv4, ipv6" must be set -`offline_survivability_mode` - (Optional) Enable/Disable offline survivability mode. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. +`ipv4` - (Optional) IPv4 Subnet Address. See [Ver Ipv4 ](#ver-ipv4) below for details. +`ipv6` - (Optional) IPv6 Subnet Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Dc Cluster Group Choice No Dc Cluster Group +This site is not a member of dc cluster group. - +### Enable Disable Choice Disable Interception +Disable Interception. 
+### Enable Disable Choice Enable Interception +Enable Interception. - +### Forward Proxy Choice Active Forward Proxy Policies +Enable Forward Proxy for this site and manage policies. +`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. +### Forward Proxy Choice Disable Forward Proxy +Forward Proxy is disabled for this connector. -`os` - (Optional) Operating System Details. See [Os ](#os) below for details. +### Forward Proxy Choice Enable Forward Proxy +Forward Proxy is enabled for this connector. +`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2000 (2 seconds) (`Int`). +`max_connect_attempts` - (Optional) Specifies the allowed number of retries on connect failure to upstream server. Defaults to 1. (`Int`). - +###### One of the arguments from this list "no_interception, tls_intercept" can be set +`no_interception` - (Optional) No TLS interception is enabled for this network connector (`Bool`).(Deprecated) +`tls_intercept` - (Optional) Specify TLS interception configuration for the network connector. See [Tls Interception Choice Tls Intercept ](#tls-interception-choice-tls-intercept) below for details.(Deprecated) +`white_listed_ports` - (Optional) Example "tmate" server port (`Int`). +`white_listed_prefixes` - (Optional) Example "tmate" server ip (`String`). +### Forward Proxy Choice Forward Proxy Allow All +Enable Forward Proxy for this site and allow all requests.. -`private_connect_disabled` - (Optional)Disable Private Connectivity to Site (`Bool`). +### Forward Proxy Choice No Forward Proxy +Disable Forward Proxy for this site. -`private_connectivity` - (Optional) Enable Private Connectivity to Site. See [Private Connectivity Choice Private Connectivity ](#private-connectivity-choice-private-connectivity) below for details. - +### Global Network Choice Global Network List +List of global network connections. 
+`global_network_connections` - (Required) Global network connections. See [Global Network List Global Network Connections ](#global-network-list-global-network-connections) below for details. +### Global Network Choice No Global Network +No global network to connect. - +### Global Network List Global Network Connections +Global network connections. +###### One of the arguments from this list "sli_to_global_dr, slo_to_global_dr" must be set +`sli_to_global_dr` - (Optional) Site local inside is connected directly to a given global network. See [Connection Choice Sli To Global Dr ](#connection-choice-sli-to-global-dr) below for details. - +`slo_to_global_dr` - (Optional) Site local outside is connected directly to a given global network. See [Connection Choice Slo To Global Dr ](#connection-choice-slo-to-global-dr) below for details. +###### One of the arguments from this list "disable_forward_proxy, enable_forward_proxy" can be set +`disable_forward_proxy` - (Optional) Forward Proxy is disabled for this connector (`Bool`).(Deprecated) +`enable_forward_proxy` - (Optional) Forward Proxy is enabled for this connector. See [Forward Proxy Choice Enable Forward Proxy ](#forward-proxy-choice-enable-forward-proxy) below for details.(Deprecated) +### Ingress Egress Gw Inside Network +Network for the inside interface of the node. +###### One of the arguments from this list "existing_network, new_network, new_network_autogenerate" must be set +`existing_network` - (Optional) Name of existing VPC network.. See [Choice Existing Network ](#choice-existing-network) below for details. -`ingress_egress_gw` - (Optional) Two interface site is useful when site is used as ingress/egress gateway to the VPC network.. See [Site Type Ingress Egress Gw ](#site-type-ingress-egress-gw) below for details. - +`new_network` - (Optional) Create new VPC network with specified name.. See [Choice New Network ](#choice-new-network) below for details. 
+`new_network_autogenerate` - (Optional) Create new VPC network with autogenerated name.. See [Choice New Network Autogenerate ](#choice-new-network-autogenerate) below for details. +### Ingress Egress Gw Inside Subnet +Subnet for the inside interface of the node.. +###### One of the arguments from this list "existing_subnet, new_subnet" must be set +`existing_subnet` - (Optional) Name of existing VPC subnet.. See [Choice Existing Subnet ](#choice-existing-subnet) below for details. - +`new_subnet` - (Optional) Parameters for creating a new VPC Subnet. See [Choice New Subnet ](#choice-new-subnet) below for details. +### Ingress Egress Gw Outside Network +Network for the outside interface of the node. +###### One of the arguments from this list "existing_network, new_network, new_network_autogenerate" must be set +`existing_network` - (Optional) Name of existing VPC network.. See [Choice Existing Network ](#choice-existing-network) below for details. +`new_network` - (Optional) Create new VPC network with specified name.. See [Choice New Network ](#choice-new-network) below for details. - +`new_network_autogenerate` - (Optional) Create new VPC network with autogenerated name.. See [Choice New Network Autogenerate ](#choice-new-network-autogenerate) below for details. +### Ingress Egress Gw Outside Subnet +Subnet for the outside interface of the node.. +###### One of the arguments from this list "existing_subnet, new_subnet" must be set +`existing_subnet` - (Optional) Name of existing VPC subnet.. See [Choice Existing Subnet ](#choice-existing-subnet) below for details. - +`new_subnet` - (Optional) Parameters for creating a new VPC Subnet. See [Choice New Subnet ](#choice-new-subnet) below for details. +### Ingress Egress Gw Performance Enhancement Mode +Performance Enhancement Mode to optimize for L3 or L7 networking. 
+###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set - +`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. +`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). +### Ingress Gw Local Network +Network for the local interface of the node. +###### One of the arguments from this list "existing_network, new_network, new_network_autogenerate" must be set +`existing_network` - (Optional) Name of existing VPC network.. See [Choice Existing Network ](#choice-existing-network) below for details. +`new_network` - (Optional) Create new VPC network with specified name.. See [Choice New Network ](#choice-new-network) below for details. +`new_network_autogenerate` - (Optional) Create new VPC network with autogenerated name.. See [Choice New Network Autogenerate ](#choice-new-network-autogenerate) below for details. - +### Ingress Gw Local Subnet +Subnet for the local interface of the node.. - +###### One of the arguments from this list "existing_subnet, new_subnet" must be set +`existing_subnet` - (Optional) Name of existing VPC subnet.. See [Choice Existing Subnet ](#choice-existing-subnet) below for details. +`new_subnet` - (Optional) Parameters for creating a new VPC Subnet. See [Choice New Subnet ](#choice-new-subnet) below for details. +### Ingress Gw Performance Enhancement Mode - +Performance Enhancement Mode to optimize for L3 or L7 networking. +###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set +`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. +`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). 
+### Inside Static Route Choice Inside Static Routes - +Manage static routes for inside network.. +`static_route_list` - (Required) List of Static routes. See [Inside Static Routes Static Route List ](#inside-static-routes-static-route-list) below for details. +### Inside Static Route Choice No Inside Static Routes +Static Routes disabled for inside network.. +### Inside Static Routes Static Route List +List of Static routes. +###### One of the arguments from this list "custom_static_route, simple_static_route" must be set - +`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. +`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). +### Interception Policy Choice Enable For All Domains +Enable interception for all domains. - +### Interception Policy Choice Policy +Policy to enable/disable specific domains, with implicit enable all domains. +`interception_rules` - (Required) List of ordered rules to enable or disable for TLS interception. See [Policy Interception Rules ](#policy-interception-rules) below for details. +### Interception Rules Domain Match +Domain value or regular expression to match. +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set - +`exact_value` - (Optional) Exact domain name. (`String`). +`regex_value` - (Optional) Regular Expression value for the domain name (`String`). +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +### K8s Cluster Choice No K8s Cluster - +Site Local K8s API access is disabled. +### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain +x-displayName: "Disable Node by Node Upgrade". +### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain - +x-displayName: "Enable Node by Node Upgrade". 
+###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set +`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). +`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) - +`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). +###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set - +`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) +`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) - +### Network Options Inside +CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site. +### Network Options Outside +CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site. +### Network Policy Choice Active Enhanced Firewall Policies +with an additional option for service insertion.. +`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. +### Network Policy Choice Active Network Policies +Firewall Policies active for this site.. - +`network_policies` - (Required) Ordered List of Firewall Policies active for this network firewall. See [ref](#ref) below for details. +### Network Policy Choice No Network Policy +Firewall Policy is disabled for this site.. +### Nexthop Nexthop Address - +Nexthop address when type is "Use-Configured". +###### One of the arguments from this list "ipv4, ipv6" can be set +`ipv4` - (Optional) IPv4 Address. See [Ver Ipv4 ](#ver-ipv4) below for details. 
+`ipv6` - (Optional) IPv6 Address. See [Ver Ipv6 ](#ver-ipv6) below for details. +### Ocsp Stapling Choice Custom Hash Algorithms +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Ocsp Stapling Choice Disable Ocsp Stapling - +This is the default behavior if no choice is selected.. +### Ocsp Stapling Choice Use System Defaults +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. +### Offline Survivability Mode Choice Enable Offline Survivability Mode +x-displayName: "Enabled". +### Offline Survivability Mode Choice No Offline Survivability Mode - +x-displayName: "Disabled". +### Operating System Version Choice Default Os Version +Will assign latest available OS version. +### Outside Static Route Choice No Outside Static Routes +Static Routes disabled for outside network.. - +### Outside Static Route Choice Outside Static Routes +Manage static routes for outside network.. +`static_route_list` - (Required) List of Static routes. See [Outside Static Routes Static Route List ](#outside-static-routes-static-route-list) below for details. +### Outside Static Routes Static Route List - +List of Static routes. +###### One of the arguments from this list "custom_static_route, simple_static_route" must be set +`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. +`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). - +### Perf Mode Choice Jumbo +x-displayName: "Enabled". 
- +### Perf Mode Choice No Jumbo +x-displayName: "Disabled". +### Perf Mode Choice Perf Mode L3 Enhanced +Site optimized for L3 traffic processing. +###### One of the arguments from this list "jumbo, no_jumbo" must be set +`jumbo` - (Optional) x-displayName: "Enabled" (`Bool`). +`no_jumbo` - (Optional) x-displayName: "Disabled" (`Bool`). +### Perf Mode Choice Perf Mode L7 Enhanced +Site optimized for L7 traffic processing. +### Policy Interception Rules +List of ordered rules to enable or disable for TLS interception. +`domain_match` - (Required) Domain value or regular expression to match. See [Interception Rules Domain Match ](#interception-rules-domain-match) below for details. +###### One of the arguments from this list "disable_interception, enable_interception" must be set +`disable_interception` - (Optional) Disable Interception (`Bool`). +`enable_interception` - (Optional) Enable Interception (`Bool`). +### Private Connectivity Choice Private Connectivity +Enable Private Connectivity to Site. +`cloud_link` - (Required) Reference to Cloud Link. See [ref](#ref) below for details. +###### One of the arguments from this list "inside, outside" can be set +`inside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site (`Bool`). +`outside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site (`Bool`). +### Private Key Blindfold Secret Info Internal - +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). 
+### Ref +Reference to another volterra object is shown like below +name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - +namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). +tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Secret Info Oneof Blindfold Secret Info +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info +Clear Secret is used for the secrets that are not encrypted. +`provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +`url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - +Vault Secret is used for the secrets managed by Hashicorp Vault. +`key` - (Optional) If not provided entire secret will be returned. (`String`). +`location` - (Required) Path to secret in Vault. (`String`). +`provider` - (Required) Name of the Secret Management Access object that contains information about the backend Vault. (`String`). - +`secret_encoding` - (Optional) This field defines the encoding type of the secret BEFORE the secret is put into Hashicorp Vault. (`String`). +`version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info +Secret is given as bootstrap secret in F5XC Security Sidecar. - +`name` - (Required) Name of the secret. (`String`). 
+### Signing Cert Choice Custom Certificate +Certificates for generating intermediate certificate for TLS interception.. +`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). +`description` - (Optional) Description for the certificate (`String`). - +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set +`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. +`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. +`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. +`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Custom Certificate Private Key ](#custom-certificate-private-key) below for details. - +### Signing Cert Choice Volterra Certificate +F5XC certificates for generating intermediate certificate for TLS interception.. +### Site Mesh Group Choice Sm Connection Public Ip +creating ipsec between two sites which are part of the site mesh group. +### Site Mesh Group Choice Sm Connection Pvt Ip +creating ipsec between two sites which are part of the site mesh group. 
+### Site Type Ingress Egress Gw - +Two interface site is useful when site is used as ingress/egress gateway to the VPC network.. +###### One of the arguments from this list "dc_cluster_group_inside_vn, dc_cluster_group_outside_vn, no_dc_cluster_group" must be set - +`dc_cluster_group_inside_vn` - (Optional) This site is member of dc cluster group connected via inside network. See [ref](#ref) below for details. +`dc_cluster_group_outside_vn` - (Optional) This site is member of dc cluster group connected via outside network. See [ref](#ref) below for details. +`no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). +###### One of the arguments from this list "active_forward_proxy_policies, forward_proxy_allow_all, no_forward_proxy" must be set - +`active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. +`forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). +`no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). +`gcp_certified_hw` - (Required) Name for GCP certified hardware. (`String`). - +`gcp_zone_names` - (Required) List of zones when instances will be created, needs to match with region selected. (`String`). +###### One of the arguments from this list "global_network_list, no_global_network" must be set +`global_network_list` - (Optional) List of global network connections. See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - +`no_global_network` - (Optional) No global network to connect (`Bool`). +`inside_network` - (Optional) Network for the inside interface of the node. See [Ingress Egress Gw Inside Network ](#ingress-egress-gw-inside-network) below for details. 
+###### One of the arguments from this list "inside_static_routes, no_inside_static_routes" must be set +`inside_static_routes` - (Optional) Manage static routes for inside network.. See [Inside Static Route Choice Inside Static Routes ](#inside-static-route-choice-inside-static-routes) below for details. - +`no_inside_static_routes` - (Optional) Static Routes disabled for inside network. (`Bool`). +`inside_subnet` - (Optional) Subnet for the inside interface of the node.. See [Ingress Egress Gw Inside Subnet ](#ingress-egress-gw-inside-subnet) below for details. +###### One of the arguments from this list "active_enhanced_firewall_policies, active_network_policies, no_network_policy" must be set +`active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. +`active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - +`no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). +`node_number` - (Optional) Number of main nodes to create, either 1 or 3. (`Int`). +`outside_network` - (Optional) Network for the outside interface of the node. See [Ingress Egress Gw Outside Network ](#ingress-egress-gw-outside-network) below for details. +###### One of the arguments from this list "no_outside_static_routes, outside_static_routes" must be set +`no_outside_static_routes` - (Optional) Static Routes disabled for outside network. (`Bool`). +`outside_static_routes` - (Optional) Manage static routes for outside network.. See [Outside Static Route Choice Outside Static Routes ](#outside-static-route-choice-outside-static-routes) below for details. - +`outside_subnet` - (Optional) Subnet for the outside interface of the node.. 
See [Ingress Egress Gw Outside Subnet ](#ingress-egress-gw-outside-subnet) below for details. +`performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Ingress Egress Gw Performance Enhancement Mode ](#ingress-egress-gw-performance-enhancement-mode) below for details. +###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set +`sm_connection_public_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - +`sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). +### Site Type Ingress Gw +One interface site is useful when site is only used as ingress gateway to the VPC network.. +`gcp_certified_hw` - (Required) Name for GCP certified hardware. (`String`). +`gcp_zone_names` - (Required) List of zones when instances will be created, needs to match with region selected. (`String`). +`local_network` - (Optional) Network for the local interface of the node. See [Ingress Gw Local Network ](#ingress-gw-local-network) below for details. - +`local_subnet` - (Optional) Subnet for the local interface of the node.. See [Ingress Gw Local Subnet ](#ingress-gw-local-subnet) below for details. +`node_number` - (Optional) Number of main nodes to create, either 1 or 3. (`Int`). +`performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Ingress Gw Performance Enhancement Mode ](#ingress-gw-performance-enhancement-mode) below for details. +### Site Type Voltstack Cluster +App Stack Cluster using single interface, useful for deploying K8s cluster.. +###### One of the arguments from this list "dc_cluster_group, no_dc_cluster_group" must be set +`dc_cluster_group` - (Optional) This site is member of dc cluster group connected via outside network. See [ref](#ref) below for details. 
+`no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). +###### One of the arguments from this list "active_forward_proxy_policies, forward_proxy_allow_all, no_forward_proxy" must be set +`active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. +`forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). - +`no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`ingress_gw` - (Optional) One interface site is useful when site is only used as ingress gateway to the VPC network.. See [Site Type Ingress Gw ](#site-type-ingress-gw) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`voltstack_cluster` - (Optional) App Stack Cluster using single interface, useful for deploying K8s cluster.. See [Site Type Voltstack Cluster ](#site-type-voltstack-cluster) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`ssh_key` - (Required) Public SSH key for accessing the site. (`String`). - - - -`sw` - (Optional) F5XC Software Details. See [Sw ](#sw) below for details. - - - - - - - - - - - -### Admin Password - - Admin password user for accessing site through serial console .. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "wingman_secret_info, blindfold_secret_info, vault_secret_info, clear_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Coordinates - - Site longitude and latitude co-ordinates. - -`latitude` - (Optional) Latitude of the site location (`Float`). - -`longitude` - (Optional) longitude of site location (`Float`). - - - -### Custom Dns - - custom dns configure to the CE site. - -`inside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in inside network (`String`). - -`inside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in inside network (`String`). - -`outside_nameserver` - (Optional) Optional DNS server IP to be used for name resolution in outside network (`String`). 
- -`outside_nameserver_v6` - (Optional) Optional DNS server IPv6 to be used for name resolution in outside network (`String`). - - - -### Kubernetes Upgrade Drain - - Enable Kubernetes Drain during OS or SW upgrade. - - - -###### One of the arguments from this list "enable_upgrade_drain, disable_upgrade_drain" must be set - -`disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). - - -`enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. - - - - -### Offline Survivability Mode - - Enable/Disable offline survivability mode. - - - -###### One of the arguments from this list "no_offline_survivability_mode, enable_offline_survivability_mode" must be set - -`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). - - -`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). - - - - -### Os - - Operating System Details. - - - -###### One of the arguments from this list "default_os_version, operating_system_version" must be set - -`default_os_version` - (Optional) Will assign latest available OS version (`Bool`). - - -`operating_system_version` - (Optional) Specify a OS version to be used e.g. 9.2024.6. (`String`). - - - - -### Sw - - F5XC Software Details. - - - -###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set - -`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). - - -`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). - - - - -### Admin Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
- -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Blocked Services Blocked Sevice - - x-displayName: "Disable Node Local Services". - - - - -###### One of the arguments from this list "ssh, web_user_interface, dns" can be set - -`dns` - (Optional) Matches DNS port 53 (`Bool`). - - -`ssh` - (Optional) x-displayName: "SSH" (`Bool`). - - -`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). - - -`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). - - - -### Blocked Services Choice Blocked Services - - Use custom blocked services configuration. - -`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. - - - -### Blocked Services Value Type Choice Dns - - Matches DNS port 53. - - - -### Blocked Services Value Type Choice Ssh - - x-displayName: "SSH". - - - -### Blocked Services Value Type Choice Web User Interface - - x-displayName: "Web UI". - - - -### Choice Existing Network - - Name of existing VPC network.. - -`name` - (Required) Name for your GCP VPC Network (`String`). - - - -### Choice Existing Subnet - - Name of existing VPC subnet.. - -`subnet_name` - (Required) Name of your subnet in VPC network (`String`). - - - -### Choice New Network - - Create new VPC network with specified name.. - -`name` - (Required) Name for your GCP VPC Network (`String`). - - - -### Choice New Network Autogenerate - - Create new VPC network with autogenerated name.. 
- -`autogenerate` - (Optional) Name for your GCP VPC Network will be autogenerated (`Bool`).(Deprecated) - - - -### Choice New Subnet - - Parameters for creating a new VPC Subnet. - -`primary_ipv4` - (Required) IPv4 prefix for this Subnet. It has to be private address space. (`String`). - -`subnet_name` - (Optional) Name of new VPC Subnet, will be autogenerated if empty (`String`). - - - -### Config Mode Choice Custom Static Route - - Use Custom static route to configure all advanced options. - -`attrs` - (Optional) List of route attributes associated with the static route (`List of Strings`). - -`labels` - (Optional) Add Labels for this Static Route, these labels can be used in network policy (`String`). - -`nexthop` - (Optional) Nexthop for the route. See [Custom Static Route Nexthop ](#custom-static-route-nexthop) below for details. - -`subnets` - (Required) List of route prefixes. See [Custom Static Route Subnets ](#custom-static-route-subnets) below for details. - - - -### Connection Choice Sli To Global Dr - - Site local inside is connected directly to a given global network. - -`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. - - - -### Connection Choice Slo To Global Dr - - Site local outside is connected directly to a given global network. - -`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. - - - -### Custom Certificate Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Custom Static Route Nexthop - - Nexthop for the route. - -`interface` - (Optional) Nexthop is network interface when type is "Network-Interface". See [ref](#ref) below for details. - -`nexthop_address` - (Optional) Nexthop address when type is "Use-Configured". See [Nexthop Nexthop Address ](#nexthop-nexthop-address) below for details. - -`type` - (Optional) Identifies the type of next-hop (`String`). - - - -### Custom Static Route Subnets - - List of route prefixes. - - - -###### One of the arguments from this list "ipv4, ipv6" must be set - -`ipv4` - (Optional) IPv4 Subnet Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - - -`ipv6` - (Optional) IPv6 Subnet Address. See [Ver Ipv6 ](#ver-ipv6) below for details. - - - - -### Dc Cluster Group Choice No Dc Cluster Group - - This site is not a member of dc cluster group. - - - -### Enable Disable Choice Disable Interception - - Disable Interception. 
- - - -### Enable Disable Choice Enable Interception - - Enable Interception. - - - -### Forward Proxy Choice Active Forward Proxy Policies - - Enable Forward Proxy for this site and manage policies. - -`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. - - - -### Forward Proxy Choice Disable Forward Proxy - - Forward Proxy is disabled for this connector. - - - -### Forward Proxy Choice Enable Forward Proxy - - Forward Proxy is enabled for this connector. - -`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2000 (2 seconds) (`Int`). - -`max_connect_attempts` - (Optional) Specifies the allowed number of retries on connect failure to upstream server. Defaults to 1. (`Int`). - - - - -###### One of the arguments from this list "no_interception, tls_intercept" can be set - -`no_interception` - (Optional) No TLS interception is enabled for this network connector (`Bool`).(Deprecated) - - -`tls_intercept` - (Optional) Specify TLS interception configuration for the network connector. See [Tls Interception Choice Tls Intercept ](#tls-interception-choice-tls-intercept) below for details.(Deprecated) - - -`white_listed_ports` - (Optional) Example "tmate" server port (`Int`). - -`white_listed_prefixes` - (Optional) Example "tmate" server ip (`String`). - - - -### Forward Proxy Choice Forward Proxy Allow All - - Enable Forward Proxy for this site and allow all requests.. - - - -### Forward Proxy Choice No Forward Proxy - - Disable Forward Proxy for this site. - - - -### Global Network Choice Global Network List - - List of global network connections. - -`global_network_connections` - (Required) Global network connections. See [Global Network List Global Network Connections ](#global-network-list-global-network-connections) below for details. - - - -### Global Network Choice No Global Network - - No global network to connect. 
- - - -### Global Network List Global Network Connections - - Global network connections. - - - -###### One of the arguments from this list "sli_to_global_dr, slo_to_global_dr" must be set - -`sli_to_global_dr` - (Optional) Site local inside is connected directly to a given global network. See [Connection Choice Sli To Global Dr ](#connection-choice-sli-to-global-dr) below for details. - - -`slo_to_global_dr` - (Optional) Site local outside is connected directly to a given global network. See [Connection Choice Slo To Global Dr ](#connection-choice-slo-to-global-dr) below for details. - - - - - -###### One of the arguments from this list "disable_forward_proxy, enable_forward_proxy" can be set - -`disable_forward_proxy` - (Optional) Forward Proxy is disabled for this connector (`Bool`).(Deprecated) - - -`enable_forward_proxy` - (Optional) Forward Proxy is enabled for this connector. See [Forward Proxy Choice Enable Forward Proxy ](#forward-proxy-choice-enable-forward-proxy) below for details.(Deprecated) - - - - -### Ingress Egress Gw Inside Network - - Network for the inside interface of the node. - - - -###### One of the arguments from this list "new_network_autogenerate, new_network, existing_network" must be set - -`existing_network` - (Optional) Name of existing VPC network.. See [Choice Existing Network ](#choice-existing-network) below for details. - - -`new_network` - (Optional) Create new VPC network with specified name.. See [Choice New Network ](#choice-new-network) below for details. - - -`new_network_autogenerate` - (Optional) Create new VPC network with autogenerated name.. See [Choice New Network Autogenerate ](#choice-new-network-autogenerate) below for details. - - - - -### Ingress Egress Gw Inside Subnet - - Subnet for the inside interface of the node.. - - - -###### One of the arguments from this list "new_subnet, existing_subnet" must be set - -`existing_subnet` - (Optional) Name of existing VPC subnet.. 
See [Choice Existing Subnet ](#choice-existing-subnet) below for details. - - -`new_subnet` - (Optional) Parameters for creating a new VPC Subnet. See [Choice New Subnet ](#choice-new-subnet) below for details. - - - - -### Ingress Egress Gw Outside Network - - Network for the outside interface of the node. - - - -###### One of the arguments from this list "new_network_autogenerate, new_network, existing_network" must be set - -`existing_network` - (Optional) Name of existing VPC network.. See [Choice Existing Network ](#choice-existing-network) below for details. - - -`new_network` - (Optional) Create new VPC network with specified name.. See [Choice New Network ](#choice-new-network) below for details. - - -`new_network_autogenerate` - (Optional) Create new VPC network with autogenerated name.. See [Choice New Network Autogenerate ](#choice-new-network-autogenerate) below for details. - - - - -### Ingress Egress Gw Outside Subnet - - Subnet for the outside interface of the node.. - - - -###### One of the arguments from this list "new_subnet, existing_subnet" must be set - -`existing_subnet` - (Optional) Name of existing VPC subnet.. See [Choice Existing Subnet ](#choice-existing-subnet) below for details. - - -`new_subnet` - (Optional) Parameters for creating a new VPC Subnet. See [Choice New Subnet ](#choice-new-subnet) below for details. - - - - -### Ingress Egress Gw Performance Enhancement Mode - - Performance Enhancement Mode to optimize for L3 or L7 networking. - - - -###### One of the arguments from this list "perf_mode_l7_enhanced, perf_mode_l3_enhanced" must be set - -`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - - -`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). - - - - -### Ingress Gw Local Network - - Network for the local interface of the node. 
- - - -###### One of the arguments from this list "existing_network, new_network_autogenerate, new_network" must be set - -`existing_network` - (Optional) Name of existing VPC network.. See [Choice Existing Network ](#choice-existing-network) below for details. - - -`new_network` - (Optional) Create new VPC network with specified name.. See [Choice New Network ](#choice-new-network) below for details. - - -`new_network_autogenerate` - (Optional) Create new VPC network with autogenerated name.. See [Choice New Network Autogenerate ](#choice-new-network-autogenerate) below for details. - - - - -### Ingress Gw Local Subnet - - Subnet for the local interface of the node.. - - - -###### One of the arguments from this list "new_subnet, existing_subnet" must be set - -`existing_subnet` - (Optional) Name of existing VPC subnet.. See [Choice Existing Subnet ](#choice-existing-subnet) below for details. - - -`new_subnet` - (Optional) Parameters for creating a new VPC Subnet. See [Choice New Subnet ](#choice-new-subnet) below for details. - - - - -### Ingress Gw Performance Enhancement Mode - - Performance Enhancement Mode to optimize for L3 or L7 networking. - - - -###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set - -`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - - -`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). - - - - -### Inside Static Route Choice Inside Static Routes - - Manage static routes for inside network.. - -`static_route_list` - (Required) List of Static routes. See [Inside Static Routes Static Route List ](#inside-static-routes-static-route-list) below for details. - - - -### Inside Static Route Choice No Inside Static Routes - - Static Routes disabled for inside network.. 
- - - -### Inside Static Routes Static Route List - - List of Static routes. - - - -###### One of the arguments from this list "simple_static_route, custom_static_route" must be set - -`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. - - -`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). - - - - -### Interception Policy Choice Enable For All Domains - - Enable interception for all domains. - - - -### Interception Policy Choice Policy - - Policy to enable/disable specific domains, with implicit enable all domains. - -`interception_rules` - (Required) List of ordered rules to enable or disable for TLS interception. See [Policy Interception Rules ](#policy-interception-rules) below for details. - - - -### Interception Rules Domain Match - - Domain value or regular expression to match. - - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set - -`exact_value` - (Optional) Exact domain name. (`String`). - - -`regex_value` - (Optional) Regular Expression value for the domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - - - -### K8s Cluster Choice No K8s Cluster - - Site Local K8s API access is disabled. - - - -### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain - - x-displayName: "Disable Node by Node Upgrade". - - - -### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain - - x-displayName: "Enable Node by Node Upgrade". - - - -###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set - -`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). 
- - -`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) - - -`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). - - - -###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set - -`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) - - -`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) - - - - -### Network Options Inside - - CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site. - - - -### Network Options Outside - - CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site. - - - -### Network Policy Choice Active Enhanced Firewall Policies - - with an additional option for service insertion.. - -`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. - - - -### Network Policy Choice Active Network Policies - - Firewall Policies active for this site.. - -`network_policies` - (Required) Ordered List of Firewall Policies active for this network firewall. See [ref](#ref) below for details. - - - -### Network Policy Choice No Network Policy - - Firewall Policy is disabled for this site.. - - - -### Nexthop Nexthop Address - - Nexthop address when type is "Use-Configured". - - - - -###### One of the arguments from this list "ipv4, ipv6" can be set - -`ipv4` - (Optional) IPv4 Address. See [Ver Ipv4 ](#ver-ipv4) below for details. - - -`ipv6` - (Optional) IPv6 Address. See [Ver Ipv6 ](#ver-ipv6) below for details. 
- - - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. - -`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). - - - -### Ocsp Stapling Choice Disable Ocsp Stapling - - This is the default behavior if no choice is selected.. - - - -### Ocsp Stapling Choice Use System Defaults - - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. - - - -### Offline Survivability Mode Choice Enable Offline Survivability Mode - - x-displayName: "Enabled". - - - -### Offline Survivability Mode Choice No Offline Survivability Mode - - x-displayName: "Disabled". - - - -### Operating System Version Choice Default Os Version - - Will assign latest available OS version. - - - -### Outside Static Route Choice No Outside Static Routes - - Static Routes disabled for outside network.. - - - -### Outside Static Route Choice Outside Static Routes - - Manage static routes for outside network.. - -`static_route_list` - (Required) List of Static routes. See [Outside Static Routes Static Route List ](#outside-static-routes-static-route-list) below for details. - - - -### Outside Static Routes Static Route List - - List of Static routes. - - - -###### One of the arguments from this list "simple_static_route, custom_static_route" must be set - -`custom_static_route` - (Optional) Use Custom static route to configure all advanced options. See [Config Mode Choice Custom Static Route ](#config-mode-choice-custom-static-route) below for details. - - -`simple_static_route` - (Optional) Use simple static route for prefix pointing to single interface in the network (`String`). - - - - -### Perf Mode Choice Jumbo - - x-displayName: "Enabled". 
- - - -### Perf Mode Choice No Jumbo - - x-displayName: "Disabled". - - - -### Perf Mode Choice Perf Mode L3 Enhanced - - Site optimized for L3 traffic processing. - - - -###### One of the arguments from this list "no_jumbo, jumbo" must be set - -`jumbo` - (Optional) x-displayName: "Enabled" (`Bool`). - - -`no_jumbo` - (Optional) x-displayName: "Disabled" (`Bool`). - - - - -### Perf Mode Choice Perf Mode L7 Enhanced - - Site optimized for L7 traffic processing. - - - -### Policy Interception Rules - - List of ordered rules to enable or disable for TLS interception. - -`domain_match` - (Required) Domain value or regular expression to match. See [Interception Rules Domain Match ](#interception-rules-domain-match) below for details. - - - -###### One of the arguments from this list "disable_interception, enable_interception" must be set - -`disable_interception` - (Optional) Disable Interception (`Bool`). - - -`enable_interception` - (Optional) Enable Interception (`Bool`). - - - - -### Private Connectivity Choice Private Connectivity - - Enable Private Connectivity to Site. - -`cloud_link` - (Required) Reference to Cloud Link. See [ref](#ref) below for details. - - - - -###### One of the arguments from this list "outside, inside" can be set - -`inside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Inside Network of this Site (`Bool`). - - -`outside` - (Optional) CloudLink will be associated, and routes will be propagated with the Site Local Outside Network of this Site (`Bool`). - - - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). 
- -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Ref - - -Reference to another volterra object is shown like below - -name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - -namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). - -tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). - - - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. - -`provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - -`url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). - - - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. - -`key` - (Optional) If not provided entire secret will be returned. (`String`). - -`location` - (Required) Path to secret in Vault. (`String`). - -`provider` - (Required) Name of the Secret Management Access object that contains information about the backend Vault. (`String`). - -`secret_encoding` - (Optional) This field defines the encoding type of the secret BEFORE the secret is put into Hashicorp Vault. (`String`). - -`version` - (Optional) If not provided latest version will be returned. (`Int`). 
- - - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. - -`name` - (Required) Name of the secret. (`String`). - - - -### Signing Cert Choice Custom Certificate - - Certificates for generating intermediate certificate for TLS interception.. - -`certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). - -`description` - (Optional) Description for the certificate (`String`). - - - - -###### One of the arguments from this list "custom_hash_algorithms, use_system_defaults, disable_ocsp_stapling" can be set - -`custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - - -`disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - - -`use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - - -`private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Custom Certificate Private Key ](#custom-certificate-private-key) below for details. - - - -### Signing Cert Choice Volterra Certificate - - F5XC certificates for generating intermediate certificate for TLS interception.. 
- - - -### Site Mesh Group Choice Sm Connection Public Ip - - creating ipsec between two sites which are part of the site mesh group. - - - -### Site Mesh Group Choice Sm Connection Pvt Ip - - creating ipsec between two sites which are part of the site mesh group. - - - -### Site Type Ingress Egress Gw - - Two interface site is useful when site is used as ingress/egress gateway to the VPC network.. - - - -###### One of the arguments from this list "dc_cluster_group_inside_vn, no_dc_cluster_group, dc_cluster_group_outside_vn" must be set - -`dc_cluster_group_inside_vn` - (Optional) This site is member of dc cluster group connected via inside network. See [ref](#ref) below for details. - - -`dc_cluster_group_outside_vn` - (Optional) This site is member of dc cluster group connected via outside network. See [ref](#ref) below for details. - - -`no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). - - - - -###### One of the arguments from this list "no_forward_proxy, active_forward_proxy_policies, forward_proxy_allow_all" must be set - -`active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. - - -`forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). - - -`no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). - - -`gcp_certified_hw` - (Required) Name for GCP certified hardware. (`String`). - -`gcp_zone_names` - (Required) List of zones when instances will be created, needs to match with region selected. (`String`). - - - -###### One of the arguments from this list "no_global_network, global_network_list" must be set - -`global_network_list` - (Optional) List of global network connections. 
See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - - -`no_global_network` - (Optional) No global network to connect (`Bool`). - - -`inside_network` - (Optional) Network for the inside interface of the node. See [Ingress Egress Gw Inside Network ](#ingress-egress-gw-inside-network) below for details. - - - -###### One of the arguments from this list "no_inside_static_routes, inside_static_routes" must be set - -`inside_static_routes` - (Optional) Manage static routes for inside network.. See [Inside Static Route Choice Inside Static Routes ](#inside-static-route-choice-inside-static-routes) below for details. - - -`no_inside_static_routes` - (Optional) Static Routes disabled for inside network. (`Bool`). - - -`inside_subnet` - (Optional) Subnet for the inside interface of the node.. See [Ingress Egress Gw Inside Subnet ](#ingress-egress-gw-inside-subnet) below for details. - - - -###### One of the arguments from this list "no_network_policy, active_network_policies, active_enhanced_firewall_policies" must be set - -`active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - - -`active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - - -`no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). - - -`node_number` - (Optional) Number of main nodes to create, either 1 or 3. (`Int`). - -`outside_network` - (Optional) Network for the outside interface of the node. See [Ingress Egress Gw Outside Network ](#ingress-egress-gw-outside-network) below for details. 
- - - -###### One of the arguments from this list "no_outside_static_routes, outside_static_routes" must be set - -`no_outside_static_routes` - (Optional) Static Routes disabled for outside network. (`Bool`). - - -`outside_static_routes` - (Optional) Manage static routes for outside network.. See [Outside Static Route Choice Outside Static Routes ](#outside-static-route-choice-outside-static-routes) below for details. - - -`outside_subnet` - (Optional) Subnet for the outside interface of the node.. See [Ingress Egress Gw Outside Subnet ](#ingress-egress-gw-outside-subnet) below for details. - -`performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Ingress Egress Gw Performance Enhancement Mode ](#ingress-egress-gw-performance-enhancement-mode) below for details. - - - -###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set - -`sm_connection_public_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - - -`sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - - - - -### Site Type Ingress Gw - - One interface site is useful when site is only used as ingress gateway to the VPC network.. - -`gcp_certified_hw` - (Required) Name for GCP certified hardware. (`String`). - -`gcp_zone_names` - (Required) List of zones when instances will be created, needs to match with region selected. (`String`). - -`local_network` - (Optional) Network for the local interface of the node. See [Ingress Gw Local Network ](#ingress-gw-local-network) below for details. - -`local_subnet` - (Optional) Subnet for the local interface of the node.. See [Ingress Gw Local Subnet ](#ingress-gw-local-subnet) below for details. - -`node_number` - (Optional) Number of main nodes to create, either 1 or 3. (`Int`). 
- -`performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Ingress Gw Performance Enhancement Mode ](#ingress-gw-performance-enhancement-mode) below for details. - - - -### Site Type Voltstack Cluster - - App Stack Cluster using single interface, useful for deploying K8s cluster.. - - - -###### One of the arguments from this list "no_dc_cluster_group, dc_cluster_group" must be set - -`dc_cluster_group` - (Optional) This site is member of dc cluster group connected via outside network. See [ref](#ref) below for details. - - -`no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). - - - - -###### One of the arguments from this list "active_forward_proxy_policies, forward_proxy_allow_all, no_forward_proxy" must be set - -`active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. - - -`forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). - - -`no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). - - -`gcp_certified_hw` - (Required) Name for GCP certified hardware. (`String`). +`gcp_certified_hw` - (Required) Name for GCP certified hardware. (`String`). `gcp_zone_names` - (Required) List of zones when instances will be created, needs to match with region selected. (`String`). - - -###### One of the arguments from this list "no_global_network, global_network_list" must be set +###### One of the arguments from this list "global_network_list, no_global_network" must be set `global_network_list` - (Optional) List of global network connections. See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - `no_global_network` - (Optional) No global network to connect (`Bool`). 
- - - -###### One of the arguments from this list "no_k8s_cluster, k8s_cluster" must be set +###### One of the arguments from this list "k8s_cluster, no_k8s_cluster" must be set `k8s_cluster` - (Optional) Site Local K8s API access is enabled, using k8s_cluster object. See [ref](#ref) below for details. - `no_k8s_cluster` - (Optional) Site Local K8s API access is disabled (`Bool`). - - - -###### One of the arguments from this list "active_network_policies, active_enhanced_firewall_policies, no_network_policy" must be set +###### One of the arguments from this list "active_enhanced_firewall_policies, active_network_policies, no_network_policy" must be set `active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - `active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - `no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). - `node_number` - (Optional) Number of main nodes to create, either 1 or 3. (`Int`). - - ###### One of the arguments from this list "no_outside_static_routes, outside_static_routes" must be set `no_outside_static_routes` - (Optional) Static Routes disabled for outside network. (`Bool`). - `outside_static_routes` - (Optional) Manage static routes for outside network.. See [Outside Static Route Choice Outside Static Routes ](#outside-static-route-choice-outside-static-routes) below for details. - `site_local_network` - (Optional) Network for the local interface of the node. See [Voltstack Cluster Site Local Network ](#voltstack-cluster-site-local-network) below for details. `site_local_subnet` - (Optional) Subnet for the local interface of the node.. 
See [Voltstack Cluster Site Local Subnet ](#voltstack-cluster-site-local-subnet) below for details. - - -###### One of the arguments from this list "sm_connection_pvt_ip, sm_connection_public_ip" must be set +###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set `sm_connection_public_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - `sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - - - -###### One of the arguments from this list "storage_class_list, default_storage" must be set +###### One of the arguments from this list "default_storage, storage_class_list" must be set `default_storage` - (Optional) Use standard storage class configured as AWS EBS (`Bool`). - `storage_class_list` - (Optional) Add additional custom storage classes in kubernetes for site. See [Storage Class Choice Storage Class List ](#storage-class-choice-storage-class-list) below for details. +### Storage Class Choice Default Storage +Use standard storage class configured as AWS EBS. +### Storage Class Choice Storage Class List -### Storage Class Choice Default Storage - - Use standard storage class configured as AWS EBS. - - - -### Storage Class Choice Storage Class List - - Add additional custom storage classes in kubernetes for site. +Add additional custom storage classes in kubernetes for site. `storage_classes` - (Optional) List of custom storage classes. See [Storage Class List Storage Classes ](#storage-class-list-storage-classes) below for details. +### Storage Class List Storage Classes - -### Storage Class List Storage Classes - - List of custom storage classes. +List of custom storage classes. `default_storage_class` - (Optional) Make this storage class default storage class for the K8s cluster (`Bool`). `storage_class_name` - (Required) Name of the storage class as it will appear in K8s. (`String`). 
+### Tls Interception Choice No Interception +No TLS interception is enabled for this network connector. -### Tls Interception Choice No Interception - - No TLS interception is enabled for this network connector. - - - -### Tls Interception Choice Tls Intercept - - Specify TLS interception configuration for the network connector. - +### Tls Interception Choice Tls Intercept +Specify TLS interception configuration for the network connector. ###### One of the arguments from this list "enable_for_all_domains, policy" must be set `enable_for_all_domains` - (Optional) Enable interception for all domains (`Bool`). - `policy` - (Optional) Policy to enable/disable specific domains, with implicit enable all domains. See [Interception Policy Choice Policy ](#interception-policy-choice-policy) below for details. - - - ###### One of the arguments from this list "custom_certificate, volterra_certificate" must be set `custom_certificate` - (Optional) Certificates for generating intermediate certificate for TLS interception.. See [Signing Cert Choice Custom Certificate ](#signing-cert-choice-custom-certificate) below for details. - `volterra_certificate` - (Optional) F5XC certificates for generating intermediate certificate for TLS interception. (`Bool`). - - - ###### One of the arguments from this list "trusted_ca_url, volterra_trusted_ca" must be set `trusted_ca_url` - (Optional) Custom Root CA Certificate for validating upstream server certificate (`String`). - `volterra_trusted_ca` - (Optional) F5XC Root CA Certificate for validating upstream server certificate (`Bool`). +### Trusted Ca Choice Volterra Trusted Ca +F5XC Root CA Certificate for validating upstream server certificate. +### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode -### Trusted Ca Choice Volterra Trusted Ca - - F5XC Root CA Certificate for validating upstream server certificate. +Disable Vega Upgrade Mode. 
+### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode +When enabled, vega will inform RE to stop traffic to the specific node.. -### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode +### Ver Ipv4 - Disable Vega Upgrade Mode. - - - -### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode - - When enabled, vega will inform RE to stop traffic to the specific node.. - - - -### Ver Ipv4 - - IPv4 Address. +IPv4 Address. `addr` - (Optional) IPv4 Address in string form with dot-decimal notation (`String`). +### Ver Ipv4 - -### Ver Ipv4 - - IPv4 Subnet Address. +IPv4 Subnet Address. `plen` - (Optional) Prefix-length of the IPv4 subnet. Must be <= 32 (`Int`). `prefix` - (Optional) Prefix part of the IPv4 subnet in string form with dot-decimal notation (`String`). +### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Address. +IPv6 Address. `addr` - (Optional) e.g. '2001:db8:0:0:0:0:2:1' becomes '2001:db8::2:1' or '2001:db8:0:0:0:2:0:0' becomes '2001:db8::2::' (`String`). +### Ver Ipv6 - -### Ver Ipv6 - - IPv6 Subnet Address. +IPv6 Subnet Address. `plen` - (Optional) Prefix length of the IPv6 subnet. Must be <= 128 (`Int`). `prefix` - (Optional) e.g. "2001:db8::2::" (`String`). +### Volterra Sw Version Choice Default Sw Version +Will assign latest available F5XC Software Version. -### Volterra Sw Version Choice Default Sw Version - - Will assign latest available F5XC Software Version. - +### Voltstack Cluster Site Local Network +Network for the local interface of the node. -### Voltstack Cluster Site Local Network - - Network for the local interface of the node. - - - -###### One of the arguments from this list "new_network_autogenerate, new_network, existing_network" must be set +###### One of the arguments from this list "existing_network, new_network, new_network_autogenerate" must be set `existing_network` - (Optional) Name of existing VPC network.. See [Choice Existing Network ](#choice-existing-network) below for details. 
- `new_network` - (Optional) Create new VPC network with specified name.. See [Choice New Network ](#choice-new-network) below for details. - `new_network_autogenerate` - (Optional) Create new VPC network with autogenerated name.. See [Choice New Network Autogenerate ](#choice-new-network-autogenerate) below for details. +### Voltstack Cluster Site Local Subnet +Subnet for the local interface of the node.. - -### Voltstack Cluster Site Local Subnet - - Subnet for the local interface of the node.. - - - -###### One of the arguments from this list "new_subnet, existing_subnet" must be set +###### One of the arguments from this list "existing_subnet, new_subnet" must be set `existing_subnet` - (Optional) Name of existing VPC subnet.. See [Choice Existing Subnet ](#choice-existing-subnet) below for details. - `new_subnet` - (Optional) Parameters for creating a new VPC Subnet. See [Choice New Subnet ](#choice-new-subnet) below for details. +Attribute Reference +------------------- - - -## Attribute Reference - -* `id` - This is the id of the configured gcp_vpc_site. - +- `id` - This is the id of the configured gcp_vpc_site. diff --git a/docs/resources/volterra_global_log_receiver.md b/docs/resources/volterra_global_log_receiver.md index 6e914a674..3e9e7a28a 100644 --- a/docs/resources/volterra_global_log_receiver.md +++ b/docs/resources/volterra_global_log_receiver.md 
@@ -1,1636 +1,609 @@ +--- +page_title: "Volterra: global_log_receiver" +description: "The global_log_receiver allows CRUD of Global Log Receiver resource on Volterra SaaS" +--- +Resource volterra_global_log_receiver +===================================== +The Global Log Receiver allows CRUD of Global Log Receiver resource on Volterra SaaS +~> **Note:** Please refer to [Global Log Receiver API docs](https://docs.cloud.f5.com/docs-v2/api/global-log-receiver) to learn more +Example Usage +------------- +```hcl +resource "volterra_global_log_receiver" "example" { + name = "acmecorp-web" + namespace = "staging" + // One of the arguments from this list "ns_all ns_current ns_list ns_system" must be set + ns_list { + namespaces = ["default"] + } + // One of the arguments from this list "audit_logs dns_logs request_logs security_events" must be set + dns_logs = true ---- -page_title: "Volterra: global_log_receiver" -description: "The global_log_receiver allows CRUD of Global Log Receiver resource on Volterra SaaS" ---- -# Resource volterra_global_log_receiver - -The Global Log Receiver allows CRUD of Global Log Receiver resource on Volterra SaaS - -~> **Note:** Please refer to [Global Log Receiver API docs](https://docs.cloud.f5.com/docs-v2/api/global-log-receiver) to learn more - -## Example Usage - -```hcl -resource "volterra_global_log_receiver" "example" { - name = "acmecorp-web" - namespace = "staging" - - // One of the arguments from this list "ns_current ns_all ns_list ns_system" must be set - - ns_current = true - - // One of the arguments from this list "audit_logs dns_logs request_logs security_events" must be set - - request_logs = true - - // One of the arguments from this list "http_receiver splunk_receiver elastic_receiver azure_receiver aws_cloud_watch_receiver kafka_receiver sumo_logic_receiver s3_receiver datadog_receiver azure_event_hubs_receiver new_relic_receiver qradar_receiver gcp_bucket_receiver" must be set - - qradar_receiver { - batch { - // One of 
the arguments from this list "max_bytes_disabled max_bytes" can be set - - max_bytes_disabled = true - - // One of the arguments from this list "max_events_disabled max_events" can be set - - max_events_disabled = true - - // One of the arguments from this list "timeout_seconds_default timeout_seconds" can be set - - timeout_seconds_default = true - } - - compression { - // One of the arguments from this list "compression_none compression_gzip" can be set - - compression_none = true - } - - // One of the arguments from this list "no_tls use_tls" must be set - - no_tls = true - uri = "http://example.com:9000" - } -} - -``` - -## Argument Reference - -### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). - - -`description` - (Optional) Human readable description for the object (`String`). - - -`disable` - (Optional) A value of true will administratively disable the object (`Bool`). - - -`labels` - (Optional) by selector expression (`String`). - - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - -`namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - - -### Spec Argument Reference - - -`ns_all` - (Optional) x-displayName: "Select logs from all namespaces" (`Bool`). - - -`ns_current` - (Optional) x-displayName: "Select logs from current namespace" (`Bool`). - - -`ns_list` - (Optional) x-displayName: "Select logs in specific namespaces". See [Filter Choice Ns List ](#filter-choice-ns-list) below for details. - - - - - -`ns_system` - (Optional) x-displayName: "Select logs from System namespace" (`Bool`).(Deprecated) - - - - - -`audit_logs` - (Optional) Send Audit Logs (corresponding to Public Audit and Authentication) (`Bool`). - - -`dns_logs` - (Optional) Send DNS Requests Logs (corresponding to DNS requests received) (`Bool`). 
- - -`request_logs` - (Optional) Send Request Logs (corresponding to Load Balancer access logs) (`Bool`). - - -`security_events` - (Optional) Send Security Events (corresponding to e.g. WAF blocked events or malicious requests) (`Bool`). - - - - - -`aws_cloud_watch_receiver` - (Optional) Send logs to AWS Cloudwatch. See [Receiver Aws Cloud Watch Receiver ](#receiver-aws-cloud-watch-receiver) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`azure_event_hubs_receiver` - (Optional) Send logs to Azure Event Hubs. See [Receiver Azure Event Hubs Receiver ](#receiver-azure-event-hubs-receiver) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`azure_receiver` - (Optional) Send logs to Azure Blob Storage. See [Receiver Azure Receiver ](#receiver-azure-receiver) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`datadog_receiver` - (Optional) Send logs to a Datadog service. See [Receiver Datadog Receiver ](#receiver-datadog-receiver) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`elastic_receiver` - (Optional) Send logs to an Elasticsearch endpoint. See [Receiver Elastic Receiver ](#receiver-elastic-receiver) below for details.(Deprecated) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`gcp_bucket_receiver` - (Optional) Send logs to a GCP Bucket. See [Receiver Gcp Bucket Receiver ](#receiver-gcp-bucket-receiver) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`http_receiver` - (Optional) Send logs to a generic HTTP(s) server. See [Receiver Http Receiver ](#receiver-http-receiver) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`kafka_receiver` - (Optional) Send logs to a Kafka cluster. See [Receiver Kafka Receiver ](#receiver-kafka-receiver) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`new_relic_receiver` - (Optional) Send logs to NewRelic. See [Receiver New Relic Receiver ](#receiver-new-relic-receiver) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`qradar_receiver` - (Optional) Send logs to IBM QRadar. See [Receiver Qradar Receiver ](#receiver-qradar-receiver) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`s3_receiver` - (Optional) Send logs to an AWS S3 bucket. See [Receiver S3 Receiver ](#receiver-s3-receiver) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`splunk_receiver` - (Optional) Send logs to a Splunk HEC Logs service. See [Receiver Splunk Receiver ](#receiver-splunk-receiver) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`sumo_logic_receiver` - (Optional) Send logs to SumoLogic. See [Receiver Sumo Logic Receiver ](#receiver-sumo-logic-receiver) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Api Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
- -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Auth Basic Password - - HTTP Basic Auth Password. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Auth Choice Auth Basic - - Basic Authentication specify that HTTP Basic Authentication should be used when connecting to the Elasticsearch endpoint. 
- -`password` - (Optional) HTTP Basic Auth Password. See [Auth Basic Password ](#auth-basic-password) below for details. - -`user_name` - (Optional) HTTP Basic Auth User Name (`String`). - - - -### Auth Choice Auth None - - No Authentication for the Elasticsearch endpoint. - - - -### Auth Choice Auth Token - - Configure an Access Token for authentication to the HTTP(s) server (such as a Bearer Token). - -`token` - (Optional) F5XC Secret. URL for token, needs to be fetched from this path. See [Auth Token Token ](#auth-token-token) below for details. - - - -### Auth Token Token - - F5XC Secret. URL for token, needs to be fetched from this path. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Token Blindfold Secret Info Internal ](#token-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "clear_secret_info, wingman_secret_info, blindfold_secret_info, vault_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Aws Cloud Watch Receiver Batch - - Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. - - - - -###### One of the arguments from this list "max_bytes_disabled, max_bytes" can be set - -`max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). - - -`max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). - - - - - -###### One of the arguments from this list "max_events_disabled, max_events" can be set - -`max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). - - -`max_events_disabled` - (Optional) Max Events Disabled (`Bool`). - - - - - -###### One of the arguments from this list "timeout_seconds_default, timeout_seconds" can be set - -`timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). - - -`timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). - - - - -### Aws Cloud Watch Receiver Compression - - Compression Options allows selection of how data should be compressed when sent to the endpoint. - - - - -###### One of the arguments from this list "compression_gzip, compression_none" can be set - -`compression_gzip` - (Optional) Gzip Compression (`Bool`). - - -`compression_none` - (Optional) No Compression (`Bool`). - - - - -### Azure Event Hubs Receiver Connection String - - Azure Event Hubs Connection String.. + // One of the arguments from this list "aws_cloud_watch_receiver azure_event_hubs_receiver azure_receiver datadog_receiver elastic_receiver gcp_bucket_receiver http_receiver kafka_receiver new_relic_receiver qradar_receiver s3_receiver splunk_receiver sumo_logic_receiver" must be set -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
See [Connection String Blindfold Secret Info Internal ](#connection-string-blindfold-secret-info-internal) below for details.(Deprecated) + datadog_receiver { + batch { + // One of the arguments from this list "max_bytes max_bytes_disabled" can be set -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) + max_bytes_disabled = true + // One of the arguments from this list "max_events max_events_disabled" can be set + max_events_disabled = true -###### One of the arguments from this list "clear_secret_info, wingman_secret_info, blindfold_secret_info, vault_secret_info" must be set + // One of the arguments from this list "timeout_seconds timeout_seconds_default" can be set -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. + timeout_seconds_default = true + } + compression { + // One of the arguments from this list "compression_gzip compression_none" can be set -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. + compression_none = true + } + datadog_api_key { -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) + secret_encoding_type = "secret_encoding_type" + // One of the arguments from this list "blindfold_secret_info clear_secret_info vault_secret_info wingman_secret_info" must be set -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) + wingman_secret_info { + name = "ChargeBack-API-Key" + } + } + // One of the arguments from this list "endpoint site" must be set + site = "datadoghq.com" + // One of the arguments from this list "no_tls use_tls" must be set -### Azure Receiver Batch + no_tls = true + } +} - Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. +``` +Argument Reference +------------------ +### Metadata Argument Reference +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). -###### One of the arguments from this list "max_bytes_disabled, max_bytes" can be set +`description` - (Optional) Human readable description for the object (`String`). -`max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). +`disable` - (Optional) A value of true will administratively disable the object (`Bool`). +`labels` - (Optional) by selector expression (`String`). -`max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +`namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). +### Spec Argument Reference +###### One of the arguments from this list "ns_all, ns_current, ns_list, ns_system" must be set +`ns_all` - (Optional) x-displayName: "Select logs from all namespaces" (`Bool`). -###### One of the arguments from this list "max_events_disabled, max_events" can be set +`ns_current` - (Optional) x-displayName: "Select logs from current namespace" (`Bool`). -`max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). +`ns_list` - (Optional) x-displayName: "Select logs in specific namespaces". 
See [Filter Choice Ns List ](#filter-choice-ns-list) below for details. +`ns_system` - (Optional) x-displayName: "Select logs from System namespace" (`Bool`).(Deprecated) -`max_events_disabled` - (Optional) Max Events Disabled (`Bool`). +###### One of the arguments from this list "audit_logs, dns_logs, request_logs, security_events" must be set +`audit_logs` - (Optional) Send Audit Logs (corresponding to Public Audit and Authentication) (`Bool`). +`dns_logs` - (Optional) Send DNS Requests Logs (corresponding to DNS requests received) (`Bool`). +`request_logs` - (Optional) Send Request Logs (corresponding to Load Balancer access logs) (`Bool`). +`security_events` - (Optional) Send Security Events (corresponding to e.g. WAF blocked events or malicious requests) (`Bool`). -###### One of the arguments from this list "timeout_seconds_default, timeout_seconds" can be set +###### One of the arguments from this list "aws_cloud_watch_receiver, azure_event_hubs_receiver, azure_receiver, datadog_receiver, elastic_receiver, gcp_bucket_receiver, http_receiver, kafka_receiver, new_relic_receiver, qradar_receiver, s3_receiver, splunk_receiver, sumo_logic_receiver" must be set -`timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). +`aws_cloud_watch_receiver` - (Optional) Send logs to AWS Cloudwatch. See [Receiver Aws Cloud Watch Receiver ](#receiver-aws-cloud-watch-receiver) below for details. +`azure_event_hubs_receiver` - (Optional) Send logs to Azure Event Hubs. See [Receiver Azure Event Hubs Receiver ](#receiver-azure-event-hubs-receiver) below for details. -`timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). +`azure_receiver` - (Optional) Send logs to Azure Blob Storage. See [Receiver Azure Receiver ](#receiver-azure-receiver) below for details. +`datadog_receiver` - (Optional) Send logs to a Datadog service. See [Receiver Datadog Receiver ](#receiver-datadog-receiver) below for details. 
+`elastic_receiver` - (Optional) Send logs to an Elasticsearch endpoint. See [Receiver Elastic Receiver ](#receiver-elastic-receiver) below for details.(Deprecated) +`gcp_bucket_receiver` - (Optional) Send logs to a GCP Bucket. See [Receiver Gcp Bucket Receiver ](#receiver-gcp-bucket-receiver) below for details. -### Azure Receiver Compression +`http_receiver` - (Optional) Send logs to a generic HTTP(s) server. See [Receiver Http Receiver ](#receiver-http-receiver) below for details. - Compression Options allows selection of how data should be compressed when sent to the endpoint. +`kafka_receiver` - (Optional) Send logs to a Kafka cluster. See [Receiver Kafka Receiver ](#receiver-kafka-receiver) below for details. +`new_relic_receiver` - (Optional) Send logs to NewRelic. See [Receiver New Relic Receiver ](#receiver-new-relic-receiver) below for details. +`qradar_receiver` - (Optional) Send logs to IBM QRadar. See [Receiver Qradar Receiver ](#receiver-qradar-receiver) below for details. +`s3_receiver` - (Optional) Send logs to an AWS S3 bucket. See [Receiver S3 Receiver ](#receiver-s3-receiver) below for details. -###### One of the arguments from this list "compression_none, compression_gzip" can be set +`splunk_receiver` - (Optional) Send logs to a Splunk HEC Logs service. See [Receiver Splunk Receiver ](#receiver-splunk-receiver) below for details. -`compression_gzip` - (Optional) Gzip Compression (`Bool`). +`sumo_logic_receiver` - (Optional) Send logs to SumoLogic. See [Receiver Sumo Logic Receiver ](#receiver-sumo-logic-receiver) below for details. +### Api Key Blindfold Secret Info Internal -`compression_none` - (Optional) No Compression (`Bool`). +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
+`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). -### Azure Receiver Connection String +### Auth Basic Password - Azure Blob Storate Connection String. Note that this field must contain: `AccountKey`, `AccountName` and should contain `DefaultEndpointsProtocol`. +HTTP Basic Auth Password. -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Connection String Blindfold Secret Info Internal ](#connection-string-blindfold-secret-info-internal) below for details.(Deprecated) +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Auth Choice Auth Basic +Basic Authentication specify that HTTP Basic Authentication should be used when connecting to the Elasticsearch endpoint. +`password` - (Optional) HTTP Basic Auth Password. See [Auth Basic Password ](#auth-basic-password) below for details. -### Batch Bytes Max Bytes Disabled - - Batch Bytes Disabled. +`user_name` - (Optional) HTTP Basic Auth User Name (`String`). +### Auth Choice Auth None +No Authentication for the Elasticsearch endpoint. -### Batch Events Max Events Disabled +### Auth Choice Auth Token - Max Events Disabled. +Configure an Access Token for authentication to the HTTP(s) server (such as a Bearer Token). +`token` - (Optional) F5XC Secret. URL for token, needs to be fetched from this path. See [Auth Token Token ](#auth-token-token) below for details. +### Auth Token Token -### Batch Timeout Timeout Seconds Default +F5XC Secret. URL for token, needs to be fetched from this path. - Use Default Timeout (300 seconds). +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Token Blindfold Secret Info Internal ](#token-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set -### Ca Choice No Ca +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. 
See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - Do not use a CA Certificate. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) -### Compression Choice Compression Gzip +### Aws Cloud Watch Receiver Batch - Gzip Compression. +Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. +###### One of the arguments from this list "max_bytes, max_bytes_disabled" can be set +`max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). -### Compression Choice Compression None +`max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). - No Compression. +###### One of the arguments from this list "max_events, max_events_disabled" can be set +`max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). +`max_events_disabled` - (Optional) Max Events Disabled (`Bool`). -### Connection String Blindfold Secret Info Internal +###### One of the arguments from this list "timeout_seconds, timeout_seconds_default" can be set - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). 
-`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +### Aws Cloud Watch Receiver Compression -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +Compression Options allows selection of how data should be compressed when sent to the endpoint. +###### One of the arguments from this list "compression_gzip, compression_none" can be set +`compression_gzip` - (Optional) Gzip Compression (`Bool`). -### Datadog Api Key Blindfold Secret Info Internal +`compression_none` - (Optional) No Compression (`Bool`). - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +### Azure Event Hubs Receiver Connection String -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +Azure Event Hubs Connection String.. -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Connection String Blindfold Secret Info Internal ](#connection-string-blindfold-secret-info-internal) below for details.(Deprecated) -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. -### Datadog Receiver Batch +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Azure Receiver Batch +Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. -###### One of the arguments from this list "max_bytes_disabled, max_bytes" can be set +###### One of the arguments from this list "max_bytes, max_bytes_disabled" can be set `max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). - `max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). - - - - -###### One of the arguments from this list "max_events_disabled, max_events" can be set +###### One of the arguments from this list "max_events, max_events_disabled" can be set `max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). - `max_events_disabled` - (Optional) Max Events Disabled (`Bool`). 
- - - - -###### One of the arguments from this list "timeout_seconds_default, timeout_seconds" can be set +###### One of the arguments from this list "timeout_seconds, timeout_seconds_default" can be set `timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). - `timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). +### Azure Receiver Compression +Compression Options allows selection of how data should be compressed when sent to the endpoint. - -### Datadog Receiver Compression - - Compression Options allows selection of how data should be compressed when sent to the endpoint. - - - - -###### One of the arguments from this list "compression_none, compression_gzip" can be set +###### One of the arguments from this list "compression_gzip, compression_none" can be set `compression_gzip` - (Optional) Gzip Compression (`Bool`). - `compression_none` - (Optional) No Compression (`Bool`). +### Azure Receiver Connection String +Azure Blob Storate Connection String. Note that this field must contain: `AccountKey`, `AccountName` and should contain `DefaultEndpointsProtocol`. - -### Datadog Receiver Datadog Api Key - - Secret API key to access the datadog server. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Datadog Api Key Blindfold Secret Info Internal ](#datadog-api-key-blindfold-secret-info-internal) below for details.(Deprecated) +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Connection String Blindfold Secret Info Internal ](#connection-string-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Batch Bytes Max Bytes Disabled +Batch Bytes Disabled. +### Batch Events Max Events Disabled -### Elastic Receiver Batch - - Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. +Max Events Disabled. +### Batch Timeout Timeout Seconds Default +Use Default Timeout (300 seconds). +### Ca Choice No Ca -###### One of the arguments from this list "max_bytes_disabled, max_bytes" can be set +Do not use a CA Certificate. -`max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). +### Compression Choice Compression Gzip +Gzip Compression. -`max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). +### Compression Choice Compression None +No Compression. 
+### Connection String Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). -###### One of the arguments from this list "max_events_disabled, max_events" can be set +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). -`max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Datadog Api Key Blindfold Secret Info Internal -`max_events_disabled` - (Optional) Max Events Disabled (`Bool`). +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Datadog Receiver Batch -###### One of the arguments from this list "timeout_seconds_default, timeout_seconds" can be set +Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. -`timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). +###### One of the arguments from this list "max_bytes, max_bytes_disabled" can be set +`max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). -`timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). +`max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). 
+###### One of the arguments from this list "max_events, max_events_disabled" can be set +`max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). +`max_events_disabled` - (Optional) Max Events Disabled (`Bool`). -### Elastic Receiver Compression +###### One of the arguments from this list "timeout_seconds, timeout_seconds_default" can be set - Compression Options allows selection of how data should be compressed when sent to the endpoint. +`timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). +`timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). +### Datadog Receiver Compression +Compression Options allows selection of how data should be compressed when sent to the endpoint. -###### One of the arguments from this list "compression_none, compression_gzip" can be set +###### One of the arguments from this list "compression_gzip, compression_none" can be set `compression_gzip` - (Optional) Gzip Compression (`Bool`). - `compression_none` - (Optional) No Compression (`Bool`). +### Datadog Receiver Datadog Api Key +Secret API key to access the datadog server. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Datadog Api Key Blindfold Secret Info Internal ](#datadog-api-key-blindfold-secret-info-internal) below for details.(Deprecated) -### Endpoint Choice Eu - - EU Endpoint. - - - -### Endpoint Choice Us - - US Endpoint. - - - -### Filter Choice Ns List - - x-displayName: "Select logs in specific namespaces". - -`namespaces` - (Required) List of namespaces to stream logs for (`String`). +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. -### Gcp Bucket Receiver Batch +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Elastic Receiver Batch +Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. ###### One of the arguments from this list "max_bytes, max_bytes_disabled" can be set `max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). - `max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). - - - - -###### One of the arguments from this list "max_events_disabled, max_events" can be set +###### One of the arguments from this list "max_events, max_events_disabled" can be set `max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). - `max_events_disabled` - (Optional) Max Events Disabled (`Bool`). 
- - - - -###### One of the arguments from this list "timeout_seconds_default, timeout_seconds" can be set +###### One of the arguments from this list "timeout_seconds, timeout_seconds_default" can be set `timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). - `timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). +### Elastic Receiver Compression +Compression Options allows selection of how data should be compressed when sent to the endpoint. - -### Gcp Bucket Receiver Compression - - Compression Options allows selection of how data should be compressed when sent to the endpoint. - - - - -###### One of the arguments from this list "compression_none, compression_gzip" can be set +###### One of the arguments from this list "compression_gzip, compression_none" can be set `compression_gzip` - (Optional) Gzip Compression (`Bool`). - `compression_none` - (Optional) No Compression (`Bool`). +### Endpoint Choice Eu + +EU Endpoint. +### Endpoint Choice Us +US Endpoint. -### Http Receiver Batch +### Filter Choice Ns List - Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. +x-displayName: "Select logs in specific namespaces". +`namespaces` - (Required) List of namespaces to stream logs for (`String`). +### Gcp Bucket Receiver Batch +Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. -###### One of the arguments from this list "max_bytes_disabled, max_bytes" can be set +###### One of the arguments from this list "max_bytes, max_bytes_disabled" can be set `max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). - `max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). 
- - - - ###### One of the arguments from this list "max_events, max_events_disabled" can be set `max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). - `max_events_disabled` - (Optional) Max Events Disabled (`Bool`). - - - - -###### One of the arguments from this list "timeout_seconds_default, timeout_seconds" can be set +###### One of the arguments from this list "timeout_seconds, timeout_seconds_default" can be set `timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). - `timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). +### Gcp Bucket Receiver Compression +Compression Options allows selection of how data should be compressed when sent to the endpoint. - -### Http Receiver Compression - - Compression Options allows selection of how data should be compressed when sent to the endpoint. - - - - -###### One of the arguments from this list "compression_none, compression_gzip" can be set +###### One of the arguments from this list "compression_gzip, compression_none" can be set `compression_gzip` - (Optional) Gzip Compression (`Bool`). - `compression_none` - (Optional) No Compression (`Bool`). +### Http Receiver Batch +Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. - -### Kafka Receiver Batch - - Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. - - - - -###### One of the arguments from this list "max_bytes_disabled, max_bytes" can be set +###### One of the arguments from this list "max_bytes, max_bytes_disabled" can be set `max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). - `max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). 
- - - - -###### One of the arguments from this list "max_events_disabled, max_events" can be set +###### One of the arguments from this list "max_events, max_events_disabled" can be set `max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). +`max_events_disabled` - (Optional) Max Events Disabled (`Bool`). -`max_events_disabled` - (Optional) Max Events Disabled (`Bool`). - - - - - -###### One of the arguments from this list "timeout_seconds_default, timeout_seconds" can be set +###### One of the arguments from this list "timeout_seconds, timeout_seconds_default" can be set `timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). - `timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). +### Http Receiver Compression +Compression Options allows selection of how data should be compressed when sent to the endpoint. +###### One of the arguments from this list "compression_gzip, compression_none" can be set -### Kafka Receiver Compression +`compression_gzip` - (Optional) Gzip Compression (`Bool`). - Compression Options allows selection of how data should be compressed when sent to the endpoint. +`compression_none` - (Optional) No Compression (`Bool`). +### Kafka Receiver Batch +Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. +###### One of the arguments from this list "max_bytes, max_bytes_disabled" can be set -###### One of the arguments from this list "compression_none, compression_gzip" can be set +`max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). -`compression_gzip` - (Optional) Gzip Compression (`Bool`). +`max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). +###### One of the arguments from this list "max_events, max_events_disabled" can be set -`compression_none` - (Optional) No Compression (`Bool`). 
+`max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). +`max_events_disabled` - (Optional) Max Events Disabled (`Bool`). +###### One of the arguments from this list "timeout_seconds, timeout_seconds_default" can be set +`timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). -### Key Url Blindfold Secret Info Internal +`timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +### Kafka Receiver Compression -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +Compression Options allows selection of how data should be compressed when sent to the endpoint. -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +###### One of the arguments from this list "compression_gzip, compression_none" can be set -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +`compression_gzip` - (Optional) Gzip Compression (`Bool`). +`compression_none` - (Optional) No Compression (`Bool`). +### Key Url Blindfold Secret Info Internal -### Mtls Choice Mtls Disabled +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - mTLS is disabled. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). -### Mtls Choice Mtls Enable +### Mtls Choice Mtls Disabled - Enable mTLS configuration. +mTLS is disabled. 
-`certificate` - (Optional) Client certificate is PEM-encoded certificate or certificate-chain. (`String`). +### Mtls Choice Mtls Enable -`key_url` - (Optional) The data may be optionally secured using BlindFold.. See [Mtls Enable Key Url ](#mtls-enable-key-url) below for details. +Enable mTLS configuration. +`certificate` - (Optional) Client certificate is PEM-encoded certificate or certificate-chain. (`String`). +`key_url` - (Optional) The data may be optionally secured using BlindFold.. See [Mtls Enable Key Url ](#mtls-enable-key-url) below for details. -### Mtls Enable Key Url +### Mtls Enable Key Url - The data may be optionally secured using BlindFold.. +The data may be optionally secured using BlindFold.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Key Url Blindfold Secret Info Internal ](#key-url-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### New Relic Receiver Api Key - - -### New Relic Receiver Api Key - - A New Relic License Key. +A New Relic License Key. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Api Key Blindfold Secret Info Internal ](#api-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "vault_secret_info, clear_secret_info, wingman_secret_info, blindfold_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Password Blindfold Secret Info Internal - - -### Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
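Review bot: In the added `### Azure Receiver Connection String` section the field is documented as carrying `AccountKey`, yet the oneof list under it offers `clear_secret_info` ("secrets that are not encrypted") on equal footing with `blindfold_secret_info` and says nothing about which one to use for a storage account key. Suggest the description name the recommended choice for key material, and that the "must be set" sentence list the two choices already marked (Deprecated), `vault_secret_info` and `wingman_secret_info`, after the supported ones or drop them. The same wording is repeated in the `Datadog Receiver Datadog Api Key`, `Mtls Enable Key Url` and `New Relic Receiver Api Key` sections of this hunk. Separately, `### Filter Choice Ns List` renders the raw schema annotation `x-displayName: "Select logs in specific namespaces".` as its description; that should be replaced with a real sentence.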
@@ -1638,67 +611,41 @@ resource "volterra_global_log_receiver" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Qradar Receiver Batch +Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. -### Qradar Receiver Batch - - Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. - - - - -###### One of the arguments from this list "max_bytes_disabled, max_bytes" can be set +###### One of the arguments from this list "max_bytes, max_bytes_disabled" can be set `max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). - `max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). - - - - -###### One of the arguments from this list "max_events_disabled, max_events" can be set +###### One of the arguments from this list "max_events, max_events_disabled" can be set `max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). - `max_events_disabled` - (Optional) Max Events Disabled (`Bool`). - - - - -###### One of the arguments from this list "timeout_seconds_default, timeout_seconds" can be set +###### One of the arguments from this list "timeout_seconds, timeout_seconds_default" can be set `timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). - `timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). +### Qradar Receiver Compression +Compression Options allows selection of how data should be compressed when sent to the endpoint. - -### Qradar Receiver Compression - - Compression Options allows selection of how data should be compressed when sent to the endpoint. 
- - - - -###### One of the arguments from this list "compression_none, compression_gzip" can be set +###### One of the arguments from this list "compression_gzip, compression_none" can be set `compression_gzip` - (Optional) Gzip Compression (`Bool`). - `compression_none` - (Optional) No Compression (`Bool`). +### Receiver Aws Cloud Watch Receiver - - -### Receiver Aws Cloud Watch Receiver - - Send logs to AWS Cloudwatch. +Send logs to AWS Cloudwatch. `aws_cred` - (Required) Reference to AWS Cloud Credentials for access to the Cloudwatch Logs. See [ref](#ref) below for details. @@ -1712,11 +659,9 @@ resource "volterra_global_log_receiver" "example" { `stream_name` - (Required) Note that there can only be one writer to a log stream at a time (`String`). +### Receiver Azure Event Hubs Receiver - -### Receiver Azure Event Hubs Receiver - - Send logs to Azure Event Hubs. +Send logs to Azure Event Hubs. `connection_string` - (Required) Azure Event Hubs Connection String.. See [Azure Event Hubs Receiver Connection String ](#azure-event-hubs-receiver-connection-string) below for details. 
@@ -1724,25 +669,21 @@ resource "volterra_global_log_receiver" "example" { `namespace` - (Required) Event Hubs Namespace is namespace with instance into which logs should be stored (`String`). +### Receiver Azure Receiver - -### Receiver Azure Receiver - - Send logs to Azure Blob Storage. +Send logs to Azure Blob Storage. `batch` - (Optional) Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. See [Azure Receiver Batch ](#azure-receiver-batch) below for details. `compression` - (Optional) Compression Options allows selection of how data should be compressed when sent to the endpoint. See [Azure Receiver Compression ](#azure-receiver-compression) below for details. -`connection_string` - (Required) Azure Blob Storate Connection String. Note that this field must contain: `AccountKey`, `AccountName` and should contain `DefaultEndpointsProtocol`. See [Azure Receiver Connection String ](#azure-receiver-connection-string) below for details. +`connection_string` - (Required) Azure Blob Storate Connection String. Note that this field must contain: `AccountKey`, `AccountName` and should contain `DefaultEndpointsProtocol`. See [Azure Receiver Connection String ](#azure-receiver-connection-string) below for details. `container_name` - (Required) Container Name is the name of the container into which logs should be stored (`String`). +### Receiver Datadog Receiver - -### Receiver Datadog Receiver - - Send logs to a Datadog service. +Send logs to a Datadog service. `batch` - (Optional) Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. See [Datadog Receiver Batch ](#datadog-receiver-batch) below for details. 
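Review bot: "Azure Blob Storate Connection String" is still misspelled in the replaced `connection_string` line under `### Receiver Azure Receiver`; the line is rewritten in this hunk but the typo is carried over unchanged. Correct it to "Storage" here and in the matching `### Azure Receiver Connection String` description, and if these pages are generated, fix the source string so the misspelling does not return on the next regeneration.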
@@ -1750,66 +691,45 @@ resource "volterra_global_log_receiver" "example" { `datadog_api_key` - (Required) Secret API key to access the datadog server. See [Datadog Receiver Datadog Api Key ](#datadog-receiver-datadog-api-key) below for details. - - ###### One of the arguments from this list "endpoint, site" must be set `endpoint` - (Optional) Datadog Endpoint, example: `example.com:9000` (`String`). - `site` - (Optional) Datadog Site, example: `datadoghq.com` (`String`). - - - ###### One of the arguments from this list "no_tls, use_tls" must be set `no_tls` - (Optional) Do not use TLS for the client connection (`Bool`). - `use_tls` - (Optional) Use TLS for client connections to the endpoint. See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. +### Receiver Elastic Receiver +Send logs to an Elasticsearch endpoint. - -### Receiver Elastic Receiver - - Send logs to an Elasticsearch endpoint. - - - -###### One of the arguments from this list "auth_none, auth_basic, auth_aws" must be set +###### One of the arguments from this list "auth_aws, auth_basic, auth_none" must be set `auth_aws` - (Optional) Reference to AWS Cloud Credentials for Authentication when connecting to the Elasticsearch Endpoint. See [ref](#ref) below for details.(Deprecated) - `auth_basic` - (Optional) Basic Authentication specify that HTTP Basic Authentication should be used when connecting to the Elasticsearch endpoint. See [Auth Choice Auth Basic ](#auth-choice-auth-basic) below for details. - `auth_none` - (Optional) No Authentication for the Elasticsearch endpoint (`Bool`). - `batch` - (Optional) Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. See [Elastic Receiver Batch ](#elastic-receiver-batch) below for details. `compression` - (Optional) Compression Options allows selection of how data should be compressed when sent to the endpoint. See [Elastic Receiver Compression ](#elastic-receiver-compression) below for details. 
`endpoint` - (Required) Elasticsearch Endpoint URL, example `http://10.9.8.7:9000` (`String`). - - ###### One of the arguments from this list "no_tls, use_tls" must be set `no_tls` - (Optional) Do not use TLS for the client connection (`Bool`). - `use_tls` - (Optional) Use TLS for client connections to the endpoint. See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. +### Receiver Gcp Bucket Receiver - - -### Receiver Gcp Bucket Receiver - - Send logs to a GCP Bucket. +Send logs to a GCP Bucket. `batch` - (Optional) Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. See [Gcp Bucket Receiver Batch ](#gcp-bucket-receiver-batch) below for details. 
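Review bot: Under `### Receiver Elastic Receiver` the `endpoint` example is `http://10.9.8.7:9000`, in the same section that documents `auth_basic` and the `no_tls`/`use_tls` choice, so a reader copying the example alongside `auth_basic` would send Basic credentials over an unencrypted connection. Suggest an `https://` example and one sentence on `no_tls` saying it should not be combined with `auth_basic`. Also, the reordered oneof sentence now puts `auth_aws` first among the values that "must be set" although its own entry is marked (Deprecated); listing it last, or flagging it in the sentence itself, would keep readers from picking it by default.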
@@ -1819,46 +739,33 @@ resource "volterra_global_log_receiver" "example" { `gcp_cred` - (Required) Reference to GCP Cloud Credentials for access to the GCP bucket. See [ref](#ref) below for details. +### Receiver Http Receiver +Send logs to a generic HTTP(s) server. -### Receiver Http Receiver - - Send logs to a generic HTTP(s) server. - - - -###### One of the arguments from this list "auth_token, auth_none, auth_basic" must be set +###### One of the arguments from this list "auth_basic, auth_none, auth_token" must be set `auth_basic` - (Optional) Use HTTP Basic Auth for authentication to the HTPP(s) server. See [Auth Choice Auth Basic ](#auth-choice-auth-basic) below for details. - `auth_none` - (Optional) No Authentication (`Bool`). - `auth_token` - (Optional) Configure an Access Token for authentication to the HTTP(s) server (such as a Bearer Token). See [Auth Choice Auth Token ](#auth-choice-auth-token) below for details. - `batch` - (Optional) Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. See [Http Receiver Batch ](#http-receiver-batch) below for details. `compression` - (Optional) Compression Options allows selection of how data should be compressed when sent to the endpoint. See [Http Receiver Compression ](#http-receiver-compression) below for details. - - ###### One of the arguments from this list "no_tls, use_tls" must be set `no_tls` - (Optional) Do not use TLS for the client connection (`Bool`). - `use_tls` - (Optional) Use TLS for client connections to the endpoint. See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. - `uri` - (Required) HTTP Uri is the Uri of the HTTP endpoint to send logs to, example: `http://example.com:9000/logs` (`String`). +### Receiver Kafka Receiver - -### Receiver Kafka Receiver - - Send logs to a Kafka cluster. +Send logs to a Kafka cluster. `batch` - (Optional) Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. 
See [Kafka Receiver Batch ](#kafka-receiver-batch) below for details. 
@@ -1868,61 +775,43 @@ resource "volterra_global_log_receiver" "example" { `kafka_topic` - (Required) The Kafka topic name to write events to (`String`). - - ###### One of the arguments from this list "no_tls, use_tls" must be set `no_tls` - (Optional) Do not use TLS for the client connection (`Bool`). - `use_tls` - (Optional) Use TLS for client connections to the endpoint. See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. +### Receiver New Relic Receiver - - -### Receiver New Relic Receiver - - Send logs to NewRelic. +Send logs to NewRelic. `api_key` - (Required) A New Relic License Key. See [New Relic Receiver Api Key ](#new-relic-receiver-api-key) below for details. - - ###### One of the arguments from this list "eu, us" must be set `eu` - (Optional) EU Endpoint (`Bool`). - `us` - (Optional) US Endpoint (`Bool`). +### Receiver Qradar Receiver - - -### Receiver Qradar Receiver - - Send logs to IBM QRadar. +Send logs to IBM QRadar. `batch` - (Optional) Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. See [Qradar Receiver Batch ](#qradar-receiver-batch) below for details. `compression` - (Optional) Compression Options allows selection of how data should be compressed when sent to the endpoint. See [Qradar Receiver Compression ](#qradar-receiver-compression) below for details. - - ###### One of the arguments from this list "no_tls, use_tls" must be set `no_tls` - (Optional) Do not use TLS for the client connection (`Bool`). - `use_tls` - (Optional) Use TLS for client connections to the endpoint. See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. - `uri` - (Required) Log Source Collector URL is the URL of the IBM QRadar Log Source Collector to send logs to, example: `http://example.com:9000` (`String`). +### Receiver S3 Receiver - -### Receiver S3 Receiver - - Send logs to an AWS S3 bucket. +Send logs to an AWS S3 bucket. 
`aws_cred` - (Required) Reference to AWS Cloud Credentials for access to the S3 bucket. See [ref](#ref) below for details. @@ -1934,11 +823,9 @@ resource "volterra_global_log_receiver" "example" { `compression` - (Optional) Compression Options allows selection of how data should be compressed when sent to the endpoint. See [S3 Receiver Compression ](#s3-receiver-compression) below for details. +### Receiver Splunk Receiver - -### Receiver Splunk Receiver - - Send logs to a Splunk HEC Logs service. +Send logs to a Splunk HEC Logs service. `batch` - (Optional) Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. See [Splunk Receiver Batch ](#splunk-receiver-batch) below for details. @@ -1948,28 +835,19 @@ resource "volterra_global_log_receiver" "example" { `splunk_hec_token` - (Required) Splunk HEC Logs secret Token. See [Splunk Receiver Splunk Hec Token ](#splunk-receiver-splunk-hec-token) below for details. - - ###### One of the arguments from this list "no_tls, use_tls" must be set `no_tls` - (Optional) Do not use TLS for the client connection (`Bool`). - `use_tls` - (Optional) Use TLS for client connections to the endpoint. See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. +### Receiver Sumo Logic Receiver - - -### Receiver Sumo Logic Receiver - - Send logs to SumoLogic. +Send logs to SumoLogic. `url` - (Required) The HTTP Source Address URL for the desired SumoLogic HTTP Collector. See [Sumo Logic Receiver Url ](#sumo-logic-receiver-url) below for details. - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -1979,67 +857,41 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### S3 Receiver Batch - -### S3 Receiver Batch - - Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. - - - +Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. ###### One of the arguments from this list "max_bytes, max_bytes_disabled" can be set `max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). - `max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). - - - - -###### One of the arguments from this list "max_events_disabled, max_events" can be set +###### One of the arguments from this list "max_events, max_events_disabled" can be set `max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). - `max_events_disabled` - (Optional) Max Events Disabled (`Bool`). - - - - -###### One of the arguments from this list "timeout_seconds_default, timeout_seconds" can be set +###### One of the arguments from this list "timeout_seconds, timeout_seconds_default" can be set `timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). - `timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). +### S3 Receiver Compression +Compression Options allows selection of how data should be compressed when sent to the endpoint. - -### S3 Receiver Compression - - Compression Options allows selection of how data should be compressed when sent to the endpoint. - - - - -###### One of the arguments from this list "compression_none, compression_gzip" can be set +###### One of the arguments from this list "compression_gzip, compression_none" can be set `compression_gzip` - (Optional) Gzip Compression (`Bool`). 
- `compression_none` - (Optional) No Compression (`Bool`). +### Secret Info Oneof Blindfold Secret Info - - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -2047,21 +899,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -2073,19 +921,15 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Splunk Hec Token Blindfold Secret Info Internal - -### Splunk Hec Token Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -2093,173 +937,109 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Splunk Receiver Batch +Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. -### Splunk Receiver Batch - - Batch Options allow tuning of the conditions for how batches of logs are sent to the endpoint. - - - - -###### One of the arguments from this list "max_bytes_disabled, max_bytes" can be set +###### One of the arguments from this list "max_bytes, max_bytes_disabled" can be set `max_bytes` - (Optional) Send batch to endpoint after the batch is equal to or larger than this many bytes (`Int`). - `max_bytes_disabled` - (Optional) Batch Bytes Disabled (`Bool`). - - - - -###### One of the arguments from this list "max_events_disabled, max_events" can be set +###### One of the arguments from this list "max_events, max_events_disabled" can be set `max_events` - (Optional) Send batch to endpoint after this many log messages are in the batch (`Int`). - `max_events_disabled` - (Optional) Max Events Disabled (`Bool`). - - - - -###### One of the arguments from this list "timeout_seconds_default, timeout_seconds" can be set +###### One of the arguments from this list "timeout_seconds, timeout_seconds_default" can be set `timeout_seconds` - (Optional) Send batch to the endpoint after this many seconds (`Int`). - `timeout_seconds_default` - (Optional) Use Default Timeout (300 seconds) (`Bool`). +### Splunk Receiver Compression +Compression Options allows selection of how data should be compressed when sent to the endpoint. - -### Splunk Receiver Compression - - Compression Options allows selection of how data should be compressed when sent to the endpoint. 
- - - - -###### One of the arguments from this list "compression_none, compression_gzip" can be set +###### One of the arguments from this list "compression_gzip, compression_none" can be set `compression_gzip` - (Optional) Gzip Compression (`Bool`). - `compression_none` - (Optional) No Compression (`Bool`). +### Splunk Receiver Splunk Hec Token - - -### Splunk Receiver Splunk Hec Token - - Splunk HEC Logs secret Token. +Splunk HEC Logs secret Token. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Splunk Hec Token Blindfold Secret Info Internal ](#splunk-hec-token-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Sumo Logic Receiver Url - - -### Sumo Logic Receiver Url - - The HTTP Source Address URL for the desired SumoLogic HTTP Collector. +The HTTP Source Address URL for the desired SumoLogic HTTP Collector. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Url Blindfold Secret Info Internal ](#url-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "vault_secret_info, clear_secret_info, wingman_secret_info, blindfold_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Tls Choice No Tls +Do not use TLS for the client connection. +### Tls Choice Use Tls -### Tls Choice No Tls - - Do not use TLS for the client connection. 
- - - -### Tls Choice Use Tls - - Use TLS for client connections to the endpoint. - - +Use TLS for client connections to the endpoint. ###### One of the arguments from this list "no_ca, trusted_ca_url" must be set `no_ca` - (Optional) Do not use a CA Certificate (`Bool`). - `trusted_ca_url` - (Optional) Certificates in PEM format including the PEM headers. (`String`). - - - ###### One of the arguments from this list "mtls_disabled, mtls_enable" must be set `mtls_disabled` - (Optional) mTLS is disabled (`Bool`). - `mtls_enable` - (Optional) Enable mTLS configuration. See [Mtls Choice Mtls Enable ](#mtls-choice-mtls-enable) below for details. - - - - -###### One of the arguments from this list "enable_verify_certificate, disable_verify_certificate" can be set +###### One of the arguments from this list "disable_verify_certificate, enable_verify_certificate" can be set `disable_verify_certificate` - (Optional) x-displayName: "Skip Server Certificate Verification" (`Bool`). - `enable_verify_certificate` - (Optional) x-displayName: "Perform Server Certificate Verification" (`Bool`). - - - - -###### One of the arguments from this list "enable_verify_hostname, disable_verify_hostname" can be set +###### One of the arguments from this list "disable_verify_hostname, enable_verify_hostname" can be set `disable_verify_hostname` - (Optional) x-displayName: "Skip Server Hostname Verification" (`Bool`). - `enable_verify_hostname` - (Optional) x-displayName: "Enable Server Hostname Verification" (`Bool`). +### Token Blindfold Secret Info Internal - - -### Token Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -2267,11 +1047,9 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Url Blindfold Secret Info Internal - -### Url Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -2279,33 +1057,23 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Verify Certificate Disable Verify Certificate +x-displayName: "Skip Server Certificate Verification". -### Verify Certificate Disable Verify Certificate - - x-displayName: "Skip Server Certificate Verification". - - - -### Verify Certificate Enable Verify Certificate - - x-displayName: "Perform Server Certificate Verification". - - - -### Verify Hostname Disable Verify Hostname - - x-displayName: "Skip Server Hostname Verification". - - +### Verify Certificate Enable Verify Certificate -### Verify Hostname Enable Verify Hostname +x-displayName: "Perform Server Certificate Verification". - x-displayName: "Enable Server Hostname Verification". +### Verify Hostname Disable Verify Hostname +x-displayName: "Skip Server Hostname Verification". +### Verify Hostname Enable Verify Hostname -## Attribute Reference +x-displayName: "Enable Server Hostname Verification". -* `id` - This is the id of the configured global_log_receiver. +Attribute Reference +------------------- +- `id` - This is the id of the configured global_log_receiver. 
diff --git a/docs/resources/volterra_healthcheck.md b/docs/resources/volterra_healthcheck.md index 312ce8149..d16f85d71 100644 --- a/docs/resources/volterra_healthcheck.md +++ b/docs/resources/volterra_healthcheck.md 
@@ -1,161 +1,84 @@ - - - - - - - - - - - - --- + page_title: "Volterra: healthcheck" -description: "The healthcheck allows CRUD of Healthcheck resource on Volterra SaaS" +description: "The healthcheck allows CRUD of Healthcheck resource on Volterra SaaS" + --- -# Resource volterra_healthcheck -The Healthcheck allows CRUD of Healthcheck resource on Volterra SaaS +Resource volterra_healthcheck +============================= + +The Healthcheck allows CRUD of Healthcheck resource on Volterra SaaS -~> **Note:** Please refer to [Healthcheck API docs](https://docs.cloud.f5.com/docs-v2/api/healthcheck) to learn more +~> **Note:** Please refer to [Healthcheck API docs](https://docs.cloud.f5.com/docs-v2/api/healthcheck) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_healthcheck" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "dns_proxy_icmp_health_check http_health_check tcp_health_check dns_proxy_tcp_health_check dns_proxy_udp_health_check dns_health_check" must be set - - http_health_check { - expected_status_codes = ["200-250"] - - headers = { - "key1" = "value1" - } - - // One of the arguments from this list "host_header use_origin_server_name" must be set + // One of the arguments from this list "dns_health_check dns_proxy_icmp_health_check dns_proxy_tcp_health_check dns_proxy_udp_health_check http_health_check tcp_health_check" must be set - use_origin_server_name = true - path = "/healthcheck" - request_headers_to_remove = ["user-agent"] - use_http2 = true - } - healthy_threshold = ["2"] - interval = ["10"] - timeout = ["1"] - unhealthy_threshold = ["5"] + dns_proxy_icmp_health_check = true + healthy_threshold = ["2"] + interval = ["10"] + timeout = ["1"] + unhealthy_threshold = ["5"] } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. 
(`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "dns_health_check, dns_proxy_icmp_health_check, dns_proxy_tcp_health_check, dns_proxy_udp_health_check, http_health_check, tcp_health_check" must be set `dns_health_check` - (Optional) 4. Expected IP Address. See [Health Check Dns Health Check ](#health-check-dns-health-check) below for details.(Deprecated) - - - - - - - - - `dns_proxy_icmp_health_check` - (Optional) Specifies ICMP HealthCheck (`Bool`).(Deprecated) - `dns_proxy_tcp_health_check` - (Optional) Specifies send string and expected response payload pattern for TCP health Check. See [Health Check Dns Proxy Tcp Health Check ](#health-check-dns-proxy-tcp-health-check) below for details.(Deprecated) - - - - - `dns_proxy_udp_health_check` - (Optional) Specifies send string and expected response payload pattern for UDP health Check. See [Health Check Dns Proxy Udp Health Check ](#health-check-dns-proxy-udp-health-check) below for details.(Deprecated) - - - - - `http_health_check` - (Optional) 4. Request headers to remove. See [Health Check Http Health Check ](#health-check-http-health-check) below for details. - - - - - - - - - - - - - - - - `tcp_health_check` - (Optional) Specifies send payload and expected response payload. See [Health Check Tcp Health Check ](#health-check-tcp-health-check) below for details. - - - - - - - `healthy_threshold` - (Required) required to mark a host healthy. 
(`Int`). - - `interval` - (Required) Time interval in seconds between two healthcheck requests. (`Int`). - - `jitter_percent` - (Optional) Add a random amount of time as a percent value to the interval between successive healthcheck requests. (`Int`). - - `timeout` - (Required) health check attempt will be considered a failure. (`Int`). - - `unhealthy_threshold` - (Required) this threshold is ignored and the host is considered unhealthy immediately. (`Int`). +### Health Check Dns Health Check +1. Expected IP Address. -### Health Check Dns Health Check - - 4. Expected IP Address. - -`expected_rcode` - (Required) Specifies an expected Rcode in the answer section of DNS Response, option [no-error, any] (`String`). +`expected_rcode` - (Required) Specifies an expected Rcode in the answer section of DNS Response, option [no-error, any](`String`). `expected_record_type` - (Required) options: [REQUESTED_QUERY_TYPE, RECORD_TYPE_ANY] when REQUESTED_QUERY_TYPE is set, health monitor expects record type same as requested query type (`String`). 
@@ -167,71 +90,55 @@ resource "volterra_healthcheck" "example" { `reverse` - (Optional) string match marks the monitored object down instead of up. (`Bool`). +### Health Check Dns Proxy Tcp Health Check - -### Health Check Dns Proxy Tcp Health Check - - Specifies send string and expected response payload pattern for TCP health Check. +Specifies send string and expected response payload pattern for TCP health Check. `expected_response` - (Required) Specifies a regular expression pattern which will be matched against response payload (`String`). -`send_payload` - (Required) Text string sent in the request (`String`). - - +`send_payload` - (Required) Text string sent in the request (`String`). -### Health Check Dns Proxy Udp Health Check +### Health Check Dns Proxy Udp Health Check - Specifies send string and expected response payload pattern for UDP health Check. +Specifies send string and expected response payload pattern for UDP health Check. `expected_response` - (Required) Specifies a regular expression pattern which will be matched against response payload (`String`). -`send_payload` - (Required) Text string sent in the request (`String`). - - +`send_payload` - (Required) Text string sent in the request (`String`). -### Health Check Http Health Check +### Health Check Http Health Check - 4. Request headers to remove. +1. Request headers to remove. `expected_status_codes` - (Optional) of which is single HTTP status code or a range with start and end values separated by "-". (`String`). `headers` - (Optional) health checked cluster. This is a list of key-value pairs. (`String`). - - -###### One of the arguments from this list "use_origin_server_name, host_header" must be set +###### One of the arguments from this list "host_header, use_origin_server_name" must be set `host_header` - (Optional) The value of the host header. (`String`). - `use_origin_server_name` - (Optional) Use the origin server name. (`Bool`). 
- `path` - (Required) Specifies the HTTP path that will be requested during health checking. (`String`). `request_headers_to_remove` - (Optional) health checked cluster. This is a list of keys of headers. (`String`). `use_http2` - (Optional) If set, health checks will be made using http/2. (`Bool`). +### Health Check Tcp Health Check - -### Health Check Tcp Health Check - - Specifies send payload and expected response payload. +Specifies send payload and expected response payload. `expected_response` - (Optional) Hex encoded payload. (`String`). `send_payload` - (Optional) Hex encoded payload. (`String`). +### Host Header Choice Use Origin Server Name +Use the origin server name.. -### Host Header Choice Use Origin Server Name - - Use the origin server name.. - - - -## Attribute Reference - -* `id` - This is the id of the configured healthcheck. +Attribute Reference +------------------- +- `id` - This is the id of the configured healthcheck. diff --git a/docs/resources/volterra_http_loadbalancer.md b/docs/resources/volterra_http_loadbalancer.md index 05f495715..20fad6cab 100644 --- a/docs/resources/volterra_http_loadbalancer.md +++ b/docs/resources/volterra_http_loadbalancer.md 
@@ -1,61 +1,60 @@ +--- +page_title: "Volterra: http_loadbalancer" +description: "The http_loadbalancer allows CRUD of Http Loadbalancer resource on Volterra SaaS" +--- +Resource volterra_http_loadbalancer +=================================== +The Http Loadbalancer allows CRUD of Http Loadbalancer resource on Volterra SaaS +~> **Note:** Please refer to [Http Loadbalancer API docs](https://docs.cloud.f5.com/docs-v2/api/views-http-loadbalancer) to learn more +Example Usage +------------- +```hcl +resource "volterra_http_loadbalancer" "example" { + name = "acmecorp-web" + namespace = "staging" + // One of the arguments from this list "advertise_custom advertise_on_public advertise_on_public_default_vip do_not_advertise" must be set + do_not_advertise = true + // One of the arguments from this list "api_definition api_definitions api_specification disable_api_definition" must be set + api_specification { + api_definition { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } ---- -page_title: "Volterra: http_loadbalancer" -description: "The http_loadbalancer allows CRUD of Http Loadbalancer resource on Volterra SaaS" ---- -# Resource volterra_http_loadbalancer - -The Http Loadbalancer allows CRUD of Http Loadbalancer resource on Volterra SaaS - -~> **Note:** Please refer to [Http Loadbalancer API docs](https://docs.cloud.f5.com/docs-v2/api/views-http-loadbalancer) to learn more - -## Example Usage + // One of the arguments from this list "validation_all_spec_endpoints validation_custom_list validation_disabled" must be set -```hcl -resource "volterra_http_loadbalancer" "example" { - name = "acmecorp-web" - namespace = "staging" + validation_disabled = true + } - // One of the arguments from this list "do_not_advertise advertise_on_public_default_vip advertise_on_public advertise_custom" must be set + // One of the arguments from this list "disable_api_discovery enable_api_discovery" must be set - advertise_custom { - advertise_where { - // One of the 
arguments from this list "site_segment cloud_edge_segment advertise_on_public site vk8s_service virtual_network segment virtual_site virtual_site_with_vip virtual_site_segment" must be set + enable_api_discovery { + api_discovery_from_code_scan { + code_base_integrations { + // One of the arguments from this list "all_repos selected_repos" must be set - virtual_site { - network = "network" + all_repos = true - virtual_site { + code_base_integration { name = "test1" namespace = "staging" tenant = "acmecorp" } } - - // One of the arguments from this list "port_ranges use_default_port port" must be set - - port = "port" } - } - - // One of the arguments from this list "disable_api_definition api_definition api_specification api_definitions" must be set - disable_api_definition = true - - // One of the arguments from this list "enable_api_discovery disable_api_discovery" must be set - - enable_api_discovery { discovered_api_settings { purge_duration_for_inactive_discovered_apis = "2" } @@ -74,11 +73,11 @@ resource "volterra_http_loadbalancer" "example" { } sensitive_data_detection_config { - // One of the arguments from this list "specific_domain any_domain" must be set + // One of the arguments from this list "any_domain specific_domain" must be set any_domain = true - // One of the arguments from this list "key_value_pattern key_pattern value_pattern" must be set + // One of the arguments from this list "key_pattern key_value_pattern value_pattern" must be set key_pattern { // One of the arguments from this list "exact_value regex_value" must be set 
@@ -86,15 +85,13 @@ resource "volterra_http_loadbalancer" "example" { exact_value = "x-volt-header" } - // One of the arguments from this list "all_sections all_request_sections all_response_sections custom_sections" must be set + // One of the arguments from this list "all_request_sections all_response_sections all_sections custom_sections" must be set - custom_sections { - custom_sections = ["custom_sections"] - } + all_sections = true - // One of the arguments from this list "any_target api_endpoint_target base_path api_group" must be set + // One of the arguments from this list "any_target api_endpoint_target api_group base_path" must be set - any_target = true + api_group = "oas-all-operations" } sensitive_data_type { 
@@ -108,26 +105,20 @@ resource "volterra_http_loadbalancer" "example" { } } - // One of the arguments from this list "policy_based_challenge no_challenge enable_challenge js_challenge captcha_challenge" must be set + // One of the arguments from this list "captcha_challenge enable_challenge js_challenge no_challenge policy_based_challenge" must be set - js_challenge { - cookie_expiry = "1000" - - custom_page = "string:///PHA+IFBsZWFzZSBXYWl0IDwvcD4=" - - js_script_delay = "1000" - } + no_challenge = true domains = ["www.foo.com"] - // One of the arguments from this list "round_robin least_active random source_ip_stickiness cookie_stickiness ring_hash" must be set + // One of the arguments from this list "cookie_stickiness least_active random ring_hash round_robin source_ip_stickiness" must be set - least_active = true + round_robin = true - // One of the arguments from this list "l7_ddos_action_default l7_ddos_action_block l7_ddos_action_js_challenge l7_ddos_action_none" must be set + // One of the arguments from this list "l7_ddos_action_block l7_ddos_action_default l7_ddos_action_js_challenge l7_ddos_action_none" must be set - l7_ddos_action_default = true + l7_ddos_action_none = true - // One of the arguments from this list "http https_auto_cert https" must be set + // One of the arguments from this list "http https https_auto_cert" must be set http { dns_volterra_managed = true 
@@ -137,21 +128,21 @@ resource "volterra_http_loadbalancer" "example" { port = "80" } - // One of the arguments from this list "enable_malicious_user_detection disable_malicious_user_detection" must be set + // One of the arguments from this list "disable_malicious_user_detection enable_malicious_user_detection" must be set enable_malicious_user_detection = true - // One of the arguments from this list "disable_rate_limit api_rate_limit rate_limit" must be set + // One of the arguments from this list "api_rate_limit disable_rate_limit rate_limit" must be set disable_rate_limit = true - // One of the arguments from this list "sensitive_data_policy default_sensitive_data_policy" must be set + // One of the arguments from this list "default_sensitive_data_policy sensitive_data_policy" must be set default_sensitive_data_policy = true - // One of the arguments from this list "service_policies_from_namespace no_service_policies active_service_policies" must be set + // One of the arguments from this list "active_service_policies no_service_policies service_policies_from_namespace" must be set - service_policies_from_namespace = true + no_service_policies = true // One of the arguments from this list "disable_threat_mesh enable_threat_mesh" must be set 
@@ -159,11589 +150,5277 @@ resource "volterra_http_loadbalancer" "example" { // One of the arguments from this list "disable_trust_client_ip_headers enable_trust_client_ip_headers" must be set - enable_trust_client_ip_headers { - client_ip_headers = ["Client-IP-Header"] - } + disable_trust_client_ip_headers = true // One of the arguments from this list "user_id_client_ip user_identification" must be set - user_id_client_ip = true + user_identification { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } - // One of the arguments from this list "disable_waf app_firewall" must be set + // One of the arguments from this list "app_firewall disable_waf" must be set disable_waf = true } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `add_location` - (Optional) is ignored on CE sites. (`Bool`). - - +###### One of the arguments from this list "advertise_custom, advertise_on_public, advertise_on_public_default_vip, do_not_advertise" must be set `advertise_custom` - (Optional) Advertise this load balancer on specific sites. See [Advertise Choice Advertise Custom ](#advertise-choice-advertise-custom) below for details. - +`advertise_on_public` - (Optional) Advertise this load balancer on public network. 
See [Advertise Choice Advertise On Public ](#advertise-choice-advertise-on-public) below for details. - +`advertise_on_public_default_vip` - (Optional) Advertise this load balancer on public network with default VIP (`Bool`). +`do_not_advertise` - (Optional) Do not advertise this load balancer (`Bool`). +###### One of the arguments from this list "api_definition, api_definitions, api_specification, disable_api_definition" must be set +`api_definition` - (Optional) DEPRECATED by 'api_specification'. See [ref](#ref) below for details.(Deprecated) - +`api_definitions` - (Optional) DEPRECATED by 'api_definition'. See [Api Definition Choice Api Definitions ](#api-definition-choice-api-definitions) below for details.(Deprecated) +`api_specification` - (Optional) Specify API definition and OpenAPI Validation. See [Api Definition Choice Api Specification ](#api-definition-choice-api-specification) below for details. +`disable_api_definition` - (Optional) API Definition is not currently used for this load balancer (`Bool`). +###### One of the arguments from this list "disable_api_discovery, enable_api_discovery" must be set +`disable_api_discovery` - (Optional) x-displayName: "Disable" (`Bool`). - +`enable_api_discovery` - (Optional) x-displayName: "Enable". See [Api Discovery Choice Enable Api Discovery ](#api-discovery-choice-enable-api-discovery) below for details. +`api_protection_rules` - (Optional) Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. See [Api Protection Rules ](#api-protection-rules) below for details. +`api_rate_limit_legacy` - (Optional) Legacy value only temporary pre-migration. This value will be copied over to api_rate_limit and removed later.. See [Api Rate Limit Legacy ](#api-rate-limit-legacy) below for details.(Deprecated) +`blocked_clients` - (Optional) Define rules to block IP Prefixes or AS numbers.. See [Blocked Clients ](#blocked-clients) below for details. 
+###### One of the arguments from this list "bot_defense, bot_defense_advanced, disable_bot_defense" can be set +`bot_defense` - (Optional) Select Bot Defense Standard. See [Bot Defense Choice Bot Defense ](#bot-defense-choice-bot-defense) below for details. +`bot_defense_advanced` - (Optional) Select Bot Defense Advanced. See [Bot Defense Choice Bot Defense Advanced ](#bot-defense-choice-bot-defense-advanced) below for details.(Deprecated) +`disable_bot_defense` - (Optional) No Bot Defense configuration for this load balancer (`Bool`). - +###### One of the arguments from this list "captcha_challenge, enable_challenge, js_challenge, no_challenge, policy_based_challenge" must be set +`captcha_challenge` - (Optional) Configure Captcha challenge on this load balancer. See [Challenge Type Captcha Challenge ](#challenge-type-captcha-challenge) below for details. +`enable_challenge` - (Optional) Configure auto mitigation i.e risk based challenges for malicious users. See [Challenge Type Enable Challenge ](#challenge-type-enable-challenge) below for details. +`js_challenge` - (Optional) Configure JavaScript challenge on this load balancer. See [Challenge Type Js Challenge ](#challenge-type-js-challenge) below for details. +`no_challenge` - (Optional) No challenge is enabled for this load balancer (`Bool`). +`policy_based_challenge` - (Optional) Specifies the settings for policy rule based challenge. See [Challenge Type Policy Based Challenge ](#challenge-type-policy-based-challenge) below for details. +###### One of the arguments from this list "client_side_defense, disable_client_side_defense" can be set +`client_side_defense` - (Optional) Client-Side Defense configuration for JavaScript insertion. See [Client Side Defense Choice Client Side Defense ](#client-side-defense-choice-client-side-defense) below for details. - +`disable_client_side_defense` - (Optional) No Client-Side Defense configuration for this load balancer (`Bool`). 
+`cors_policy` - (Optional) resources from a server at a different origin. See [Cors Policy ](#cors-policy) below for details. +`csrf_policy` - (Optional) Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. See [Csrf Policy ](#csrf-policy) below for details. +`data_guard_rules` - (Optional) Note: App Firewall should be enabled, to use Data Guard feature.. See [Data Guard Rules ](#data-guard-rules) below for details. - +`ddos_mitigation_rules` - (Optional) Define manual mitigation rules to block L7 DDoS attacks.. See [Ddos Mitigation Rules ](#ddos-mitigation-rules) below for details. +`default_route_pools` - (Optional) Origin Pools used when no route is specified (default route). See [Default Route Pools ](#default-route-pools) below for details. +`domains` - (Required) Domains also indicate the list of names for which DNS resolution will be done by VER (`List of String`). +`graphql_rules` - (Optional) queries and prevent GraphQL tailored attacks.. See [Graphql Rules ](#graphql-rules) below for details. +###### One of the arguments from this list "cookie_stickiness, least_active, random, ring_hash, round_robin, source_ip_stickiness" must be set +`cookie_stickiness` - (Optional) Consistent hashing algorithm, ring hash, is used to select origin server. See [Hash Policy Choice Cookie Stickiness ](#hash-policy-choice-cookie-stickiness) below for details. +`least_active` - (Optional) Request are sent to origin server that has least active requests (`Bool`). - +`random` - (Optional) Request are sent to all eligible origin servers in random fashion (`Bool`). +`ring_hash` - (Optional) Request are sent to all eligible origin servers using hash of request based on hash policy. Consistent hashing algorithm, ring hash, is used to select origin server. See [Hash Policy Choice Ring Hash ](#hash-policy-choice-ring-hash) below for details. 
+`round_robin` - (Optional) Request are sent to all eligible origin servers in round robin fashion (`Bool`). +`source_ip_stickiness` - (Optional) Request are sent to all eligible origin servers using hash of source ip. Consistent hashing algorithm, ring hash, is used to select origin server (`Bool`). +###### One of the arguments from this list "disable_ip_reputation, enable_ip_reputation" can be set +`disable_ip_reputation` - (Optional) x-displayName: "Disable" (`Bool`). +`enable_ip_reputation` - (Optional) x-displayName: "Enable". See [Ip Reputation Choice Enable Ip Reputation ](#ip-reputation-choice-enable-ip-reputation) below for details. +`jwt_validation` - (Optional) tokens or tokens that are not yet valid.. See [Jwt Validation ](#jwt-validation) below for details. - +###### One of the arguments from this list "l7_ddos_action_block, l7_ddos_action_default, l7_ddos_action_js_challenge, l7_ddos_action_none" must be set +`l7_ddos_action_block` - (Optional) Block suspicious sources (`Bool`). +`l7_ddos_action_default` - (Optional) Block suspicious sources (`Bool`). +`l7_ddos_action_js_challenge` - (Optional) Serve JavaScript challenge to suspicious sources. See [L7 Ddos Auto Mitigation Action L7 Ddos Action Js Challenge ](#l7-ddos-auto-mitigation-action-l7-ddos-action-js-challenge) below for details. +`l7_ddos_action_none` - (Optional) Disable auto mitigation (`Bool`).(Deprecated) +###### One of the arguments from this list "http, https, https_auto_cert" must be set - +`http` - (Optional) HTTP Load Balancer.. See [Loadbalancer Type Http ](#loadbalancer-type-http) below for details. +`https` - (Optional) User is responsible for managing DNS to this load balancer.. See [Loadbalancer Type Https ](#loadbalancer-type-https) below for details. +`https_auto_cert` - (Optional) or a DNS CNAME record should be created in your DNS provider's portal(only for Domains not managed by F5 Distributed Cloud).. 
See [Loadbalancer Type Https Auto Cert ](#loadbalancer-type-https-auto-cert) below for details. +###### One of the arguments from this list "disable_malicious_user_detection, enable_malicious_user_detection" must be set +`disable_malicious_user_detection` - (Optional) x-displayName: "Disable" (`Bool`). +`enable_malicious_user_detection` - (Optional) x-displayName: "Enable" (`Bool`). +`malicious_user_mitigation` - (Optional) The settings defined in malicious user mitigation specify what mitigation actions to take for users determined to be at different threat levels.. See [ref](#ref) below for details.(Deprecated) +###### One of the arguments from this list "multi_lb_app, single_lb_app" can be set - +`multi_lb_app` - (Optional) It should be configured externally using app type feature and label should be added to the HTTP load balancer. (`Bool`).(Deprecated) +`single_lb_app` - (Optional) ML Config applied on this load balancer. See [Ml Config Choice Single Lb App ](#ml-config-choice-single-lb-app) below for details.(Deprecated) +`more_option` - (Optional) More options like header manipulation, compression etc.. See [More Option ](#more-option) below for details. +###### One of the arguments from this list "default_pool, default_pool_list" can be set +`default_pool` - (Optional) Single Origin Pool. See [Origin Pool Choice Default Pool ](#origin-pool-choice-default-pool) below for details.(Deprecated) +`default_pool_list` - (Optional) Multiple Origin Pools with weights and priorities. See [Origin Pool Choice Default Pool List ](#origin-pool-choice-default-pool-list) below for details.(Deprecated) +`origin_server_subset_rule_list` - (Optional) When an Origin server subset rule is matched, then this selection rule takes effect and no more rules are evaluated.. See [Origin Server Subset Rule List ](#origin-server-subset-rule-list) below for details. 
+`protected_cookies` - (Optional) Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. See [Protected Cookies ](#protected-cookies) below for details. +###### One of the arguments from this list "api_rate_limit, disable_rate_limit, rate_limit" must be set +`api_rate_limit` - (Optional) Define rate limiting for one or more API endpoints.. See [Rate Limit Choice Api Rate Limit ](#rate-limit-choice-api-rate-limit) below for details. +`disable_rate_limit` - (Optional) Rate limiting is not currently enabled for this load balancer (`Bool`). +`rate_limit` - (Optional) Define custom rate limiting parameters for this load balancer. See [Rate Limit Choice Rate Limit ](#rate-limit-choice-rate-limit) below for details. - +`routes` - (Optional) to origin pool or redirect matching traffic to a different URL or respond directly to matching traffic. See [Routes ](#routes) below for details. +`sensitive_data_disclosure_rules` - (Optional) Sensitive Data Exposure Rules allows specifying rules to mask sensitive data fields in API responses. See [Sensitive Data Disclosure Rules ](#sensitive-data-disclosure-rules) below for details.(Deprecated) +###### One of the arguments from this list "default_sensitive_data_policy, sensitive_data_policy" must be set +`default_sensitive_data_policy` - (Optional) Apply system default sensitive data discovery (`Bool`). +`sensitive_data_policy` - (Optional) Apply custom sensitive data discovery. See [Sensitive Data Policy Choice Sensitive Data Policy ](#sensitive-data-policy-choice-sensitive-data-policy) below for details. -`advertise_on_public` - (Optional) Advertise this load balancer on public network. See [Advertise Choice Advertise On Public ](#advertise-choice-advertise-on-public) below for details. 
- +###### One of the arguments from this list "active_service_policies, no_service_policies, service_policies_from_namespace" must be set +`active_service_policies` - (Optional) Apply the specified list of service policies and bypass the namespace service policy set. See [Service Policy Choice Active Service Policies ](#service-policy-choice-active-service-policies) below for details. +`no_service_policies` - (Optional) Do not apply any service policies i.e. bypass the namespace service policy set (`Bool`). +`service_policies_from_namespace` - (Optional) Apply the active service policies configured as part of the namespace service policy set (`Bool`). -`advertise_on_public_default_vip` - (Optional) Advertise this load balancer on public network with default VIP (`Bool`). +###### One of the arguments from this list "slow_ddos_mitigation, system_default_timeouts" can be set +`slow_ddos_mitigation` - (Optional) Custom Settings for Slow DDoS Mitigation. See [Slow Ddos Mitigation Choice Slow Ddos Mitigation ](#slow-ddos-mitigation-choice-slow-ddos-mitigation) below for details. -`do_not_advertise` - (Optional) Do not advertise this load balancer (`Bool`). +`system_default_timeouts` - (Optional) Default Settings for Slow DDoS Mitigation (`Bool`). +###### One of the arguments from this list "disable_threat_mesh, enable_threat_mesh" must be set +`disable_threat_mesh` - (Optional) x-displayName: "Disable" (`Bool`). +`enable_threat_mesh` - (Optional) x-displayName: "Enable" (`Bool`). +###### One of the arguments from this list "disable_trust_client_ip_headers, enable_trust_client_ip_headers" must be set -`api_definition` - (Optional) DEPRECATED by 'api_specification'. See [ref](#ref) below for details.(Deprecated) +`disable_trust_client_ip_headers` - (Optional) x-displayName: "Disable" (`Bool`). +`enable_trust_client_ip_headers` - (Optional) x-displayName: "Enable". 
See [Trust Client Ip Headers Choice Enable Trust Client Ip Headers ](#trust-client-ip-headers-choice-enable-trust-client-ip-headers) below for details. -`api_definitions` - (Optional) DEPRECATED by 'api_definition'. See [Api Definition Choice Api Definitions ](#api-definition-choice-api-definitions) below for details.(Deprecated) - +`trusted_clients` - (Optional) Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. See [Trusted Clients ](#trusted-clients) below for details. +###### One of the arguments from this list "user_id_client_ip, user_identification" must be set +`user_id_client_ip` - (Optional) Use the Client IP address as the user identifier. (`Bool`). +`user_identification` - (Optional) The rules in the user_identification object are evaluated to determine the user identifier.. See [ref](#ref) below for details. -`api_specification` - (Optional) Specify API definition and OpenAPI Validation. See [Api Definition Choice Api Specification ](#api-definition-choice-api-specification) below for details. - +###### One of the arguments from this list "app_firewall, disable_waf" must be set +`app_firewall` - (Optional) Reference to App Firewall configuration object. See [ref](#ref) below for details. +`disable_waf` - (Optional) No WAF configuration for this load balancer (`Bool`). +`waf_exclusion_rules` - (Optional) When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. See [Waf Exclusion Rules ](#waf-exclusion-rules) below for details. +### Api Protection Rules - +Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. +`api_endpoint_rules` - (Optional) If request matches any of these rules, skipping second category rules.. See [Api Protection Rules Api Endpoint Rules ](#api-protection-rules-api-endpoint-rules) below for details. 
- +`api_groups_rules` - (Optional) For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.. See [Api Protection Rules Api Groups Rules ](#api-protection-rules-api-groups-rules) below for details. +### Api Rate Limit Legacy +Legacy value only temporary pre-migration. This value will be copied over to api_rate_limit and removed later.. +`api_endpoint_rules` - (Optional) For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. See [Api Rate Limit Legacy Api Endpoint Rules ](#api-rate-limit-legacy-api-endpoint-rules) below for details. - +###### One of the arguments from this list "bypass_rate_limiting_rules, custom_ip_allowed_list, ip_allowed_list, no_ip_allowed_list" must be set +`bypass_rate_limiting_rules` - (Optional) This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. See [Ip Allowed List Choice Bypass Rate Limiting Rules ](#ip-allowed-list-choice-bypass-rate-limiting-rules) below for details. +`custom_ip_allowed_list` - (Optional) IP Allowed list using existing ip_prefix_set objects.. See [Ip Allowed List Choice Custom Ip Allowed List ](#ip-allowed-list-choice-custom-ip-allowed-list) below for details. +`ip_allowed_list` - (Optional) List of IP(s) for which rate limiting will be disabled.. See [Ip Allowed List Choice Ip Allowed List ](#ip-allowed-list-choice-ip-allowed-list) below for details. - +`no_ip_allowed_list` - (Optional) There is no ip allowed list for rate limiting, all clients go through rate limiting. (`Bool`). +`server_url_rules` - (Optional) For matching also specific endpoints you can use the API endpoint rules set bellow.. See [Api Rate Limit Legacy Server Url Rules ](#api-rate-limit-legacy-server-url-rules) below for details. - +### Blocked Clients +Define rules to block IP Prefixes or AS numbers.. 
+###### One of the arguments from this list "bot_skip_processing, skip_processing, waf_skip_processing" can be set +`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - +`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) +`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. (`Bool`).(Deprecated) +`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). +###### One of the arguments from this list "as_number, http_header, ip_prefix, user_identifier" must be set - +`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). +`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. +`ip_prefix` - (Optional) IPv4 prefix string. (`String`). +`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). - +`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Blocked Clients Metadata ](#blocked-clients-metadata) below for details. +### Cors Policy +resources from a server at a different origin. +`allow_credentials` - (Optional) Specifies whether the resource allows credentials (`Bool`). +`allow_headers` - (Optional) Specifies the content for the access-control-allow-headers header (`String`). - +`allow_methods` - (Optional) Specifies the content for the access-control-allow-methods header (`String`). +`allow_origin` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). 
+`allow_origin_regex` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). +`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). +`expose_headers` - (Optional) Specifies the content for the access-control-expose-headers header (`String`). +`max_age` - (Optional) Specifies the content for the access-control-max-age header (`String`).(Deprecated) +`maximum_age` - (Optional) Maximum permitted value is 86400 seconds (24 hours) (`Int`). +### Csrf Policy - +Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. +###### One of the arguments from this list "all_load_balancer_domains, custom_domain_list, disabled" must be set +`all_load_balancer_domains` - (Optional) Add All load balancer domains to source origin (allow) list. (`Bool`). +`custom_domain_list` - (Optional) Add one or more domains to source origin (allow) list.. See [Allowed Domains Custom Domain List ](#allowed-domains-custom-domain-list) below for details. +`disabled` - (Optional) Allow all source origin domains. (`Bool`). +### Data Guard Rules +Note: App Firewall should be enabled, to use Data Guard feature.. +###### One of the arguments from this list "apply_data_guard, skip_data_guard" must be set +`apply_data_guard` - (Optional) x-displayName: "Apply" (`Bool`). - +`skip_data_guard` - (Optional) x-displayName: "Skip" (`Bool`). +###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set +`any_domain` - (Optional) Enable Data Guard for any domain (`Bool`). +`exact_value` - (Optional) Exact domain name (`String`). - +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Data Guard Rules Metadata ](#data-guard-rules-metadata) below for details. 
+`path` - (Required) URI path matcher.. See [Data Guard Rules Path ](#data-guard-rules-path) below for details. +### Ddos Mitigation Rules - +Define manual mitigation rules to block L7 DDoS attacks.. +`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Ddos Mitigation Rules Metadata ](#ddos-mitigation-rules-metadata) below for details. +###### One of the arguments from this list "block" must be set - +`block` - (Optional) Block user for a duration determined by the expiration time (`Bool`). +###### One of the arguments from this list "ddos_client_source, ip_prefix_list" must be set +`ddos_client_source` - (Optional) Combination of Region, ASN and TLS Fingerprints. See [Mitigation Choice Ddos Client Source ](#mitigation-choice-ddos-client-source) below for details. +`ip_prefix_list` - (Optional) IPv4 prefix string.. See [Mitigation Choice Ip Prefix List ](#mitigation-choice-ip-prefix-list) below for details. - +### Default Route Pools +Origin Pools used when no route is specified (default route). +`endpoint_subsets` - (Optional) upstream origin pool which match this metadata will be selected for load balancing (`String`). +###### One of the arguments from this list "cluster, pool" must be set +`cluster` - (Optional) More flexible, advanced feature control with cluster. See [ref](#ref) below for details. +`pool` - (Optional) Simple, commonly used pool parameters with origin pool. See [ref](#ref) below for details. +`priority` - (Optional) made active as per the increasing priority. (`Int`). +`weight` - (Optional) Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool (`Int`). +### Graphql Rules +queries and prevent GraphQL tailored attacks.. 
+###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set +`any_domain` - (Optional) Enable GraphQL inspection for any domain (`Bool`). +`exact_value` - (Optional) Exact domain name (`String`). +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - +`exact_path` - (Required) Specifies the exact path to GraphQL endpoint. Default value is /graphql. (`String`). +`graphql_settings` - (Optional) GraphQL configuration.. See [Graphql Rules Graphql Settings ](#graphql-rules-graphql-settings) below for details. - +`metadata` - (Required) Common attributes for the rule including name and description.. See [Graphql Rules Metadata ](#graphql-rules-metadata) below for details. +###### One of the arguments from this list "method_get, method_post" must be set +`method_get` - (Optional) x-displayName: "GET" (`Bool`). +`method_post` - (Optional) x-displayName: "POST" (`Bool`). - +### Jwt Validation +tokens or tokens that are not yet valid.. +`action` - (Required) x-required. See [Jwt Validation Action ](#jwt-validation-action) below for details. +###### One of the arguments from this list "auth_server_uri, jwks, jwks_config" must be set - +`auth_server_uri` - (Optional) JWKS URI will be will be retrieved from this URI (`String`).(Deprecated) +`jwks` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details. (`String`).(Deprecated) +`jwks_config` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.. See [Jwks Configuration Jwks Config ](#jwks-configuration-jwks-config) below for details. +`mandatory_claims` - (Optional) If the claim does not exist JWT token validation will fail.. See [Jwt Validation Mandatory Claims ](#jwt-validation-mandatory-claims) below for details. 
- +`reserved_claims` - (Optional) the token validation of these claims should be disabled.. See [Jwt Validation Reserved Claims ](#jwt-validation-reserved-claims) below for details. +`target` - (Required) Define endpoints for which JWT token validation will be performed. See [Jwt Validation Target ](#jwt-validation-target) below for details. +`token_location` - (Required) Define where in the HTTP request the JWT token will be extracted. See [Jwt Validation Token Location ](#jwt-validation-token-location) below for details. +### More Option - +More options like header manipulation, compression etc.. +`buffer_policy` - (Optional) specify the maximum buffer size and buffer interval with this config.. See [More Option Buffer Policy ](#more-option-buffer-policy) below for details. +`compression_params` - (Optional) Only GZIP compression is supported. See [More Option Compression Params ](#more-option-compression-params) below for details. +`cookies_to_modify` - (Optional) List of cookies to be modified from the HTTP response being sent towards downstream.. See [More Option Cookies To Modify ](#more-option-cookies-to-modify) below for details.(Deprecated) - +`custom_errors` - (Optional) matches for a request. (`String`). +`disable_default_error_pages` - (Optional) Disable the use of default F5XC error pages. (`Bool`). +`idle_timeout` - (Optional) received, otherwise the stream is reset. (`Int`). +`javascript_info` - (Optional) Custom JavaScript Configuration. Custom JavaScript code can be executed at various stages of request processing.. See [More Option Javascript Info ](#more-option-javascript-info) below for details.(Deprecated) +`jwt` - (Optional) audiences and issuer. See [ref](#ref) below for details.(Deprecated) +`max_request_header_size` - (Optional) such load balancers is used for all the load balancers in question. (`Int`). 
- +###### One of the arguments from this list "disable_path_normalize, enable_path_normalize" can be set +`disable_path_normalize` - (Optional) x-displayName: "Disable" (`Bool`).(Deprecated) +`enable_path_normalize` - (Optional) x-displayName: "Enable" (`Bool`).(Deprecated) +`request_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [More Option Request Headers To Add ](#more-option-request-headers-to-add) below for details. - +`request_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP request being sent towards upstream. (`String`). +`response_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [More Option Response Headers To Add ](#more-option-response-headers-to-add) below for details. +`response_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP response being sent towards downstream. (`String`). +###### One of the arguments from this list "additional_domains, enable_strict_sni_host_header_check" can be set - +`additional_domains` - (Optional) Wildcard names are supported in the suffix or prefix form. See [Strict Sni Host Header Check Choice Additional Domains ](#strict-sni-host-header-check-choice-additional-domains) below for details.(Deprecated) +`enable_strict_sni_host_header_check` - (Optional) Enable strict SNI and Host header check (`Bool`).(Deprecated) +### Origin Server Subset Rule List +When an Origin server subset rule is matched, then this selection rule takes effect and no more rules are evaluated.. +`origin_server_subset_rules` - (Optional) When an Origin server subset rule is matched, then this selection rule takes effect and no more rules are evaluated.. See [Origin Server Subset Rule List Origin Server Subset Rules ](#origin-server-subset-rule-list-origin-server-subset-rules) below for details. 
- +### Protected Cookies +Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. +###### One of the arguments from this list "disable_tampering_protection, enable_tampering_protection" must be set +`disable_tampering_protection` - (Optional) x-displayName: "Disable" (`Bool`). - +`enable_tampering_protection` - (Optional) x-displayName: "Enable" (`Bool`). +###### One of the arguments from this list "add_httponly, ignore_httponly" can be set +`add_httponly` - (Optional) x-displayName: "Add" (`Bool`). +`ignore_httponly` - (Optional) x-displayName: "Ignore" (`Bool`). +###### One of the arguments from this list "ignore_max_age, max_age_value" can be set +`ignore_max_age` - (Optional) Ignore max age attribute (`Bool`).(Deprecated) - +`max_age_value` - (Optional) Add max age attribute (`Int`).(Deprecated) +`name` - (Required) Name of the Cookie (`String`). +###### One of the arguments from this list "ignore_samesite, samesite_lax, samesite_none, samesite_strict" can be set +`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). +`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). +`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). - +`samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). +###### One of the arguments from this list "add_secure, ignore_secure" can be set +`add_secure` - (Optional) x-displayName: "Add" (`Bool`). +`ignore_secure` - (Optional) x-displayName: "Ignore" (`Bool`). - +### Routes +to origin pool or redirect matching traffic to a different URL or respond directly to matching traffic. 
+###### One of the arguments from this list "custom_route_object, direct_response_route, redirect_route, simple_route" must be set +`custom_route_object` - (Optional) A custom route uses a route object created outside of this view.. See [Choice Custom Route Object ](#choice-custom-route-object) below for details. +`direct_response_route` - (Optional) A direct response route matches on path and/or HTTP method and responds directly to the matching traffic. See [Choice Direct Response Route ](#choice-direct-response-route) below for details. +`redirect_route` - (Optional) A redirect route matches on path and/or HTTP method and redirects the matching traffic to a different URL. See [Choice Redirect Route ](#choice-redirect-route) below for details. +`simple_route` - (Optional) A simple route matches on path and/or HTTP method and forwards the matching traffic to the associated pools. See [Choice Simple Route ](#choice-simple-route) below for details. +### Sensitive Data Disclosure Rules +Sensitive Data Exposure Rules allows specifying rules to mask sensitive data fields in API responses. +`sensitive_data_types_in_response` - (Optional) Sensitive Data Exposure Rules allows specifying rules to mask sensitive data fields in API responses . See [Sensitive Data Disclosure Rules Sensitive Data Types In Response ](#sensitive-data-disclosure-rules-sensitive-data-types-in-response) below for details. +### Trusted Clients +Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. +###### One of the arguments from this list "bot_skip_processing, skip_processing, waf_skip_processing" can be set +`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) +`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - +`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. 
(`Bool`).(Deprecated) +`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). - +###### One of the arguments from this list "as_number, http_header, ip_prefix, user_identifier" must be set +`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). +`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. +`ip_prefix` - (Optional) IPv4 prefix string. (`String`). +`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). +`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Trusted Clients Metadata ](#trusted-clients-metadata) below for details. +### Waf Exclusion Rules +When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. +###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set - +`any_domain` - (Optional) Apply this WAF exclusion rule for any domain (`Bool`). +`exact_value` - (Optional) Exact domain name (`String`). +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Waf Exclusion Rules Metadata ](#waf-exclusion-rules-metadata) below for details. +`methods` - (Optional) methods to be matched (`List of Strings`). +###### One of the arguments from this list "any_path, path_prefix, path_regex" must be set +`any_path` - (Optional) Match all paths (`Bool`). +`path_prefix` - (Optional) Path prefix to match (e.g. 
the value / will match on all paths) (`String`). +`path_regex` - (Optional) Define the regex for the path. For example, the regex ^/.*$ will match on all paths (`String`). +###### One of the arguments from this list "app_firewall_detection_control, waf_skip_processing" can be set - +`app_firewall_detection_control` - (Optional) Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria.. See [Waf Advanced Configuration App Firewall Detection Control ](#waf-advanced-configuration-app-firewall-detection-control) below for details. +`waf_skip_processing` - (Optional) Skip all App Firewall processing for this request (`Bool`). +### Action Allow +Allow the request to proceed.. +### Action Deny +Deny the request.. - +### Action Choice Action Block +Block the request and issue an API security event. +### Action Choice Action Report +Continue processing the request and issue an API security event. +### Action Choice Action Skip +Continue processing the request. +### Action Choice Apply Data Guard +x-displayName: "Apply". +### Action Choice Block +Block the request and report the issue. +### Action Choice Bot Skip Processing +Skip Bot Defense processing for clients matching this rule.. +### Action Choice Report +Allow the request and report the issue. +### Action Choice Skip Data Guard +x-displayName: "Skip". +### Action Choice Skip Processing +Skip both WAF and Bot Defense processing for clients matching this rule.. +### Action Choice Waf Skip Processing +Skip WAF processing for clients matching this rule.. +### Action Type Block +Block bot request and send response with custom content.. +`body` - (Optional) E.g. "

Your request was blocked

". Base64 encoded string for this html is "LzxwPiBZb3VyIHJlcXVlc3Qgd2FzIGJsb2NrZWQgPC9wPg==" (`String`). +`body_hash` - (Optional) Represents the corresponding MD5 Hash for the body message. (`String`).(Deprecated) +`status` - (Optional) HTTP Status code to respond with (`String`). +### Action Type Flag - +Flag the request while not taking any invasive actions.. +###### One of the arguments from this list "append_headers, no_headers" can be set +`append_headers` - (Optional) Append mitigation headers.. See [Send Headers Choice Append Headers ](#send-headers-choice-append-headers) below for details. +`no_headers` - (Optional) No mitigation headers. (`Bool`). +### Action Type None +No mitigation actions.. +### Action Type Redirect +Redirect bot request to a custom URI.. +`uri` - (Required) URI location for redirect may be relative or absolute. (`String`). +### Additional Headers Choice Allow Additional Headers +Allow extra headers (on top of what specified in the OAS documentation). +### Additional Headers Choice Disallow Additional Headers +Disallow extra headers (on top of what specified in the OAS documentation). +### Additional Parameters Choice Allow Additional Parameters +Allow extra query parameters (on top of what specified in the OAS documentation). +### Additional Parameters Choice Disallow Additional Parameters +Disallow extra query parameters (on top of what specified in the OAS documentation). +### Advanced Options Cors Policy +resources from a server at a different origin. +`allow_credentials` - (Optional) Specifies whether the resource allows credentials (`Bool`). +`allow_headers` - (Optional) Specifies the content for the access-control-allow-headers header (`String`). +`allow_methods` - (Optional) Specifies the content for the access-control-allow-methods header (`String`). +`allow_origin` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). 
+`allow_origin_regex` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). +`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). +`expose_headers` - (Optional) Specifies the content for the access-control-expose-headers header (`String`). +`max_age` - (Optional) Specifies the content for the access-control-max-age header (`String`).(Deprecated) +`maximum_age` - (Optional) Maximum permitted value is 86400 seconds (24 hours) (`Int`). - +### Advanced Options Csrf Policy +Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. +###### One of the arguments from this list "all_load_balancer_domains, custom_domain_list, disabled" must be set +`all_load_balancer_domains` - (Optional) Add All load balancer domains to source origin (allow) list. (`Bool`). +`custom_domain_list` - (Optional) Add one or more domains to source origin (allow) list.. See [Allowed Domains Custom Domain List ](#allowed-domains-custom-domain-list) below for details. -`disable_api_definition` - (Optional) API Definition is not currently used for this load balancer (`Bool`). +`disabled` - (Optional) Allow all source origin domains. (`Bool`). +### Advanced Options Header Transformation Type +Settings to normalize the headers of upstream requests.. +###### One of the arguments from this list "default_header_transformation, legacy_header_transformation, preserve_case_header_transformation, proper_case_header_transformation" must be set +`default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). -`disable_api_discovery` - (Optional) x-displayName: "Disable" (`Bool`). +`legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). +`preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). 
-`enable_api_discovery` - (Optional) x-displayName: "Enable". See [Api Discovery Choice Enable Api Discovery ](#api-discovery-choice-enable-api-discovery) below for details. - +`proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). +### Advanced Options Request Headers To Add - +Headers are key-value pairs to be added to HTTP request being routed towards upstream.. +`append` - (Optional) Default value is do not append (`Bool`). +`name` - (Required) Name of the HTTP header. (`String`). +###### One of the arguments from this list "secret_value, value" must be set +`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. - +`value` - (Optional) Value of the HTTP header. (`String`). +### Advanced Options Response Headers To Add +Headers are key-value pairs to be added to HTTP response being sent towards downstream.. +`append` - (Optional) Default value is do not append (`Bool`). - +`name` - (Required) Name of the HTTP header. (`String`). +###### One of the arguments from this list "secret_value, value" must be set +`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. +`value` - (Optional) Value of the HTTP header. (`String`). - +### Advertise Choice Advertise Custom +Advertise this load balancer on specific sites. - +`advertise_where` - (Required) Where should this load balancer be available. See [Advertise Custom Advertise Where ](#advertise-custom-advertise-where) below for details. +### Advertise Choice Advertise On Public - +Advertise this load balancer on public network. +`public_ip` - (Required) Dedicated Public IP, which is allocated by F5 Distributed Cloud on request, is used as a VIP.. See [ref](#ref) below for details. 
+### Advertise Custom Advertise Where +Where should this load balancer be available. +###### One of the arguments from this list "advertise_on_public, cloud_edge_segment, segment, site, site_segment, virtual_network, virtual_site, virtual_site_segment, virtual_site_with_vip, vk8s_service" must be set - +`advertise_on_public` - (Optional) Advertise this load balancer on public network. See [Choice Advertise On Public ](#choice-advertise-on-public) below for details. +`site` - (Optional) Advertise on a customer site and a given network.. See [Choice Site ](#choice-site) below for details. +`site_segment` - (Optional) Advertise on a segment on a site. See [Choice Site Segment ](#choice-site-segment) below for details. +`virtual_network` - (Optional) Advertise on a virtual network. See [Choice Virtual Network ](#choice-virtual-network) below for details. +`virtual_site` - (Optional) Advertise on a customer virtual site and a given network.. See [Choice Virtual Site ](#choice-virtual-site) below for details. +`virtual_site_with_vip` - (Optional) Advertise on a customer virtual site and a given network and IP.. See [Choice Virtual Site With Vip ](#choice-virtual-site-with-vip) below for details. +`vk8s_service` - (Optional) Advertise on vK8s Service Network on RE.. See [Choice Vk8s Service ](#choice-vk8s-service) below for details. +###### One of the arguments from this list "port, port_ranges, use_default_port" must be set +`port` - (Optional) TCP port to Listen. (`Int`). +`port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). - +`use_default_port` - (Optional) For HTTP, default is 80. For HTTPS/SNI, default is 443. (`Bool`). +### Allow Introspection Queries Choice Disable Introspection +Disable introspection queries for the load balancer.. +### Allow Introspection Queries Choice Enable Introspection +Enable introspection queries for the load balancer.. 
+### Allowed Domains All Load Balancer Domains +Add All load balancer domains to source origin (allow) list.. +### Allowed Domains Custom Domain List - +Add one or more domains to source origin (allow) list.. +`domains` - (Required) Wildcard names are supported in the suffix or prefix form. (`String`). - +### Allowed Domains Disabled +Allow all source origin domains.. +### Api Definition Choice Api Definitions +DEPRECATED by 'api_definition'. +`api_definitions` - (Optional) API Definitions using OpenAPI specification files. See [ref](#ref) below for details. +### Api Definition Choice Api Specification - +Specify API definition and OpenAPI Validation. +`api_definition` - (Required) Specify API definition which includes application API paths and methods derived from swagger files.. See [ref](#ref) below for details. +###### One of the arguments from this list "validation_all_spec_endpoints, validation_custom_list, validation_disabled" must be set +`validation_all_spec_endpoints` - (Optional) All other API endpoints would proceed according to "Fall Through Mode". See [Validation Target Choice Validation All Spec Endpoints ](#validation-target-choice-validation-all-spec-endpoints) below for details. +`validation_custom_list` - (Optional) Any other end-points not listed will act according to "Fall Through Mode". See [Validation Target Choice Validation Custom List ](#validation-target-choice-validation-custom-list) below for details. +`validation_disabled` - (Optional) Don't run OpenAPI validation (`Bool`). +### Api Discovery Choice Disable Discovery +x-displayName: "Disable". - +### Api Discovery Choice Enable Api Discovery +x-displayName: "Enable". +`api_discovery_from_code_scan` - (Optional) Select API code repositories to the load balancer to use them as a source for API endpoint discovery.. See [Enable Api Discovery Api Discovery From Code Scan ](#enable-api-discovery-api-discovery-from-code-scan) below for details. 
+`discovered_api_settings` - (Optional) Configure Discovered API Settings.. See [Enable Api Discovery Discovered Api Settings ](#enable-api-discovery-discovered-api-settings) below for details. +###### One of the arguments from this list "disable_learn_from_redirect_traffic, enable_learn_from_redirect_traffic" must be set +`disable_learn_from_redirect_traffic` - (Optional) Disable learning API patterns from traffic with redirect response codes 3xx (`Bool`). +`enable_learn_from_redirect_traffic` - (Optional) Enable learning API patterns from traffic with redirect response codes 3xx (`Bool`). +`sensitive_data_detection_rules` - (Optional) Manage rules to detect sensitive data in requests and/or response sections.. See [Enable Api Discovery Sensitive Data Detection Rules ](#enable-api-discovery-sensitive-data-detection-rules) below for details.(Deprecated) +### Api Discovery Choice Enable Discovery +x-displayName: "Enable". - +`api_discovery_from_code_scan` - (Optional) Select API code repositories to the load balancer to use them as a source for API endpoint discovery.. See [Enable Discovery Api Discovery From Code Scan ](#enable-discovery-api-discovery-from-code-scan) below for details. +`discovered_api_settings` - (Optional) Configure Discovered API Settings.. See [Enable Discovery Discovered Api Settings ](#enable-discovery-discovered-api-settings) below for details. +###### One of the arguments from this list "disable_learn_from_redirect_traffic, enable_learn_from_redirect_traffic" must be set +`disable_learn_from_redirect_traffic` - (Optional) Disable learning API patterns from traffic with redirect response codes 3xx (`Bool`). - +`enable_learn_from_redirect_traffic` - (Optional) Enable learning API patterns from traffic with redirect response codes 3xx (`Bool`). +`sensitive_data_detection_rules` - (Optional) Manage rules to detect sensitive data in requests and/or response sections.. 
See [Enable Discovery Sensitive Data Detection Rules ](#enable-discovery-sensitive-data-detection-rules) below for details.(Deprecated) +### Api Discovery From Code Scan Code Base Integrations +x-required. - +###### One of the arguments from this list "all_repos, selected_repos" must be set +`all_repos` - (Optional) x-displayName: "All API Repositories" (`Bool`). +`selected_repos` - (Optional) x-displayName: "Selected API Repositories". See [Api Repos Choice Selected Repos ](#api-repos-choice-selected-repos) below for details. +`code_base_integration` - (Required) Select the code base integration for use in code-based API discovery. See [ref](#ref) below for details. - +### Api Endpoint Rules Action +The action to take if the input request matches the rule.. +###### One of the arguments from this list "allow, deny" must be set +`allow` - (Optional) Allow the request to proceed. (`Bool`). +`deny` - (Optional) Deny the request. (`Bool`). +### Api Endpoint Rules Api Endpoint Method +The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. - +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`methods` - (Optional) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). +### Api Endpoint Rules Client Matcher +Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - +###### One of the arguments from this list "any_client, client_selector, ip_threat_category_list" must be set +`any_client` - (Optional) Any Client (`Bool`). +`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. +`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. 
+###### One of the arguments from this list "any_ip, asn_list, asn_matcher, ip_matcher, ip_prefix_list" must be set +`any_ip` - (Optional) Any Source IP (`Bool`). +`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. +`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. - +`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. +`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. +`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. - +### Api Endpoint Rules Metadata +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Api Endpoint Rules Request Matcher -`api_protection_rules` - (Optional) Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. See [Api Protection Rules ](#api-protection-rules) below for details. 
+Conditions related to the request, such as query parameters, headers, etc.. +`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. - +`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. +`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. - +`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. +### Api Groups Rules Action +The action to take if the input request matches the rule.. +###### One of the arguments from this list "allow, deny" must be set - +`allow` - (Optional) Allow the request to proceed. (`Bool`). +`deny` - (Optional) Deny the request. (`Bool`). +### Api Groups Rules Client Matcher +Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - +###### One of the arguments from this list "any_client, client_selector, ip_threat_category_list" must be set +`any_client` - (Optional) Any Client (`Bool`). +`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. +`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - +###### One of the arguments from this list "any_ip, asn_list, asn_matcher, ip_matcher, ip_prefix_list" must be set +`any_ip` - (Optional) Any Source IP (`Bool`). 
+`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. +`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. +`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. - +`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. +`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. +### Api Groups Rules Metadata +Common attributes for the rule including name and description.. - +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Api Groups Rules Request Matcher - +Conditions related to the request, such as query parameters, headers, etc.. +`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. +`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. 
+`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. +`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. - +### Api Protection Rules Api Endpoint Rules +If request matches any of these rules, skipping second category rules.. +`action` - (Required) The action to take if the input request matches the rule.. See [Api Endpoint Rules Action ](#api-endpoint-rules-action) below for details. +`api_endpoint_method` - (Optional) The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. See [Api Endpoint Rules Api Endpoint Method ](#api-endpoint-rules-api-endpoint-method) below for details. +`api_endpoint_path` - (Required) The endpoint (path) of the request. (`String`). +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Endpoint Rules Client Matcher ](#api-endpoint-rules-client-matcher) below for details. +###### One of the arguments from this list "any_domain, specific_domain" must be set - +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). +`specific_domain` - (Optional) For example: api.example.com (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Api Endpoint Rules Metadata ](#api-endpoint-rules-metadata) below for details. +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Endpoint Rules Request Matcher ](#api-endpoint-rules-request-matcher) below for details. - +### Api Protection Rules Api Groups Rules +For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.. 
+`action` - (Required) The action to take if the input request matches the rule.. See [Api Groups Rules Action ](#api-groups-rules-action) below for details. +`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`). +`base_path` - (Required) For example: /v1 (`String`). - +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Groups Rules Client Matcher ](#api-groups-rules-client-matcher) below for details. +###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). +`specific_domain` - (Optional) For example: api.example.com (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Api Groups Rules Metadata ](#api-groups-rules-metadata) below for details. - +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Groups Rules Request Matcher ](#api-groups-rules-request-matcher) below for details. +### Api Rate Limit Api Endpoint Rules +For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. +`api_endpoint_method` - (Optional) The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. See [Api Endpoint Rules Api Endpoint Method ](#api-endpoint-rules-api-endpoint-method) below for details. +`api_endpoint_path` - (Required) The endpoint (path) of the request. (`String`). +`base_path` - (Optional) The request base path. (`String`).(Deprecated) - +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Endpoint Rules Client Matcher ](#api-endpoint-rules-client-matcher) below for details. 
+###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). +`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). +###### One of the arguments from this list "inline_rate_limiter, ref_rate_limiter" must be set +`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. - +`ref_rate_limiter` - (Optional) Select external rate limiter.. See [ref](#ref) below for details. +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Endpoint Rules Request Matcher ](#api-endpoint-rules-request-matcher) below for details. +### Api Rate Limit Server Url Rules +For matching also specific endpoints you can use the API endpoint rules set bellow.. +`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`). +`base_path` - (Required) Prefix of the request path. (`String`). +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Server Url Rules Client Matcher ](#server-url-rules-client-matcher) below for details. +###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). +`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). +###### One of the arguments from this list "inline_rate_limiter, ref_rate_limiter" must be set - +`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. +`ref_rate_limiter` - (Optional) Use external rate limiter.. 
See [ref](#ref) below for details. +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Server Url Rules Request Matcher ](#server-url-rules-request-matcher) below for details. +### Api Rate Limit Legacy Api Endpoint Rules +For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. - +`api_endpoint_method` - (Optional) The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. See [Api Endpoint Rules Api Endpoint Method ](#api-endpoint-rules-api-endpoint-method) below for details. +`api_endpoint_path` - (Required) The endpoint (path) of the request. (`String`). - +`base_path` - (Optional) The request base path. (`String`).(Deprecated) +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Endpoint Rules Client Matcher ](#api-endpoint-rules-client-matcher) below for details. +###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). +`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). - +###### One of the arguments from this list "inline_rate_limiter, ref_rate_limiter" must be set +`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. +`ref_rate_limiter` - (Optional) Select external rate limiter.. See [ref](#ref) below for details. +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Endpoint Rules Request Matcher ](#api-endpoint-rules-request-matcher) below for details. - +### Api Rate Limit Legacy Server Url Rules +For matching also specific endpoints you can use the API endpoint rules set bellow.. 
+`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`). +`base_path` - (Required) Prefix of the request path. (`String`). - +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Server Url Rules Client Matcher ](#server-url-rules-client-matcher) below for details. +###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). +`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). +###### One of the arguments from this list "inline_rate_limiter, ref_rate_limiter" must be set +`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. +`ref_rate_limiter` - (Optional) Use external rate limiter.. See [ref](#ref) below for details. +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Server Url Rules Request Matcher ](#server-url-rules-request-matcher) below for details. +### Api Repos Choice All Repos - +x-displayName: "All API Repositories". +### Api Repos Choice Selected Repos +x-displayName: "Selected API Repositories". +`api_code_repo` - (Required) Code repository which contain API endpoints (`String`). +### App Firewall Detection Control Exclude Attack Type Contexts +Attack Types to be excluded for the defined match criteria. +`context` - (Required) x-required (`String`). +`context_name` - (Optional) with an wildcard asterisk (*). (`String`). +`exclude_attack_type` - (Required) x-required (`String`). +### App Firewall Detection Control Exclude Bot Name Contexts +Bot Names to be excluded for the defined match criteria. +`bot_name` - (Required) x-example: "Hydra" (`String`). 
+### App Firewall Detection Control Exclude Signature Contexts +Signature IDs to be excluded for the defined match criteria. +`context` - (Required) x-required (`String`). +`context_name` - (Optional) with an wildcard asterisk (*). (`String`). - +`signature_id` - (Required) 0 implies that all signatures will be excluded for the specified context. (`Int`). +### App Firewall Detection Control Exclude Violation Contexts +Violations to be excluded for the defined match criteria. +`context` - (Required) x-required (`String`). +`context_name` - (Optional) with an wildcard asterisk (*). (`String`). +`exclude_violation` - (Required) x-required (`String`). +### App Traffic Type Choice Mobile +Mobile traffic channel.. +### App Traffic Type Choice Mobile Client +Mobile traffic channel.. +### App Traffic Type Choice Web +Web traffic channel.. +### App Traffic Type Choice Web Client +Web traffic channel.. +### App Traffic Type Choice Web Mobile - +Web and mobile traffic channel.. +`header` - (Optional) Header that is used by mobile traffic.. See [Web Mobile Header ](#web-mobile-header) below for details.(Deprecated) +`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Web Mobile Headers ](#web-mobile-headers) below for details.(Deprecated) +`mobile_identifier` - (Optional) Mobile identifier type (`String`). +### App Traffic Type Choice Web Mobile Client +Web and mobile traffic channel.. +`header` - (Optional) Header that is used by mobile traffic.. See [Web Mobile Client Header ](#web-mobile-client-header) below for details.(Deprecated) +`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Web Mobile Client Headers ](#web-mobile-client-headers) below for details.(Deprecated) +`mobile_identifier` - (Optional) Mobile identifier type (`String`). +### Asn Choice Any Asn +any_asn. +### Asn Choice Asn List +asn_list. 
+`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). +### Asn Choice Asn Matcher +asn_matcher. - +`asn_sets` - (Required) A list of references to bgp_asn_set objects.. See [ref](#ref) below for details. +### Audience Validation Audience - +x-displayName: "Exact Match". +`audiences` - (Required) x-required (`String`). +### Audience Validation Audience Disable +x-displayName: "Disable". +### Blocked Clients Metadata +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Bot Defense Policy +Bot Defense Policy.. +###### One of the arguments from this list "disable_js_insert, js_insert_all_pages, js_insert_all_pages_except, js_insertion_rules" must be set - +`disable_js_insert` - (Optional) Disable JavaScript insertion. (`Bool`). +`js_insert_all_pages` - (Optional) Insert Bot Defense JavaScript in all pages.. See [Java Script Choice Js Insert All Pages ](#java-script-choice-js-insert-all-pages) below for details. +`js_insert_all_pages_except` - (Optional) Insert Bot Defense JavaScript in all pages with the exceptions.. See [Java Script Choice Js Insert All Pages Except ](#java-script-choice-js-insert-all-pages-except) below for details. +`js_insertion_rules` - (Optional) Specify custom JavaScript insertion rules.. See [Java Script Choice Js Insertion Rules ](#java-script-choice-js-insertion-rules) below for details. +`javascript_mode` - (Required) The larger chunk can be loaded asynchronously or synchronously. It can also be cacheable or non-cacheable on the browser. 
(`String`). +`js_download_path` - (Optional) Customize Bot Defense Client JavaScript path. If not specified, default `/common.js` (`String`). +###### One of the arguments from this list "disable_mobile_sdk, mobile_sdk_config" must be set +`disable_mobile_sdk` - (Optional) Disable Mobile SDK. (`Bool`). +`mobile_sdk_config` - (Optional) Mobile SDK configuration. See [Mobile Sdk Choice Mobile Sdk Config ](#mobile-sdk-choice-mobile-sdk-config) below for details. +`protected_app_endpoints` - (Required) List of protected application endpoints (max 128 items).. See [Policy Protected App Endpoints ](#policy-protected-app-endpoints) below for details. +### Bot Defense Advanced Policy +Bot Defense Advanced Policy.. +`js_download_path` - (Required) Customize Bot Defense Web Client JavaScript path (`String`). +###### One of the arguments from this list "disable_mobile_sdk, mobile_sdk_config" must be set +`disable_mobile_sdk` - (Optional) Disable Mobile SDK. (`Bool`). +`mobile_sdk_config` - (Optional) Enable Mobile SDK Configuration. See [Mobile Sdk Choice Mobile Sdk Config ](#mobile-sdk-choice-mobile-sdk-config) below for details. +`protected_app_endpoints` - (Required) List of protected endpoints (max 128 items). See [Policy Protected App Endpoints ](#policy-protected-app-endpoints) below for details. +### Bot Defense Choice Bot Defense +Select Bot Defense Standard. +###### One of the arguments from this list "disable_cors_support, enable_cors_support" must be set +`disable_cors_support` - (Optional) protect against Bot Attacks. (`Bool`).(Deprecated) +`enable_cors_support` - (Optional) Allows Bot Defense to work with your existing CORS policies. (`Bool`).(Deprecated) +`policy` - (Required) Bot Defense Policy.. See [Bot Defense Policy ](#bot-defense-policy) below for details. +`regional_endpoint` - (Required) x-required (`String`). +`timeout` - (Optional) The timeout for the inference check, in milliseconds. (`Int`). 
+### Bot Defense Choice Bot Defense Advanced +Select Bot Defense Advanced. +`mobile` - (Optional) Select infrastructure for mobile.. See [ref](#ref) below for details. +`policy` - (Required) Bot Defense Advanced Policy.. See [Bot Defense Advanced Policy ](#bot-defense-advanced-policy) below for details. +`web` - (Optional) Select infrastructure for web.. See [ref](#ref) below for details. +### Bot Defense Javascript Injection Javascript Tags +Select Add item to configure your javascript tag. If adding both Bot Adv and Fraud, the Bot Javascript should be added first.. +`javascript_url` - (Required) Please enter the full URL (include domain and path), or relative path. (`String`). +`tag_attributes` - (Optional) Add the tag attributes you want to include in your Javascript tag.. See [Javascript Tags Tag Attributes ](#javascript-tags-tag-attributes) below for details. +### Bot Defense Javascript Injection Choice Bot Defense Javascript Injection +Configuration for Bot Defense JavaScript Injection. +`javascript_location` - (Optional) Select the location where you would like to insert the Javascript tag(s). (`String`). - +`javascript_tags` - (Required) Select Add item to configure your javascript tag. If adding both Bot Adv and Fraud, the Bot Javascript should be added first.. See [Bot Defense Javascript Injection Javascript Tags ](#bot-defense-javascript-injection-javascript-tags) below for details. +### Bot Defense Javascript Injection Choice Inherited Bot Defense Javascript Injection +Hence no custom configuration is applied on the route. +### Buffer Choice Buffer Policy +Route level buffer configuration overrides any configuration at VirtualHost level.. - +`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). +`max_request_bytes` - (Optional) manager will stop buffering and return a RequestEntityTooLarge (413) response. (`Int`). 
+`max_request_time` - (Optional) request before returning a RequestTimeout (408) response (`Int`).(Deprecated) +### Buffer Choice Common Buffering +Use common buffering configuration. +### Bypass Rate Limiting Rules Bypass Rate Limiting Rules +This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. -`api_rate_limit_legacy` - (Optional) Legacy value only temporary pre-migration. This value will be copied over to api_rate_limit and removed later.. See [Api Rate Limit Legacy ](#api-rate-limit-legacy) below for details.(Deprecated) +`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Bypass Rate Limiting Rules Client Matcher ](#bypass-rate-limiting-rules-client-matcher) below for details. +###### One of the arguments from this list "any_url, api_endpoint, api_groups, base_path" must be set - +`any_url` - (Optional) Any URL (`Bool`). +`api_endpoint` - (Required) The endpoint (path) of the request.. See [Destination Type Api Endpoint ](#destination-type-api-endpoint) below for details. +`api_groups` - (Optional) Validation will be performed for the endpoints mentioned in the API Groups. See [Destination Type Api Groups ](#destination-type-api-groups) below for details. +`base_path` - (Optional) The base path which this validation applies to (`String`). +###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). +`specific_domain` - (Optional) For example: api.example.com (`String`). +`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Bypass Rate Limiting Rules Request Matcher ](#bypass-rate-limiting-rules-request-matcher) below for details. +### Bypass Rate Limiting Rules Client Matcher +Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. 
+###### One of the arguments from this list "any_client, client_selector, ip_threat_category_list" must be set +`any_client` - (Optional) Any Client (`Bool`). +`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. +`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - +###### One of the arguments from this list "any_ip, asn_list, asn_matcher, ip_matcher, ip_prefix_list" must be set +`any_ip` - (Optional) Any Source IP (`Bool`). +`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. +`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. +`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. - +`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. +`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. +### Bypass Rate Limiting Rules Request Matcher +Conditions related to the request, such as query parameters, headers, etc.. 
+`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. +`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. +`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. +`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. +### Captcha Challenge Parameters Choice Captcha Challenge Parameters +Configure captcha challenge parameters. +`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). +`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - +### Captcha Challenge Parameters Choice Default Captcha Challenge Parameters +Use default parameters. - +### Challenge Action Disable Challenge +Disable the challenge type selected in PolicyBasedChallenge. - +### Challenge Action Enable Captcha Challenge +Enable captcha challenge. +### Challenge Action Enable Javascript Challenge +Enable javascript challenge. +### Challenge Choice Always Enable Captcha Challenge +Challenge rules can be used to selectively disable Captcha challenge or enable JavaScript challenge for some requests.. +### Challenge Choice Always Enable Js Challenge +Challenge rules can be used to selectively disable JavaScript challenge or enable Captcha challenge for some requests.. +### Challenge Choice No Challenge +Challenge rules can be used to selectively enable JavaScript or Captcha challenge for some requests.. +### Challenge Type Captcha Challenge +Configure Captcha challenge on this load balancer. +`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). +`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). +### Challenge Type Enable Challenge +Configure auto mitigation i.e risk based challenges for malicious users. +###### One of the arguments from this list "captcha_challenge_parameters, default_captcha_challenge_parameters" can be set +`captcha_challenge_parameters` - (Optional) Configure captcha challenge parameters. See [Captcha Challenge Parameters Choice Captcha Challenge Parameters ](#captcha-challenge-parameters-choice-captcha-challenge-parameters) below for details. +`default_captcha_challenge_parameters` - (Optional) Use default parameters (`Bool`). +###### One of the arguments from this list "default_js_challenge_parameters, js_challenge_parameters" can be set +`default_js_challenge_parameters` - (Optional) Use default parameters (`Bool`). +`js_challenge_parameters` - (Optional) Configure JavaScript challenge parameters. See [Js Challenge Parameters Choice Js Challenge Parameters ](#js-challenge-parameters-choice-js-challenge-parameters) below for details. +###### One of the arguments from this list "default_mitigation_settings, malicious_user_mitigation" can be set +`default_mitigation_settings` - (Optional) For high level, users will be temporarily blocked. (`Bool`). +`malicious_user_mitigation` - (Optional) Define the mitigation actions to be taken for different threat levels. See [ref](#ref) below for details. +### Challenge Type Js Challenge +Configure JavaScript challenge on this load balancer. +`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). +`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). +`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). +### Challenge Type Policy Based Challenge +Specifies the settings for policy rule based challenge. +###### One of the arguments from this list "captcha_challenge_parameters, default_captcha_challenge_parameters" can be set - +`captcha_challenge_parameters` - (Optional) Configure captcha challenge parameters. See [Captcha Challenge Parameters Choice Captcha Challenge Parameters ](#captcha-challenge-parameters-choice-captcha-challenge-parameters) below for details. +`default_captcha_challenge_parameters` - (Optional) Use default parameters (`Bool`). +###### One of the arguments from this list "always_enable_captcha_challenge, always_enable_js_challenge, no_challenge" must be set +`always_enable_captcha_challenge` - (Optional) Challenge rules can be used to selectively disable Captcha challenge or enable JavaScript challenge for some requests. (`Bool`). - +`always_enable_js_challenge` - (Optional) Challenge rules can be used to selectively disable JavaScript challenge or enable Captcha challenge for some requests. (`Bool`). +`no_challenge` - (Optional) Challenge rules can be used to selectively enable JavaScript or Captcha challenge for some requests. (`Bool`). +###### One of the arguments from this list "default_js_challenge_parameters, js_challenge_parameters" can be set +`default_js_challenge_parameters` - (Optional) Use default parameters (`Bool`). +`js_challenge_parameters` - (Optional) Configure JavaScript challenge parameters. See [Js Challenge Parameters Choice Js Challenge Parameters ](#js-challenge-parameters-choice-js-challenge-parameters) below for details. +###### One of the arguments from this list "default_mitigation_settings, malicious_user_mitigation" can be set - +`default_mitigation_settings` - (Optional) For high level, users will be temporarily blocked. (`Bool`). 
+`malicious_user_mitigation` - (Optional) Define the mitigation actions to be taken for different threat levels. See [ref](#ref) below for details. +`rule_list` - (Optional) list challenge rules to be used in policy based challenge. See [Policy Based Challenge Rule List ](#policy-based-challenge-rule-list) below for details. +###### One of the arguments from this list "default_temporary_blocking_parameters, temporary_user_blocking" can be set +`default_temporary_blocking_parameters` - (Optional) Use default parameters (`Bool`).(Deprecated) +`temporary_user_blocking` - (Optional) Specifies configuration for temporary user blocking resulting from malicious user detection. See [Temporary Blocking Parameters Choice Temporary User Blocking ](#temporary-blocking-parameters-choice-temporary-user-blocking) below for details.(Deprecated) +### Choice Advertise On Public +Advertise this load balancer on public network. +`public_ip` - (Required) Dedicated Public IP, which is allocated by F5 Distributed Cloud on request, is used as a VIP.. See [ref](#ref) below for details. +### Choice Consul Service +Specify origin server with Hashi Corp Consul service name and site information. +###### One of the arguments from this list "inside_network, outside_network" must be set - +`inside_network` - (Optional) Inside network on the site (`Bool`). +`outside_network` - (Optional) Outside network on the site (`Bool`). +`service_name` - (Required) cluster-id is optional. (`String`). +`site_locator` - (Required) Site or Virtual site where this origin server is located. See [Consul Service Site Locator ](#consul-service-site-locator) below for details. +### Choice Custom Endpoint Object +Specify origin server with a reference to endpoint object. +`endpoint` - (Required) Reference to an endpoint object. See [ref](#ref) below for details. +### Choice Custom Route Object - +A custom route uses a route object created outside of this view.. 
+`route_ref` - (Optional) Reference to a custom route object. See [ref](#ref) below for details. +### Choice Custom Security +Custom selection of TLS versions and cipher suites. +`cipher_suites` - (Required) The TLS listener will only support the specified cipher list. (`String`). - +`max_version` - (Optional) Maximum TLS protocol version. (`String`). +`min_version` - (Optional) Minimum TLS protocol version. (`String`). +### Choice Default Security +TLS v1.2+ with PFS ciphers and strong crypto algorithms.. +### Choice Direct Response Route +A direct response route matches on path and/or HTTP method and responds directly to the matching traffic. - +`headers` - (Optional) List of (key, value) headers. See [Direct Response Route Headers ](#direct-response-route-headers) below for details. +`http_method` - (Optional) The name of the HTTP Method (GET, PUT, POST, etc) (`String`). +`incoming_port` - (Optional) The port on which the request is received. See [Direct Response Route Incoming Port ](#direct-response-route-incoming-port) below for details. +`path` - (Required) URI path of route. See [Direct Response Route Path ](#direct-response-route-path) below for details. - +`route_direct_response` - (Optional) Send direct response. See [Direct Response Route Route Direct Response ](#direct-response-route-route-direct-response) below for details. +### Choice K8s Service +Specify origin server with K8s service name and site information. +###### One of the arguments from this list "inside_network, outside_network, vk8s_networks" must be set - +`inside_network` - (Optional) Inside network on the site (`Bool`). +`outside_network` - (Optional) Outside network on the site (`Bool`). +`vk8s_networks` - (Optional) origin server are on vK8s network on the site (`Bool`). +###### One of the arguments from this list "service_name, service_selector" must be set +`service_name` - (Optional) Both namespace and cluster-id are optional. (`String`). 
+`service_selector` - (Optional) discovery has to happen. This implicit label is added to service_selector. See [Service Info Service Selector ](#service-info-service-selector) below for details.(Deprecated) +`site_locator` - (Required) Site or Virtual site where this origin server is located. See [K8s Service Site Locator ](#k8s-service-site-locator) below for details. +### Choice Low Security +TLS v1.0+ including non-PFS ciphers and weak crypto algorithms.. +### Choice Medium Security +TLS v1.0+ with PFS ciphers and medium strength crypto algorithms.. +### Choice Private Ip +Specify origin server with private or public IP address and site information. +###### One of the arguments from this list "inside_network, outside_network, segment" must be set +`inside_network` - (Optional) Inside network on the site (`Bool`). +`outside_network` - (Optional) Outside network on the site (`Bool`). +`segment` - (Optional) Segment where this origin server is located. See [ref](#ref) below for details. +###### One of the arguments from this list "ip, ipv6" must be set +`ip` - (Optional) Private IPV4 address (`String`). +`ipv6` - (Optional) Private IPV6 address (`String`). +`site_locator` - (Required) Site or Virtual site where this origin server is located. See [Private Ip Site Locator ](#private-ip-site-locator) below for details. +### Choice Private Name +Specify origin server with private or public DNS name and site information. +`dns_name` - (Required) DNS Name (`String`). +###### One of the arguments from this list "inside_network, outside_network, segment" must be set +`inside_network` - (Optional) Inside network on the site (`Bool`). +`outside_network` - (Optional) Outside network on the site (`Bool`). +`segment` - (Optional) Segment where this origin server is located. See [ref](#ref) below for details. +`refresh_interval` - (Optional) Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767 (`Int`). 
+`site_locator` - (Required) Site or Virtual site where this origin server is located. See [Private Name Site Locator ](#private-name-site-locator) below for details. +### Choice Public Ip +Specify origin server with public IP. +###### One of the arguments from this list "ip, ipv6" must be set +`ip` - (Optional) Public IPV4 address (`String`). +`ipv6` - (Optional) Public IPV6 address (`String`). +### Choice Public Name +Specify origin server with public DNS name. +`dns_name` - (Required) DNS Name (`String`). +`refresh_interval` - (Optional) Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767 (`Int`). +### Choice Redirect Route +A redirect route matches on path and/or HTTP method and redirects the matching traffic to a different URL. +`headers` - (Optional) List of (key, value) headers. See [Redirect Route Headers ](#redirect-route-headers) below for details. +`http_method` - (Optional) The name of the HTTP Method (GET, PUT, POST, etc) (`String`). - +`incoming_port` - (Optional) The port on which the request is received. See [Redirect Route Incoming Port ](#redirect-route-incoming-port) below for details. +`path` - (Required) URI path of route. See [Redirect Route Path ](#redirect-route-path) below for details. +`route_redirect` - (Optional) Send redirect response. See [Redirect Route Route Redirect ](#redirect-route-route-redirect) below for details. +### Choice Simple Route +A simple route matches on path and/or HTTP method and forwards the matching traffic to the associated pools. +`advanced_options` - (Optional) Configure Advanced per route options. See [Simple Route Advanced Options ](#simple-route-advanced-options) below for details. +`headers` - (Optional) List of (key, value) headers. See [Simple Route Headers ](#simple-route-headers) below for details. -`blocked_clients` - (Optional) Define rules to block IP Prefixes or AS numbers.. See [Blocked Clients ](#blocked-clients) below for details. 
+###### One of the arguments from this list "auto_host_rewrite, disable_host_rewrite, host_rewrite" must be set +`auto_host_rewrite` - (Optional) Host header will be swapped with hostname of upstream host chosen by the cluster (`Bool`). +`disable_host_rewrite` - (Optional) Host header is not modified (`Bool`). +`host_rewrite` - (Optional) Host header will be swapped with this value (`String`). - +`http_method` - (Optional) The name of the HTTP Method (GET, PUT, POST, etc) (`String`). +`incoming_port` - (Optional) The port on which the request is received. See [Simple Route Incoming Port ](#simple-route-incoming-port) below for details. +`origin_pools` - (Required) Origin Pools for this route. See [Simple Route Origin Pools ](#simple-route-origin-pools) below for details. +`path` - (Required) URI path of route. See [Simple Route Path ](#simple-route-path) below for details. - +### Choice Site +Advertise on a customer site and a given network.. +`ip` - (Optional) Use given IP address as VIP on the site (`String`). +`ipv6` - (Optional) Use given IPv6 address as VIP on the site (`String`). - +`network` - (Required) By default VIP chosen as ip address of primary network interface in the network (`String`). +`site` - (Required) Reference to site object. See [ref](#ref) below for details. +### Choice Site Segment +Advertise on a segment on a site. +`ip` - (Required) Use given IP address as VIP on the site (`String`). +`ipv6` - (Optional) Use given IPv6 address as VIP on the site (`String`). +`segment` - (Required) x-required. See [ref](#ref) below for details. +`site` - (Required) x-required. See [ref](#ref) below for details. - +### Choice Virtual Network +Advertise on a virtual network. - +###### One of the arguments from this list "default_v6_vip, specific_v6_vip" can be set +`default_v6_vip` - (Optional) Use the default VIP, system allocated or configured in the virtual network (`Bool`). 
+`specific_v6_vip` - (Optional) Use given IPV6 address as VIP on virtual Network (`String`). +###### One of the arguments from this list "default_vip, specific_vip" can be set +`default_vip` - (Optional) Use the default VIP, system allocated or configured in the virtual network (`Bool`). +`specific_vip` - (Optional) Use given IPV4 address as VIP on virtual Network (`String`). +`virtual_network` - (Required) Select network reference. See [ref](#ref) below for details. +### Choice Virtual Site +Advertise on a customer virtual site and a given network.. +`network` - (Required) IP address of primary network interface in the network (`String`). +`virtual_site` - (Required) Reference to virtual site object. See [ref](#ref) below for details. +### Choice Virtual Site With Vip +Advertise on a customer virtual site and a given network and IP.. +`ip` - (Optional) Use given IP address as VIP on the site (`String`). - +`ipv6` - (Optional) Use given IPv6 address as VIP on the site (`String`). +`network` - (Required) IP address of primary network interface in the network (`String`). +`virtual_site` - (Required) Reference to virtual site object. See [ref](#ref) below for details. +### Choice Vk8s Service +Advertise on vK8s Service Network on RE.. +###### One of the arguments from this list "site, virtual_site" must be set +`site` - (Optional) Reference to site object. See [ref](#ref) below for details. -`bot_defense` - (Optional) Select Bot Defense Standard. See [Bot Defense Choice Bot Defense ](#bot-defense-choice-bot-defense) below for details. - +`virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. +### Choice Vn Private Ip +Specify origin server IP address on virtual network other than inside or outside network. +`virtual_network` - (Required) Virtual Network where this IP will be present. See [ref](#ref) below for details. 
- +###### One of the arguments from this list "ip, ipv6" must be set +`ip` - (Optional) IPV4 address (`String`). +`ipv6` - (Optional) IPV6 address (`String`). +### Choice Vn Private Name - +Specify origin server name on virtual network other than inside or outside network. +`dns_name` - (Required) DNS Name (`String`). +`private_network` - (Required) Virtual Network where this Name will be present. See [ref](#ref) below for details. +### Circuit Breaker Choice Circuit Breaker - +allows to apply back pressure on downstream quickly.. +`connection_limit` - (Optional) Remove endpoint out of load balancing decision, if number of connections reach connection limit. (`Int`). +`max_requests` - (Optional) Remove endpoint out of load balancing decision, if requests exceed this count. (`Int`). +`pending_requests` - (Optional) Remove endpoint out of load balancing decision, if pending request reach pending_request. (`Int`). - +`priority` - (Optional) matched with priority of CircuitBreaker to select the CircuitBreaker (`String`). +`retries` - (Optional) Remove endpoint out of load balancing decision, if retries for request exceed this count. (`Int`). +### Circuit Breaker Choice Default Circuit Breaker +requests are 1024 and the default value for retries is 3. - +### Circuit Breaker Choice Disable Circuit Breaker +Circuit Breaker is disabled. +### Client Choice Any Client +Any Client. +### Client Choice Client Name Matcher - +client_name_matcher. +`exact_values` - (Optional) A list of exact values to match the input against. (`String`). - +`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). +`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). +### Client Choice Client Selector +The predicate evaluates to true if the expressions in the label selector are true for the client labels.. 
- +`expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Client Choice Ip Threat Category List +IP threat categories to choose from. +`ip_threat_categories` - (Required) The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions (`List of Strings`). - +### Client Matcher Tls Fingerprint Matcher +The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. +`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). +`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). +`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). +### Client Side Defense Policy +Please ensure that the same domains are configured in the Client-Side Defense configuration.. +###### One of the arguments from this list "disable_js_insert, js_insert_all_pages, js_insert_all_pages_except, js_insertion_rules" must be set +`disable_js_insert` - (Optional) Disable JavaScript insertion. (`Bool`). - +`js_insert_all_pages` - (Optional) Insert Client-Side Defense JavaScript in all pages. (`Bool`). +`js_insert_all_pages_except` - (Optional) Insert Client-Side Defense JavaScript in all pages with the exceptions.. See [Java Script Choice Js Insert All Pages Except ](#java-script-choice-js-insert-all-pages-except) below for details. +`js_insertion_rules` - (Optional) Specify custom JavaScript insertion rules.. See [Java Script Choice Js Insertion Rules ](#java-script-choice-js-insertion-rules) below for details. +### Client Side Defense Choice Client Side Defense +Client-Side Defense configuration for JavaScript insertion. 
- +`policy` - (Required) Please ensure that the same domains are configured in the Client-Side Defense configuration.. See [Client Side Defense Policy ](#client-side-defense-policy) below for details. +### Client Source Choice Http Header +Request header name and value pairs. +`headers` - (Required) List of HTTP header name and value pairs. See [Http Header Headers ](#http-header-headers) below for details. +### Cluster Retract Choice Do Not Retract Cluster +configuration.. +### Cluster Retract Choice Retract Cluster +for route. +### Condition Type Choice Api Endpoint +The API endpoint (Path + Method) which this validation applies to. - +`methods` - (Optional) Methods to be matched (`List of Strings`). +`path` - (Required) Path to be matched (`String`). - +### Consul Service Site Locator +Site or Virtual site where this origin server is located. +###### One of the arguments from this list "site, virtual_site" must be set +`site` - (Optional) Reference to site object. See [ref](#ref) below for details. +`virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. +### Cookie Tampering Disable Tampering Protection +x-displayName: "Disable". +### Cookie Tampering Enable Tampering Protection +x-displayName: "Enable". +### Cors Support Choice Disable Cors Support +protect against Bot Attacks.. +### Cors Support Choice Enable Cors Support - +Allows Bot Defense to work with your existing CORS policies.. +### Count By Choice Use Http Lb User Id +Defined in HTTP-LB Security Configuration -> User Identifier.. +### Crl Choice No Crl +Client certificate revocation status is not verified. +### Custom Sensitive Data Detection Rules Metadata +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. 
(`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Custom Sensitive Data Detection Rules Sensitive Data Detection Config - +The custom data detection config specifies targets, scopes & the pattern to be detected.. +###### One of the arguments from this list "any_domain, specific_domain" must be set +`any_domain` - (Optional) The rule will apply for all domains. (`Bool`).(Deprecated) +`specific_domain` - (Optional) For example: api.example.com (`String`).(Deprecated) +###### One of the arguments from this list "key_pattern, key_value_pattern, value_pattern" must be set - +`key_pattern` - (Optional) Search for pattern across all field names in the specified sections.. See [Pattern Choice Key Pattern ](#pattern-choice-key-pattern) below for details. +`key_value_pattern` - (Optional) Search for specific field and value patterns in the specified sections.. See [Pattern Choice Key Value Pattern ](#pattern-choice-key-value-pattern) below for details. +`value_pattern` - (Optional) Search for pattern across all field values in the specified sections.. See [Pattern Choice Value Pattern ](#pattern-choice-value-pattern) below for details. +###### One of the arguments from this list "all_request_sections, all_response_sections, all_sections, custom_sections" must be set +`all_request_sections` - (Optional) x-displayName: "All Request" (`Bool`). +`all_response_sections` - (Optional) x-displayName: "All Response" (`Bool`). +`all_sections` - (Optional) x-displayName: "All Request & Response" (`Bool`). +`custom_sections` - (Optional) x-displayName: "Custom Sections". See [Section Choice Custom Sections ](#section-choice-custom-sections) below for details. +###### One of the arguments from this list "any_target, api_endpoint_target, api_group, base_path" must be set +`any_target` - (Optional) The rule will be applied for all requests on this LB. (`Bool`). 
+`api_endpoint_target` - (Optional) The rule is applied only for the specified api endpoints.. See [Target Choice Api Endpoint Target ](#target-choice-api-endpoint-target) below for details. +`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`).(Deprecated) +`base_path` - (Optional) The rule is applied only for the requests matching the specified base path. (`String`).(Deprecated) - +### Custom Sensitive Data Detection Rules Sensitive Data Type +If the pattern is detected, the request is labeled with specified sensitive data type.. +`type` - (Required) The request is labeled as specified sensitive data type. (`String`). +### Data Guard Rules Metadata - +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). - +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - +### Data Guard Rules Path +URI path matcher.. +###### One of the arguments from this list "path, prefix, regex" must be set +`path` - (Optional) Exact path value to match (`String`). +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). +### Ddos Client Source Asn List +The ASN is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.. +`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). 
+### Ddos Client Source Tls Fingerprint Matcher +The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. +`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). +`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). +`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). +### Ddos Mitigation Rules Metadata +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). - +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Default Lb Choice Default Loadbalancer +x-displayName: "Yes". - +### Default Lb Choice Non Default Loadbalancer +x-displayName: "No". +### Default Pool Advanced Options +Advanced options configuration like timeouts, circuit breaker, subset load balancing. - +###### One of the arguments from this list "circuit_breaker, default_circuit_breaker, disable_circuit_breaker" must be set +`circuit_breaker` - (Optional) allows to apply back pressure on downstream quickly.. See [Circuit Breaker Choice Circuit Breaker ](#circuit-breaker-choice-circuit-breaker) below for details. +`default_circuit_breaker` - (Optional) requests are 1024 and the default value for retries is 3 (`Bool`). +`disable_circuit_breaker` - (Optional) Circuit Breaker is disabled (`Bool`). - +`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2 seconds (`Int`). +`header_transformation_type` - (Optional) Settings to normalize the headers of upstream requests.. 
See [Advanced Options Header Transformation Type ](#advanced-options-header-transformation-type) below for details.(Deprecated) - +`http_idle_timeout` - (Optional) This is specified in milliseconds. The default value is 5 minutes. (`Int`). +###### One of the arguments from this list "auto_http_config, http1_config, http2_options" must be set +`auto_http_config` - (Optional) and will use whichever protocol is negotiated by ALPN with the upstream. (`Bool`). +`http1_config` - (Optional) Enable HTTP/1.1 for upstream connections. See [Http Protocol Type Http1 Config ](#http-protocol-type-http1-config) below for details. +`http2_options` - (Optional) Enable HTTP/2 for upstream connections.. See [Http Protocol Type Http2 Options ](#http-protocol-type-http2-options) below for details. +###### One of the arguments from this list "disable_lb_source_ip_persistance, enable_lb_source_ip_persistance" can be set +`disable_lb_source_ip_persistance` - (Optional) Disable LB source IP persistence (`Bool`). +`enable_lb_source_ip_persistance` - (Optional) Enable LB source IP persistence (`Bool`). +###### One of the arguments from this list "disable_outlier_detection, outlier_detection" must be set +`disable_outlier_detection` - (Optional) Outlier detection is disabled (`Bool`). +`outlier_detection` - (Optional) healthy load balancing set. Outlier detection is a form of passive health checking.. See [Outlier Detection Choice Outlier Detection ](#outlier-detection-choice-outlier-detection) below for details. +###### One of the arguments from this list "no_panic_threshold, panic_threshold" must be set +`no_panic_threshold` - (Optional) Disable panic threshold. Only healthy endpoints are considered for load balancing. (`Bool`). +`panic_threshold` - (Optional) all endpoints will be considered for load balancing ignoring its health status. (`Int`). 
- +###### One of the arguments from this list "disable_proxy_protocol, proxy_protocol_v1, proxy_protocol_v2" can be set +`disable_proxy_protocol` - (Optional) Disable Proxy Protocol for upstream connections (`Bool`). +`proxy_protocol_v1` - (Optional) Enable Proxy Protocol Version 1 for upstream connections (`Bool`). +`proxy_protocol_v2` - (Optional) Enable Proxy Protocol Version 2 for upstream connections (`Bool`). +###### One of the arguments from this list "disable_subsets, enable_subsets" must be set +`disable_subsets` - (Optional) Subset load balancing is disabled. All eligible origin servers will be considered for load balancing. (`Bool`). +`enable_subsets` - (Optional) Subset load balancing is enabled. Based on route, subset of origin servers will be considered for load balancing.. See [Subset Choice Enable Subsets ](#subset-choice-enable-subsets) below for details. +### Default Pool Origin Servers +List of origin servers in this pool. +###### One of the arguments from this list "consul_service, custom_endpoint_object, k8s_service, private_ip, private_name, public_ip, public_name, vn_private_ip, vn_private_name" must be set +`consul_service` - (Optional) Specify origin server with Hashi Corp Consul service name and site information. See [Choice Consul Service ](#choice-consul-service) below for details. +`custom_endpoint_object` - (Optional) Specify origin server with a reference to endpoint object. See [Choice Custom Endpoint Object ](#choice-custom-endpoint-object) below for details. +`k8s_service` - (Optional) Specify origin server with K8s service name and site information. See [Choice K8s Service ](#choice-k8s-service) below for details. +`private_ip` - (Optional) Specify origin server with private or public IP address and site information. See [Choice Private Ip ](#choice-private-ip) below for details. +`private_name` - (Optional) Specify origin server with private or public DNS name and site information. 
See [Choice Private Name ](#choice-private-name) below for details. +`public_ip` - (Optional) Specify origin server with public IP. See [Choice Public Ip ](#choice-public-ip) below for details. +`public_name` - (Optional) Specify origin server with public DNS name. See [Choice Public Name ](#choice-public-name) below for details. +`vn_private_ip` - (Optional) Specify origin server IP address on virtual network other than inside or outside network. See [Choice Vn Private Ip ](#choice-vn-private-ip) below for details. +`vn_private_name` - (Optional) Specify origin server name on virtual network other than inside or outside network. See [Choice Vn Private Name ](#choice-vn-private-name) below for details. +`labels` - (Optional) Add Labels for this origin server, these labels can be used to form subset. (`String`). +### Default Pool List Pools +List of Origin Pools. +`endpoint_subsets` - (Optional) upstream origin pool which match this metadata will be selected for load balancing (`String`). +###### One of the arguments from this list "cluster, pool" must be set +`cluster` - (Optional) More flexible, advanced feature control with cluster. See [ref](#ref) below for details. +`pool` - (Optional) Simple, commonly used pool parameters with origin pool. See [ref](#ref) below for details. +`priority` - (Optional) made active as per the increasing priority. (`Int`). - +`weight` - (Optional) Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool (`Int`). +### Destination Type Any Url +Any URL . +### Destination Type Api Endpoint - +The endpoint (path) of the request.. +`methods` - (Optional) Methods to be matched (`List of Strings`). +`path` - (Required) Path to be matched (`String`). +### Destination Type Api Groups - +Validation will be performed for the endpoints mentioned in the API Groups. +`api_groups` - (Required) x-required (`String`). +### Direct Response Route Headers +List of (key, value) headers. 
- +`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). +`name` - (Required) Name of the header (`String`). +###### One of the arguments from this list "exact, presence, regex" can be set +`exact` - (Optional) Header value to match exactly (`String`). +`presence` - (Optional) If true, check for presence of header (`Bool`). +`regex` - (Optional) Regex match of the header value in re2 format (`String`). - +### Direct Response Route Incoming Port +The port on which the request is received. +###### One of the arguments from this list "no_port_match, port, port_ranges" can be set +`no_port_match` - (Optional) Disable matching of ports (`Bool`). - +`port` - (Optional) Exact Port to match (`Int`). +`port_ranges` - (Optional) Port range to match (`String`). +### Direct Response Route Path +URI path of route. - +###### One of the arguments from this list "path, prefix, regex" must be set +`path` - (Optional) Exact path value to match (`String`). +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - +### Direct Response Route Route Direct Response +Send direct response. - +`response_body` - (Optional) response body to send (`String`). +`response_code` - (Optional) response code to send (`Int`). +### Domain Choice Any Domain +The rule will apply for all domains.. +### Domain Matcher Choice Any Domain - +Any Domain.. +### Domain Matcher Choice Domain +Domain matcher.. +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set +`exact_value` - (Optional) Exact domain name. (`String`). +`regex_value` - (Optional) Regular Expression value for the domain name (`String`). +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). 
+### Enable Api Discovery Api Discovery From Code Scan +Select API code repositories to the load balancer to use them as a source for API endpoint discovery.. - +`code_base_integrations` - (Required) x-required. See [Api Discovery From Code Scan Code Base Integrations ](#api-discovery-from-code-scan-code-base-integrations) below for details. +### Enable Api Discovery Discovered Api Settings +Configure Discovered API Settings.. +`purge_duration_for_inactive_discovered_apis` - (Optional) Inactive discovered API will be deleted after configured duration. (`Int`). - +### Enable Api Discovery Sensitive Data Detection Rules +Manage rules to detect sensitive data in requests and/or response sections.. +`custom_sensitive_data_detection_rules` - (Optional) Rules to detect custom sensitive data in requests and/or responses sections.. See [Sensitive Data Detection Rules Custom Sensitive Data Detection Rules ](#sensitive-data-detection-rules-custom-sensitive-data-detection-rules) below for details. +`disabled_built_in_rules` - (Optional) List of disabled built-in sensitive data detection rules.. See [Sensitive Data Detection Rules Disabled Built In Rules ](#sensitive-data-detection-rules-disabled-built-in-rules) below for details. - +### Enable Discovery Api Discovery From Code Scan +Select API code repositories to the load balancer to use them as a source for API endpoint discovery.. +`code_base_integrations` - (Required) x-required. See [Api Discovery From Code Scan Code Base Integrations ](#api-discovery-from-code-scan-code-base-integrations) below for details. +### Enable Discovery Discovered Api Settings - +Configure Discovered API Settings.. +`purge_duration_for_inactive_discovered_apis` - (Optional) Inactive discovered API will be deleted after configured duration. (`Int`). +### Enable Discovery Sensitive Data Detection Rules +Manage rules to detect sensitive data in requests and/or response sections.. 
+`custom_sensitive_data_detection_rules` - (Optional) Rules to detect custom sensitive data in requests and/or responses sections.. See [Sensitive Data Detection Rules Custom Sensitive Data Detection Rules ](#sensitive-data-detection-rules-custom-sensitive-data-detection-rules) below for details. +`disabled_built_in_rules` - (Optional) List of disabled built-in sensitive data detection rules.. See [Sensitive Data Detection Rules Disabled Built In Rules ](#sensitive-data-detection-rules-disabled-built-in-rules) below for details. - +### Enable Subsets Endpoint Subsets +List of subset class. Subsets class is defined using list of keys. Every unique combination of values of these keys form a subset withing the class.. +`keys` - (Required) List of keys that define a cluster subset class. (`String`). +### Exclude List Metadata - +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - +### Exclude List Path +URI path matcher.. +###### One of the arguments from this list "path, prefix, regex" must be set +`path` - (Optional) Exact path value to match (`String`). +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - +### Fail Configuration Fail Close +Handle the transaction as it failed the OpenAPI specification validation (Block or Report). +### Fail Configuration Fail Open +Continue to process the transaction without enforcing OpenAPI specification (Allow). - +### Fall Through Mode Choice Fall Through Mode Allow +Allow any unprotected end point. 
+### Fall Through Mode Choice Fall Through Mode Custom +Custom rules for any unprotected end point. +`open_api_validation_rules` - (Required) x-displayName: "Custom Fall Through Rule List". See [Fall Through Mode Custom Open Api Validation Rules ](#fall-through-mode-custom-open-api-validation-rules) below for details. +### Fall Through Mode Custom Open Api Validation Rules - +x-displayName: "Custom Fall Through Rule List". +###### One of the arguments from this list "action_block, action_report, action_skip" must be set +`action_block` - (Optional) Block the request and issue an API security event (`Bool`). +`action_report` - (Optional) Continue processing the request and issue an API security event (`Bool`). +`action_skip` - (Optional) Continue processing the request (`Bool`). +###### One of the arguments from this list "api_endpoint, api_group, base_path" must be set +`api_endpoint` - (Optional) The API endpoint (Path + Method) which this validation applies to. See [Condition Type Choice Api Endpoint ](#condition-type-choice-api-endpoint) below for details. - +`api_group` - (Optional) The API group which this validation applies to (`String`). +`base_path` - (Optional) The base path which this validation applies to (`String`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Open Api Validation Rules Metadata ](#open-api-validation-rules-metadata) below for details. +### Fallback Policy Choice Any Endpoint - +Select any origin server from available healthy origin servers in this pool. +### Fallback Policy Choice Default Subset +Use the default subset provided here. Select endpoints matching default subset.. +`default_subset` - (Optional) which gets used when route specifies no metadata or no subset matching the metadata exists. (`String`). +### Fallback Policy Choice Fail Request +Request will be failed and error returned, as if cluster has no origin servers.. 
- +### Flow Label Choice Account Management +x-displayName: "Account Management". +###### One of the arguments from this list "create, password_reset" must be set +`create` - (Optional) x-displayName: "Account Creation" (`Bool`). - +`password_reset` - (Optional) x-displayName: "Password Reset" (`Bool`). +### Flow Label Choice Authentication +x-displayName: "Authentication". +###### One of the arguments from this list "login, login_mfa, login_partner, logout, token_refresh" must be set - +`login` - (Optional) x-displayName: "Login". See [Label Choice Login ](#label-choice-login) below for details. +`login_mfa` - (Optional) x-displayName: "Login MFA" (`Bool`). +`login_partner` - (Optional) x-displayName: "Login for a Channel Partner" (`Bool`). +`logout` - (Optional) x-displayName: "Logout" (`Bool`). - +`token_refresh` - (Optional) x-displayName: "Token Refresh" (`Bool`). +### Flow Label Choice Financial Services +x-displayName: "Financial Services". +###### One of the arguments from this list "apply, money_transfer" must be set - +`apply` - (Optional) x-displayName: "Apply for a Financial Service Account (e.g., credit card, banking, retirement account)" (`Bool`). +`money_transfer` - (Optional) x-displayName: "Money Transfer" (`Bool`). +### Flow Label Choice Flight +x-displayName: "Flight". +###### One of the arguments from this list "checkin" must be set +`checkin` - (Optional) x-displayName: "Check into Flight" (`Bool`). - +### Flow Label Choice Flow Label +x-displayName: "Specify Endpoint label category". +###### One of the arguments from this list "account_management, authentication, financial_services, flight, profile_management, search, shopping_gift_cards" must be set +`account_management` - (Optional) x-displayName: "Account Management". See [Flow Label Choice Account Management ](#flow-label-choice-account-management) below for details. - +`authentication` - (Optional) x-displayName: "Authentication". 
See [Flow Label Choice Authentication ](#flow-label-choice-authentication) below for details. +`financial_services` - (Optional) x-displayName: "Financial Services". See [Flow Label Choice Financial Services ](#flow-label-choice-financial-services) below for details. +`flight` - (Optional) x-displayName: "Flight". See [Flow Label Choice Flight ](#flow-label-choice-flight) below for details. +`profile_management` - (Optional) x-displayName: "Profile Management". See [Flow Label Choice Profile Management ](#flow-label-choice-profile-management) below for details. - +`search` - (Optional) x-displayName: "Search". See [Flow Label Choice Search ](#flow-label-choice-search) below for details. +`shopping_gift_cards` - (Optional) x-displayName: "Shopping & Gift Cards". See [Flow Label Choice Shopping Gift Cards ](#flow-label-choice-shopping-gift-cards) below for details. +### Flow Label Choice Profile Management +x-displayName: "Profile Management". - +###### One of the arguments from this list "create, update, view" must be set +`create` - (Optional) x-displayName: "Profile Creation" (`Bool`). +`update` - (Optional) x-displayName: "Profile Update" (`Bool`). +`view` - (Optional) x-displayName: "Profile View" (`Bool`). - +### Flow Label Choice Search +x-displayName: "Search". +###### One of the arguments from this list "flight_search, product_search, reservation_search, room_search" can be set +`flight_search` - (Optional) x-displayName: "Flight Search" (`Bool`). - +`product_search` - (Optional) x-displayName: "Product Search" (`Bool`). +`reservation_search` - (Optional) x-displayName: "Reservation Search (e.g., sporting events, concerts)" (`Bool`). +`room_search` - (Optional) x-displayName: "Room Search" (`Bool`). +### Flow Label Choice Shopping Gift Cards - +x-displayName: "Shopping & Gift Cards". 
+###### One of the arguments from this list "gift_card_make_purchase_with_gift_card, gift_card_validation, shop_add_to_cart, shop_checkout, shop_choose_seat, shop_enter_drawing_submission, shop_make_payment, shop_order, shop_price_inquiry, shop_promo_code_validation, shop_purchase_gift_card, shop_update_quantity" can be set +`gift_card_make_purchase_with_gift_card` - (Optional) x-displayName: "Purchase with Gift Card" (`Bool`). +`gift_card_validation` - (Optional) x-displayName: "Gift Card Validation" (`Bool`). - +`shop_add_to_cart` - (Optional) x-displayName: "Add to Cart" (`Bool`). +`shop_checkout` - (Optional) x-displayName: "Checkout" (`Bool`). +`shop_choose_seat` - (Optional) x-displayName: "Select Seat(s)" (`Bool`). +`shop_enter_drawing_submission` - (Optional) x-displayName: "Enter Drawing Submission" (`Bool`). - +`shop_make_payment` - (Optional) x-displayName: "Payment / Billing" (`Bool`). +`shop_order` - (Optional) x-displayName: "Order Submit" (`Bool`). +`shop_price_inquiry` - (Optional) x-displayName: "Price Inquiry" (`Bool`). +`shop_promo_code_validation` - (Optional) x-displayName: "Promo Code Validation" (`Bool`). - +`shop_purchase_gift_card` - (Optional) x-displayName: "Purchase a Gift Card" (`Bool`). +`shop_update_quantity` - (Optional) x-displayName: "Update Quantity" (`Bool`). +### Flow Label Choice Undefined Flow Label +x-displayName: "Undefined". - +### Goodbot Choice Allow Good Bots +System flags Good Bot traffic and allow it to continue to the origin. +### Goodbot Choice Mitigate Good Bots +System flags Good Bot Traffic, but mitigation is handled in the same manner as malicious automated traffic defined above. - +### Graphql Rules Graphql Settings +GraphQL configuration.. +###### One of the arguments from this list "disable_introspection, enable_introspection" must be set +`disable_introspection` - (Optional) Disable introspection queries for the load balancer. (`Bool`). 
- +`enable_introspection` - (Optional) Enable introspection queries for the load balancer. (`Bool`). +`max_batched_queries` - (Required) Specify maximum number of queries in a single batched request. (`Int`). +`max_depth` - (Required) Specify maximum depth for the GraphQL query. (`Int`). +`max_total_length` - (Required) Specify maximum length in bytes for the GraphQL query. (`Int`). +`max_value_length` - (Required) Specify maximum value length in bytes for the GraphQL query. (`Int`).(Deprecated) +`policy_name` - (Optional) Sets the BD Policy to use (`String`).(Deprecated) +### Graphql Rules Metadata +Common attributes for the rule including name and description.. - +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Hash Policy Choice Common Hash Policy +Use load balancer hash policy for this route. +### Hash Policy Choice Cookie Stickiness - +Consistent hashing algorithm, ring hash, is used to select origin server. +###### One of the arguments from this list "add_httponly, ignore_httponly" can be set +`add_httponly` - (Optional) Add httponly attribute (`Bool`). +`ignore_httponly` - (Optional) Ignore httponly attribute (`Bool`). - +`name` - (Required) produced (`String`). +`path` - (Optional) will be set for the cookie (`String`). +###### One of the arguments from this list "ignore_samesite, samesite_lax, samesite_none, samesite_strict" can be set +`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). +`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). - +`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). 
+`samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). +###### One of the arguments from this list "add_secure, ignore_secure" can be set +`add_secure` - (Optional) Add secure attribute (`Bool`). +`ignore_secure` - (Optional) Ignore secure attribute (`Bool`). - +`ttl` - (Optional) be a session cookie. TTL value is in milliseconds (`Int`). +### Hash Policy Choice Ring Hash +Request are sent to all eligible origin servers using hash of request based on hash policy. Consistent hashing algorithm, ring hash, is used to select origin server. +`hash_policy` - (Required) route the request. See [Ring Hash Hash Policy ](#ring-hash-hash-policy) below for details. - +### Hash Policy Choice Specific Hash Policy +Configure hash policy specific for this route. +`hash_policy` - (Required) route the request. See [Specific Hash Policy Hash Policy ](#specific-hash-policy-hash-policy) below for details. +### Header Transformation Choice Default Header Transformation +Normalize the headers to lower case. +### Header Transformation Choice Legacy Header Transformation +Use old header transformation if configured earlier. - +### Header Transformation Choice Preserve Case Header Transformation +Preserves the original case of headers without any modifications.. +### Header Transformation Choice Proper Case Header Transformation +For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are”. - +### Health Check Port Choice Same As Endpoint Port +Health check is performed on endpoint port itself. +### Host Rewrite Params Auto Host Rewrite +Host header will be swapped with hostname of upstream host chosen by the cluster. +### Host Rewrite Params Disable Host Rewrite +Host header is not modified. - +### Http1 Config Header Transformation +the stateful formatter will take effect, and the stateless formatter will be disregarded.. 
+###### One of the arguments from this list "default_header_transformation, legacy_header_transformation, preserve_case_header_transformation, proper_case_header_transformation" must be set +`default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). +`legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). +`preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). - +`proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). +### Http Header Headers +List of HTTP header name and value pairs. +`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). - +`name` - (Required) Name of the header (`String`). +###### One of the arguments from this list "exact, presence, regex" can be set +`exact` - (Optional) Header value to match exactly (`String`). +`presence` - (Optional) If true, check for presence of header (`Bool`). +`regex` - (Optional) Regex match of the header value in re2 format (`String`). - +### Http Protocol Choice Http Protocol Enable V1 Only +Enable HTTP/1.1 for downstream connections. +`header_transformation` - (Optional) the stateful formatter will take effect, and the stateless formatter will be disregarded.. See [Http Protocol Enable V1 Only Header Transformation ](#http-protocol-enable-v1-only-header-transformation) below for details. +### Http Protocol Choice Http Protocol Enable V1 V2 +Enable both HTTP/1.1 and HTTP/2 for downstream connections. +### Http Protocol Choice Http Protocol Enable V2 Only +Enable HTTP/2 for downstream connections. +### Http Protocol Enable V1 Only Header Transformation +the stateful formatter will take effect, and the stateless formatter will be disregarded.. 
+###### One of the arguments from this list "default_header_transformation, legacy_header_transformation, preserve_case_header_transformation, proper_case_header_transformation" must be set +`default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). -`bot_defense_advanced` - (Optional) Select Bot Defense Advanced. See [Bot Defense Choice Bot Defense Advanced ](#bot-defense-choice-bot-defense-advanced) below for details.(Deprecated) - +`legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). +`preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). +`proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). - +### Http Protocol Type Auto Http Config +and will use whichever protocol is negotiated by ALPN with the upstream.. +### Http Protocol Type Http1 Config +Enable HTTP/1.1 for upstream connections. +`header_transformation` - (Optional) the stateful formatter will take effect, and the stateless formatter will be disregarded.. See [Http1 Config Header Transformation ](#http1-config-header-transformation) below for details. +### Http Protocol Type Http2 Options +Enable HTTP/2 for upstream connections.. +`enabled` - (Optional) Enable/disable HTTP2 Protocol for upstream connections (`Bool`). - +### Httponly Add Httponly +Add httponly attribute. +### Httponly Ignore Httponly +Ignore httponly attribute. +### Https Header Transformation Type - +Header transformation options for response headers to the client. +###### One of the arguments from this list "default_header_transformation, legacy_header_transformation, preserve_case_header_transformation, proper_case_header_transformation" must be set +`default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). 
+`legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). - +`preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). +`proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). +### Https Http Protocol Options +HTTP protocol configuration options for downstream connections.. - +###### One of the arguments from this list "http_protocol_enable_v1_only, http_protocol_enable_v1_v2, http_protocol_enable_v2_only" must be set +`http_protocol_enable_v1_only` - (Optional) Enable HTTP/1.1 for downstream connections. See [Http Protocol Choice Http Protocol Enable V1 Only ](#http-protocol-choice-http-protocol-enable-v1-only) below for details. +`http_protocol_enable_v1_v2` - (Optional) Enable both HTTP/1.1 and HTTP/2 for downstream connections (`Bool`). +`http_protocol_enable_v2_only` - (Optional) Enable HTTP/2 for downstream connections (`Bool`). - +### Https Auto Cert Header Transformation Type +Header transformation options for response headers to the client. - +###### One of the arguments from this list "default_header_transformation, legacy_header_transformation, preserve_case_header_transformation, proper_case_header_transformation" must be set +`default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). +`legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). +`preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). +`proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). +### Https Auto Cert Http Protocol Options +HTTP protocol configuration options for downstream connections.. 
+###### One of the arguments from this list "http_protocol_enable_v1_only, http_protocol_enable_v1_v2, http_protocol_enable_v2_only" must be set +`http_protocol_enable_v1_only` - (Optional) Enable HTTP/1.1 for downstream connections. See [Http Protocol Choice Http Protocol Enable V1 Only ](#http-protocol-choice-http-protocol-enable-v1-only) below for details. +`http_protocol_enable_v1_v2` - (Optional) Enable both HTTP/1.1 and HTTP/2 for downstream connections (`Bool`). +`http_protocol_enable_v2_only` - (Optional) Enable HTTP/2 for downstream connections (`Bool`). +### Https Auto Cert Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set - +`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. +`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). +`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). +`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### Ip Allowed List Choice Bypass Rate Limiting Rules +This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. +`bypass_rate_limiting_rules` - (Optional) This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. See [Bypass Rate Limiting Rules Bypass Rate Limiting Rules ](#bypass-rate-limiting-rules-bypass-rate-limiting-rules) below for details. +### Ip Allowed List Choice Custom Ip Allowed List +IP Allowed list using existing ip_prefix_set objects.. 
+`rate_limiter_allowed_prefixes` - (Required) Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.. See [ref](#ref) below for details. +### Ip Allowed List Choice Ip Allowed List +List of IP(s) for which rate limiting will be disabled.. +`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +`prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). +### Ip Allowed List Choice No Ip Allowed List +There is no ip allowed list for rate limiting, all clients go through rate limiting.. +### Ip Asn Choice Any Ip +Any Source IP. +### Ip Asn Choice Asn List +The predicate evaluates to true if the origin ASN is present in the ASN list.. +`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). +### Ip Asn Choice Asn Matcher +The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. +`asn_sets` - (Required) A list of references to bgp_asn_set objects.. See [ref](#ref) below for details. +### Ip Asn Choice Ip Matcher +The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`prefix_sets` - (Required) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. +### Ip Asn Choice Ip Prefix List +The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. +`invert_match` - (Optional) Invert the match result. (`Bool`). +`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). +`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +### Ip Choice Any Ip +any_ip. +### Ip Choice Ip Matcher - +ip_matcher. 
+`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`prefix_sets` - (Required) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. +### Ip Choice Ip Prefix List +ip_prefix_list. - +`invert_match` - (Optional) Invert the match result. (`Bool`). +`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). +`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +### Ip Reputation Choice Enable Ip Reputation +x-displayName: "Enable". +`ip_threat_categories` - (Required) If the source IP matches on atleast one of the enabled IP threat categories, the request will be denied. (`List of Strings`). - +### Issuer Validation Issuer Disable +x-displayName: "Disable". +### Java Script Choice Disable Js Insert +Disable JavaScript insertion.. +### Java Script Choice Js Insert All Pages +Insert Client-Side Defense JavaScript in all pages.. +### Java Script Choice Js Insert All Pages +Insert Bot Defense JavaScript in all pages.. +`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). -`disable_bot_defense` - (Optional) No Bot Defense configuration for this load balancer (`Bool`). +### Java Script Choice Js Insert All Pages Except +Insert Client-Side Defense JavaScript in all pages with the exceptions.. +`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insert All Pages Except Exclude List ](#js-insert-all-pages-except-exclude-list) below for details. +### Java Script Choice Js Insert All Pages Except +Insert Bot Defense JavaScript in all pages with the exceptions.. -`captcha_challenge` - (Optional) Configure Captcha challenge on this load balancer. See [Challenge Type Captcha Challenge ](#challenge-type-captcha-challenge) below for details. - +`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. 
See [Js Insert All Pages Except Exclude List ](#js-insert-all-pages-except-exclude-list) below for details. +`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). +### Java Script Choice Js Insertion Rules +Specify custom JavaScript insertion rules.. +`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insertion Rules Exclude List ](#js-insertion-rules-exclude-list) below for details. -`enable_challenge` - (Optional) Configure auto mitigation i.e risk based challenges for malicious users. See [Challenge Type Enable Challenge ](#challenge-type-enable-challenge) below for details. - +`rules` - (Required) Required list of pages to insert Client-Side Defense client JavaScript.. See [Js Insertion Rules Rules ](#js-insertion-rules-rules) below for details. +### Java Script Choice Js Insertion Rules +Specify custom JavaScript insertion rules.. +`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insertion Rules Exclude List ](#js-insertion-rules-exclude-list) below for details. - +`rules` - (Required) Required list of pages to insert Bot Defense client JavaScript.. See [Js Insertion Rules Rules ](#js-insertion-rules-rules) below for details. +### Javascript Tags Tag Attributes +Add the tag attributes you want to include in your Javascript tag.. +`javascript_tag` - (Optional) Select from one of the predefined tag attibutes. (`String`). +`tag_value` - (Optional) Add the tag attribute value. (`String`). +### Js Challenge Parameters Choice Default Js Challenge Parameters - +Use default parameters. +### Js Challenge Parameters Choice Js Challenge Parameters +Configure JavaScript challenge parameters. +`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). +`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). +`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). - +### Js Insert All Pages Except Exclude List +Optional JavaScript insertions exclude list of domain and path matchers.. +###### One of the arguments from this list "any_domain, domain" must be set +`any_domain` - (Optional) Any Domain. (`Bool`). - +`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. +`metadata` - (Required) Common attributes for the rule including name and description.. See [Exclude List Metadata ](#exclude-list-metadata) below for details. +`path` - (Required) URI path matcher.. See [Exclude List Path ](#exclude-list-path) below for details. +### Js Insertion Rules Exclude List +Optional JavaScript insertions exclude list of domain and path matchers.. +###### One of the arguments from this list "any_domain, domain" must be set +`any_domain` - (Optional) Any Domain. (`Bool`). +`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. +`metadata` - (Required) Common attributes for the rule including name and description.. See [Exclude List Metadata ](#exclude-list-metadata) below for details. - +`path` - (Required) URI path matcher.. See [Exclude List Path ](#exclude-list-path) below for details. +### Js Insertion Rules Rules +Required list of pages to insert Client-Side Defense client JavaScript.. +###### One of the arguments from this list "any_domain, domain" must be set +`any_domain` - (Optional) Any Domain. (`Bool`). +`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. -`js_challenge` - (Optional) Configure JavaScript challenge on this load balancer. See [Challenge Type Js Challenge ](#challenge-type-js-challenge) below for details. 
- +`metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. +`path` - (Required) URI path matcher.. See [Rules Path ](#rules-path) below for details. +### Js Insertion Rules Rules +Required list of pages to insert Bot Defense client JavaScript.. +###### One of the arguments from this list "any_domain, domain" must be set +`any_domain` - (Optional) Any Domain. (`Bool`). -`no_challenge` - (Optional) No challenge is enabled for this load balancer (`Bool`). +`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. +`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). -`policy_based_challenge` - (Optional) Specifies the settings for policy rule based challenge. See [Challenge Type Policy Based Challenge ](#challenge-type-policy-based-challenge) below for details. - +`metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. +`path` - (Required) URI path matcher.. See [Rules Path ](#rules-path) below for details. +### Jwks Configuration Jwks Config +The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.. +`cleartext` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details. (`String`). +### Jwt Validation Action +x-required. +###### One of the arguments from this list "block, report" must be set +`block` - (Optional) Block the request and report the issue (`Bool`). +`report` - (Optional) Allow the request and report the issue (`Bool`). +### Jwt Validation Mandatory Claims +If the claim does not exist JWT token validation will fail.. 
- +`claim_names` - (Optional) x-displayName: "Claim Names" (`String`). +### Jwt Validation Reserved Claims +the token validation of these claims should be disabled.. +###### One of the arguments from this list "audience, audience_disable" must be set - +`audience` - (Optional) x-displayName: "Exact Match". See [Audience Validation Audience ](#audience-validation-audience) below for details. +`audience_disable` - (Optional) x-displayName: "Disable" (`Bool`). +###### One of the arguments from this list "issuer, issuer_disable" must be set +`issuer` - (Optional) x-displayName: "Exact Match" (`String`). - +`issuer_disable` - (Optional) x-displayName: "Disable" (`Bool`). +###### One of the arguments from this list "validate_period_disable, validate_period_enable" must be set +`validate_period_disable` - (Optional) x-displayName: "Disable" (`Bool`). +`validate_period_enable` - (Optional) x-displayName: "Enable" (`Bool`). +### Jwt Validation Target +Define endpoints for which JWT token validation will be performed. +###### One of the arguments from this list "all_endpoint, api_groups, base_paths" must be set +`all_endpoint` - (Optional) Validation will be performed for all requests on this LB (`Bool`). +`api_groups` - (Optional) Validation will be performed for the endpoints mentioned in the API Groups. See [Target Api Groups ](#target-api-groups) below for details. +`base_paths` - (Optional) Validation will be performed for selected path prefixes. See [Target Base Paths ](#target-base-paths) below for details. +### Jwt Validation Token Location +Define where in the HTTP request the JWT token will be extracted. +###### One of the arguments from this list "bearer_token, cookie, header, query_param" must be set +`bearer_token` - (Optional) Token is found in Authorization HTTP header with Bearer authentication scheme (`Bool`). 
+`cookie` - (Optional) Token is found in the cookie (`String`).(Deprecated) +`header` - (Optional) Token is found in the header (`String`).(Deprecated) +`query_param` - (Optional) Token is found in the query string parameter (`String`).(Deprecated) +### K8s Service Site Locator - +Site or Virtual site where this origin server is located. +###### One of the arguments from this list "site, virtual_site" must be set - +`site` - (Optional) Reference to site object. See [ref](#ref) below for details. +`virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. +### Key Value Pattern Key Pattern - +Pattern for key/field.. +###### One of the arguments from this list "exact_value, regex_value" must be set - +`exact_value` - (Optional) Search for values with exact match. (`String`). +`regex_value` - (Optional) Search for values matching this regular expression. (`String`). +### Key Value Pattern Value Pattern +Pattern for value.. +###### One of the arguments from this list "exact_value, regex_value" must be set +`exact_value` - (Optional) Pattern value to be detected. (`String`). +`regex_value` - (Optional) Regular expression for this pattern. (`String`). +### L7 Ddos Auto Mitigation Action L7 Ddos Action Js Challenge +Serve JavaScript challenge to suspicious sources. +`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). +`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). +`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). +### Label Choice Apply +x-displayName: "Apply for a Financial Service Account (e.g., credit card, banking, retirement account)". +### Label Choice Checkin +x-displayName: "Check into Flight". +### Label Choice Create +x-displayName: "Account Creation". - +### Label Choice Flight Search +x-displayName: "Flight Search". +### Label Choice Gift Card Make Purchase With Gift Card +x-displayName: "Purchase with Gift Card". - +### Label Choice Gift Card Validation +x-displayName: "Gift Card Validation". +### Label Choice Login +x-displayName: "Login". +### Label Choice Login Mfa - +x-displayName: "Login MFA". +### Label Choice Login Partner +x-displayName: "Login for a Channel Partner". +### Label Choice Logout +x-displayName: "Logout". - +### Label Choice Money Transfer +x-displayName: "Money Transfer". +### Label Choice Password Reset +x-displayName: "Password Reset". +### Label Choice Product Search +x-displayName: "Product Search". +### Label Choice Reservation Search - +x-displayName: "Reservation Search (e.g., sporting events, concerts)". +### Label Choice Room Search +x-displayName: "Room Search". +### Label Choice Shop Add To Cart - +x-displayName: "Add to Cart". +### Label Choice Shop Checkout +x-displayName: "Checkout". +### Label Choice Shop Choose Seat - +x-displayName: "Select Seat(s)". +### Label Choice Shop Enter Drawing Submission +x-displayName: "Enter Drawing Submission". +### Label Choice Shop Make Payment +x-displayName: "Payment / Billing". +### Label Choice Shop Order +x-displayName: "Order Submit". +### Label Choice Shop Price Inquiry +x-displayName: "Price Inquiry". +### Label Choice Shop Promo Code Validation - +x-displayName: "Promo Code Validation". +### Label Choice Shop Purchase Gift Card +x-displayName: "Purchase a Gift Card". 
+### Label Choice Shop Update Quantity +x-displayName: "Update Quantity". +### Label Choice Token Refresh +x-displayName: "Token Refresh". +### Label Choice Update +x-displayName: "Profile Update". +### Label Choice View - +x-displayName: "Profile View". +### Lb Source Ip Persistance Choice Disable Lb Source Ip Persistance +Disable LB source IP persistence. +### Lb Source Ip Persistance Choice Enable Lb Source Ip Persistance +Enable LB source IP persistence. +### Learn From Redirect Traffic Disable Learn From Redirect Traffic +Disable learning API patterns from traffic with redirect response codes 3xx. +### Learn From Redirect Traffic Enable Learn From Redirect Traffic +Enable learning API patterns from traffic with redirect response codes 3xx. +### Loadbalancer Type Http +HTTP Load Balancer.. +`dns_volterra_managed` - (Optional) or a DNS CNAME record should be created in your DNS provider's portal. (`Bool`). +###### One of the arguments from this list "port, port_ranges" must be set +`port` - (Optional) HTTP port to Listen. (`Int`). +`port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). +### Loadbalancer Type Https - +User is responsible for managing DNS to this load balancer.. +`add_hsts` - (Optional) Add HTTP Strict-Transport-Security response header (`Bool`). +`connection_idle_timeout` - (Optional) This is specified in milliseconds. The default value is 2 minutes. (`Int`). +###### One of the arguments from this list "default_loadbalancer, non_default_loadbalancer" can be set +`default_loadbalancer` - (Optional) x-displayName: "Yes" (`Bool`). - +`non_default_loadbalancer` - (Optional) x-displayName: "No" (`Bool`). +`header_transformation_type` - (Optional) Header transformation options for response headers to the client. 
See [Https Header Transformation Type ](#https-header-transformation-type) below for details.(Deprecated) +`http_protocol_options` - (Optional) HTTP protocol configuration options for downstream connections.. See [Https Http Protocol Options ](#https-http-protocol-options) below for details. +`http_redirect` - (Optional) Redirect HTTP traffic to HTTPS (`Bool`). +###### One of the arguments from this list "disable_path_normalize, enable_path_normalize" must be set +`disable_path_normalize` - (Optional) x-displayName: "Disable" (`Bool`). +`enable_path_normalize` - (Optional) x-displayName: "Enable" (`Bool`). +###### One of the arguments from this list "port, port_ranges" must be set +`port` - (Optional) HTTPS port to Listen. (`Int`). +`port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). +###### One of the arguments from this list "append_server_name, default_header, pass_through, server_name" can be set +`append_server_name` - (Optional) If header value is already present, it is not overwritten and passed as-is. (`String`). +`default_header` - (Optional) Response header name is “server” and value is “volt-adc” (`Bool`). +`pass_through` - (Optional) Pass existing server header as is. If server header is absent, a new header is not appended. (`Bool`). +`server_name` - (Optional) This will overwrite existing values, if any, for the server header. (`String`). +###### One of the arguments from this list "tls_cert_params, tls_parameters" must be set - +`tls_cert_params` - (Optional) Select/Add one or more TLS Certificate objects to associate with this Load Balancer. See [Tls Certificates Choice Tls Cert Params ](#tls-certificates-choice-tls-cert-params) below for details. +`tls_parameters` - (Optional) Upload a TLS certificate covering all domain names for this Load Balancer. See [Tls Certificates Choice Tls Parameters ](#tls-certificates-choice-tls-parameters) below for details. 
+### Loadbalancer Type Https Auto Cert +or a DNS CNAME record should be created in your DNS provider's portal(only for Domains not managed by F5 Distributed Cloud).. +`add_hsts` - (Optional) Add HTTP Strict-Transport-Security response header (`Bool`). +`connection_idle_timeout` - (Optional) This is specified in milliseconds. The default value is 2 minutes. (`Int`). - +###### One of the arguments from this list "default_loadbalancer, non_default_loadbalancer" can be set +`default_loadbalancer` - (Optional) For traffic terminating at this load balancer, the certificate associated with the first configured domain will be used for TLS termination. (`Bool`). +`non_default_loadbalancer` - (Optional) x-displayName: "No" (`Bool`). +`header_transformation_type` - (Optional) Header transformation options for response headers to the client. See [Https Auto Cert Header Transformation Type ](#https-auto-cert-header-transformation-type) below for details.(Deprecated) - +`http_protocol_options` - (Optional) HTTP protocol configuration options for downstream connections.. See [Https Auto Cert Http Protocol Options ](#https-auto-cert-http-protocol-options) below for details. +`http_redirect` - (Optional) Redirect HTTP traffic to HTTPS (`Bool`). +###### One of the arguments from this list "no_mtls, use_mtls" must be set +`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). +`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. +###### One of the arguments from this list "disable_path_normalize, enable_path_normalize" must be set - +`disable_path_normalize` - (Optional) x-displayName: "Disable" (`Bool`). +`enable_path_normalize` - (Optional) x-displayName: "Enable" (`Bool`). +###### One of the arguments from this list "port, port_ranges" can be set +`port` - (Optional) HTTPS port to Listen. (`Int`). +`port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). 
+###### One of the arguments from this list "append_server_name, default_header, pass_through, server_name" can be set - +`append_server_name` - (Optional) If header value is already present, it is not overwritten and passed as-is. (`String`). +`default_header` - (Optional) Response header name is “server” and value is “volt-adc” (`Bool`). +`pass_through` - (Optional) Pass existing server header as is. If server header is absent, a new header is not appended. (`Bool`). +`server_name` - (Optional) This will overwrite existing values, if any, for the server header. (`String`). +`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Https Auto Cert Tls Config ](#https-auto-cert-tls-config) below for details. +### Malicious User Detection Choice Disable Malicious User Detection +x-displayName: "Disable". +### Malicious User Detection Choice Enable Malicious User Detection - +x-displayName: "Enable". +### Malicious User Mitigation Choice Default Mitigation Settings +For high level, users will be temporarily blocked.. +### Masking Mode Choice Mask +x-displayName: "Mask Sensitive Data". +### Masking Mode Choice Report +x-displayName: "Report Sensitive Data". +### Match Check Not Present +Check that the cookie is not present.. +### Match Check Present +Check that the cookie is present.. +### Match Item +Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. +`exact_values` - (Optional) A list of exact values to match the input against. (`String`). +`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). +`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - +### Max Age Ignore Max Age +Ignore max age attribute. +### Max Session Keys Type Default Session Key Caching +Default session key caching. 
Only one session key will be cached.. +### Max Session Keys Type Disable Session Key Caching +Disable session key caching. This will disable TLS session resumption.. +### Method Choice Method Get - +x-displayName: "GET". +### Method Choice Method Post +x-displayName: "POST". +### Mirror Policy Percent - +Percentage of requests to be mirrored. +`denominator` - (Required) Samples per denominator. numerator part per 100 or 10000 ro 1000000 (`String`). +`numerator` - (Required) sampled parts per denominator. If denominator was 10000, then value of 5 will be 5 in 10000 (`Int`). +### Mirroring Choice Disable Mirroring +Disable Mirroring of request. +### Mirroring Choice Mirror Policy +useful for logging. For example, *cluster1* becomes *cluster1-shadow*.. +`origin_pool` - (Required) referred here must be present.. See [ref](#ref) below for details. +`percent` - (Required) Percentage of requests to be mirrored. See [Mirror Policy Percent ](#mirror-policy-percent) below for details. -`client_side_defense` - (Optional) Client-Side Defense configuration for JavaScript insertion. See [Client Side Defense Choice Client Side Defense ](#client-side-defense-choice-client-side-defense) below for details. - +### Mitigation Action Block +Block user for a duration determined by the expiration time. - +### Mitigation Choice Ddos Client Source +Combination of Region, ASN and TLS Fingerprints. +`asn_list` - (Optional) The ASN is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.. See [Ddos Client Source Asn List ](#ddos-client-source-asn-list) below for details. +`country_list` - (Optional) Sources that are located in one of the countries in the given list (`List of Strings`). +`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Ddos Client Source Tls Fingerprint Matcher ](#ddos-client-source-tls-fingerprint-matcher) below for details. 
+### Mitigation Choice Ip Prefix List +IPv4 prefix string.. - +`invert_match` - (Optional) Invert the match result. (`Bool`). +`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). +`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +### Ml Config Choice Single Lb App - +ML Config applied on this load balancer. +###### One of the arguments from this list "disable_discovery, enable_discovery" must be set +`disable_discovery` - (Optional) x-displayName: "Disable" (`Bool`). +`enable_discovery` - (Optional) x-displayName: "Enable". See [Api Discovery Choice Enable Discovery ](#api-discovery-choice-enable-discovery) below for details. +###### One of the arguments from this list "disable_malicious_user_detection, enable_malicious_user_detection" must be set - +`disable_malicious_user_detection` - (Optional) x-displayName: "Disable" (`Bool`). +`enable_malicious_user_detection` - (Optional) x-displayName: "Enable" (`Bool`). +### Mobile Identifier Headers - +Headers that can be used to identify mobile traffic.. +###### One of the arguments from this list "check_not_present, check_present, item" must be set +`check_not_present` - (Optional) Check that the header is not present. (`Bool`). +`check_present` - (Optional) Check that the header is present. (`Bool`). +`item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. +`name` - (Required) A case-insensitive HTTP header name. (`String`). +### Mobile Sdk Choice Disable Mobile Sdk +Disable Mobile SDK.. +### Mobile Sdk Choice Mobile Sdk Config +Enable Mobile SDK Configuration. +`mobile_identifier` - (Optional) Mobile Request Identifier Headers Type.. See [Mobile Sdk Config Mobile Identifier ](#mobile-sdk-config-mobile-identifier) below for details. +### Mobile Sdk Choice Mobile Sdk Config +Mobile SDK configuration. 
+`mobile_identifier` - (Optional) Mobile traffic identifier type.. See [Mobile Sdk Config Mobile Identifier ](#mobile-sdk-config-mobile-identifier) below for details. +`reload_header_name` - (Optional) Header that is used for SDK configuration sync. (`String`).(Deprecated) -`disable_client_side_defense` - (Optional) No Client-Side Defense configuration for this load balancer (`Bool`). +### Mobile Sdk Config Mobile Identifier +Mobile traffic identifier type.. +`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Mobile Identifier Headers ](#mobile-identifier-headers) below for details. +### More Option Buffer Policy -`cors_policy` - (Optional) resources from a server at a different origin. See [Cors Policy ](#cors-policy) below for details. +specify the maximum buffer size and buffer interval with this config.. +`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). +`max_request_bytes` - (Optional) manager will stop buffering and return a RequestEntityTooLarge (413) response. (`Int`). +`max_request_time` - (Optional) request before returning a RequestTimeout (408) response (`Int`).(Deprecated) +### More Option Compression Params +Only GZIP compression is supported. +`content_length` - (Optional) Minimum response length, in bytes, which will trigger compression. The default value is 30. (`Int`). +`content_type` - (Optional) "text/xml" (`String`). +`disable_on_etag_header` - (Optional) weak etags will be preserved and the ones that require strong validation will be removed. (`Bool`). +`remove_accept_encoding_header` - (Optional) so that responses do not get compressed before reaching the filter. (`Bool`). +### More Option Cookies To Modify +List of cookies to be modified from the HTTP response being sent towards downstream.. -`csrf_policy` - (Optional) Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. 
See [Csrf Policy ](#csrf-policy) below for details. +###### One of the arguments from this list "disable_tampering_protection, enable_tampering_protection" must be set +`disable_tampering_protection` - (Optional) x-displayName: "Disable" (`Bool`). +`enable_tampering_protection` - (Optional) x-displayName: "Enable" (`Bool`). +###### One of the arguments from this list "add_httponly, ignore_httponly" can be set - +`add_httponly` - (Optional) x-displayName: "Add" (`Bool`). +`ignore_httponly` - (Optional) x-displayName: "Ignore" (`Bool`). +###### One of the arguments from this list "ignore_max_age, max_age_value" can be set +`ignore_max_age` - (Optional) Ignore max age attribute (`Bool`).(Deprecated) - +`max_age_value` - (Optional) Add max age attribute (`Int`).(Deprecated) +`name` - (Required) Name of the Cookie (`String`). +###### One of the arguments from this list "ignore_samesite, samesite_lax, samesite_none, samesite_strict" can be set +`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). +`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). - +`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). +`samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). +###### One of the arguments from this list "add_secure, ignore_secure" can be set +`add_secure` - (Optional) x-displayName: "Add" (`Bool`). +`ignore_secure` - (Optional) x-displayName: "Ignore" (`Bool`). -`data_guard_rules` - (Optional) Note: App Firewall should be enabled, to use Data Guard feature.. See [Data Guard Rules ](#data-guard-rules) below for details. +### More Option Javascript Info +Custom JavaScript Configuration. Custom JavaScript code can be executed at various stages of request processing.. 
+`cache_prefix` - (Optional) KeyValue store referred by script. (`String`). +`custom_script_url` - (Optional) URL of JavaScript that gets executed (`String`). - +`script_config` - (Optional) Input passed to the script (`String`). +### More Option Request Headers To Add +Headers specified at this level are applied after headers from matched Route are applied. +`append` - (Optional) Default value is do not append (`Bool`). - +`name` - (Required) Name of the HTTP header. (`String`). +###### One of the arguments from this list "secret_value, value" must be set +`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. +`value` - (Optional) Value of the HTTP header. (`String`). +### More Option Response Headers To Add +Headers specified at this level are applied after headers from matched Route are applied. +`append` - (Optional) Default value is do not append (`Bool`). +`name` - (Required) Name of the HTTP header. (`String`). +###### One of the arguments from this list "secret_value, value" must be set +`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. +`value` - (Optional) Value of the HTTP header. (`String`). - +### Mtls Choice No Mtls +x-displayName: "Disable". +### Mtls Choice Use Mtls +x-displayName: "Enable". +`client_certificate_optional` - (Optional) the connection will be accepted. (`Bool`). - +###### One of the arguments from this list "crl, no_crl" can be set +`crl` - (Optional) Specify the CRL server information to download the certificate revocation list. See [ref](#ref) below for details. +`no_crl` - (Optional) Client certificate revocation status is not verified (`Bool`). +###### One of the arguments from this list "trusted_ca, trusted_ca_url" must be set +`trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Load Balancer. 
See [ref](#ref) below for details. +`trusted_ca_url` - (Optional) Upload a Root CA Certificate specifically for this Load Balancer (`String`). +###### One of the arguments from this list "xfcc_disabled, xfcc_options" can be set +`xfcc_disabled` - (Optional) No X-Forwarded-Client-Cert header will be added (`Bool`). -`ddos_mitigation_rules` - (Optional) Define manual mitigation rules to block L7 DDoS attacks.. See [Ddos Mitigation Rules ](#ddos-mitigation-rules) below for details. +`xfcc_options` - (Optional) X-Forwarded-Client-Cert header will be added with the configured fields. See [Xfcc Header Xfcc Options ](#xfcc-header-xfcc-options) below for details. +### Mtls Choice Use Mtls +x-displayName: "Upload a client authentication certificate specifically for this Origin Pool". - +`tls_certificates` - (Required) mTLS Client Certificate. See [Use Mtls Tls Certificates ](#use-mtls-tls-certificates) below for details. +### Network Choice Inside Network +Inside network on the site. +### Network Choice Outside Network +Outside network on the site. +### Network Choice Vk8s Networks +origin server are on vK8s network on the site. - +### Ocsp Stapling Choice Custom Hash Algorithms +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Ocsp Stapling Choice Disable Ocsp Stapling +This is the default behavior if no choice is selected.. +### Ocsp Stapling Choice Use System Defaults - +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. +### Open Api Validation Rules Metadata - +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). 
+`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - +### Open Api Validation Rules Validation Mode +When a validation mismatch occurs on a request to one of the endpoints listed on the OpenAPI specification file (a.k.a. swagger). +###### One of the arguments from this list "response_validation_mode_active, skip_response_validation" must be set +`response_validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Response Validation Mode Choice Response Validation Mode Active ](#response-validation-mode-choice-response-validation-mode-active) below for details. +`skip_response_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). +###### One of the arguments from this list "skip_validation, validation_mode_active" must be set +`skip_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). - +`validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Validation Mode Choice Validation Mode Active ](#validation-mode-choice-validation-mode-active) below for details. +### Origin Pool Choice Default Pool +Single Origin Pool. +`advanced_options` - (Optional) Advanced options configuration like timeouts, circuit breaker, subset load balancing. See [Default Pool Advanced Options ](#default-pool-advanced-options) below for details. +`endpoint_selection` - (Required) Policy for selection of endpoints from local site or remote site or both (`String`). +###### One of the arguments from this list "health_check_port, same_as_endpoint_port" can be set +`health_check_port` - (Optional) Port used for performing health check (`Int`). -`default_route_pools` - (Optional) Origin Pools used when no route is specified (default route). 
See [Default Route Pools ](#default-route-pools) below for details. +`same_as_endpoint_port` - (Optional) Health check is performed on endpoint port itself (`Bool`). +`healthcheck` - (Optional) Reference to healthcheck configuration objects. See [ref](#ref) below for details. +`loadbalancer_algorithm` - (Required) loadbalancer_algorithm to determine which host is selected. (`String`). +`origin_servers` - (Required) List of origin servers in this pool. See [Default Pool Origin Servers ](#default-pool-origin-servers) below for details. +###### One of the arguments from this list "automatic_port, lb_port, port" must be set +`automatic_port` - (Optional) For other origin server types, port will be automatically set as 443 if TLS is enabled at Origin Pool and 80 if TLS is disabled (`Bool`). +`lb_port` - (Optional) Endpoint port is selected based on loadbalancer port (`Bool`). +`port` - (Optional) Endpoint service is available on this port (`Int`). +###### One of the arguments from this list "no_tls, use_tls" must be set +`no_tls` - (Optional) x-displayName: "Disable" (`Bool`). -`domains` - (Required) Domains also indicate the list of names for which DNS resolution will be done by VER (`List of String`). +`use_tls` - (Optional) x-displayName: "Enable". See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. +`view_internal` - (Optional) Reference to view internal object. See [ref](#ref) below for details. +### Origin Pool Choice Default Pool List -`graphql_rules` - (Optional) queries and prevent GraphQL tailored attacks.. See [Graphql Rules ](#graphql-rules) below for details. +Multiple Origin Pools with weights and priorities. +`pools` - (Optional) List of Origin Pools. See [Default Pool List Pools ](#default-pool-list-pools) below for details. +### Origin Server Subset Rule List Origin Server Subset Rules +When an Origin server subset rule is matched, then this selection rule takes effect and no more rules are evaluated.. 
+###### One of the arguments from this list "any_asn, asn_list, asn_matcher" must be set +`any_asn` - (Optional) Any origin ASN. (`Bool`). +`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Asn Choice Asn List ](#asn-choice-asn-list) below for details. +`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Asn Choice Asn Matcher ](#asn-choice-asn-matcher) below for details. +`body_matcher` - (Optional) The actual request body value is extracted from the request API as a string.. See [Origin Server Subset Rules Body Matcher ](#origin-server-subset-rules-body-matcher) below for details.(Deprecated) +`country_codes` - (Optional) List of Country Codes (`List of Strings`). - +###### One of the arguments from this list "any_ip, ip_matcher, ip_prefix_list" must be set +`any_ip` - (Optional) Any Source IP (`Bool`). +`ip_matcher` - (Optional) The predicate evaluates to true if the client IPv4 Address is covered by one or more of the IPv4 Prefixes in the IP Prefix Sets.. See [Ip Choice Ip Matcher ](#ip-choice-ip-matcher) below for details. +`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IPv4 Address is covered by one or more of the IPv4 Prefixes from the list.. See [Ip Choice Ip Prefix List ](#ip-choice-ip-prefix-list) below for details. - +`metadata` - (Required) Common attributes for the rule including name and description.. See [Origin Server Subset Rules Metadata ](#origin-server-subset-rules-metadata) below for details. +`origin_server_subsets_action` - (Required) 2. Enable subset load balancing in the Origin Server Subsets section and configure keys in origin server subsets classes (`String`). +`re_name_list` - (Optional) List of RE names for match (`String`). 
+###### One of the arguments from this list "client_selector, none" must be set - +`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Selector Choice Client Selector ](#selector-choice-client-selector) below for details. +`none` - (Optional) No Label Selector (`Bool`). +### Origin Server Subset Rules Body Matcher +The actual request body value is extracted from the request API as a string.. +`exact_values` - (Optional) A list of exact values to match the input against. (`String`). +`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). +`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). +### Origin Server Subset Rules Metadata +Common attributes for the rule including name and description.. - +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Outlier Detection Choice Disable Outlier Detection +Outlier detection is disabled. +### Outlier Detection Choice Outlier Detection +healthy load balancing set. Outlier detection is a form of passive health checking.. - +`base_ejection_time` - (Optional) Defaults to 30000ms or 30s. Specified in milliseconds. (`Int`). +`consecutive_5xx` - (Optional) a consecutive 5xx ejection occurs. Defaults to 5. (`Int`). +`consecutive_gateway_failure` - (Optional) before a consecutive gateway failure ejection occurs. Defaults to 5. (`Int`). +`interval` - (Optional) to 10000ms or 10s. Specified in milliseconds. (`Int`). - +`max_ejection_percent` - (Optional) detection. Defaults to 10% but will eject at least one host regardless of the value. (`Int`). 
+### Oversized Body Choice Oversized Body Fail Validation +Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb). +### Oversized Body Choice Oversized Body Skip Validation +Skip body validation when the body length is too long to verify (default 64Kb). +### Panic Threshold Type No Panic Threshold -`cookie_stickiness` - (Optional) Consistent hashing algorithm, ring hash, is used to select origin server. See [Hash Policy Choice Cookie Stickiness ](#hash-policy-choice-cookie-stickiness) below for details. - +Disable panic threshold. Only healthy endpoints are considered for load balancing.. +### Path Choice Any Path +Match all paths. +### Path Normalize Choice Disable Path Normalize - +x-displayName: "Disable". +### Path Normalize Choice Enable Path Normalize +x-displayName: "Enable". +### Pattern Choice Key Pattern - +Search for pattern across all field names in the specified sections.. +###### One of the arguments from this list "exact_value, regex_value" must be set +`exact_value` - (Optional) Search for values with exact match. (`String`). +`regex_value` - (Optional) Search for values matching this regular expression. (`String`). +### Pattern Choice Key Value Pattern +Search for specific field and value patterns in the specified sections.. +`key_pattern` - (Required) Pattern for key/field.. See [Key Value Pattern Key Pattern ](#key-value-pattern-key-pattern) below for details. +`value_pattern` - (Required) Pattern for value.. See [Key Value Pattern Value Pattern ](#key-value-pattern-value-pattern) below for details. - +### Pattern Choice Value Pattern +Search for pattern across all field values in the specified sections.. +###### One of the arguments from this list "exact_value, regex_value" must be set +`exact_value` - (Optional) Pattern value to be detected. (`String`). - +`regex_value` - (Optional) Regular expression for this pattern. (`String`). 
+### Policy Protected App Endpoints +List of protected application endpoints (max 128 items).. +###### One of the arguments from this list "mobile, web, web_mobile" must be set - +`mobile` - (Optional) Mobile traffic channel. (`Bool`). +`web` - (Optional) Web traffic channel. (`Bool`). +`web_mobile` - (Optional) Web and mobile traffic channel.. See [App Traffic Type Choice Web Mobile ](#app-traffic-type-choice-web-mobile) below for details. +###### One of the arguments from this list "any_domain, domain" can be set - +`any_domain` - (Optional) Any Domain. (`Bool`). +`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. +###### One of the arguments from this list "flow_label, undefined_flow_label" must be set +`flow_label` - (Optional) x-displayName: "Specify Endpoint label category". See [Flow Label Choice Flow Label ](#flow-label-choice-flow-label) below for details. +`undefined_flow_label` - (Optional) x-displayName: "Undefined" (`Bool`). +###### One of the arguments from this list "allow_good_bots, mitigate_good_bots" must be set - +`allow_good_bots` - (Optional) System flags Good Bot traffic and allow it to continue to the origin (`Bool`). +`mitigate_good_bots` - (Optional) System flags Good Bot Traffic, but mitigation is handled in the same manner as malicious automated traffic defined above (`Bool`). +`http_methods` - (Required) List of HTTP methods. (`List of Strings`). +`metadata` - (Required) Common attributes for the rule including name and description.. See [Protected App Endpoints Metadata ](#protected-app-endpoints-metadata) below for details. - +`mitigation` - (Required) Mitigation action.. See [Protected App Endpoints Mitigation ](#protected-app-endpoints-mitigation) below for details. +`path` - (Required) Matching URI path of the route.. See [Protected App Endpoints Path ](#protected-app-endpoints-path) below for details. +`protocol` - (Optional) Protocol. (`String`). 
+### Policy Protected App Endpoints +List of protected endpoints (max 128 items). +###### One of the arguments from this list "mobile_client, web_client, web_mobile_client" must be set -`least_active` - (Optional) Request are sent to origin server that has least active requests (`Bool`). +`mobile_client` - (Optional) Mobile traffic channel. (`Bool`). +`web_client` - (Optional) Web traffic channel. (`Bool`). -`random` - (Optional) Request are sent to all eligible origin servers in random fashion (`Bool`). +`web_mobile_client` - (Optional) Web and mobile traffic channel.. See [App Traffic Type Choice Web Mobile Client ](#app-traffic-type-choice-web-mobile-client) below for details. +###### One of the arguments from this list "any_domain, domain" can be set -`ring_hash` - (Optional) Request are sent to all eligible origin servers using hash of request based on hash policy. Consistent hashing algorithm, ring hash, is used to select origin server. See [Hash Policy Choice Ring Hash ](#hash-policy-choice-ring-hash) below for details. - +`any_domain` - (Optional) Any Domain (`Bool`). +`domain` - (Optional) Select Domain matcher. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - +###### One of the arguments from this list "flow_label, undefined_flow_label" can be set +`flow_label` - (Optional) x-displayName: "Specify endpoint label category". See [Flow Label Choice Flow Label ](#flow-label-choice-flow-label) below for details. +`undefined_flow_label` - (Optional) x-displayName: "Undefined" (`Bool`). +`http_methods` - (Required) List of HTTP methods. (`List of Strings`). - +`metadata` - (Required) Common attributes for the rule including name and description.. See [Protected App Endpoints Metadata ](#protected-app-endpoints-metadata) below for details. +`path` - (Required) Accepts wildcards * to match multiple characters or ? to match a single character. 
See [Protected App Endpoints Path ](#protected-app-endpoints-path) below for details. +`query` - (Optional) Enter a regular expression or exact value to match your query parameters of interest. See [Protected App Endpoints Query ](#protected-app-endpoints-query) below for details. +`request_body` - (Optional) Request Body. See [Protected App Endpoints Request Body ](#protected-app-endpoints-request-body) below for details. +### Policy Based Challenge Rule List +list challenge rules to be used in policy based challenge. +`rules` - (Optional) these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions. See [Rule List Rules ](#rule-list-rules) below for details. +### Policy Choice No Policies +Do not apply additional rate limiter policies.. +### Policy Choice Policies +to the action configured in the rule. If there's no match, the rate limiting configuration for the HTTP load balancer is honored.. +`policies` - (Required) Ordered list of rate limiter policies.. See [ref](#ref) below for details. +### Policy Specifier Cookie +Hash based on cookie. +###### One of the arguments from this list "add_httponly, ignore_httponly" can be set +`add_httponly` - (Optional) Add httponly attribute (`Bool`). +`ignore_httponly` - (Optional) Ignore httponly attribute (`Bool`). +`name` - (Required) produced (`String`). +`path` - (Optional) will be set for the cookie (`String`). +###### One of the arguments from this list "ignore_samesite, samesite_lax, samesite_none, samesite_strict" can be set +`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). +`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). +`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). +`samesite_strict` - (Optional) Add Samesite attribute with Strict. 
Means that the browser sends the cookie only for same-site requests (`Bool`). +###### One of the arguments from this list "add_secure, ignore_secure" can be set +`add_secure` - (Optional) Add secure attribute (`Bool`). +`ignore_secure` - (Optional) Ignore secure attribute (`Bool`). +`ttl` - (Optional) be a session cookie. TTL value is in milliseconds (`Int`). +### Port Choice Automatic Port +For other origin server types, port will be automatically set as 443 if TLS is enabled at Origin Pool and 80 if TLS is disabled. +### Port Choice Lb Port +Endpoint port is selected based on loadbalancer port. +### Port Choice Use Default Port +For HTTP, default is 80. For HTTPS/SNI, default is 443.. +### Port Match No Port Match +Disable matching of ports. +### Private Ip Site Locator +Site or Virtual site where this origin server is located. +###### One of the arguments from this list "site, virtual_site" must be set +`site` - (Optional) Reference to site object. See [ref](#ref) below for details. +`virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. -`round_robin` - (Optional) Request are sent to all eligible origin servers in round robin fashion (`Bool`). +### Private Key Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. -`source_ip_stickiness` - (Optional) Request are sent to all eligible origin servers using hash of source ip. Consistent hashing algorithm, ring hash, is used to select origin server (`Bool`). +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). 
+### Private Name Site Locator +Site or Virtual site where this origin server is located. -`disable_ip_reputation` - (Optional) x-displayName: "Disable" (`Bool`). +###### One of the arguments from this list "site, virtual_site" must be set +`site` - (Optional) Reference to site object. See [ref](#ref) below for details. -`enable_ip_reputation` - (Optional) x-displayName: "Enable". See [Ip Reputation Choice Enable Ip Reputation ](#ip-reputation-choice-enable-ip-reputation) below for details. - +`virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. +### Property Validation Settings Choice Property Validation Settings Custom +Use custom settings with Open API specification validation. +`headers` - (Optional) Custom settings for headers validation. See [Property Validation Settings Custom Headers ](#property-validation-settings-custom-headers) below for details.(Deprecated) +`queryParameters` - (Optional) Custom settings for query parameters validation. See [Property Validation Settings Custom QueryParameters ](#property-validation-settings-custom-queryParameters) below for details. +### Property Validation Settings Choice Property Validation Settings Default -`jwt_validation` - (Optional) tokens or tokens that are not yet valid.. See [Jwt Validation ](#jwt-validation) below for details. +Keep the default settings of OpenAPI specification validation. +### Property Validation Settings Custom Headers - +Custom settings for headers validation. +###### One of the arguments from this list "allow_additional_headers, disallow_additional_headers" must be set +`allow_additional_headers` - (Optional) Allow extra headers (on top of what specified in the OAS documentation) (`Bool`). +`disallow_additional_headers` - (Optional) Disallow extra headers (on top of what specified in the OAS documentation) (`Bool`). - +### Property Validation Settings Custom QueryParameters +Custom settings for query parameters validation. 
+###### One of the arguments from this list "allow_additional_parameters, disallow_additional_parameters" must be set +`allow_additional_parameters` - (Optional) Allow extra query parameters (on top of what specified in the OAS documentation) (`Bool`). - +`disallow_additional_parameters` - (Optional) Disallow extra query parameters (on top of what specified in the OAS documentation) (`Bool`). +### Protected App Endpoints Metadata +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Protected App Endpoints Mitigation +Mitigation action.. - +###### One of the arguments from this list "block, flag, none, redirect" can be set +`block` - (Optional) Block bot request and send response with custom content.. See [Action Type Block ](#action-type-block) below for details. +`flag` - (Optional) Flag the request while not taking any invasive actions.. See [Action Type Flag ](#action-type-flag) below for details. +`none` - (Optional) No mitigation actions. (`Bool`).(Deprecated) +`redirect` - (Optional) Redirect bot request to a custom URI.. See [Action Type Redirect ](#action-type-redirect) below for details. - +### Protected App Endpoints Path +Matching URI path of the route.. +###### One of the arguments from this list "path, prefix, regex" must be set - +`path` - (Optional) Exact path value to match (`String`). +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). +### Protected App Endpoints Query - +Enter a regular expression or exact value to match your query parameters of interest. 
+`name` - (Optional) Enter query parameter name (`String`). +###### One of the arguments from this list "check_presence, exact_value, regex_value" must be set +`check_presence` - (Optional) Parameter name taken which is exist in the query parameter (`Bool`). +`exact_value` - (Optional) Exact query value to match (`String`). - +`regex_value` - (Optional) Regular expression of query match (e.g. the value .* will match on all query) (`String`). +### Protected App Endpoints Request Body +Request Body. +`name` - (Optional) Enter request body parameter name (`String`). +###### One of the arguments from this list "exact_value, regex_value" must be set +`exact_value` - (Optional) Exact query value to match (`String`). +`regex_value` - (Optional) Regular expression of query match (e.g. the value .* will match on all query) (`String`). - +### Proxy Protocol Choice Disable Proxy Protocol +Disable Proxy Protocol for upstream connections. +### Proxy Protocol Choice Proxy Protocol V1 +Enable Proxy Protocol Version 1 for upstream connections. +### Proxy Protocol Choice Proxy Protocol V2 +Enable Proxy Protocol Version 2 for upstream connections. - +### Query Params Remove All Params +x-displayName: "Remove All Parameters". +### Query Params Retain All Params +x-displayName: "Retain All Parameters". - +### Query Params Strip Query Params +Specifies the list of query params to be removed. Not supported. +`query_params` - (Optional) Query params keys to strip while manipulating the HTTP request (`String`). +### Rate Limit Rate Limiter - +Requests to the virtual_host are rate limited based on the parameters specified in the rate_limiter.. +`burst_multiplier` - (Optional) The maximum burst of requests to accommodate, expressed as a multiple of the rate. (`Int`). +`total_number` - (Required) The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. (`Int`). +`unit` - (Required) Unit for the period per which the rate limit is applied. 
(`String`). - +### Rate Limit Choice Api Rate Limit +Define rate limiting for one or more API endpoints.. +`api_endpoint_rules` - (Optional) For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. See [Api Rate Limit Api Endpoint Rules ](#api-rate-limit-api-endpoint-rules) below for details. +###### One of the arguments from this list "bypass_rate_limiting_rules, custom_ip_allowed_list, ip_allowed_list, no_ip_allowed_list" must be set - +`bypass_rate_limiting_rules` - (Optional) This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. See [Ip Allowed List Choice Bypass Rate Limiting Rules ](#ip-allowed-list-choice-bypass-rate-limiting-rules) below for details. +`custom_ip_allowed_list` - (Optional) IP Allowed list using existing ip_prefix_set objects.. See [Ip Allowed List Choice Custom Ip Allowed List ](#ip-allowed-list-choice-custom-ip-allowed-list) below for details. +`ip_allowed_list` - (Optional) List of IP(s) for which rate limiting will be disabled.. See [Ip Allowed List Choice Ip Allowed List ](#ip-allowed-list-choice-ip-allowed-list) below for details. +`no_ip_allowed_list` - (Optional) There is no ip allowed list for rate limiting, all clients go through rate limiting. (`Bool`). +`server_url_rules` - (Optional) For matching also specific endpoints you can use the API endpoint rules set bellow.. See [Api Rate Limit Server Url Rules ](#api-rate-limit-server-url-rules) below for details. - +### Rate Limit Choice Rate Limit +Define custom rate limiting parameters for this load balancer. +###### One of the arguments from this list "custom_ip_allowed_list, ip_allowed_list, no_ip_allowed_list" must be set +`custom_ip_allowed_list` - (Optional) IP Allowed list using existing ip_prefix_set objects.. See [Ip Allowed List Choice Custom Ip Allowed List ](#ip-allowed-list-choice-custom-ip-allowed-list) below for details. 
+`ip_allowed_list` - (Optional) List of IP(s) for which rate limiting will be disabled.. See [Ip Allowed List Choice Ip Allowed List ](#ip-allowed-list-choice-ip-allowed-list) below for details. - +`no_ip_allowed_list` - (Optional) There is no ip allowed list for rate limiting, all clients go through rate limiting. (`Bool`). +###### One of the arguments from this list "no_policies, policies" must be set +`no_policies` - (Optional) Do not apply additional rate limiter policies. (`Bool`). +`policies` - (Optional) to the action configured in the rule. If there's no match, the rate limiting configuration for the HTTP load balancer is honored.. See [Policy Choice Policies ](#policy-choice-policies) below for details. - +`rate_limiter` - (Optional) Requests to the virtual_host are rate limited based on the parameters specified in the rate_limiter.. See [Rate Limit Rate Limiter ](#rate-limit-rate-limiter) below for details. +### Rate Limiter Choice Inline Rate Limiter +Specify rate values for the rule.. +###### One of the arguments from this list "ref_user_id, use_http_lb_user_id" must be set +`ref_user_id` - (Optional) The rules in the user_identification object are evaluated to determine the user identifier to be rate limited.. See [ref](#ref) below for details. +`use_http_lb_user_id` - (Optional) Defined in HTTP-LB Security Configuration -> User Identifier. (`Bool`). +`threshold` - (Required) The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. (`Int`). +`unit` - (Required) Unit for the period per which the rate limit is applied. (`String`). +### Redirect Route Headers -`l7_ddos_action_block` - (Optional) Block suspicious sources (`Bool`). +List of (key, value) headers. +`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). -`l7_ddos_action_default` - (Optional) Block suspicious sources (`Bool`). +`name` - (Required) Name of the header (`String`). 
+###### One of the arguments from this list "exact, presence, regex" can be set -`l7_ddos_action_js_challenge` - (Optional) Serve JavaScript challenge to suspicious sources. See [L7 Ddos Auto Mitigation Action L7 Ddos Action Js Challenge ](#l7-ddos-auto-mitigation-action-l7-ddos-action-js-challenge) below for details. - +`exact` - (Optional) Header value to match exactly (`String`). +`presence` - (Optional) If true, check for presence of header (`Bool`). +`regex` - (Optional) Regex match of the header value in re2 format (`String`). +### Redirect Route Incoming Port +The port on which the request is received. +###### One of the arguments from this list "no_port_match, port, port_ranges" can be set -`l7_ddos_action_none` - (Optional) Disable auto mitigation (`Bool`).(Deprecated) +`no_port_match` - (Optional) Disable matching of ports (`Bool`). +`port` - (Optional) Exact Port to match (`Int`). +`port_ranges` - (Optional) Port range to match (`String`). +### Redirect Route Path +URI path of route. -`http` - (Optional) HTTP Load Balancer.. See [Loadbalancer Type Http ](#loadbalancer-type-http) below for details. - +###### One of the arguments from this list "path, prefix, regex" must be set +`path` - (Optional) Exact path value to match (`String`). +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). +### Redirect Route Route Redirect +Send redirect response. +`host_redirect` - (Optional) swap host part of incoming URL in redirect URL (`String`). +`port_redirect` - (Optional) Specify the port value to redirect to a URL with non default port(443) (`Int`).(Deprecated) -`https` - (Optional) User is responsible for managing DNS to this load balancer.. See [Loadbalancer Type Https ](#loadbalancer-type-https) below for details. 
- +`proto_redirect` - (Optional) When incoming-proto option is specified, swapping of protocol is not done. (`String`). +###### One of the arguments from this list "all_params, remove_all_params, replace_params, retain_all_params, strip_query_params" can be set +`all_params` - (Optional) be removed. Default value is false, which means query portion of the URL will NOT be removed (`Bool`).(Deprecated) +`remove_all_params` - (Optional) x-displayName: "Remove All Parameters" (`Bool`). +`replace_params` - (Optional) x-displayName: "Replace All Parameters" (`String`). +`retain_all_params` - (Optional) x-displayName: "Retain All Parameters" (`Bool`). - +`strip_query_params` - (Optional) Specifies the list of query params to be removed. Not supported. See [Query Params Strip Query Params ](#query-params-strip-query-params) below for details.(Deprecated) +###### One of the arguments from this list "path_redirect, prefix_rewrite" can be set +`path_redirect` - (Optional) swap path part of incoming URL in redirect URL (`String`). +`prefix_rewrite` - (Optional) This option allows redirect URLs be dynamically created based on the request (`String`). - +`response_code` - (Optional) The HTTP status code to use in the redirect response. (`Int`). +### Ref +Reference to another volterra object is shown like below +name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - +namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). +tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Request Matcher Cookie Matchers +Note that all specified cookie matcher predicates must evaluate to true.. - +`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the cookie is not present. (`Bool`). 
+`check_present` - (Optional) Check that the cookie is present. (`Bool`). - +`item` - (Optional) Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. +`presence` - (Optional) Check if the cookie is present or absent. (`Bool`).(Deprecated) +`name` - (Required) A case-sensitive cookie name. (`String`). +### Request Matcher Headers - +Note that all specified header predicates must evaluate to true.. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the header is not present. (`Bool`). - +`check_present` - (Optional) Check that the header is present. (`Bool`). +`item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. +`presence` - (Optional) Check if the header is present or absent. (`Bool`).(Deprecated) +`name` - (Required) A case-insensitive HTTP header name. (`String`). - +### Request Matcher Jwt Claims +Note that this feature only works on LBs with JWT Validation feature enabled.. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +###### One of the arguments from this list "check_not_present, check_present, item" must be set - +`check_not_present` - (Optional) Check that the JWT Claim is not present. (`Bool`). +`check_present` - (Optional) Check that the JWT Claim is present. (`Bool`). - +`item` - (Optional) Criteria for matching the values for the JWT Claim. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. +`name` - (Required) JWT claim name. (`String`). 
+### Request Matcher Query Params +Note that all specified query parameter predicates must evaluate to true.. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`key` - (Required) A case-sensitive HTTP query parameter name. (`String`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the query parameter is not present. (`Bool`). +`check_present` - (Optional) Check that the query parameter is present. (`Bool`). +`item` - (Optional) criteria in the matcher.. See [Match Item ](#match-item) below for details. +`presence` - (Optional) Check if the query parameter is present or absent. (`Bool`).(Deprecated) +### Request Timeout Choice Disable Request Timeout +x-displayName: "No Timeout". +### Response Validation Mode Choice Response Validation Mode Active +Enforce OpenAPI validation processing for this event. +`response_validation_properties` - (Required) List of properties of the response to validate according to the OpenAPI specification file (a.k.a. swagger) (`List of Strings`). +###### One of the arguments from this list "enforcement_block, enforcement_report" must be set +`enforcement_block` - (Optional) Block the response, trigger an API security event (`Bool`). - +`enforcement_report` - (Optional) Allow the response, trigger an API security event (`Bool`). +### Response Validation Mode Choice Skip Response Validation +Skip OpenAPI validation processing for this event. +### Retry Policy Back Off - +10 times the base interval. +`base_interval` - (Optional) Specifies the base interval between retries in milliseconds (`Int`). +`max_interval` - (Optional) to the base_interval if set. The default is 10 times the base_interval. (`Int`). +### Retry Policy Choice Default Retry Policy +Use system default retry policy. +### Retry Policy Choice No Retry Policy +Do not configure retry policy. 
- +### Retry Policy Choice Retry Policy +Configure custom retry policy. +`back_off` - (Optional) 10 times the base interval. See [Retry Policy Back Off ](#retry-policy-back-off) below for details. +`num_retries` - (Optional) is used between each retry (`Int`). - +`per_try_timeout` - (Optional) Specifies a non-zero timeout per retry attempt. In milliseconds (`Int`). +`retriable_status_codes` - (Optional) HTTP status codes that should trigger a retry in addition to those specified by retry_on. (`Int`). +`retry_condition` - (Required) (disconnect/reset/read timeout.) (`String`). +`retry_on` - (Optional) matching one defined in retriable_status_codes field (`String`).(Deprecated) +### Rewrite Choice Disable Prefix Rewrite +Do not rewrite any path portion.. +### Rewrite Choice Regex Rewrite +with the substitution value.. +`pattern` - (Optional) The regular expression used to find portions of a string that should be replaced. (`String`). +`substitution` - (Optional) substitution operation to produce a new string. (`String`). +### Ring Hash Hash Policy - +route the request. +###### One of the arguments from this list "cookie, header_name, source_ip" must be set +`cookie` - (Optional) Hash based on cookie. See [Policy Specifier Cookie ](#policy-specifier-cookie) below for details. +`header_name` - (Optional) The name or key of the request header that will be used to obtain the hash key (`String`). - +`source_ip` - (Optional) Hash based on source IP address (`Bool`). +`terminal` - (Optional) Specify if its a terminal policy (`Bool`). +### Rule List Rules +these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions. +`metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. +`spec` - (Required) Specification for the rule including match predicates and actions.. See [Rules Spec ](#rules-spec) below for details. 
+### Rules Metadata - +Common attributes for the rule including name and description.. +`description` - (Optional) Human readable description. (`String`). +`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Rules Path - +URI path matcher.. +###### One of the arguments from this list "path, prefix, regex" must be set +`path` - (Optional) Exact path value to match (`String`). +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). +### Rules Spec +Specification for the rule including match predicates and actions.. +`arg_matchers` - (Optional)arg_matchers. See [Spec Arg Matchers ](#spec-arg-matchers) below for details. +###### One of the arguments from this list "any_asn, asn_list, asn_matcher" can be set +`any_asn` - (Optional)any_asn (`Bool`). - +`asn_list` - (Optional)asn_list. See [Asn Choice Asn List ](#asn-choice-asn-list) below for details. +`asn_matcher` - (Optional)asn_matcher. See [Asn Choice Asn Matcher ](#asn-choice-asn-matcher) below for details. +`body_matcher` - (Optional)body_matcher. See [Spec Body Matcher ](#spec-body-matcher) below for details. +###### One of the arguments from this list "disable_challenge, enable_captcha_challenge, enable_javascript_challenge" must be set +`disable_challenge` - (Optional) Disable the challenge type selected in PolicyBasedChallenge (`Bool`). +`enable_captcha_challenge` - (Optional) Enable captcha challenge (`Bool`). +`enable_javascript_challenge` - (Optional) Enable javascript challenge (`Bool`). +###### One of the arguments from this list "any_client, client_name, client_name_matcher, client_selector" can be set +`any_client` - (Optional)any_client (`Bool`). 
+`client_name` - (Optional)client_name (`String`).(Deprecated) - +`client_name_matcher` - (Optional)client_name_matcher. See [Client Choice Client Name Matcher ](#client-choice-client-name-matcher) below for details.(Deprecated) +`client_selector` - (Optional)client_selector. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. +`cookie_matchers` - (Optional)cookie_matchers. See [Spec Cookie Matchers ](#spec-cookie-matchers) below for details. +`domain_matcher` - (Optional)domain_matcher. See [Spec Domain Matcher ](#spec-domain-matcher) below for details. - +`expiration_timestamp` - (Optional)expiration_timestamp (`String`). +`headers` - (Optional)headers. See [Spec Headers ](#spec-headers) below for details. +`http_method` - (Optional)http_method. See [Spec Http Method ](#spec-http-method) below for details. +###### One of the arguments from this list "any_ip, ip_matcher, ip_prefix_list" can be set +`any_ip` - (Optional)any_ip (`Bool`). +`ip_matcher` - (Optional)ip_matcher. See [Ip Choice Ip Matcher ](#ip-choice-ip-matcher) below for details. +`ip_prefix_list` - (Optional)ip_prefix_list. See [Ip Choice Ip Prefix List ](#ip-choice-ip-prefix-list) below for details. - +`path` - (Optional)path. See [Spec Path ](#spec-path) below for details. +`query_params` - (Optional)query_params. See [Spec Query Params ](#spec-query-params) below for details. +###### One of the arguments from this list "ja4_tls_fingerprint, tls_fingerprint_matcher" can be set +`ja4_tls_fingerprint` - (Optional)ja4_tls_fingerprint. See [Tls Fingerprint Choice Ja4 Tls Fingerprint ](#tls-fingerprint-choice-ja4-tls-fingerprint) below for details.(Deprecated) - +`tls_fingerprint_matcher` - (Optional)tls_fingerprint_matcher. See [Tls Fingerprint Choice Tls Fingerprint Matcher ](#tls-fingerprint-choice-tls-fingerprint-matcher) below for details. +### Samesite Ignore Samesite +Ignore Samesite attribute. +### Samesite Samesite Lax +Add Samesite attribute with Lax. 
Means that the cookie is not sent on cross-site requests. +### Samesite Samesite None +Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests. - +### Samesite Samesite Strict +Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests. +### Secret Info Oneof Blindfold Secret Info +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. - +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - +Clear Secret is used for the secrets that are not encrypted. +`provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +`url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info +Vault Secret is used for the secrets managed by Hashicorp Vault. +`key` - (Optional) If not provided entire secret will be returned. (`String`). - +`location` - (Required) Path to secret in Vault. (`String`). +`provider` - (Required) Name of the Secret Management Access object that contains information about the backend Vault. (`String`). +`secret_encoding` - (Optional) This field defines the encoding type of the secret BEFORE the secret is put into Hashicorp Vault. (`String`). +`version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info +Secret is given as bootstrap secret in F5XC Security Sidecar. +`name` - (Required) Name of the secret. (`String`). 
+### Secret Value Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Section Choice All Request Sections +x-displayName: "All Request". +### Section Choice All Response Sections +x-displayName: "All Response". - +### Section Choice All Sections +x-displayName: "All Request & Response". +### Section Choice Custom Sections +x-displayName: "Custom Sections". +`custom_sections` - (Required) Request & Response Sections. (`List of Strings`). - +### Secure Add Secure +Add secure attribute. +### Secure Ignore Secure +Ignore secure attribute. - +### Selector Choice Client Selector +The predicate evaluates to true if the expressions in the label selector are true for the client labels.. +`expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Selector Choice None - +No Label Selector. +### Send Headers Choice Append Headers - +Append mitigation headers.. +`auto_type_header_name` - (Required) A case-insensitive HTTP header name. (`String`). +`inference_header_name` - (Required) A case-insensitive HTTP header name. (`String`). +### Send Headers Choice No Headers +No mitigation headers.. +### Sensitive Data Detection Rules Custom Sensitive Data Detection Rules +Rules to detect custom sensitive data in requests and/or responses sections.. +`metadata` - (Required) Common attributes for the rule including name and description.. See [Custom Sensitive Data Detection Rules Metadata ](#custom-sensitive-data-detection-rules-metadata) below for details. 
- +`sensitive_data_detection_config` - (Required) The custom data detection config specifies targets, scopes & the pattern to be detected.. See [Custom Sensitive Data Detection Rules Sensitive Data Detection Config ](#custom-sensitive-data-detection-rules-sensitive-data-detection-config) below for details. +`sensitive_data_type` - (Required) If the pattern is detected, the request is labeled with specified sensitive data type.. See [Custom Sensitive Data Detection Rules Sensitive Data Type ](#custom-sensitive-data-detection-rules-sensitive-data-type) below for details. +### Sensitive Data Detection Rules Disabled Built In Rules +List of disabled built-in sensitive data detection rules.. +`name` - (Required) Built-in rule for sensitive data detection. (`String`). +### Sensitive Data Disclosure Rules Sensitive Data Types In Response +Sensitive Data Exposure Rules allows specifying rules to mask sensitive data fields in API responses . - +`body` - (Optional) x-displayName: "JSON Path". See [Sensitive Data Types In Response Body ](#sensitive-data-types-in-response-body) below for details. +###### One of the arguments from this list "mask, report" can be set +`mask` - (Optional) x-displayName: "Mask Sensitive Data" (`Bool`).(Deprecated) +`report` - (Optional) x-displayName: "Report Sensitive Data" (`Bool`).(Deprecated) +###### One of the arguments from this list "api_endpoint, api_group, base_path" must be set +`api_endpoint` - (Optional) The API endpoint (Path + Method) which this validation applies to. See [Type Condition Type Choice Api Endpoint ](#type-condition-type-choice-api-endpoint) below for details. - +`api_group` - (Optional) The API group which this validation applies to (`String`).(Deprecated) +`base_path` - (Optional) The base path which this validation applies to (`String`).(Deprecated) +### Sensitive Data Policy Choice Sensitive Data Policy +Apply custom sensitive data discovery. 
+`sensitive_data_policy_ref` - (Required) Specify Sensitive Data Discovery. See [ref](#ref) below for details. +### Sensitive Data Types In Response Body +x-displayName: "JSON Path". +`fields` - (Required) List of JSON Path field values. Use square brackets with an underscore \[*] to indicate array elements, e.g., person.emails\[*]. (`String`). +### Server Header Choice Default Header - +Response header name is “server” and value is “volt-adc”. +### Server Header Choice Pass Through +Pass existing server header as is. If server header is absent, a new header is not appended.. +### Server Url Rules Client Matcher +Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - +###### One of the arguments from this list "any_client, client_selector, ip_threat_category_list" must be set +`any_client` - (Optional) Any Client (`Bool`). +`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. +`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. +###### One of the arguments from this list "any_ip, asn_list, asn_matcher, ip_matcher, ip_prefix_list" must be set +`any_ip` - (Optional) Any Source IP (`Bool`). +`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. +`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. +`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. 
See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. +`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. +`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. +### Server Url Rules Request Matcher +Conditions related to the request, such as query parameters, headers, etc.. +`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. +`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. +`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. +`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. +### Server Validation Choice Skip Server Verification +Skip origin server verification. -`https_auto_cert` - (Optional) or a DNS CNAME record should be created in your DNS provider's portal(only for Domains not managed by F5 Distributed Cloud).. See [Loadbalancer Type Https Auto Cert ](#loadbalancer-type-https-auto-cert) below for details. - +### Server Validation Choice Use Server Verification +Perform origin server verification using the provided Root CA Certificate. 
+###### One of the arguments from this list "trusted_ca, trusted_ca_url" must be set +`trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Origin Pool for verification of server's certificate. See [ref](#ref) below for details. +`trusted_ca_url` - (Optional) Upload a Root CA Certificate specifically for this Origin Pool for verification of server's certificate (`String`). +### Server Validation Choice Volterra Trusted Ca +Perform origin server verification using F5XC Default Root CA Certificate. +### Service Info Service Selector +discovery has to happen. This implicit label is added to service_selector. +`expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Service Policy Choice Active Service Policies +Apply the specified list of service policies and bypass the namespace service policy set. - +`policies` - (Required) If all policies are evaluated and none match, then the request will be denied by default.. See [ref](#ref) below for details. +### Simple Route Advanced Options +Configure Advanced per route options. +###### One of the arguments from this list "bot_defense_javascript_injection, inherited_bot_defense_javascript_injection" can be set +`bot_defense_javascript_injection` - (Optional) Configuration for Bot Defense JavaScript Injection. See [Bot Defense Javascript Injection Choice Bot Defense Javascript Injection ](#bot-defense-javascript-injection-choice-bot-defense-javascript-injection) below for details. +`inherited_bot_defense_javascript_injection` - (Optional) Hence no custom configuration is applied on the route (`Bool`). +###### One of the arguments from this list "buffer_policy, common_buffering" must be set +`buffer_policy` - (Optional) Route level buffer configuration overrides any configuration at VirtualHost level.. See [Buffer Choice Buffer Policy ](#buffer-choice-buffer-policy) below for details. 
+`common_buffering` - (Optional) Use common buffering configuration (`Bool`). +###### One of the arguments from this list "do_not_retract_cluster, retract_cluster" must be set +`do_not_retract_cluster` - (Optional) configuration. (`Bool`). +`retract_cluster` - (Optional) for route (`Bool`). +`cors_policy` - (Optional) resources from a server at a different origin. See [Advanced Options Cors Policy ](#advanced-options-cors-policy) below for details. +`csrf_policy` - (Optional) Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. See [Advanced Options Csrf Policy ](#advanced-options-csrf-policy) below for details. +`disable_location_add` - (Optional) virtual-host level. This configuration is ignored on CE sites. (`Bool`). +`endpoint_subsets` - (Optional) upstream origin pool which match this metadata will be selected for load balancing (`String`). - +###### One of the arguments from this list "common_hash_policy, specific_hash_policy" must be set +`common_hash_policy` - (Optional) Use load balancer hash policy for this route (`Bool`). +`specific_hash_policy` - (Optional) Configure hash policy specific for this route. See [Hash Policy Choice Specific Hash Policy ](#hash-policy-choice-specific-hash-policy) below for details. +###### One of the arguments from this list "disable_mirroring, mirror_policy" must be set +`disable_mirroring` - (Optional) Disable Mirroring of request (`Bool`). +`mirror_policy` - (Optional) useful for logging. For example, *cluster1* becomes *cluster1-shadow*.. See [Mirroring Choice Mirror Policy ](#mirroring-choice-mirror-policy) below for details. +`priority` - (Optional) Also, circuit-breaker configuration at destination cluster is chosen based on the route priority. (`String`). +`request_headers_to_add` - (Optional) Headers are key-value pairs to be added to HTTP request being routed towards upstream.. 
See [Advanced Options Request Headers To Add ](#advanced-options-request-headers-to-add) below for details. +`request_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP request being sent towards upstream. (`String`). +`response_headers_to_add` - (Optional) Headers are key-value pairs to be added to HTTP response being sent towards downstream.. See [Advanced Options Response Headers To Add ](#advanced-options-response-headers-to-add) below for details. +`response_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP response being sent towards downstream. (`String`). +###### One of the arguments from this list "default_retry_policy, no_retry_policy, retry_policy" must be set +`default_retry_policy` - (Optional) Use system default retry policy (`Bool`). +`no_retry_policy` - (Optional) Do not configure retry policy (`Bool`). +`retry_policy` - (Optional) Configure custom retry policy. See [Retry Policy Choice Retry Policy ](#retry-policy-choice-retry-policy) below for details. +###### One of the arguments from this list "disable_prefix_rewrite, prefix_rewrite, regex_rewrite" must be set +`disable_prefix_rewrite` - (Optional) Do not rewrite any path portion. (`Bool`). +`prefix_rewrite` - (Optional) the query string) will be swapped with this value. (`String`). +`regex_rewrite` - (Optional) with the substitution value.. See [Rewrite Choice Regex Rewrite ](#rewrite-choice-regex-rewrite) below for details. +###### One of the arguments from this list "disable_spdy, enable_spdy" must be set +`disable_spdy` - (Optional) SPDY upgrade is disabled (`Bool`). +`enable_spdy` - (Optional) SPDY upgrade is enabled (`Bool`). +`timeout` - (Optional) Should be set to a high value or 0 (infinite timeout) for server-side streaming. (`Int`). +###### One of the arguments from this list "app_firewall, disable_waf, inherited_waf" can be set +`app_firewall` - (Optional) Reference to App Firewall configuration object. 
See [ref](#ref) below for details. +`disable_waf` - (Optional) App Firewall configuration that is configured in the Load Balancer will not be enforced on this route (`Bool`). +`inherited_waf` - (Optional) Hence no custom configuration is applied on the route (`Bool`). +###### One of the arguments from this list "disable_web_socket_config, web_socket_config" must be set +`disable_web_socket_config` - (Optional) Websocket upgrade is disabled (`Bool`). +`web_socket_config` - (Optional) Upgrade to Websocket for this route. See [Websocket Choice Web Socket Config ](#websocket-choice-web-socket-config) below for details. +### Simple Route Headers +List of (key, value) headers. +`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). +`name` - (Required) Name of the header (`String`). +###### One of the arguments from this list "exact, presence, regex" can be set +`exact` - (Optional) Header value to match exactly (`String`). +`presence` - (Optional) If true, check for presence of header (`Bool`). +`regex` - (Optional) Regex match of the header value in re2 format (`String`). +### Simple Route Incoming Port +The port on which the request is received. +###### One of the arguments from this list "no_port_match, port, port_ranges" can be set +`no_port_match` - (Optional) Disable matching of ports (`Bool`). +`port` - (Optional) Exact Port to match (`Int`). +`port_ranges` - (Optional) Port range to match (`String`). - +### Simple Route Origin Pools +Origin Pools for this route. +`endpoint_subsets` - (Optional) upstream origin pool which match this metadata will be selected for load balancing (`String`). +###### One of the arguments from this list "cluster, pool" must be set +`cluster` - (Optional) More flexible, advanced feature control with cluster. See [ref](#ref) below for details. +`pool` - (Optional) Simple, commonly used pool parameters with origin pool. See [ref](#ref) below for details. 
+`priority` - (Optional) made active as per the increasing priority. (`Int`). +`weight` - (Optional) Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool (`Int`). +### Simple Route Path +URI path of route. +###### One of the arguments from this list "path, prefix, regex" must be set +`path` - (Optional) Exact path value to match (`String`). +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). +### Slow Ddos Mitigation Choice Slow Ddos Mitigation +Custom Settings for Slow DDoS Mitigation. +`request_headers_timeout` - (Optional) provides protection against Slowloris attacks. (`Int`). +###### One of the arguments from this list "disable_request_timeout, request_timeout" must be set +`disable_request_timeout` - (Optional) x-displayName: "No Timeout" (`Bool`). +`request_timeout` - (Optional) x-example: "60000" (`Int`). -`disable_malicious_user_detection` - (Optional) x-displayName: "Disable" (`Bool`). +### Sni Choice Disable Sni +Do not use SNI.. -`enable_malicious_user_detection` - (Optional) x-displayName: "Enable" (`Bool`). +### Sni Choice Use Host Header As Sni +Use the host header as SNI. The host header value is extracted after any configured rewrites have been applied.. +### Spdy Choice Disable Spdy +SPDY upgrade is disabled. -`malicious_user_mitigation` - (Optional) The settings defined in malicious user mitigation specify what mitigation actions to take for users determined to be at different threat levels.. See [ref](#ref) below for details.(Deprecated) +### Spdy Choice Enable Spdy +SPDY upgrade is enabled. +### Spec Arg Matchers -`multi_lb_app` - (Optional) It should be configured externally using app type feature and label should be added to the HTTP load balancer. (`Bool`).(Deprecated) +arg_matchers. 
+`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). -`single_lb_app` - (Optional) ML Config applied on this load balancer. See [Ml Config Choice Single Lb App ](#ml-config-choice-single-lb-app) below for details.(Deprecated) - +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the argument is not present. (`Bool`). +`check_present` - (Optional) Check that the argument is present. (`Bool`). +`item` - (Optional) Criteria for matching the values for the Arg. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - +`presence` - (Optional) Check if the arg is present or absent. (`Bool`).(Deprecated) +`name` - (Required) A case-sensitive JSON path in the HTTP request body. (`String`). +### Spec Body Matcher +body_matcher. - +`exact_values` - (Optional) A list of exact values to match the input against. (`String`). +`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - +`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). +### Spec Cookie Matchers +cookie_matchers. +`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the cookie is not present. (`Bool`). +`check_present` - (Optional) Check that the cookie is present. (`Bool`). +`item` - (Optional) Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. +`presence` - (Optional) Check if the cookie is present or absent. 
(`Bool`).(Deprecated) +`name` - (Required) A case-sensitive cookie name. (`String`). +### Spec Domain Matcher - +domain_matcher. +`exact_values` - (Optional) A list of exact values to match the input against. (`String`). +`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). +### Spec Headers +headers. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the header is not present. (`Bool`). - +`check_present` - (Optional) Check that the header is present. (`Bool`). +`item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. +`presence` - (Optional) Check if the header is present or absent. (`Bool`).(Deprecated) +`name` - (Required) A case-insensitive HTTP header name. (`String`). - +### Spec Http Method +http_method. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`methods` - (Optional) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). +### Spec Path +path. +`exact_values` - (Optional) A list of exact path values to match the input HTTP path against. (`String`). -`more_option` - (Optional) More options like header manipulation, compression etc.. See [More Option ](#more-option) below for details. +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`prefix_values` - (Optional) A list of path prefix values to match the input HTTP path against. (`String`). - +`regex_values` - (Optional) A list of regular expressions to match the input HTTP path against. (`String`). +`suffix_values` - (Optional) A list of path suffix values to match the input HTTP path against. (`String`). 
+`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). +### Spec Query Params +query_params. - +`invert_matcher` - (Optional) Invert the match result. (`Bool`). +`key` - (Required) A case-sensitive HTTP query parameter name. (`String`). +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set +`check_not_present` - (Optional) Check that the query parameter is not present. (`Bool`). +`check_present` - (Optional) Check that the query parameter is present. (`Bool`). +`item` - (Optional) criteria in the matcher.. See [Match Item ](#match-item) below for details. - +`presence` - (Optional) Check if the query parameter is present or absent. (`Bool`).(Deprecated) +### Specific Hash Policy Hash Policy +route the request. +###### One of the arguments from this list "cookie, header_name, source_ip" must be set - +`cookie` - (Optional) Hash based on cookie. See [Policy Specifier Cookie ](#policy-specifier-cookie) below for details. +`header_name` - (Optional) The name or key of the request header that will be used to obtain the hash key (`String`). +`source_ip` - (Optional) Hash based on source IP address (`Bool`). +`terminal` - (Optional) Specify if its a terminal policy (`Bool`). - +### Strict Sni Host Header Check Choice Additional Domains +Wildcard names are supported in the suffix or prefix form. +`domains` - (Required) Wildcard names are supported in the suffix or prefix form. (`String`). +### Strict Sni Host Header Check Choice Enable Strict Sni Host Header Check +Enable strict SNI and Host header check. +### Subset Choice Disable Subsets +Subset load balancing is disabled. All eligible origin servers will be considered for load balancing.. +### Subset Choice Enable Subsets +Subset load balancing is enabled. Based on route, subset of origin servers will be considered for load balancing.. 
+`endpoint_subsets` - (Required) List of subset class. Subsets class is defined using list of keys. Every unique combination of values of these keys form a subset withing the class.. See [Enable Subsets Endpoint Subsets ](#enable-subsets-endpoint-subsets) below for details. +###### One of the arguments from this list "any_endpoint, default_subset, fail_request" must be set +`any_endpoint` - (Optional) Select any origin server from available healthy origin servers in this pool (`Bool`). +`default_subset` - (Optional) Use the default subset provided here. Select endpoints matching default subset.. See [Fallback Policy Choice Default Subset ](#fallback-policy-choice-default-subset) below for details. +`fail_request` - (Optional) Request will be failed and error returned, as if cluster has no origin servers. (`Bool`). - +### Target All Endpoint +Validation will be performed for all requests on this LB. +### Target Api Groups +Validation will be performed for the endpoints mentioned in the API Groups. +`api_groups` - (Required) x-required (`String`). +### Target Base Paths +Validation will be performed for selected path prefixes. +`base_paths` - (Required) x-required (`String`). +### Target Choice Any Target +The rule will be applied for all requests on this LB.. +### Target Choice Api Endpoint Target +The rule is applied only for the specified api endpoints.. +`api_endpoint_path` - (Required) The rule is applied only for the specified api endpoints. (`String`). +`methods` - (Required) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). +### Temporary Blocking Parameters Choice Default Temporary Blocking Parameters +Use default parameters. +### Temporary Blocking Parameters Choice Temporary User Blocking +Specifies configuration for temporary user blocking resulting from malicious user detection. +`custom_page` - (Optional) E.g. "

Blocked

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). +### Tls Cert Params Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set +`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. +`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). +`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). +`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### Tls Certificates Private Key +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set - +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. 
+`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Tls Certificates Choice Tls Cert Params +Select/Add one or more TLS Certificate objects to associate with this Load Balancer. +`certificates` - (Required) Select one or more certificates with any domain names.. See [ref](#ref) below for details. +###### One of the arguments from this list "no_mtls, use_mtls" must be set +`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). +`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. +`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Tls Cert Params Tls Config ](#tls-cert-params-tls-config) below for details. +### Tls Certificates Choice Tls Parameters +Upload a TLS certificate covering all domain names for this Load Balancer. +###### One of the arguments from this list "no_mtls, use_mtls" must be set +`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - +`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. +`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Tls Parameters Tls Certificates ](#tls-parameters-tls-certificates) below for details. +`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Tls Parameters Tls Config ](#tls-parameters-tls-config) below for details. +### Tls Choice No Tls +x-displayName: "Disable". +### Tls Choice Use Tls - +x-displayName: "Enable". 
+###### One of the arguments from this list "default_session_key_caching, disable_session_key_caching, max_session_keys" must be set - +`default_session_key_caching` - (Optional) Default session key caching. Only one session key will be cached. (`Bool`). +`disable_session_key_caching` - (Optional) Disable session key caching. This will disable TLS session resumption. (`Bool`). +`max_session_keys` - (Optional) Number of session keys that are cached. (`Int`). +###### One of the arguments from this list "no_mtls, use_mtls, use_mtls_obj" must be set +`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). +`use_mtls` - (Optional) x-displayName: "Upload a client authentication certificate specifically for this Origin Pool". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. +`use_mtls_obj` - (Optional) x-displayName: "Select/add a TLS Certificate object for client authentication". See [ref](#ref) below for details. +###### One of the arguments from this list "skip_server_verification, use_server_verification, volterra_trusted_ca" must be set +`skip_server_verification` - (Optional) Skip origin server verification (`Bool`). +`use_server_verification` - (Optional) Perform origin server verification using the provided Root CA Certificate. See [Server Validation Choice Use Server Verification ](#server-validation-choice-use-server-verification) below for details. +`volterra_trusted_ca` - (Optional) Perform origin server verification using F5XC Default Root CA Certificate (`Bool`). +###### One of the arguments from this list "disable_sni, sni, use_host_header_as_sni" must be set +`disable_sni` - (Optional) Do not use SNI. (`Bool`). +`sni` - (Optional) SNI value to be used. (`String`). +`use_host_header_as_sni` - (Optional) Use the host header as SNI. The host header value is extracted after any configured rewrites have been applied. (`Bool`). +`tls_config` - (Required) TLS parameters such as min/max TLS version and ciphers. 
See [Use Tls Tls Config ](#use-tls-tls-config) below for details. +### Tls Fingerprint Choice Ja4 Tls Fingerprint +ja4_tls_fingerprint. +`exact_values` - (Optional) A list of exact JA4 TLS fingerprint to match the input JA4 TLS fingerprint against (`String`). +### Tls Fingerprint Choice Tls Fingerprint Matcher +tls_fingerprint_matcher. +`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). +`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). +`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). - +### Tls Parameters Tls Certificates - - - - - - - - - - - - - - - - - - - - - - - - - -`default_pool` - (Optional) Single Origin Pool. See [Origin Pool Choice Default Pool ](#origin-pool-choice-default-pool) below for details.(Deprecated) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`default_pool_list` - (Optional) Multiple Origin Pools with weights and priorities. 
See [Origin Pool Choice Default Pool List ](#origin-pool-choice-default-pool-list) below for details.(Deprecated) - - - - - - - - - - - - - - - - -`origin_server_subset_rule_list` - (Optional) When an Origin server subset rule is matched, then this selection rule takes effect and no more rules are evaluated.. See [Origin Server Subset Rule List ](#origin-server-subset-rule-list) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`protected_cookies` - (Optional) Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. See [Protected Cookies ](#protected-cookies) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`api_rate_limit` - (Optional) Define rate limiting for one or more API endpoints.. See [Rate Limit Choice Api Rate Limit ](#rate-limit-choice-api-rate-limit) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`disable_rate_limit` - (Optional) Rate limiting is not currently enabled for this load balancer (`Bool`). - - -`rate_limit` - (Optional) Define custom rate limiting parameters for this load balancer. See [Rate Limit Choice Rate Limit ](#rate-limit-choice-rate-limit) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`routes` - (Optional) to origin pool or redirect matching traffic to a different URL or respond directly to matching traffic. See [Routes ](#routes) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`sensitive_data_disclosure_rules` - (Optional) Sensitive Data Disclosure Rules are setting to mask sensitive data in the request/response to prevent data exposure in XC portal. See [Sensitive Data Disclosure Rules ](#sensitive-data-disclosure-rules) below for details.(Deprecated) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`default_sensitive_data_policy` - (Optional) Apply system default sensitive data discovery (`Bool`). - - -`sensitive_data_policy` - (Optional) Apply custom sensitive data discovery. See [Sensitive Data Policy Choice Sensitive Data Policy ](#sensitive-data-policy-choice-sensitive-data-policy) below for details. - - - - - - - - -`active_service_policies` - (Optional) Apply the specified list of service policies and bypass the namespace service policy set. See [Service Policy Choice Active Service Policies ](#service-policy-choice-active-service-policies) below for details. - - - - - -`no_service_policies` - (Optional) Do not apply any service policies i.e. bypass the namespace service policy set (`Bool`). 
- - -`service_policies_from_namespace` - (Optional) Apply the active service policies configured as part of the namespace service policy set (`Bool`). - - - - - -`slow_ddos_mitigation` - (Optional) Custom Settings for Slow DDoS Mitigation. See [Slow Ddos Mitigation Choice Slow Ddos Mitigation ](#slow-ddos-mitigation-choice-slow-ddos-mitigation) below for details. - - - - - - - - - - - - - -`system_default_timeouts` - (Optional) Default Settings for Slow DDoS Mitigation (`Bool`). - - - - - -`disable_threat_mesh` - (Optional) x-displayName: "Disable" (`Bool`). - - -`enable_threat_mesh` - (Optional) x-displayName: "Enable" (`Bool`). - - - - - -`disable_trust_client_ip_headers` - (Optional) x-displayName: "Disable" (`Bool`). - - -`enable_trust_client_ip_headers` - (Optional) x-displayName: "Enable". See [Trust Client Ip Headers Choice Enable Trust Client Ip Headers ](#trust-client-ip-headers-choice-enable-trust-client-ip-headers) below for details. - - - - - - - -`trusted_clients` - (Optional) Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. See [Trusted Clients ](#trusted-clients) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`user_id_client_ip` - (Optional) Use the Client IP address as the user identifier. (`Bool`). - - -`user_identification` - (Optional) The rules in the user_identification object are evaluated to determine the user identifier.. See [ref](#ref) below for details. - - - - - -`app_firewall` - (Optional) Reference to App Firewall configuration object. See [ref](#ref) below for details. - - -`disable_waf` - (Optional) No WAF configuration for this load balancer (`Bool`). - - - - -`waf_exclusion_rules` - (Optional) When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. See [Waf Exclusion Rules ](#waf-exclusion-rules) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Api Protection Rules - - Rules can also include additional conditions, for example specific clients can access certain API endpoint or API group.. - -`api_endpoint_rules` - (Optional) If request matches any of these rules, skipping second category rules.. See [Api Protection Rules Api Endpoint Rules ](#api-protection-rules-api-endpoint-rules) below for details. - -`api_groups_rules` - (Optional) For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.. See [Api Protection Rules Api Groups Rules ](#api-protection-rules-api-groups-rules) below for details. - - - -### Api Rate Limit Legacy - - Legacy value only temporary pre-migration. This value will be copied over to api_rate_limit and removed later.. - -`api_endpoint_rules` - (Optional) For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. See [Api Rate Limit Legacy Api Endpoint Rules ](#api-rate-limit-legacy-api-endpoint-rules) below for details. - - - -###### One of the arguments from this list "bypass_rate_limiting_rules, no_ip_allowed_list, ip_allowed_list, custom_ip_allowed_list" must be set - -`bypass_rate_limiting_rules` - (Optional) This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. See [Ip Allowed List Choice Bypass Rate Limiting Rules ](#ip-allowed-list-choice-bypass-rate-limiting-rules) below for details. - - -`custom_ip_allowed_list` - (Optional) IP Allowed list using existing ip_prefix_set objects.. See [Ip Allowed List Choice Custom Ip Allowed List ](#ip-allowed-list-choice-custom-ip-allowed-list) below for details. - - -`ip_allowed_list` - (Optional) List of IP(s) for which rate limiting will be disabled.. See [Ip Allowed List Choice Ip Allowed List ](#ip-allowed-list-choice-ip-allowed-list) below for details. 
- - -`no_ip_allowed_list` - (Optional) There is no ip allowed list for rate limiting, all clients go through rate limiting. (`Bool`). - - -`server_url_rules` - (Optional) For matching also specific endpoints you can use the API endpoint rules set bellow.. See [Api Rate Limit Legacy Server Url Rules ](#api-rate-limit-legacy-server-url-rules) below for details. - - - -### Blocked Clients - - Define rules to block IP Prefixes or AS numbers.. - - - - -###### One of the arguments from this list "waf_skip_processing, bot_skip_processing, skip_processing" can be set - -`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - - -`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - - -`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. (`Bool`).(Deprecated) - - -`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). - - - -###### One of the arguments from this list "ip_prefix, as_number, http_header, user_identifier" must be set - -`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). - - -`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. - - -`ip_prefix` - (Optional) IPv4 prefix string. (`String`). - - -`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). - - -`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Blocked Clients Metadata ](#blocked-clients-metadata) below for details. - - - -### Cors Policy - - resources from a server at a different origin. 
- -`allow_credentials` - (Optional) Specifies whether the resource allows credentials (`Bool`). - -`allow_headers` - (Optional) Specifies the content for the access-control-allow-headers header (`String`). - -`allow_methods` - (Optional) Specifies the content for the access-control-allow-methods header (`String`). - -`allow_origin` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). - -`allow_origin_regex` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). - -`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). - -`expose_headers` - (Optional) Specifies the content for the access-control-expose-headers header (`String`). - -`max_age` - (Optional) Specifies the content for the access-control-max-age header (`String`).(Deprecated) - -`maximum_age` - (Optional) Maximum permitted value is 86400 seconds (24 hours) (`Int`). - - - -### Csrf Policy - - Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. - - - -###### One of the arguments from this list "disabled, all_load_balancer_domains, custom_domain_list" must be set - -`all_load_balancer_domains` - (Optional) Add All load balancer domains to source origin (allow) list. (`Bool`). - - -`custom_domain_list` - (Optional) Add one or more domains to source origin (allow) list.. See [Allowed Domains Custom Domain List ](#allowed-domains-custom-domain-list) below for details. - - -`disabled` - (Optional) Allow all source origin domains. (`Bool`). - - - - -### Data Guard Rules - - Note: App Firewall should be enabled, to use Data Guard feature.. - - - -###### One of the arguments from this list "apply_data_guard, skip_data_guard" must be set - -`apply_data_guard` - (Optional) x-displayName: "Apply" (`Bool`). - - -`skip_data_guard` - (Optional) x-displayName: "Skip" (`Bool`). 
- - - - -###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set - -`any_domain` - (Optional) Enable Data Guard for any domain (`Bool`). - - -`exact_value` - (Optional) Exact domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Data Guard Rules Metadata ](#data-guard-rules-metadata) below for details. - -`path` - (Required) URI path matcher.. See [Data Guard Rules Path ](#data-guard-rules-path) below for details. - - - -### Ddos Mitigation Rules - - Define manual mitigation rules to block L7 DDoS attacks.. - -`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Ddos Mitigation Rules Metadata ](#ddos-mitigation-rules-metadata) below for details. - - - -###### One of the arguments from this list "block" must be set - -`block` - (Optional) Block user for a duration determined by the expiration time (`Bool`). - - - - -###### One of the arguments from this list "ip_prefix_list, ddos_client_source" must be set - -`ddos_client_source` - (Optional) Combination of Region, ASN and TLS Fingerprints. See [Mitigation Choice Ddos Client Source ](#mitigation-choice-ddos-client-source) below for details. - - -`ip_prefix_list` - (Optional) IPv4 prefix string.. See [Mitigation Choice Ip Prefix List ](#mitigation-choice-ip-prefix-list) below for details. - - - - -### Default Route Pools - - Origin Pools used when no route is specified (default route). - -`endpoint_subsets` - (Optional) upstream origin pool which match this metadata will be selected for load balancing (`String`). 
- - - -###### One of the arguments from this list "pool, cluster" must be set - -`cluster` - (Optional) More flexible, advanced feature control with cluster. See [ref](#ref) below for details. - - -`pool` - (Optional) Simple, commonly used pool parameters with origin pool. See [ref](#ref) below for details. - - -`priority` - (Optional) made active as per the increasing priority. (`Int`). - -`weight` - (Optional) Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool (`Int`). - - - -### Graphql Rules - - queries and prevent GraphQL tailored attacks.. - - - -###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set - -`any_domain` - (Optional) Enable GraphQL inspection for any domain (`Bool`). - - -`exact_value` - (Optional) Exact domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - -`exact_path` - (Required) Specifies the exact path to GraphQL endpoint. Default value is /graphql. (`String`). - -`graphql_settings` - (Optional) GraphQL configuration.. See [Graphql Rules Graphql Settings ](#graphql-rules-graphql-settings) below for details. - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Graphql Rules Metadata ](#graphql-rules-metadata) below for details. - - - -###### One of the arguments from this list "method_get, method_post" must be set - -`method_get` - (Optional) x-displayName: "GET" (`Bool`). - - -`method_post` - (Optional) x-displayName: "POST" (`Bool`). - - - - -### Jwt Validation - - tokens or tokens that are not yet valid.. - -`action` - (Required) x-required. See [Jwt Validation Action ](#jwt-validation-action) below for details. 
- - - -###### One of the arguments from this list "auth_server_uri, jwks, jwks_config" must be set - -`auth_server_uri` - (Optional) JWKS URI will be will be retrieved from this URI (`String`).(Deprecated) - - -`jwks` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details. (`String`).(Deprecated) - - -`jwks_config` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.. See [Jwks Configuration Jwks Config ](#jwks-configuration-jwks-config) below for details. - - -`mandatory_claims` - (Optional) If the claim does not exist JWT token validation will fail.. See [Jwt Validation Mandatory Claims ](#jwt-validation-mandatory-claims) below for details. - -`reserved_claims` - (Optional) the token validation of these claims should be disabled.. See [Jwt Validation Reserved Claims ](#jwt-validation-reserved-claims) below for details. - -`target` - (Required) Define endpoints for which JWT token validation will be performed. See [Jwt Validation Target ](#jwt-validation-target) below for details. - -`token_location` - (Required) Define where in the HTTP request the JWT token will be extracted. See [Jwt Validation Token Location ](#jwt-validation-token-location) below for details. - - - -### More Option - - More options like header manipulation, compression etc.. - -`buffer_policy` - (Optional) specify the maximum buffer size and buffer interval with this config.. See [More Option Buffer Policy ](#more-option-buffer-policy) below for details. - -`compression_params` - (Optional) Only GZIP compression is supported. See [More Option Compression Params ](#more-option-compression-params) below for details. - -`cookies_to_modify` - (Optional) List of cookies to be modified from the HTTP response being sent towards downstream.. 
See [More Option Cookies To Modify ](#more-option-cookies-to-modify) below for details.(Deprecated) - -`custom_errors` - (Optional) matches for a request. (`String`). - -`disable_default_error_pages` - (Optional) Disable the use of default F5XC error pages. (`Bool`). - -`idle_timeout` - (Optional) received, otherwise the stream is reset. (`Int`). - -`javascript_info` - (Optional) Custom JavaScript Configuration. Custom JavaScript code can be executed at various stages of request processing.. See [More Option Javascript Info ](#more-option-javascript-info) below for details.(Deprecated) - -`jwt` - (Optional) audiences and issuer. See [ref](#ref) below for details.(Deprecated) - -`max_request_header_size` - (Optional) such load balancers is used for all the load balancers in question. (`Int`). - - - - -###### One of the arguments from this list "enable_path_normalize, disable_path_normalize" can be set - -`disable_path_normalize` - (Optional) x-displayName: "Disable" (`Bool`).(Deprecated) - - -`enable_path_normalize` - (Optional) x-displayName: "Enable" (`Bool`).(Deprecated) - - -`request_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [More Option Request Headers To Add ](#more-option-request-headers-to-add) below for details. - -`request_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP request being sent towards upstream. (`String`). - -`response_headers_to_add` - (Optional) Headers specified at this level are applied after headers from matched Route are applied. See [More Option Response Headers To Add ](#more-option-response-headers-to-add) below for details. - -`response_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP response being sent towards downstream. (`String`). 
- - - - -###### One of the arguments from this list "enable_strict_sni_host_header_check, additional_domains" can be set - -`additional_domains` - (Optional) Wildcard names are supported in the suffix or prefix form. See [Strict Sni Host Header Check Choice Additional Domains ](#strict-sni-host-header-check-choice-additional-domains) below for details.(Deprecated) - - -`enable_strict_sni_host_header_check` - (Optional) Enable strict SNI and Host header check (`Bool`).(Deprecated) - - - - -### Origin Server Subset Rule List - - When an Origin server subset rule is matched, then this selection rule takes effect and no more rules are evaluated.. - -`origin_server_subset_rules` - (Optional) When an Origin server subset rule is matched, then this selection rule takes effect and no more rules are evaluated.. See [Origin Server Subset Rule List Origin Server Subset Rules ](#origin-server-subset-rule-list-origin-server-subset-rules) below for details. - - - -### Protected Cookies - - Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.. - - - -###### One of the arguments from this list "disable_tampering_protection, enable_tampering_protection" must be set - -`disable_tampering_protection` - (Optional) x-displayName: "Disable" (`Bool`). - - -`enable_tampering_protection` - (Optional) x-displayName: "Enable" (`Bool`). - - - - - -###### One of the arguments from this list "ignore_httponly, add_httponly" can be set - -`add_httponly` - (Optional) x-displayName: "Add" (`Bool`). - - -`ignore_httponly` - (Optional) x-displayName: "Ignore" (`Bool`). - - - - - -###### One of the arguments from this list "max_age_value, ignore_max_age" can be set - -`ignore_max_age` - (Optional) Ignore max age attribute (`Bool`).(Deprecated) - - -`max_age_value` - (Optional) Add max age attribute (`Int`).(Deprecated) - - -`name` - (Required) Name of the Cookie (`String`). 
- - - - -###### One of the arguments from this list "ignore_samesite, samesite_strict, samesite_lax, samesite_none" can be set - -`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). - - -`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). - - -`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). - - -`samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). - - - - - -###### One of the arguments from this list "add_secure, ignore_secure" can be set - -`add_secure` - (Optional) x-displayName: "Add" (`Bool`). - - -`ignore_secure` - (Optional) x-displayName: "Ignore" (`Bool`). - - - - -### Routes - - to origin pool or redirect matching traffic to a different URL or respond directly to matching traffic. - - - -###### One of the arguments from this list "simple_route, redirect_route, direct_response_route, custom_route_object" must be set - -`custom_route_object` - (Optional) A custom route uses a route object created outside of this view.. See [Choice Custom Route Object ](#choice-custom-route-object) below for details. - - -`direct_response_route` - (Optional) A direct response route matches on path and/or HTTP method and responds directly to the matching traffic. See [Choice Direct Response Route ](#choice-direct-response-route) below for details. - - -`redirect_route` - (Optional) A redirect route matches on path and/or HTTP method and redirects the matching traffic to a different URL. See [Choice Redirect Route ](#choice-redirect-route) below for details. - - -`simple_route` - (Optional) A simple route matches on path and/or HTTP method and forwards the matching traffic to the associated pools. See [Choice Simple Route ](#choice-simple-route) below for details. 
- - - - -### Sensitive Data Disclosure Rules - - Sensitive Data Disclosure Rules are setting to mask sensitive data in the request/response to prevent data exposure in XC portal. - -`sensitive_data_types_in_response` - (Optional) Settings to mask sensitive data in response body . See [Sensitive Data Disclosure Rules Sensitive Data Types In Response ](#sensitive-data-disclosure-rules-sensitive-data-types-in-response) below for details. - - - -### Trusted Clients - - Define rules to skip processing of one or more features such as WAF, Bot Defense etc. for clients.. - - - - -###### One of the arguments from this list "skip_processing, waf_skip_processing, bot_skip_processing" can be set - -`bot_skip_processing` - (Optional) Skip Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - - -`skip_processing` - (Optional) Skip both WAF and Bot Defense processing for clients matching this rule. (`Bool`).(Deprecated) - - -`waf_skip_processing` - (Optional) Skip WAF processing for clients matching this rule. (`Bool`).(Deprecated) - - -`actions` - (Optional) Actions that should be taken when client identifier matches the rule (`List of Strings`). - - - -###### One of the arguments from this list "ip_prefix, as_number, http_header, user_identifier" must be set - -`as_number` - (Optional) RFC 6793 defined 4-byte AS number (`Int`). - - -`http_header` - (Optional) Request header name and value pairs. See [Client Source Choice Http Header ](#client-source-choice-http-header) below for details. - - -`ip_prefix` - (Optional) IPv4 prefix string. (`String`). - - -`user_identifier` - (Optional) Identify user based on user identifier. User identifier value needs to be copied from security event. (`String`). - - -`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. 
See [Trusted Clients Metadata ](#trusted-clients-metadata) below for details. - - - -### Waf Exclusion Rules - - When an exclusion rule is matched, then this exclusion rule takes effect and no more rules are evaluated.. - - - -###### One of the arguments from this list "any_domain, exact_value, suffix_value" must be set - -`any_domain` - (Optional) Apply this WAF exclusion rule for any domain (`Bool`). - - -`exact_value` - (Optional) Exact domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - -`expiration_timestamp` - (Optional) the configuration but is not applied anymore. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Waf Exclusion Rules Metadata ](#waf-exclusion-rules-metadata) below for details. - -`methods` - (Optional) methods to be matched (`List of Strings`). - - - -###### One of the arguments from this list "path_regex, any_path, path_prefix" must be set - -`any_path` - (Optional) Match all paths (`Bool`). - - -`path_prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`path_regex` - (Optional) Define the regex for the path. For example, the regex ^/.*$ will match on all paths (`String`). - - - - - -###### One of the arguments from this list "app_firewall_detection_control, waf_skip_processing" can be set - -`app_firewall_detection_control` - (Optional) Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria.. See [Waf Advanced Configuration App Firewall Detection Control ](#waf-advanced-configuration-app-firewall-detection-control) below for details. - - -`waf_skip_processing` - (Optional) Skip all App Firewall processing for this request (`Bool`). - - - - -### Action Allow - - Allow the request to proceed.. - - - -### Action Deny - - Deny the request.. 
- - - -### Action Choice Action Block - - Block the request and issue an API security event. - - - -### Action Choice Action Report - - Continue processing the request and issue an API security event. - - - -### Action Choice Action Skip - - Continue processing the request. - - - -### Action Choice Apply Data Guard - - x-displayName: "Apply". - - - -### Action Choice Block - - Block the request and report the issue. - - - -### Action Choice Bot Skip Processing - - Skip Bot Defense processing for clients matching this rule.. - - - -### Action Choice Report - - Allow the request and report the issue. - - - -### Action Choice Skip Data Guard - - x-displayName: "Skip". - - - -### Action Choice Skip Processing - - Skip both WAF and Bot Defense processing for clients matching this rule.. - - - -### Action Choice Waf Skip Processing - - Skip WAF processing for clients matching this rule.. - - - -### Action Type Block - - Block bot request and send response with custom content.. - -`body` - (Optional) E.g. "

Your request was blocked

". Base64 encoded string for this html is "LzxwPiBZb3VyIHJlcXVlc3Qgd2FzIGJsb2NrZWQgPC9wPg==" (`String`). - -`body_hash` - (Optional) Represents the corresponding MD5 Hash for the body message. (`String`).(Deprecated) - -`status` - (Optional) HTTP Status code to respond with (`String`). - - - -### Action Type Flag - - Flag the request while not taking any invasive actions.. - - - - -###### One of the arguments from this list "append_headers, no_headers" can be set - -`append_headers` - (Optional) Append mitigation headers.. See [Send Headers Choice Append Headers ](#send-headers-choice-append-headers) below for details. - - -`no_headers` - (Optional) No mitigation headers. (`Bool`). - - - - -### Action Type None - - No mitigation actions.. - - - -### Action Type Redirect - - Redirect bot request to a custom URI.. - -`uri` - (Required) URI location for redirect may be relative or absolute. (`String`). - - - -### Additional Headers Choice Allow Additional Headers - - Allow extra headers (on top of what specified in the OAS documentation). - - - -### Additional Headers Choice Disallow Additional Headers - - Disallow extra headers (on top of what specified in the OAS documentation). - - - -### Additional Parameters Choice Allow Additional Parameters - - Allow extra query parameters (on top of what specified in the OAS documentation). - - - -### Additional Parameters Choice Disallow Additional Parameters - - Disallow extra query parameters (on top of what specified in the OAS documentation). - - - -### Advanced Options Cors Policy - - resources from a server at a different origin. - -`allow_credentials` - (Optional) Specifies whether the resource allows credentials (`Bool`). - -`allow_headers` - (Optional) Specifies the content for the access-control-allow-headers header (`String`). - -`allow_methods` - (Optional) Specifies the content for the access-control-allow-methods header (`String`). 
- -`allow_origin` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). - -`allow_origin_regex` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). - -`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). - -`expose_headers` - (Optional) Specifies the content for the access-control-expose-headers header (`String`). - -`max_age` - (Optional) Specifies the content for the access-control-max-age header (`String`).(Deprecated) - -`maximum_age` - (Optional) Maximum permitted value is 86400 seconds (24 hours) (`Int`). - - - -### Advanced Options Csrf Policy - - Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. - - - -###### One of the arguments from this list "all_load_balancer_domains, custom_domain_list, disabled" must be set - -`all_load_balancer_domains` - (Optional) Add All load balancer domains to source origin (allow) list. (`Bool`). - - -`custom_domain_list` - (Optional) Add one or more domains to source origin (allow) list.. See [Allowed Domains Custom Domain List ](#allowed-domains-custom-domain-list) below for details. - - -`disabled` - (Optional) Allow all source origin domains. (`Bool`). - - - - -### Advanced Options Header Transformation Type - - Settings to normalize the headers of upstream requests.. - - - -###### One of the arguments from this list "legacy_header_transformation, default_header_transformation, proper_case_header_transformation, preserve_case_header_transformation" must be set - -`default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). - - -`legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). - - -`preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). 
- - -`proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). - - - - -### Advanced Options Request Headers To Add - - Headers are key-value pairs to be added to HTTP request being routed towards upstream.. - -`append` - (Optional) Default value is do not append (`Bool`). - -`name` - (Required) Name of the HTTP header. (`String`). - - - -###### One of the arguments from this list "secret_value, value" must be set - -`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. - - -`value` - (Optional) Value of the HTTP header. (`String`). - - - - -### Advanced Options Response Headers To Add - - Headers are key-value pairs to be added to HTTP response being sent towards downstream.. - -`append` - (Optional) Default value is do not append (`Bool`). - -`name` - (Required) Name of the HTTP header. (`String`). - - - -###### One of the arguments from this list "value, secret_value" must be set - -`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. - - -`value` - (Optional) Value of the HTTP header. (`String`). - - - - -### Advertise Choice Advertise Custom - - Advertise this load balancer on specific sites. - -`advertise_where` - (Required) Where should this load balancer be available. See [Advertise Custom Advertise Where ](#advertise-custom-advertise-where) below for details. - - - -### Advertise Choice Advertise On Public - - Advertise this load balancer on public network. - -`public_ip` - (Required) Dedicated Public IP, which is allocated by F5 Distributed Cloud on request, is used as a VIP.. See [ref](#ref) below for details. - - - -### Advertise Custom Advertise Where - - Where should this load balancer be available. 
- - - -###### One of the arguments from this list "virtual_site_segment, segment, virtual_site, virtual_site_with_vip, virtual_network, site_segment, cloud_edge_segment, advertise_on_public, site, vk8s_service" must be set - -`advertise_on_public` - (Optional) Advertise this load balancer on public network. See [Choice Advertise On Public ](#choice-advertise-on-public) below for details. - - -`site` - (Optional) Advertise on a customer site and a given network.. See [Choice Site ](#choice-site) below for details. - - -`site_segment` - (Optional) Advertise on a segment on a site. See [Choice Site Segment ](#choice-site-segment) below for details. - - -`virtual_network` - (Optional) Advertise on a virtual network. See [Choice Virtual Network ](#choice-virtual-network) below for details. - - -`virtual_site` - (Optional) Advertise on a customer virtual site and a given network.. See [Choice Virtual Site ](#choice-virtual-site) below for details. - - -`virtual_site_with_vip` - (Optional) Advertise on a customer virtual site and a given network and IP.. See [Choice Virtual Site With Vip ](#choice-virtual-site-with-vip) below for details. - - -`vk8s_service` - (Optional) Advertise on vK8s Service Network on RE.. See [Choice Vk8s Service ](#choice-vk8s-service) below for details. - - - - -###### One of the arguments from this list "use_default_port, port, port_ranges" must be set - -`port` - (Optional) TCP port to Listen. (`Int`). - - -`port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). - - -`use_default_port` - (Optional) For HTTP, default is 80. For HTTPS/SNI, default is 443. (`Bool`). - - - - -### Allow Introspection Queries Choice Disable Introspection - - Disable introspection queries for the load balancer.. - - - -### Allow Introspection Queries Choice Enable Introspection - - Enable introspection queries for the load balancer.. 
- - - -### Allowed Domains All Load Balancer Domains - - Add All load balancer domains to source origin (allow) list.. - - - -### Allowed Domains Custom Domain List - - Add one or more domains to source origin (allow) list.. - -`domains` - (Required) Wildcard names are supported in the suffix or prefix form. (`String`). - - - -### Allowed Domains Disabled - - Allow all source origin domains.. - - - -### Api Definition Choice Api Definitions - - DEPRECATED by 'api_definition'. - -`api_definitions` - (Optional) API Definitions using OpenAPI specification files. See [ref](#ref) below for details. - - - -### Api Definition Choice Api Specification - - Specify API definition and OpenAPI Validation. - -`api_definition` - (Required) Specify API definition which includes application API paths and methods derived from swagger files.. See [ref](#ref) below for details. - - - -###### One of the arguments from this list "validation_custom_list, validation_disabled, validation_all_spec_endpoints" must be set - -`validation_all_spec_endpoints` - (Optional) All other API endpoints would proceed according to "Fall Through Mode". See [Validation Target Choice Validation All Spec Endpoints ](#validation-target-choice-validation-all-spec-endpoints) below for details. - - -`validation_custom_list` - (Optional) Any other end-points not listed will act according to "Fall Through Mode". See [Validation Target Choice Validation Custom List ](#validation-target-choice-validation-custom-list) below for details. - - -`validation_disabled` - (Optional) Don't run OpenAPI validation (`Bool`). - - - - -### Api Discovery Choice Disable Discovery - - x-displayName: "Disable". - - - -### Api Discovery Choice Enable Api Discovery - - x-displayName: "Enable". - -`discovered_api_settings` - (Optional) Configure Discovered API Settings.. See [Enable Api Discovery Discovered Api Settings ](#enable-api-discovery-discovered-api-settings) below for details. 
- - - -###### One of the arguments from this list "disable_learn_from_redirect_traffic, enable_learn_from_redirect_traffic" must be set - -`disable_learn_from_redirect_traffic` - (Optional) Disable learning API patterns from traffic with redirect response codes 3xx (`Bool`). - - -`enable_learn_from_redirect_traffic` - (Optional) Enable learning API patterns from traffic with redirect response codes 3xx (`Bool`). - - -`sensitive_data_detection_rules` - (Optional) Manage rules to detect sensitive data in requests and/or response sections.. See [Enable Api Discovery Sensitive Data Detection Rules ](#enable-api-discovery-sensitive-data-detection-rules) below for details.(Deprecated) - - - -### Api Discovery Choice Enable Discovery - - x-displayName: "Enable". - -`discovered_api_settings` - (Optional) Configure Discovered API Settings.. See [Enable Discovery Discovered Api Settings ](#enable-discovery-discovered-api-settings) below for details. - - - -###### One of the arguments from this list "enable_learn_from_redirect_traffic, disable_learn_from_redirect_traffic" must be set - -`disable_learn_from_redirect_traffic` - (Optional) Disable learning API patterns from traffic with redirect response codes 3xx (`Bool`). - - -`enable_learn_from_redirect_traffic` - (Optional) Enable learning API patterns from traffic with redirect response codes 3xx (`Bool`). - - -`sensitive_data_detection_rules` - (Optional) Manage rules to detect sensitive data in requests and/or response sections.. See [Enable Discovery Sensitive Data Detection Rules ](#enable-discovery-sensitive-data-detection-rules) below for details.(Deprecated) - - - -### Api Endpoint Rules Action - - The action to take if the input request matches the rule.. - - - -###### One of the arguments from this list "deny, allow" must be set - -`allow` - (Optional) Allow the request to proceed. (`Bool`). - - -`deny` - (Optional) Deny the request. (`Bool`). 
- - - - -### Api Endpoint Rules Api Endpoint Method - - The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`methods` - (Optional) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). - - - -### Api Endpoint Rules Client Matcher - - Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - - - -###### One of the arguments from this list "ip_threat_category_list, client_selector, any_client" must be set - -`any_client` - (Optional) Any Client (`Bool`). - - -`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - - -`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - - - - -###### One of the arguments from this list "any_ip, ip_prefix_list, ip_matcher, asn_list, asn_matcher" must be set - -`any_ip` - (Optional) Any Source IP (`Bool`). - - -`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. - - -`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. - - -`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. - - -`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. 
See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. - - -`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. - - - -### Api Endpoint Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Api Endpoint Rules Request Matcher - - Conditions related to the request, such as query parameters, headers, etc.. - -`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. - -`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. - -`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. - -`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. - - - -### Api Groups Rules Action - - The action to take if the input request matches the rule.. - - - -###### One of the arguments from this list "allow, deny" must be set - -`allow` - (Optional) Allow the request to proceed. (`Bool`). - - -`deny` - (Optional) Deny the request. (`Bool`). 
- - - - -### Api Groups Rules Client Matcher - - Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - - - -###### One of the arguments from this list "any_client, ip_threat_category_list, client_selector" must be set - -`any_client` - (Optional) Any Client (`Bool`). - - -`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - - -`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - - - - -###### One of the arguments from this list "any_ip, ip_prefix_list, ip_matcher, asn_list, asn_matcher" must be set - -`any_ip` - (Optional) Any Source IP (`Bool`). - - -`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. - - -`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. - - -`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. - - -`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. - - -`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. 
See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. - - - -### Api Groups Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Api Groups Rules Request Matcher - - Conditions related to the request, such as query parameters, headers, etc.. - -`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. - -`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. - -`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. - -`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. - - - -### Api Protection Rules Api Endpoint Rules - - If request matches any of these rules, skipping second category rules.. - -`action` - (Required) The action to take if the input request matches the rule.. See [Api Endpoint Rules Action ](#api-endpoint-rules-action) below for details. - -`api_endpoint_method` - (Optional) The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. See [Api Endpoint Rules Api Endpoint Method ](#api-endpoint-rules-api-endpoint-method) below for details. 
- -`api_endpoint_path` - (Required) The endpoint (path) of the request. (`String`). - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Endpoint Rules Client Matcher ](#api-endpoint-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "any_domain, specific_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - - -`specific_domain` - (Optional) For example: api.example.com (`String`). - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Api Endpoint Rules Metadata ](#api-endpoint-rules-metadata) below for details. - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Endpoint Rules Request Matcher ](#api-endpoint-rules-request-matcher) below for details. - - - -### Api Protection Rules Api Groups Rules - - For API groups, refer to API Definition which includes API groups derived from uploaded swaggers.. - -`action` - (Required) The action to take if the input request matches the rule.. See [Api Groups Rules Action ](#api-groups-rules-action) below for details. - -`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`). - -`base_path` - (Required) For example: /v1 (`String`). - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Groups Rules Client Matcher ](#api-groups-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "any_domain, specific_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - - -`specific_domain` - (Optional) For example: api.example.com (`String`). 
- - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Api Groups Rules Metadata ](#api-groups-rules-metadata) below for details. - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Groups Rules Request Matcher ](#api-groups-rules-request-matcher) below for details. - - - -### Api Rate Limit Api Endpoint Rules - - For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. - -`api_endpoint_method` - (Optional) The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. See [Api Endpoint Rules Api Endpoint Method ](#api-endpoint-rules-api-endpoint-method) below for details. - -`api_endpoint_path` - (Required) The endpoint (path) of the request. (`String`). - -`base_path` - (Optional) The request base path. (`String`).(Deprecated) - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Endpoint Rules Client Matcher ](#api-endpoint-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "any_domain, specific_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - - -`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). - - - - -###### One of the arguments from this list "ref_rate_limiter, inline_rate_limiter" must be set - -`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. - - -`ref_rate_limiter` - (Optional) Select external rate limiter.. See [ref](#ref) below for details. - - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. 
See [Api Endpoint Rules Request Matcher ](#api-endpoint-rules-request-matcher) below for details. - - - -### Api Rate Limit Server Url Rules - - For matching also specific endpoints you can use the API endpoint rules set bellow.. - -`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`). - -`base_path` - (Required) Prefix of the request path. (`String`). - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Server Url Rules Client Matcher ](#server-url-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "any_domain, specific_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - - -`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). - - - - -###### One of the arguments from this list "inline_rate_limiter, ref_rate_limiter" must be set - -`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. - - -`ref_rate_limiter` - (Optional) Use external rate limiter.. See [ref](#ref) below for details. - - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Server Url Rules Request Matcher ](#server-url-rules-request-matcher) below for details. - - - -### Api Rate Limit Legacy Api Endpoint Rules - - For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. - -`api_endpoint_method` - (Optional) The predicate evaluates to true if the actual HTTP method belongs is present in the list of expected values.. See [Api Endpoint Rules Api Endpoint Method ](#api-endpoint-rules-api-endpoint-method) below for details. 
- -`api_endpoint_path` - (Required) The endpoint (path) of the request. (`String`). - -`base_path` - (Optional) The request base path. (`String`).(Deprecated) - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Api Endpoint Rules Client Matcher ](#api-endpoint-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "any_domain, specific_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - - -`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). - - - - -###### One of the arguments from this list "inline_rate_limiter, ref_rate_limiter" must be set - -`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. - - -`ref_rate_limiter` - (Optional) Select external rate limiter.. See [ref](#ref) below for details. - - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Api Endpoint Rules Request Matcher ](#api-endpoint-rules-request-matcher) below for details. - - - -### Api Rate Limit Legacy Server Url Rules - - For matching also specific endpoints you can use the API endpoint rules set bellow.. - -`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`). - -`base_path` - (Required) Prefix of the request path. (`String`). - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Server Url Rules Client Matcher ](#server-url-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "any_domain, specific_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). 
- - -`specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). - - - - -###### One of the arguments from this list "inline_rate_limiter, ref_rate_limiter" must be set - -`inline_rate_limiter` - (Optional) Specify rate values for the rule.. See [Rate Limiter Choice Inline Rate Limiter ](#rate-limiter-choice-inline-rate-limiter) below for details. - - -`ref_rate_limiter` - (Optional) Use external rate limiter.. See [ref](#ref) below for details. - - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Server Url Rules Request Matcher ](#server-url-rules-request-matcher) below for details. - - - -### App Firewall Detection Control Exclude Attack Type Contexts - - Attack Types to be excluded for the defined match criteria. - -`context` - (Required) x-required (`String`). - -`context_name` - (Optional) Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. (`String`). - -`exclude_attack_type` - (Required) x-required (`String`). - - - -### App Firewall Detection Control Exclude Bot Name Contexts - - Bot Names to be excluded for the defined match criteria. - -`bot_name` - (Required) x-example: "Hydra" (`String`). - - - -### App Firewall Detection Control Exclude Signature Contexts - - Signature IDs to be excluded for the defined match criteria. - -`context` - (Required) x-required (`String`). - -`context_name` - (Optional) Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. (`String`). - -`signature_id` - (Required) 0 implies that all signatures will be excluded for the specified context. (`Int`). - - - -### App Firewall Detection Control Exclude Violation Contexts - - Violations to be excluded for the defined match criteria. - -`context` - (Required) x-required (`String`). 
- -`context_name` - (Optional) Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. (`String`). - -`exclude_violation` - (Required) x-required (`String`). - - - -### App Traffic Type Choice Mobile - - Mobile traffic channel.. - - - -### App Traffic Type Choice Mobile Client - - Mobile traffic channel.. - - - -### App Traffic Type Choice Web - - Web traffic channel.. - - - -### App Traffic Type Choice Web Client - - Web traffic channel.. - - - -### App Traffic Type Choice Web Mobile - - Web and mobile traffic channel.. - -`header` - (Optional) Header that is used by mobile traffic.. See [Web Mobile Header ](#web-mobile-header) below for details.(Deprecated) - -`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Web Mobile Headers ](#web-mobile-headers) below for details.(Deprecated) - -`mobile_identifier` - (Optional) Mobile identifier type (`String`). - - - -### App Traffic Type Choice Web Mobile Client - - Web and mobile traffic channel.. - -`header` - (Optional) Header that is used by mobile traffic.. See [Web Mobile Client Header ](#web-mobile-client-header) below for details.(Deprecated) - -`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Web Mobile Client Headers ](#web-mobile-client-headers) below for details.(Deprecated) - -`mobile_identifier` - (Optional) Mobile identifier type (`String`). - - - -### Asn Choice Any Asn - -any_asn. - - - -### Asn Choice Asn List - -asn_list. - -`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). - - - -### Asn Choice Asn Matcher - -asn_matcher. - -`asn_sets` - (Required) A list of references to bgp_asn_set objects.. See [ref](#ref) below for details. 
- - - -### Audience Validation Audience - - x-displayName: "Exact Match". - -`audiences` - (Required) x-required (`String`). - - - -### Audience Validation Audience Disable - - x-displayName: "Disable". - - - -### Blocked Clients Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Bot Defense Policy - - Bot Defense Policy.. - - - -###### One of the arguments from this list "disable_js_insert, js_insert_all_pages, js_insert_all_pages_except, js_insertion_rules" must be set - -`disable_js_insert` - (Optional) Disable JavaScript insertion. (`Bool`). - - -`js_insert_all_pages` - (Optional) Insert Bot Defense JavaScript in all pages.. See [Java Script Choice Js Insert All Pages ](#java-script-choice-js-insert-all-pages) below for details. - - -`js_insert_all_pages_except` - (Optional) Insert Bot Defense JavaScript in all pages with the exceptions.. See [Java Script Choice Js Insert All Pages Except ](#java-script-choice-js-insert-all-pages-except) below for details. - - -`js_insertion_rules` - (Optional) Specify custom JavaScript insertion rules.. See [Java Script Choice Js Insertion Rules ](#java-script-choice-js-insertion-rules) below for details. - - -`javascript_mode` - (Required) The larger chunk can be loaded asynchronously or synchronously. It can also be cacheable or non-cacheable on the browser. (`String`). - -`js_download_path` - (Optional) Customize Bot Defense Client JavaScript path. If not specified, default `/common.js` (`String`). - - - -###### One of the arguments from this list "disable_mobile_sdk, mobile_sdk_config" must be set - -`disable_mobile_sdk` - (Optional) Disable Mobile SDK. (`Bool`). 
- - -`mobile_sdk_config` - (Optional) Mobile SDK configuration. See [Mobile Sdk Choice Mobile Sdk Config ](#mobile-sdk-choice-mobile-sdk-config) below for details. - - -`protected_app_endpoints` - (Required) List of protected application endpoints (max 128 items).. See [Policy Protected App Endpoints ](#policy-protected-app-endpoints) below for details. - - - -### Bot Defense Advanced Policy - - Bot Defense Advanced Policy.. - -`js_download_path` - (Required) Customize Bot Defense Web Client JavaScript path (`String`). - - - -###### One of the arguments from this list "mobile_sdk_config, disable_mobile_sdk" must be set - -`disable_mobile_sdk` - (Optional) Disable Mobile SDK. (`Bool`). - - -`mobile_sdk_config` - (Optional) Enable Mobile SDK Configuration. See [Mobile Sdk Choice Mobile Sdk Config ](#mobile-sdk-choice-mobile-sdk-config) below for details. - - -`protected_app_endpoints` - (Required) List of protected endpoints (max 128 items). See [Policy Protected App Endpoints ](#policy-protected-app-endpoints) below for details. - - - -### Bot Defense Choice Bot Defense - - Select Bot Defense Standard. - - - -###### One of the arguments from this list "enable_cors_support, disable_cors_support" must be set - -`disable_cors_support` - (Optional) protect against Bot Attacks. (`Bool`).(Deprecated) - - -`enable_cors_support` - (Optional) Allows Bot Defense to work with your existing CORS policies. (`Bool`).(Deprecated) - - -`policy` - (Required) Bot Defense Policy.. See [Bot Defense Policy ](#bot-defense-policy) below for details. - -`regional_endpoint` - (Required) x-required (`String`). - -`timeout` - (Optional) The timeout for the inference check, in milliseconds. (`Int`). - - - -### Bot Defense Choice Bot Defense Advanced - - Select Bot Defense Advanced. - -`mobile` - (Optional) Select infrastructure for mobile.. See [ref](#ref) below for details. - -`policy` - (Required) Bot Defense Advanced Policy.. 
See [Bot Defense Advanced Policy ](#bot-defense-advanced-policy) below for details. - -`web` - (Optional) Select infrastructure for web.. See [ref](#ref) below for details. - - - -### Bot Defense Javascript Injection Javascript Tags - - Select Add item to configure your javascript tag. If adding both Bot Adv and Fraud, the Bot Javascript should be added first.. - -`javascript_url` - (Required) Please enter the full URL (include domain and path), or relative path. (`String`). - -`tag_attributes` - (Optional) Add the tag attributes you want to include in your Javascript tag.. See [Javascript Tags Tag Attributes ](#javascript-tags-tag-attributes) below for details. - - - -### Bot Defense Javascript Injection Choice Bot Defense Javascript Injection - - Configuration for Bot Defense JavaScript Injection. - -`javascript_location` - (Optional) Select the location where you would like to insert the Javascript tag(s). (`String`). - -`javascript_tags` - (Required) Select Add item to configure your javascript tag. If adding both Bot Adv and Fraud, the Bot Javascript should be added first.. See [Bot Defense Javascript Injection Javascript Tags ](#bot-defense-javascript-injection-javascript-tags) below for details. - - - -### Bot Defense Javascript Injection Choice Inherited Bot Defense Javascript Injection - - Hence no custom configuration is applied on the route. - - - -### Buffer Choice Buffer Policy - - Route level buffer configuration overrides any configuration at VirtualHost level.. - -`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). - -`max_request_bytes` - (Optional) manager will stop buffering and return a RequestEntityTooLarge (413) response. (`Int`). - -`max_request_time` - (Optional) request before returning a RequestTimeout (408) response (`Int`).(Deprecated) - - - -### Buffer Choice Common Buffering - - Use common buffering configuration. 
- - - -### Bypass Rate Limiting Rules Bypass Rate Limiting Rules - - This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. - -`client_matcher` - (Optional) Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. See [Bypass Rate Limiting Rules Client Matcher ](#bypass-rate-limiting-rules-client-matcher) below for details. - - - -###### One of the arguments from this list "any_url, base_path, api_endpoint, api_groups" must be set - -`any_url` - (Optional) Any URL (`Bool`). - - -`api_endpoint` - (Required) The endpoint (path) of the request.. See [Destination Type Api Endpoint ](#destination-type-api-endpoint) below for details. - - -`api_groups` - (Optional) Validation will be performed for the endpoints mentioned in the API Groups. See [Destination Type Api Groups ](#destination-type-api-groups) below for details. - - -`base_path` - (Optional) The base path which this validation applies to (`String`). - - - - -###### One of the arguments from this list "any_domain, specific_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - - -`specific_domain` - (Optional) For example: api.example.com (`String`). - - -`request_matcher` - (Optional) Conditions related to the request, such as query parameters, headers, etc.. See [Bypass Rate Limiting Rules Request Matcher ](#bypass-rate-limiting-rules-request-matcher) below for details. - - - -### Bypass Rate Limiting Rules Client Matcher - - Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - - - -###### One of the arguments from this list "ip_threat_category_list, client_selector, any_client" must be set - -`any_client` - (Optional) Any Client (`Bool`). - - -`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. 
See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - - -`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - - - - -###### One of the arguments from this list "any_ip, ip_prefix_list, ip_matcher, asn_list, asn_matcher" must be set - -`any_ip` - (Optional) Any Source IP (`Bool`). - - -`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. - - -`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. - - -`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. - - -`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. - - -`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. - - - -### Bypass Rate Limiting Rules Request Matcher - - Conditions related to the request, such as query parameters, headers, etc.. - -`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. 
- -`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. - -`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. - -`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. - - - -### Captcha Challenge Parameters Choice Captcha Challenge Parameters - - Configure captcha challenge parameters. - -`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). - -`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - - - -### Captcha Challenge Parameters Choice Default Captcha Challenge Parameters - - Use default parameters. - - - -### Challenge Action Disable Challenge - - Disable the challenge type selected in PolicyBasedChallenge. - - - -### Challenge Action Enable Captcha Challenge - - Enable captcha challenge. - - - -### Challenge Action Enable Javascript Challenge - - Enable javascript challenge. - - - -### Challenge Choice Always Enable Captcha Challenge - - Challenge rules can be used to selectively disable Captcha challenge or enable JavaScript challenge for some requests.. - - - -### Challenge Choice Always Enable Js Challenge - - Challenge rules can be used to selectively disable JavaScript challenge or enable Captcha challenge for some requests.. - - - -### Challenge Choice No Challenge - - Challenge rules can be used to selectively enable JavaScript or Captcha challenge for some requests.. - - - -### Challenge Type Captcha Challenge - - Configure Captcha challenge on this load balancer. - -`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). - -`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - - - -### Challenge Type Enable Challenge - - Configure auto mitigation i.e risk based challenges for malicious users. - - - - -###### One of the arguments from this list "default_captcha_challenge_parameters, captcha_challenge_parameters" can be set - -`captcha_challenge_parameters` - (Optional) Configure captcha challenge parameters. See [Captcha Challenge Parameters Choice Captcha Challenge Parameters ](#captcha-challenge-parameters-choice-captcha-challenge-parameters) below for details. - - -`default_captcha_challenge_parameters` - (Optional) Use default parameters (`Bool`). - - - - - -###### One of the arguments from this list "default_js_challenge_parameters, js_challenge_parameters" can be set - -`default_js_challenge_parameters` - (Optional) Use default parameters (`Bool`). - - -`js_challenge_parameters` - (Optional) Configure JavaScript challenge parameters. See [Js Challenge Parameters Choice Js Challenge Parameters ](#js-challenge-parameters-choice-js-challenge-parameters) below for details. - - - - - -###### One of the arguments from this list "default_mitigation_settings, malicious_user_mitigation" can be set - -`default_mitigation_settings` - (Optional) For high level, users will be temporarily blocked. (`Bool`). - - -`malicious_user_mitigation` - (Optional) Define the mitigation actions to be taken for different threat levels. See [ref](#ref) below for details. - - - - -### Challenge Type Js Challenge - - Configure JavaScript challenge on this load balancer. - -`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). - -`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - -`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). - - - -### Challenge Type Policy Based Challenge - - Specifies the settings for policy rule based challenge. - - - - -###### One of the arguments from this list "default_captcha_challenge_parameters, captcha_challenge_parameters" can be set - -`captcha_challenge_parameters` - (Optional) Configure captcha challenge parameters. See [Captcha Challenge Parameters Choice Captcha Challenge Parameters ](#captcha-challenge-parameters-choice-captcha-challenge-parameters) below for details. - - -`default_captcha_challenge_parameters` - (Optional) Use default parameters (`Bool`). - - - - -###### One of the arguments from this list "no_challenge, always_enable_js_challenge, always_enable_captcha_challenge" must be set - -`always_enable_captcha_challenge` - (Optional) Challenge rules can be used to selectively disable Captcha challenge or enable JavaScript challenge for some requests. (`Bool`). - - -`always_enable_js_challenge` - (Optional) Challenge rules can be used to selectively disable JavaScript challenge or enable Captcha challenge for some requests. (`Bool`). - - -`no_challenge` - (Optional) Challenge rules can be used to selectively enable JavaScript or Captcha challenge for some requests. (`Bool`). - - - - - -###### One of the arguments from this list "default_js_challenge_parameters, js_challenge_parameters" can be set - -`default_js_challenge_parameters` - (Optional) Use default parameters (`Bool`). - - -`js_challenge_parameters` - (Optional) Configure JavaScript challenge parameters. See [Js Challenge Parameters Choice Js Challenge Parameters ](#js-challenge-parameters-choice-js-challenge-parameters) below for details. 
- - - - - -###### One of the arguments from this list "default_mitigation_settings, malicious_user_mitigation" can be set - -`default_mitigation_settings` - (Optional) For high level, users will be temporarily blocked. (`Bool`). - - -`malicious_user_mitigation` - (Optional) Define the mitigation actions to be taken for different threat levels. See [ref](#ref) below for details. - - -`rule_list` - (Optional) list challenge rules to be used in policy based challenge. See [Policy Based Challenge Rule List ](#policy-based-challenge-rule-list) below for details. - - - - -###### One of the arguments from this list "temporary_user_blocking, default_temporary_blocking_parameters" can be set - -`default_temporary_blocking_parameters` - (Optional) Use default parameters (`Bool`).(Deprecated) - - -`temporary_user_blocking` - (Optional) Specifies configuration for temporary user blocking resulting from malicious user detection. See [Temporary Blocking Parameters Choice Temporary User Blocking ](#temporary-blocking-parameters-choice-temporary-user-blocking) below for details.(Deprecated) - - - - -### Choice Advertise On Public - - Advertise this load balancer on public network. - -`public_ip` - (Required) Dedicated Public IP, which is allocated by F5 Distributed Cloud on request, is used as a VIP.. See [ref](#ref) below for details. - - - -### Choice Consul Service - - Specify origin server with Hashi Corp Consul service name and site information. - - - -###### One of the arguments from this list "inside_network, outside_network" must be set - -`inside_network` - (Optional) Inside network on the site (`Bool`). - - -`outside_network` - (Optional) Outside network on the site (`Bool`). - - -`service_name` - (Required) cluster-id is optional. (`String`). - -`site_locator` - (Required) Site or Virtual site where this origin server is located. See [Consul Service Site Locator ](#consul-service-site-locator) below for details. 
- - - -### Choice Custom Endpoint Object - - Specify origin server with a reference to endpoint object. - -`endpoint` - (Required) Reference to an endpoint object. See [ref](#ref) below for details. - - - -### Choice Custom Route Object - - A custom route uses a route object created outside of this view.. - -`route_ref` - (Optional) Reference to a custom route object. See [ref](#ref) below for details. - - - -### Choice Custom Security - - Custom selection of TLS versions and cipher suites. - -`cipher_suites` - (Required) The TLS listener will only support the specified cipher list. (`String`). - -`max_version` - (Optional) Maximum TLS protocol version. (`String`). - -`min_version` - (Optional) Minimum TLS protocol version. (`String`). - - - -### Choice Default Security - - TLS v1.2+ with PFS ciphers and strong crypto algorithms.. - - - -### Choice Direct Response Route - - A direct response route matches on path and/or HTTP method and responds directly to the matching traffic. - -`headers` - (Optional) List of (key, value) headers. See [Direct Response Route Headers ](#direct-response-route-headers) below for details. - -`http_method` - (Optional) The name of the HTTP Method (GET, PUT, POST, etc) (`String`). - -`incoming_port` - (Optional) The port on which the request is received. See [Direct Response Route Incoming Port ](#direct-response-route-incoming-port) below for details. - -`path` - (Required) URI path of route. See [Direct Response Route Path ](#direct-response-route-path) below for details. - -`route_direct_response` - (Optional) Send direct response. See [Direct Response Route Route Direct Response ](#direct-response-route-route-direct-response) below for details. - - - -### Choice K8s Service - - Specify origin server with K8s service name and site information. - - - -###### One of the arguments from this list "inside_network, outside_network, vk8s_networks" must be set - -`inside_network` - (Optional) Inside network on the site (`Bool`). 
- - -`outside_network` - (Optional) Outside network on the site (`Bool`). - - -`vk8s_networks` - (Optional) origin server are on vK8s network on the site (`Bool`). - - - - -###### One of the arguments from this list "service_name, service_selector" must be set - -`service_name` - (Optional) Both namespace and cluster-id are optional. (`String`). - - -`service_selector` - (Optional) discovery has to happen. This implicit label is added to service_selector. See [Service Info Service Selector ](#service-info-service-selector) below for details.(Deprecated) - - -`site_locator` - (Required) Site or Virtual site where this origin server is located. See [K8s Service Site Locator ](#k8s-service-site-locator) below for details. - - - -### Choice Low Security - - TLS v1.0+ including non-PFS ciphers and weak crypto algorithms.. - - - -### Choice Medium Security - - TLS v1.0+ with PFS ciphers and medium strength crypto algorithms.. - - - -### Choice Private Ip - - Specify origin server with private or public IP address and site information. - - - -###### One of the arguments from this list "inside_network, outside_network, segment" must be set - -`inside_network` - (Optional) Inside network on the site (`Bool`). - - -`outside_network` - (Optional) Outside network on the site (`Bool`). - - -`segment` - (Optional) Segment where this origin server is located. See [ref](#ref) below for details. - - - - -###### One of the arguments from this list "ip, ipv6" must be set - -`ip` - (Optional) Private IPV4 address (`String`). - - -`ipv6` - (Optional) Private IPV6 address (`String`). - - -`site_locator` - (Required) Site or Virtual site where this origin server is located. See [Private Ip Site Locator ](#private-ip-site-locator) below for details. - - - -### Choice Private Name - - Specify origin server with private or public DNS name and site information. - -`dns_name` - (Required) DNS Name (`String`). 
- - - -###### One of the arguments from this list "inside_network, outside_network, segment" must be set - -`inside_network` - (Optional) Inside network on the site (`Bool`). - - -`outside_network` - (Optional) Outside network on the site (`Bool`). - - -`segment` - (Optional) Segment where this origin server is located. See [ref](#ref) below for details. - - -`refresh_interval` - (Optional) Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767 (`Int`). - -`site_locator` - (Required) Site or Virtual site where this origin server is located. See [Private Name Site Locator ](#private-name-site-locator) below for details. - - - -### Choice Public Ip - - Specify origin server with public IP. - - - -###### One of the arguments from this list "ip, ipv6" must be set - -`ip` - (Optional) Public IPV4 address (`String`). - - -`ipv6` - (Optional) Public IPV6 address (`String`). - - - - -### Choice Public Name - - Specify origin server with public DNS name. - -`dns_name` - (Required) DNS Name (`String`). - -`refresh_interval` - (Optional) Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767 (`Int`). - - - -### Choice Redirect Route - - A redirect route matches on path and/or HTTP method and redirects the matching traffic to a different URL. - -`headers` - (Optional) List of (key, value) headers. See [Redirect Route Headers ](#redirect-route-headers) below for details. - -`http_method` - (Optional) The name of the HTTP Method (GET, PUT, POST, etc) (`String`). - -`incoming_port` - (Optional) The port on which the request is received. See [Redirect Route Incoming Port ](#redirect-route-incoming-port) below for details. - -`path` - (Required) URI path of route. See [Redirect Route Path ](#redirect-route-path) below for details. - -`route_redirect` - (Optional) Send redirect response. See [Redirect Route Route Redirect ](#redirect-route-route-redirect) below for details. 
- - - -### Choice Simple Route - - A simple route matches on path and/or HTTP method and forwards the matching traffic to the associated pools. - -`advanced_options` - (Optional) Configure Advanced per route options. See [Simple Route Advanced Options ](#simple-route-advanced-options) below for details. - -`headers` - (Optional) List of (key, value) headers. See [Simple Route Headers ](#simple-route-headers) below for details. - - - -###### One of the arguments from this list "auto_host_rewrite, host_rewrite, disable_host_rewrite" must be set - -`auto_host_rewrite` - (Optional) Host header will be swapped with hostname of upstream host chosen by the cluster (`Bool`). - - -`disable_host_rewrite` - (Optional) Host header is not modified (`Bool`). - - -`host_rewrite` - (Optional) Host header will be swapped with this value (`String`). - - -`http_method` - (Optional) The name of the HTTP Method (GET, PUT, POST, etc) (`String`). - -`incoming_port` - (Optional) The port on which the request is received. See [Simple Route Incoming Port ](#simple-route-incoming-port) below for details. - -`origin_pools` - (Required) Origin Pools for this route. See [Simple Route Origin Pools ](#simple-route-origin-pools) below for details. - -`path` - (Required) URI path of route. See [Simple Route Path ](#simple-route-path) below for details. - - - -### Choice Site - - Advertise on a customer site and a given network.. - -`ip` - (Optional) Use given IP address as VIP on the site (`String`). - -`ipv6` - (Optional) Use given IPv6 address as VIP on the site (`String`). - -`network` - (Required) By default VIP chosen as ip address of primary network interface in the network (`String`). - -`site` - (Required) Reference to site object. See [ref](#ref) below for details. - - - -### Choice Site Segment - - Advertise on a segment on a site. - -`ip` - (Required) Use given IP address as VIP on the site (`String`). - -`ipv6` - (Optional) Use given IPv6 address as VIP on the site (`String`). 
- -`segment` - (Required) x-required. See [ref](#ref) below for details. - -`site` - (Required) x-required. See [ref](#ref) below for details. - - - -### Choice Virtual Network - - Advertise on a virtual network. - - - - -###### One of the arguments from this list "specific_v6_vip, default_v6_vip" can be set - -`default_v6_vip` - (Optional) Use the default VIP, system allocated or configured in the virtual network (`Bool`). - - -`specific_v6_vip` - (Optional) Use given IPV6 address as VIP on virtual Network (`String`). - - - - - -###### One of the arguments from this list "default_vip, specific_vip" can be set - -`default_vip` - (Optional) Use the default VIP, system allocated or configured in the virtual network (`Bool`). - - -`specific_vip` - (Optional) Use given IPV4 address as VIP on virtual Network (`String`). - - -`virtual_network` - (Required) Select network reference. See [ref](#ref) below for details. - - - -### Choice Virtual Site - - Advertise on a customer virtual site and a given network.. - -`network` - (Required) IP address of primary network interface in the network (`String`). - -`virtual_site` - (Required) Reference to virtual site object. See [ref](#ref) below for details. - - - -### Choice Virtual Site With Vip - - Advertise on a customer virtual site and a given network and IP.. - -`ip` - (Optional) Use given IP address as VIP on the site (`String`). - -`ipv6` - (Optional) Use given IPv6 address as VIP on the site (`String`). - -`network` - (Required) IP address of primary network interface in the network (`String`). - -`virtual_site` - (Required) Reference to virtual site object. See [ref](#ref) below for details. - - - -### Choice Vk8s Service - - Advertise on vK8s Service Network on RE.. - - - -###### One of the arguments from this list "site, virtual_site" must be set - -`site` - (Optional) Reference to site object. See [ref](#ref) below for details. - - -`virtual_site` - (Optional) Reference to virtual site object. 
See [ref](#ref) below for details. - - - - -### Choice Vn Private Ip - - Specify origin server IP address on virtual network other than inside or outside network. - -`virtual_network` - (Required) Virtual Network where this IP will be present. See [ref](#ref) below for details. - - - -###### One of the arguments from this list "ip, ipv6" must be set - -`ip` - (Optional) IPV4 address (`String`). - - -`ipv6` - (Optional) IPV6 address (`String`). - - - - -### Choice Vn Private Name - - Specify origin server name on virtual network other than inside or outside network. - -`dns_name` - (Required) DNS Name (`String`). - -`private_network` - (Required) Virtual Network where this Name will be present. See [ref](#ref) below for details. - - - -### Circuit Breaker Choice Circuit Breaker - - allows to apply back pressure on downstream quickly.. - -`connection_limit` - (Optional) Remove endpoint out of load balancing decision, if number of connections reach connection limit. (`Int`). - -`max_requests` - (Optional) Remove endpoint out of load balancing decision, if requests exceed this count. (`Int`). - -`pending_requests` - (Optional) Remove endpoint out of load balancing decision, if pending request reach pending_request. (`Int`). - -`priority` - (Optional) matched with priority of CircuitBreaker to select the CircuitBreaker (`String`). - -`retries` - (Optional) Remove endpoint out of load balancing decision, if retries for request exceed this count. (`Int`). - - - -### Circuit Breaker Choice Default Circuit Breaker - - requests are 1024 and the default value for retries is 3. - - - -### Circuit Breaker Choice Disable Circuit Breaker - - Circuit Breaker is disabled. - - - -### Client Choice Any Client - - Any Client. - - - -### Client Choice Client Name Matcher - -client_name_matcher. - -`exact_values` - (Optional) A list of exact values to match the input against. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). 
- -`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - - - -### Client Choice Client Selector - - The predicate evaluates to true if the expressions in the label selector are true for the client labels.. - -`expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). - - - -### Client Choice Ip Threat Category List - - IP threat categories to choose from. - -`ip_threat_categories` - (Required) The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions (`List of Strings`). - - - -### Client Matcher Tls Fingerprint Matcher - - The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. - -`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). - -`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). - -`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). - - - -### Client Side Defense Policy - - Please ensure that the same domains are configured in the Client-Side Defense configuration.. - - - -###### One of the arguments from this list "js_insertion_rules, disable_js_insert, js_insert_all_pages, js_insert_all_pages_except" must be set - -`disable_js_insert` - (Optional) Disable JavaScript insertion. (`Bool`). - - -`js_insert_all_pages` - (Optional) Insert Client-Side Defense JavaScript in all pages. (`Bool`). - - -`js_insert_all_pages_except` - (Optional) Insert Client-Side Defense JavaScript in all pages with the exceptions.. See [Java Script Choice Js Insert All Pages Except ](#java-script-choice-js-insert-all-pages-except) below for details. 
- - -`js_insertion_rules` - (Optional) Specify custom JavaScript insertion rules.. See [Java Script Choice Js Insertion Rules ](#java-script-choice-js-insertion-rules) below for details. - - - - -### Client Side Defense Choice Client Side Defense - - Client-Side Defense configuration for JavaScript insertion. - -`policy` - (Required) Please ensure that the same domains are configured in the Client-Side Defense configuration.. See [Client Side Defense Policy ](#client-side-defense-policy) below for details. - - - -### Client Source Choice Http Header - - Request header name and value pairs. - -`headers` - (Required) List of HTTP header name and value pairs. See [Http Header Headers ](#http-header-headers) below for details. - - - -### Cluster Retract Choice Do Not Retract Cluster - - configuration.. - - - -### Cluster Retract Choice Retract Cluster - - for route. - - - -### Condition Type Choice Api Endpoint - - The API endpoint (Path + Method) which this validation applies to. - -`methods` - (Optional) Methods to be matched (`List of Strings`). - -`path` - (Required) Path to be matched (`String`). - - - -### Consul Service Site Locator - - Site or Virtual site where this origin server is located. - - - -###### One of the arguments from this list "site, virtual_site" must be set - -`site` - (Optional) Reference to site object. See [ref](#ref) below for details. - - -`virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. - - - - -### Cookie Tampering Disable Tampering Protection - - x-displayName: "Disable". - - - -### Cookie Tampering Enable Tampering Protection - - x-displayName: "Enable". - - - -### Cors Support Choice Disable Cors Support - - protect against Bot Attacks.. - - - -### Cors Support Choice Enable Cors Support - - Allows Bot Defense to work with your existing CORS policies.. - - - -### Count By Choice Use Http Lb User Id - - Defined in HTTP-LB Security Configuration -> User Identifier.. 
- - - -### Crl Choice No Crl - - Client certificate revocation status is not verified. - - - -### Custom Sensitive Data Detection Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Custom Sensitive Data Detection Rules Sensitive Data Detection Config - - The custom data detection config specifies targets, scopes & the pattern to be detected.. - - - -###### One of the arguments from this list "specific_domain, any_domain" must be set - -`any_domain` - (Optional) The rule will apply for all domains. (`Bool`).(Deprecated) - - -`specific_domain` - (Optional) For example: api.example.com (`String`).(Deprecated) - - - - -###### One of the arguments from this list "value_pattern, key_value_pattern, key_pattern" must be set - -`key_pattern` - (Optional) Search for pattern across all field names in the specified sections.. See [Pattern Choice Key Pattern ](#pattern-choice-key-pattern) below for details. - - -`key_value_pattern` - (Optional) Search for specific field and value patterns in the specified sections.. See [Pattern Choice Key Value Pattern ](#pattern-choice-key-value-pattern) below for details. - - -`value_pattern` - (Optional) Search for pattern across all field values in the specified sections.. See [Pattern Choice Value Pattern ](#pattern-choice-value-pattern) below for details. - - - - -###### One of the arguments from this list "all_sections, all_request_sections, all_response_sections, custom_sections" must be set - -`all_request_sections` - (Optional) x-displayName: "All Request" (`Bool`). - - -`all_response_sections` - (Optional) x-displayName: "All Response" (`Bool`). 
- - -`all_sections` - (Optional) x-displayName: "All Request & Response" (`Bool`). - - -`custom_sections` - (Optional) x-displayName: "Custom Sections". See [Section Choice Custom Sections ](#section-choice-custom-sections) below for details. - - - - -###### One of the arguments from this list "base_path, api_group, any_target, api_endpoint_target" must be set - -`any_target` - (Optional) The rule will be applied for all requests on this LB. (`Bool`). - - -`api_endpoint_target` - (Optional) The rule is applied only for the specified api endpoints.. See [Target Choice Api Endpoint Target ](#target-choice-api-endpoint-target) below for details. - - -`api_group` - (Optional) Custom groups can be created if user tags paths or operations with "x-volterra-api-group" extensions inside swaggers. (`String`).(Deprecated) - - -`base_path` - (Optional) The rule is applied only for the requests matching the specified base path. (`String`).(Deprecated) - - - - -### Custom Sensitive Data Detection Rules Sensitive Data Type - - If the pattern is detected, the request is labeled with specified sensitive data type.. - -`type` - (Required) The request is labeled as specified sensitive data type. (`String`). - - - -### Data Guard Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Data Guard Rules Path - - URI path matcher.. - - - -###### One of the arguments from this list "prefix, path, regex" must be set - -`path` - (Optional) Exact path value to match (`String`). - - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. 
the value .* will match on all paths) (`String`). - - - - -### Ddos Client Source Asn List - - The ASN is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.. - -`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). - - - -### Ddos Client Source Tls Fingerprint Matcher - - The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. - -`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). - -`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). - -`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). - - - -### Ddos Mitigation Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Default Lb Choice Default Loadbalancer - - x-displayName: "Yes". - - - -### Default Lb Choice Non Default Loadbalancer - - x-displayName: "No". - - - -### Default Pool Advanced Options - - Advanced options configuration like timeouts, circuit breaker, subset load balancing. - - - -###### One of the arguments from this list "default_circuit_breaker, disable_circuit_breaker, circuit_breaker" must be set - -`circuit_breaker` - (Optional) allows to apply back pressure on downstream quickly.. 
See [Circuit Breaker Choice Circuit Breaker ](#circuit-breaker-choice-circuit-breaker) below for details. - - -`default_circuit_breaker` - (Optional) requests are 1024 and the default value for retries is 3 (`Bool`). - - -`disable_circuit_breaker` - (Optional) Circuit Breaker is disabled (`Bool`). - - -`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2 seconds (`Int`). - -`header_transformation_type` - (Optional) Settings to normalize the headers of upstream requests.. See [Advanced Options Header Transformation Type ](#advanced-options-header-transformation-type) below for details.(Deprecated) - -`http_idle_timeout` - (Optional) This is specified in milliseconds. The default value is 5 minutes. (`Int`). - - - -###### One of the arguments from this list "http1_config, http2_options, auto_http_config" must be set - -`auto_http_config` - (Optional) and will use whichever protocol is negotiated by ALPN with the upstream. (`Bool`). - - -`http1_config` - (Optional) Enable HTTP/1.1 for upstream connections. See [Http Protocol Type Http1 Config ](#http-protocol-type-http1-config) below for details. - - -`http2_options` - (Optional) Enable HTTP/2 for upstream connections.. See [Http Protocol Type Http2 Options ](#http-protocol-type-http2-options) below for details. - - - - - -###### One of the arguments from this list "enable_lb_source_ip_persistance, disable_lb_source_ip_persistance" can be set - -`disable_lb_source_ip_persistance` - (Optional) Disable LB source IP persistence (`Bool`). - - -`enable_lb_source_ip_persistance` - (Optional) Enable LB source IP persistence (`Bool`). - - - - -###### One of the arguments from this list "disable_outlier_detection, outlier_detection" must be set - -`disable_outlier_detection` - (Optional) Outlier detection is disabled (`Bool`). - - -`outlier_detection` - (Optional) healthy load balancing set. Outlier detection is a form of passive health checking.. 
See [Outlier Detection Choice Outlier Detection ](#outlier-detection-choice-outlier-detection) below for details. - - - - -###### One of the arguments from this list "no_panic_threshold, panic_threshold" must be set - -`no_panic_threshold` - (Optional) Disable panic threshold. Only healthy endpoints are considered for load balancing. (`Bool`). - - -`panic_threshold` - (Optional) all endpoints will be considered for load balancing ignoring its health status. (`Int`). - - - - - -###### One of the arguments from this list "disable_proxy_protocol, proxy_protocol_v1, proxy_protocol_v2" can be set - -`disable_proxy_protocol` - (Optional) Disable Proxy Protocol for upstream connections (`Bool`). - - -`proxy_protocol_v1` - (Optional) Enable Proxy Protocol Version 1 for upstream connections (`Bool`). - - -`proxy_protocol_v2` - (Optional) Enable Proxy Protocol Version 2 for upstream connections (`Bool`). - - - - -###### One of the arguments from this list "disable_subsets, enable_subsets" must be set - -`disable_subsets` - (Optional) Subset load balancing is disabled. All eligible origin servers will be considered for load balancing. (`Bool`). - - -`enable_subsets` - (Optional) Subset load balancing is enabled. Based on route, subset of origin servers will be considered for load balancing.. See [Subset Choice Enable Subsets ](#subset-choice-enable-subsets) below for details. - - - - -### Default Pool Origin Servers - - List of origin servers in this pool. - - - -###### One of the arguments from this list "public_ip, public_name, consul_service, vn_private_ip, vn_private_name, private_ip, private_name, k8s_service, custom_endpoint_object" must be set - -`consul_service` - (Optional) Specify origin server with Hashi Corp Consul service name and site information. See [Choice Consul Service ](#choice-consul-service) below for details. - - -`custom_endpoint_object` - (Optional) Specify origin server with a reference to endpoint object. 
See [Choice Custom Endpoint Object ](#choice-custom-endpoint-object) below for details. - - -`k8s_service` - (Optional) Specify origin server with K8s service name and site information. See [Choice K8s Service ](#choice-k8s-service) below for details. - - -`private_ip` - (Optional) Specify origin server with private or public IP address and site information. See [Choice Private Ip ](#choice-private-ip) below for details. - - -`private_name` - (Optional) Specify origin server with private or public DNS name and site information. See [Choice Private Name ](#choice-private-name) below for details. - - -`public_ip` - (Optional) Specify origin server with public IP. See [Choice Public Ip ](#choice-public-ip) below for details. - - -`public_name` - (Optional) Specify origin server with public DNS name. See [Choice Public Name ](#choice-public-name) below for details. - - -`vn_private_ip` - (Optional) Specify origin server IP address on virtual network other than inside or outside network. See [Choice Vn Private Ip ](#choice-vn-private-ip) below for details. - - -`vn_private_name` - (Optional) Specify origin server name on virtual network other than inside or outside network. See [Choice Vn Private Name ](#choice-vn-private-name) below for details. - - -`labels` - (Optional) Add Labels for this origin server, these labels can be used to form subset. (`String`). - - - -### Default Pool List Pools - - List of Origin Pools. - -`endpoint_subsets` - (Optional) upstream origin pool which match this metadata will be selected for load balancing (`String`). - - - -###### One of the arguments from this list "pool, cluster" must be set - -`cluster` - (Optional) More flexible, advanced feature control with cluster. See [ref](#ref) below for details. - - -`pool` - (Optional) Simple, commonly used pool parameters with origin pool. See [ref](#ref) below for details. - - -`priority` - (Optional) made active as per the increasing priority. (`Int`). 
- -`weight` - (Optional) Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool (`Int`). - - - -### Destination Type Any Url - - Any URL . - - - -### Destination Type Api Endpoint - - The endpoint (path) of the request.. - -`methods` - (Optional) Methods to be matched (`List of Strings`). - -`path` - (Required) Path to be matched (`String`). - - - -### Destination Type Api Groups - - Validation will be performed for the endpoints mentioned in the API Groups. - -`api_groups` - (Required) x-required (`String`). - - - -### Direct Response Route Headers - - List of (key, value) headers. - -`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). - -`name` - (Required) Name of the header (`String`). - - - - -###### One of the arguments from this list "exact, regex, presence" can be set - -`exact` - (Optional) Header value to match exactly (`String`). - - -`presence` - (Optional) If true, check for presence of header (`Bool`). - - -`regex` - (Optional) Regex match of the header value in re2 format (`String`). - - - - -### Direct Response Route Incoming Port - - The port on which the request is received. - - - - -###### One of the arguments from this list "port, port_ranges, no_port_match" can be set - -`no_port_match` - (Optional) Disable matching of ports (`Bool`). - - -`port` - (Optional) Exact Port to match (`Int`). - - -`port_ranges` - (Optional) Port range to match (`String`). - - - - -### Direct Response Route Path - - URI path of route. - - - -###### One of the arguments from this list "prefix, path, regex" must be set - -`path` - (Optional) Exact path value to match (`String`). - - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). 
- - - - -### Direct Response Route Route Direct Response - - Send direct response. - -`response_body` - (Optional) response body to send (`String`). - -`response_code` - (Optional) response code to send (`Int`). - - - -### Domain Choice Any Domain - - The rule will apply for all domains.. - - - -### Domain Matcher Choice Any Domain - - Any Domain.. - - - -### Domain Matcher Choice Domain - - Domain matcher.. - - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set - -`exact_value` - (Optional) Exact domain name. (`String`). - - -`regex_value` - (Optional) Regular Expression value for the domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - - - -### Enable Api Discovery Discovered Api Settings - - Configure Discovered API Settings.. - -`purge_duration_for_inactive_discovered_apis` - (Optional) Inactive discovered API will be deleted after configured duration. (`Int`). - - - -### Enable Api Discovery Sensitive Data Detection Rules - - Manage rules to detect sensitive data in requests and/or response sections.. - -`custom_sensitive_data_detection_rules` - (Optional) Rules to detect custom sensitive data in requests and/or responses sections.. See [Sensitive Data Detection Rules Custom Sensitive Data Detection Rules ](#sensitive-data-detection-rules-custom-sensitive-data-detection-rules) below for details. - -`disabled_built_in_rules` - (Optional) List of disabled built-in sensitive data detection rules.. See [Sensitive Data Detection Rules Disabled Built In Rules ](#sensitive-data-detection-rules-disabled-built-in-rules) below for details. - - - -### Enable Discovery Discovered Api Settings - - Configure Discovered API Settings.. - -`purge_duration_for_inactive_discovered_apis` - (Optional) Inactive discovered API will be deleted after configured duration. (`Int`). 
- - - -### Enable Discovery Sensitive Data Detection Rules - - Manage rules to detect sensitive data in requests and/or response sections.. - -`custom_sensitive_data_detection_rules` - (Optional) Rules to detect custom sensitive data in requests and/or responses sections.. See [Sensitive Data Detection Rules Custom Sensitive Data Detection Rules ](#sensitive-data-detection-rules-custom-sensitive-data-detection-rules) below for details. - -`disabled_built_in_rules` - (Optional) List of disabled built-in sensitive data detection rules.. See [Sensitive Data Detection Rules Disabled Built In Rules ](#sensitive-data-detection-rules-disabled-built-in-rules) below for details. - - - -### Enable Subsets Endpoint Subsets - - List of subset class. Subsets class is defined using list of keys. Every unique combination of values of these keys form a subset withing the class.. - -`keys` - (Required) List of keys that define a cluster subset class. (`String`). - - - -### Exclude List Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Exclude List Path - - URI path matcher.. - - - -###### One of the arguments from this list "prefix, path, regex" must be set - -`path` - (Optional) Exact path value to match (`String`). - - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - - - - -### Fail Configuration Fail Close - - Handle the transaction as it failed the OpenAPI specification validation (Block or Report). 
- - - -### Fail Configuration Fail Open - - Continue to process the transaction without enforcing OpenAPI specification (Allow). - - - -### Fall Through Mode Choice Fall Through Mode Allow - - Allow any unprotected end point. - - - -### Fall Through Mode Choice Fall Through Mode Custom - - Custom rules for any unprotected end point. - -`open_api_validation_rules` - (Required) x-displayName: "Custom Fall Through Rule List". See [Fall Through Mode Custom Open Api Validation Rules ](#fall-through-mode-custom-open-api-validation-rules) below for details. - - - -### Fall Through Mode Custom Open Api Validation Rules - - x-displayName: "Custom Fall Through Rule List". - - - -###### One of the arguments from this list "action_skip, action_report, action_block" must be set - -`action_block` - (Optional) Block the request and issue an API security event (`Bool`). - - -`action_report` - (Optional) Continue processing the request and issue an API security event (`Bool`). - - -`action_skip` - (Optional) Continue processing the request (`Bool`). - - - - -###### One of the arguments from this list "base_path, api_group, api_endpoint" must be set - -`api_endpoint` - (Optional) The API endpoint (Path + Method) which this validation applies to. See [Condition Type Choice Api Endpoint ](#condition-type-choice-api-endpoint) below for details. - - -`api_group` - (Optional) The API group which this validation applies to (`String`). - - -`base_path` - (Optional) The base path which this validation applies to (`String`). - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Open Api Validation Rules Metadata ](#open-api-validation-rules-metadata) below for details. - - - -### Fallback Policy Choice Any Endpoint - - Select any origin server from available healthy origin servers in this pool. - - - -### Fallback Policy Choice Default Subset - - Use the default subset provided here. Select endpoints matching default subset.. 
- -`default_subset` - (Optional) which gets used when route specifies no metadata or no subset matching the metadata exists. (`String`). - - - -### Fallback Policy Choice Fail Request - - Request will be failed and error returned, as if cluster has no origin servers.. - - - -### Flow Label Choice Account Management - - x-displayName: "Account Management". - - - -###### One of the arguments from this list "create, password_reset" must be set - -`create` - (Optional) x-displayName: "Account Creation" (`Bool`). - - -`password_reset` - (Optional) x-displayName: "Password Reset" (`Bool`). - - - - -### Flow Label Choice Authentication - - x-displayName: "Authentication". - - - -###### One of the arguments from this list "logout, token_refresh, login, login_mfa, login_partner" must be set - -`login` - (Optional) x-displayName: "Login". See [Label Choice Login ](#label-choice-login) below for details. - - -`login_mfa` - (Optional) x-displayName: "Login MFA" (`Bool`). - - -`login_partner` - (Optional) x-displayName: "Login for a Channel Partner" (`Bool`). - - -`logout` - (Optional) x-displayName: "Logout" (`Bool`). - - -`token_refresh` - (Optional) x-displayName: "Token Refresh" (`Bool`). - - - - -### Flow Label Choice Financial Services - - x-displayName: "Financial Services". - - - -###### One of the arguments from this list "apply, money_transfer" must be set - -`apply` - (Optional) x-displayName: "Apply for a Financial Service Account (e.g., credit card, banking, retirement account)" (`Bool`). - - -`money_transfer` - (Optional) x-displayName: "Money Transfer" (`Bool`). - - - - -### Flow Label Choice Flight - - x-displayName: "Flight". - - - -###### One of the arguments from this list "checkin" must be set - -`checkin` - (Optional) x-displayName: "Check into Flight" (`Bool`). - - - - -### Flow Label Choice Flow Label - - x-displayName: "Specify Endpoint label category". 
- - - -###### One of the arguments from this list "flight, authentication, account_management, profile_management, shopping_gift_cards, financial_services, search" must be set - -`account_management` - (Optional) x-displayName: "Account Management". See [Flow Label Choice Account Management ](#flow-label-choice-account-management) below for details. - - -`authentication` - (Optional) x-displayName: "Authentication". See [Flow Label Choice Authentication ](#flow-label-choice-authentication) below for details. - - -`financial_services` - (Optional) x-displayName: "Financial Services". See [Flow Label Choice Financial Services ](#flow-label-choice-financial-services) below for details. - - -`flight` - (Optional) x-displayName: "Flight". See [Flow Label Choice Flight ](#flow-label-choice-flight) below for details. - - -`profile_management` - (Optional) x-displayName: "Profile Management". See [Flow Label Choice Profile Management ](#flow-label-choice-profile-management) below for details. - - -`search` - (Optional) x-displayName: "Search". See [Flow Label Choice Search ](#flow-label-choice-search) below for details. - - -`shopping_gift_cards` - (Optional) x-displayName: "Shopping & Gift Cards". See [Flow Label Choice Shopping Gift Cards ](#flow-label-choice-shopping-gift-cards) below for details. - - - - -### Flow Label Choice Profile Management - - x-displayName: "Profile Management". - - - -###### One of the arguments from this list "create, update, view" must be set - -`create` - (Optional) x-displayName: "Profile Creation" (`Bool`). - - -`update` - (Optional) x-displayName: "Profile Update" (`Bool`). - - -`view` - (Optional) x-displayName: "Profile View" (`Bool`). - - - - -### Flow Label Choice Search - - x-displayName: "Search". - - - - -###### One of the arguments from this list "flight_search, product_search, room_search, reservation_search" can be set - -`flight_search` - (Optional) x-displayName: "Flight Search" (`Bool`). 
- - -`product_search` - (Optional) x-displayName: "Product Search" (`Bool`). - - -`reservation_search` - (Optional) x-displayName: "Reservation Search (e.g., sporting events, concerts)" (`Bool`). - - -`room_search` - (Optional) x-displayName: "Room Search" (`Bool`). - - - - -### Flow Label Choice Shopping Gift Cards - - x-displayName: "Shopping & Gift Cards". - - - - -###### One of the arguments from this list "shop_make_payment, shop_purchase_gift_card, shop_add_to_cart, shop_promo_code_validation, shop_price_inquiry, shop_update_quantity, shop_choose_seat, shop_enter_drawing_submission, gift_card_validation, gift_card_make_purchase_with_gift_card, shop_checkout, shop_order" can be set - -`gift_card_make_purchase_with_gift_card` - (Optional) x-displayName: "Purchase with Gift Card" (`Bool`). - - -`gift_card_validation` - (Optional) x-displayName: "Gift Card Validation" (`Bool`). - - -`shop_add_to_cart` - (Optional) x-displayName: "Add to Cart" (`Bool`). - - -`shop_checkout` - (Optional) x-displayName: "Checkout" (`Bool`). - - -`shop_choose_seat` - (Optional) x-displayName: "Select Seat(s)" (`Bool`). - - -`shop_enter_drawing_submission` - (Optional) x-displayName: "Enter Drawing Submission" (`Bool`). - - -`shop_make_payment` - (Optional) x-displayName: "Payment / Billing" (`Bool`). - - -`shop_order` - (Optional) x-displayName: "Order Submit" (`Bool`). - - -`shop_price_inquiry` - (Optional) x-displayName: "Price Inquiry" (`Bool`). - - -`shop_promo_code_validation` - (Optional) x-displayName: "Promo Code Validation" (`Bool`). - - -`shop_purchase_gift_card` - (Optional) x-displayName: "Purchase a Gift Card" (`Bool`). - - -`shop_update_quantity` - (Optional) x-displayName: "Update Quantity" (`Bool`). - - - - -### Flow Label Choice Undefined Flow Label - - x-displayName: "Undefined". - - - -### Goodbot Choice Allow Good Bots - - System flags Good Bot traffic and allow it to continue to the origin. 
- - - -### Goodbot Choice Mitigate Good Bots - - System flags Good Bot Traffic, but mitigation is handled in the same manner as malicious automated traffic defined above. - - - -### Graphql Rules Graphql Settings - - GraphQL configuration.. - - - -###### One of the arguments from this list "disable_introspection, enable_introspection" must be set - -`disable_introspection` - (Optional) Disable introspection queries for the load balancer. (`Bool`). - - -`enable_introspection` - (Optional) Enable introspection queries for the load balancer. (`Bool`). - - -`max_batched_queries` - (Required) Specify maximum number of queries in a single batched request. (`Int`). - -`max_depth` - (Required) Specify maximum depth for the GraphQL query. (`Int`). - -`max_total_length` - (Required) Specify maximum length in bytes for the GraphQL query. (`Int`). - -`max_value_length` - (Required) Specify maximum value length in bytes for the GraphQL query. (`Int`).(Deprecated) - -`policy_name` - (Optional) Sets the BD Policy to use (`String`).(Deprecated) - - - -### Graphql Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Hash Policy Choice Common Hash Policy - - Use load balancer hash policy for this route. - - - -### Hash Policy Choice Cookie Stickiness - - Consistent hashing algorithm, ring hash, is used to select origin server. - - - - -###### One of the arguments from this list "ignore_httponly, add_httponly" can be set - -`add_httponly` - (Optional) Add httponly attribute (`Bool`). - - -`ignore_httponly` - (Optional) Ignore httponly attribute (`Bool`). - - -`name` - (Required) produced (`String`). 
- -`path` - (Optional) will be set for the cookie (`String`). - - - - -###### One of the arguments from this list "ignore_samesite, samesite_strict, samesite_lax, samesite_none" can be set - -`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). - - -`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). - - -`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). - - -`samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). - - - - - -###### One of the arguments from this list "ignore_secure, add_secure" can be set - -`add_secure` - (Optional) Add secure attribute (`Bool`). - - -`ignore_secure` - (Optional) Ignore secure attribute (`Bool`). - - -`ttl` - (Optional) be a session cookie. TTL value is in milliseconds (`Int`). - - - -### Hash Policy Choice Ring Hash - - Request are sent to all eligible origin servers using hash of request based on hash policy. Consistent hashing algorithm, ring hash, is used to select origin server. - -`hash_policy` - (Required) route the request. See [Ring Hash Hash Policy ](#ring-hash-hash-policy) below for details. - - - -### Hash Policy Choice Specific Hash Policy - - Configure hash policy specific for this route. - -`hash_policy` - (Required) route the request. See [Specific Hash Policy Hash Policy ](#specific-hash-policy-hash-policy) below for details. - - - -### Header Transformation Choice Default Header Transformation - - Normalize the headers to lower case. - - - -### Header Transformation Choice Legacy Header Transformation - - Use old header transformation if configured earlier. - - - -### Header Transformation Choice Preserve Case Header Transformation - - Preserves the original case of headers without any modifications.. 
- - - -### Header Transformation Choice Proper Case Header Transformation - - For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are”. - - - -### Health Check Port Choice Same As Endpoint Port - - Health check is performed on endpoint port itself. - - - -### Host Rewrite Params Auto Host Rewrite - - Host header will be swapped with hostname of upstream host chosen by the cluster. - - - -### Host Rewrite Params Disable Host Rewrite - - Host header is not modified. - - - -### Http1 Config Header Transformation - - the stateful formatter will take effect, and the stateless formatter will be disregarded.. - - - -###### One of the arguments from this list "legacy_header_transformation, default_header_transformation, proper_case_header_transformation, preserve_case_header_transformation" must be set - -`default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). - - -`legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). - - -`preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). - - -`proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). - - - - -### Http Header Headers - - List of HTTP header name and value pairs. - -`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). - -`name` - (Required) Name of the header (`String`). - - - - -###### One of the arguments from this list "exact, regex, presence" can be set - -`exact` - (Optional) Header value to match exactly (`String`). - - -`presence` - (Optional) If true, check for presence of header (`Bool`). - - -`regex` - (Optional) Regex match of the header value in re2 format (`String`). 
- - - - -### Http Protocol Choice Http Protocol Enable V1 Only - - Enable HTTP/1.1 for downstream connections. - -`header_transformation` - (Optional) the stateful formatter will take effect, and the stateless formatter will be disregarded.. See [Http Protocol Enable V1 Only Header Transformation ](#http-protocol-enable-v1-only-header-transformation) below for details. - - - -### Http Protocol Choice Http Protocol Enable V1 V2 - - Enable both HTTP/1.1 and HTTP/2 for downstream connections. - - - -### Http Protocol Choice Http Protocol Enable V2 Only - - Enable HTTP/2 for downstream connections. - - - -### Http Protocol Enable V1 Only Header Transformation - - the stateful formatter will take effect, and the stateless formatter will be disregarded.. - - - -###### One of the arguments from this list "legacy_header_transformation, default_header_transformation, proper_case_header_transformation, preserve_case_header_transformation" must be set - -`default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). - - -`legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). - - -`preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). - - -`proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). - - - - -### Http Protocol Type Auto Http Config - - and will use whichever protocol is negotiated by ALPN with the upstream.. - - - -### Http Protocol Type Http1 Config - - Enable HTTP/1.1 for upstream connections. - -`header_transformation` - (Optional) the stateful formatter will take effect, and the stateless formatter will be disregarded.. See [Http1 Config Header Transformation ](#http1-config-header-transformation) below for details. - - - -### Http Protocol Type Http2 Options - - Enable HTTP/2 for upstream connections.. 
- -`enabled` - (Optional) Enable/disable HTTP2 Protocol for upstream connections (`Bool`). - - - -### Httponly Add Httponly - - Add httponly attribute. - - - -### Httponly Ignore Httponly - - Ignore httponly attribute. - - - -### Https Header Transformation Type - - Header transformation options for response headers to the client. - - - -###### One of the arguments from this list "legacy_header_transformation, default_header_transformation, proper_case_header_transformation, preserve_case_header_transformation" must be set - -`default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). - - -`legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). - - -`preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). - - -`proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). - - - - -### Https Http Protocol Options - - HTTP protocol configuration options for downstream connections.. - - - -###### One of the arguments from this list "http_protocol_enable_v1_only, http_protocol_enable_v2_only, http_protocol_enable_v1_v2" must be set - -`http_protocol_enable_v1_only` - (Optional) Enable HTTP/1.1 for downstream connections. See [Http Protocol Choice Http Protocol Enable V1 Only ](#http-protocol-choice-http-protocol-enable-v1-only) below for details. - - -`http_protocol_enable_v1_v2` - (Optional) Enable both HTTP/1.1 and HTTP/2 for downstream connections (`Bool`). - - -`http_protocol_enable_v2_only` - (Optional) Enable HTTP/2 for downstream connections (`Bool`). - - - - -### Https Auto Cert Header Transformation Type - - Header transformation options for response headers to the client. 
- - - -###### One of the arguments from this list "default_header_transformation, proper_case_header_transformation, preserve_case_header_transformation, legacy_header_transformation" must be set - -`default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). - - -`legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). - - -`preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). - - -`proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). - - - - -### Https Auto Cert Http Protocol Options - - HTTP protocol configuration options for downstream connections.. - - - -###### One of the arguments from this list "http_protocol_enable_v1_only, http_protocol_enable_v2_only, http_protocol_enable_v1_v2" must be set - -`http_protocol_enable_v1_only` - (Optional) Enable HTTP/1.1 for downstream connections. See [Http Protocol Choice Http Protocol Enable V1 Only ](#http-protocol-choice-http-protocol-enable-v1-only) below for details. - - -`http_protocol_enable_v1_v2` - (Optional) Enable both HTTP/1.1 and HTTP/2 for downstream connections (`Bool`). - - -`http_protocol_enable_v2_only` - (Optional) Enable HTTP/2 for downstream connections (`Bool`). - - - - -### Https Auto Cert Tls Config - - Configuration of TLS settings such as min/max TLS version and ciphersuites. - - - -###### One of the arguments from this list "default_security, medium_security, low_security, custom_security" must be set - -`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - - -`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). 
- - -`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - - -`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). - - - - -### Ip Allowed List Choice Bypass Rate Limiting Rules - - This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. - -`bypass_rate_limiting_rules` - (Optional) This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.. See [Bypass Rate Limiting Rules Bypass Rate Limiting Rules ](#bypass-rate-limiting-rules-bypass-rate-limiting-rules) below for details. - - - -### Ip Allowed List Choice Custom Ip Allowed List - - IP Allowed list using existing ip_prefix_set objects.. - -`rate_limiter_allowed_prefixes` - (Required) Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.. See [ref](#ref) below for details. - - - -### Ip Allowed List Choice Ip Allowed List - - List of IP(s) for which rate limiting will be disabled.. - -`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). - -`prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). - - - -### Ip Allowed List Choice No Ip Allowed List - - There is no ip allowed list for rate limiting, all clients go through rate limiting.. - - - -### Ip Asn Choice Any Ip - - Any Source IP. - - - -### Ip Asn Choice Asn List - - The predicate evaluates to true if the origin ASN is present in the ASN list.. - -`as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). - - - -### Ip Asn Choice Asn Matcher - - The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. 
- -`asn_sets` - (Required) A list of references to bgp_asn_set objects.. See [ref](#ref) below for details. - - - -### Ip Asn Choice Ip Matcher - - The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`prefix_sets` - (Required) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. - - - -### Ip Asn Choice Ip Prefix List - - The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. - -`invert_match` - (Optional) Invert the match result. (`Bool`). - -`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). - - - -### Ip Choice Any Ip - -any_ip. - - - -### Ip Choice Ip Matcher - -ip_matcher. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`prefix_sets` - (Required) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. - - - -### Ip Choice Ip Prefix List - -ip_prefix_list. - -`invert_match` - (Optional) Invert the match result. (`Bool`). - -`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). - - - -### Ip Reputation Choice Enable Ip Reputation - - x-displayName: "Enable". - -`ip_threat_categories` - (Required) If the source IP matches on atleast one of the enabled IP threat categories, the request will be denied. (`List of Strings`). - - - -### Issuer Validation Issuer Disable - - x-displayName: "Disable". - - - -### Java Script Choice Disable Js Insert - - Disable JavaScript insertion.. - - - -### Java Script Choice Js Insert All Pages - - Insert Client-Side Defense JavaScript in all pages.. - - - -### Java Script Choice Js Insert All Pages - - Insert Bot Defense JavaScript in all pages.. - -`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). 
- - - -### Java Script Choice Js Insert All Pages Except - - Insert Client-Side Defense JavaScript in all pages with the exceptions.. - -`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insert All Pages Except Exclude List ](#js-insert-all-pages-except-exclude-list) below for details. - - - -### Java Script Choice Js Insert All Pages Except - - Insert Bot Defense JavaScript in all pages with the exceptions.. - -`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insert All Pages Except Exclude List ](#js-insert-all-pages-except-exclude-list) below for details. - -`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). - - - -### Java Script Choice Js Insertion Rules - - Specify custom JavaScript insertion rules.. - -`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insertion Rules Exclude List ](#js-insertion-rules-exclude-list) below for details. - -`rules` - (Required) Required list of pages to insert Client-Side Defense client JavaScript.. See [Js Insertion Rules Rules ](#js-insertion-rules-rules) below for details. - - - -### Java Script Choice Js Insertion Rules - - Specify custom JavaScript insertion rules.. - -`exclude_list` - (Optional) Optional JavaScript insertions exclude list of domain and path matchers.. See [Js Insertion Rules Exclude List ](#js-insertion-rules-exclude-list) below for details. - -`rules` - (Required) Required list of pages to insert Bot Defense client JavaScript.. See [Js Insertion Rules Rules ](#js-insertion-rules-rules) below for details. - - - -### Javascript Tags Tag Attributes - - Add the tag attributes you want to include in your Javascript tag.. - -`javascript_tag` - (Optional) Select from one of the predefined tag attibutes. (`String`). - -`tag_value` - (Optional) Add the tag attribute value. 
(`String`). - - - -### Js Challenge Parameters Choice Default Js Challenge Parameters - - Use default parameters. - - - -### Js Challenge Parameters Choice Js Challenge Parameters - - Configure JavaScript challenge parameters. - -`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). - -`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - -`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). - - - -### Js Insert All Pages Except Exclude List - - Optional JavaScript insertions exclude list of domain and path matchers.. - - - -###### One of the arguments from this list "any_domain, domain" must be set - -`any_domain` - (Optional) Any Domain. (`Bool`). - - -`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Exclude List Metadata ](#exclude-list-metadata) below for details. - -`path` - (Required) URI path matcher.. See [Exclude List Path ](#exclude-list-path) below for details. - - - -### Js Insertion Rules Exclude List - - Optional JavaScript insertions exclude list of domain and path matchers.. - - - -###### One of the arguments from this list "domain, any_domain" must be set - -`any_domain` - (Optional) Any Domain. (`Bool`). - - -`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Exclude List Metadata ](#exclude-list-metadata) below for details. - -`path` - (Required) URI path matcher.. See [Exclude List Path ](#exclude-list-path) below for details. - - - -### Js Insertion Rules Rules - - Required list of pages to insert Client-Side Defense client JavaScript.. - - - -###### One of the arguments from this list "any_domain, domain" must be set - -`any_domain` - (Optional) Any Domain. (`Bool`). - - -`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - - -`metadata` - (Required) Common attributes for the rule including name and description.. 
See [Rules Metadata ](#rules-metadata) below for details. - -`path` - (Required) URI path matcher.. See [Rules Path ](#rules-path) below for details. - - - -### Js Insertion Rules Rules - - Required list of pages to insert Bot Defense client JavaScript.. - - - -###### One of the arguments from this list "any_domain, domain" must be set - -`any_domain` - (Optional) Any Domain. (`Bool`). - - -`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - - -`javascript_location` - (Optional) Defines where to insert Bot Defense JavaScript in HTML page. (`String`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. - -`path` - (Required) URI path matcher.. See [Rules Path ](#rules-path) below for details. - - - -### Jwks Configuration Jwks Config - - The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.. - -`cleartext` - (Optional) The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details. (`String`). - - - -### Jwt Validation Action - - x-required. - - - -###### One of the arguments from this list "block, report" must be set - -`block` - (Optional) Block the request and report the issue (`Bool`). - - -`report` - (Optional) Allow the request and report the issue (`Bool`). - - - - -### Jwt Validation Mandatory Claims - - If the claim does not exist JWT token validation will fail.. - -`claim_names` - (Optional) x-displayName: "Claim Names" (`String`). - - - -### Jwt Validation Reserved Claims - - the token validation of these claims should be disabled.. - - - -###### One of the arguments from this list "audience_disable, audience" must be set - -`audience` - (Optional) x-displayName: "Exact Match". 
See [Audience Validation Audience ](#audience-validation-audience) below for details. - - -`audience_disable` - (Optional) x-displayName: "Disable" (`Bool`). - - - - -###### One of the arguments from this list "issuer_disable, issuer" must be set - -`issuer` - (Optional) x-displayName: "Exact Match" (`String`). - - -`issuer_disable` - (Optional) x-displayName: "Disable" (`Bool`). - - - - -###### One of the arguments from this list "validate_period_disable, validate_period_enable" must be set - -`validate_period_disable` - (Optional) x-displayName: "Disable" (`Bool`). - - -`validate_period_enable` - (Optional) x-displayName: "Enable" (`Bool`). - - - - -### Jwt Validation Target - - Define endpoints for which JWT token validation will be performed. - - - -###### One of the arguments from this list "all_endpoint, api_groups, base_paths" must be set - -`all_endpoint` - (Optional) Validation will be performed for all requests on this LB (`Bool`). - - -`api_groups` - (Optional) Validation will be performed for the endpoints mentioned in the API Groups. See [Target Api Groups ](#target-api-groups) below for details. - - -`base_paths` - (Optional) Validation will be performed for selected path prefixes. See [Target Base Paths ](#target-base-paths) below for details. - - - - -### Jwt Validation Token Location - - Define where in the HTTP request the JWT token will be extracted. - - - -###### One of the arguments from this list "cookie, header, query_param, bearer_token" must be set - -`bearer_token` - (Optional) Token is found in Authorization HTTP header with Bearer authentication scheme (`Bool`). - - -`cookie` - (Optional) Token is found in the cookie (`String`).(Deprecated) - - -`header` - (Optional) Token is found in the header (`String`).(Deprecated) - - -`query_param` - (Optional) Token is found in the query string parameter (`String`).(Deprecated) - - - - -### K8s Service Site Locator - - Site or Virtual site where this origin server is located. 
- - - -###### One of the arguments from this list "site, virtual_site" must be set - -`site` - (Optional) Reference to site object. See [ref](#ref) below for details. - - -`virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. - - - - -### Key Value Pattern Key Pattern - - Pattern for key/field.. - - - -###### One of the arguments from this list "exact_value, regex_value" must be set - -`exact_value` - (Optional) Search for values with exact match. (`String`). - - -`regex_value` - (Optional) Search for values matching this regular expression. (`String`). - - - - -### Key Value Pattern Value Pattern - - Pattern for value.. - - - -###### One of the arguments from this list "exact_value, regex_value" must be set - -`exact_value` - (Optional) Pattern value to be detected. (`String`). - - -`regex_value` - (Optional) Regular expression for this pattern. (`String`). - - - - -### L7 Ddos Auto Mitigation Action L7 Ddos Action Js Challenge - - Serve JavaScript challenge to suspicious sources. - -`cookie_expiry` - (Optional) An expired cookie causes the loadbalancer to issue a new challenge. (`Int`). - -`custom_page` - (Optional) E.g. "

Please Wait

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - -`js_script_delay` - (Optional) Delay introduced by Javascript, in milliseconds. (`Int`). - - - -### Label Choice Apply - - x-displayName: "Apply for a Financial Service Account (e.g., credit card, banking, retirement account)". - - - -### Label Choice Checkin - - x-displayName: "Check into Flight". - - - -### Label Choice Create - - x-displayName: "Account Creation". - - - -### Label Choice Flight Search - - x-displayName: "Flight Search". - - - -### Label Choice Gift Card Make Purchase With Gift Card - - x-displayName: "Purchase with Gift Card". - - - -### Label Choice Gift Card Validation - - x-displayName: "Gift Card Validation". - - - -### Label Choice Login - - x-displayName: "Login". - - - - -### Label Choice Login Mfa - - x-displayName: "Login MFA". - - - -### Label Choice Login Partner - - x-displayName: "Login for a Channel Partner". - - - -### Label Choice Logout - - x-displayName: "Logout". - - - -### Label Choice Money Transfer - - x-displayName: "Money Transfer". - - - -### Label Choice Password Reset - - x-displayName: "Password Reset". - - - -### Label Choice Product Search - - x-displayName: "Product Search". - - - -### Label Choice Reservation Search - - x-displayName: "Reservation Search (e.g., sporting events, concerts)". - - - -### Label Choice Room Search - - x-displayName: "Room Search". - - - -### Label Choice Shop Add To Cart - - x-displayName: "Add to Cart". - - - -### Label Choice Shop Checkout - - x-displayName: "Checkout". - - - -### Label Choice Shop Choose Seat - - x-displayName: "Select Seat(s)". - - - -### Label Choice Shop Enter Drawing Submission - - x-displayName: "Enter Drawing Submission". - - - -### Label Choice Shop Make Payment - - x-displayName: "Payment / Billing". - - - -### Label Choice Shop Order - - x-displayName: "Order Submit". - - - -### Label Choice Shop Price Inquiry - - x-displayName: "Price Inquiry". 
- - - -### Label Choice Shop Promo Code Validation - - x-displayName: "Promo Code Validation". - - - -### Label Choice Shop Purchase Gift Card - - x-displayName: "Purchase a Gift Card". - - - -### Label Choice Shop Update Quantity - - x-displayName: "Update Quantity". - - - -### Label Choice Token Refresh - - x-displayName: "Token Refresh". - - - -### Label Choice Update - - x-displayName: "Profile Update". - - - -### Label Choice View - - x-displayName: "Profile View". - - - -### Lb Source Ip Persistance Choice Disable Lb Source Ip Persistance - - Disable LB source IP persistence. - - - -### Lb Source Ip Persistance Choice Enable Lb Source Ip Persistance - - Enable LB source IP persistence. - - - -### Learn From Redirect Traffic Disable Learn From Redirect Traffic - - Disable learning API patterns from traffic with redirect response codes 3xx. - - - -### Learn From Redirect Traffic Enable Learn From Redirect Traffic - - Enable learning API patterns from traffic with redirect response codes 3xx. - - - -### Loadbalancer Type Http - - HTTP Load Balancer.. - -`dns_volterra_managed` - (Optional) or a DNS CNAME record should be created in your DNS provider's portal. (`Bool`). - - - -###### One of the arguments from this list "port, port_ranges" must be set - -`port` - (Optional) HTTP port to Listen. (`Int`). - - -`port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). - - - - -### Loadbalancer Type Https - - User is responsible for managing DNS to this load balancer.. - -`add_hsts` - (Optional) Add HTTP Strict-Transport-Security response header (`Bool`). - -`connection_idle_timeout` - (Optional) This is specified in milliseconds. The default value is 2 minutes. (`Int`). - - - - -###### One of the arguments from this list "non_default_loadbalancer, default_loadbalancer" can be set - -`default_loadbalancer` - (Optional) x-displayName: "Yes" (`Bool`). 
- - -`non_default_loadbalancer` - (Optional) x-displayName: "No" (`Bool`). - - -`header_transformation_type` - (Optional) Header transformation options for response headers to the client. See [Https Header Transformation Type ](#https-header-transformation-type) below for details.(Deprecated) - -`http_protocol_options` - (Optional) HTTP protocol configuration options for downstream connections.. See [Https Http Protocol Options ](#https-http-protocol-options) below for details. - -`http_redirect` - (Optional) Redirect HTTP traffic to HTTPS (`Bool`). - - - -###### One of the arguments from this list "enable_path_normalize, disable_path_normalize" must be set - -`disable_path_normalize` - (Optional) x-displayName: "Disable" (`Bool`). - - -`enable_path_normalize` - (Optional) x-displayName: "Enable" (`Bool`). - - - - -###### One of the arguments from this list "port, port_ranges" must be set - -`port` - (Optional) HTTPS port to Listen. (`Int`). - - -`port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). - - - - - -###### One of the arguments from this list "default_header, server_name, append_server_name, pass_through" can be set - -`append_server_name` - (Optional) If header value is already present, it is not overwritten and passed as-is. (`String`). - - -`default_header` - (Optional) Response header name is “server” and value is “volt-adc” (`Bool`). - - -`pass_through` - (Optional) Pass existing server header as is. If server header is absent, a new header is not appended. (`Bool`). - - -`server_name` - (Optional) This will overwrite existing values, if any, for the server header. (`String`). - - - - -###### One of the arguments from this list "tls_parameters, tls_cert_params" must be set - -`tls_cert_params` - (Optional) Select/Add one or more TLS Certificate objects to associate with this Load Balancer. 
See [Tls Certificates Choice Tls Cert Params ](#tls-certificates-choice-tls-cert-params) below for details. - - -`tls_parameters` - (Optional) Upload a TLS certificate covering all domain names for this Load Balancer. See [Tls Certificates Choice Tls Parameters ](#tls-certificates-choice-tls-parameters) below for details. - - - - -### Loadbalancer Type Https Auto Cert - - or a DNS CNAME record should be created in your DNS provider's portal(only for Domains not managed by F5 Distributed Cloud).. - -`add_hsts` - (Optional) Add HTTP Strict-Transport-Security response header (`Bool`). - -`connection_idle_timeout` - (Optional) This is specified in milliseconds. The default value is 2 minutes. (`Int`). - - - - -###### One of the arguments from this list "non_default_loadbalancer, default_loadbalancer" can be set - -`default_loadbalancer` - (Optional) For traffic terminating at this load balancer, the certificate associated with the first configured domain will be used for TLS termination. (`Bool`). - - -`non_default_loadbalancer` - (Optional) x-displayName: "No" (`Bool`). - - -`header_transformation_type` - (Optional) Header transformation options for response headers to the client. See [Https Auto Cert Header Transformation Type ](#https-auto-cert-header-transformation-type) below for details.(Deprecated) - -`http_protocol_options` - (Optional) HTTP protocol configuration options for downstream connections.. See [Https Auto Cert Http Protocol Options ](#https-auto-cert-http-protocol-options) below for details. - -`http_redirect` - (Optional) Redirect HTTP traffic to HTTPS (`Bool`). - - - -###### One of the arguments from this list "no_mtls, use_mtls" must be set - -`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - - -`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. 
- - - - -###### One of the arguments from this list "enable_path_normalize, disable_path_normalize" must be set - -`disable_path_normalize` - (Optional) x-displayName: "Disable" (`Bool`). - - -`enable_path_normalize` - (Optional) x-displayName: "Enable" (`Bool`). - - - - - -###### One of the arguments from this list "port, port_ranges" can be set - -`port` - (Optional) HTTPS port to Listen. (`Int`). - - -`port_ranges` - (Optional) Each port range consists of a single port or two ports separated by "-". (`String`). - - - - - -###### One of the arguments from this list "default_header, server_name, append_server_name, pass_through" can be set - -`append_server_name` - (Optional) If header value is already present, it is not overwritten and passed as-is. (`String`). - - -`default_header` - (Optional) Response header name is “server” and value is “volt-adc” (`Bool`). - - -`pass_through` - (Optional) Pass existing server header as is. If server header is absent, a new header is not appended. (`Bool`). - - -`server_name` - (Optional) This will overwrite existing values, if any, for the server header. (`String`). - - -`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Https Auto Cert Tls Config ](#https-auto-cert-tls-config) below for details. - - - -### Malicious User Detection Choice Disable Malicious User Detection - - x-displayName: "Disable". - - - -### Malicious User Detection Choice Enable Malicious User Detection - - x-displayName: "Enable". - - - -### Malicious User Mitigation Choice Default Mitigation Settings - - For high level, users will be temporarily blocked.. - - - -### Masking Mode Choice Mask - - x-displayName: "Mask Sensitive Data". - - - -### Masking Mode Choice Report - - x-displayName: "Report Sensitive Data". - - - -### Match Check Not Present - - Check that the cookie is not present.. - - - -### Match Check Present - - Check that the cookie is present.. 
- - - -### Match Item - - Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. - -`exact_values` - (Optional) A list of exact values to match the input against. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - -`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - - - -### Max Age Ignore Max Age - - Ignore max age attribute. - - - -### Max Session Keys Type Default Session Key Caching - - Default session key caching. Only one session key will be cached.. - - - -### Max Session Keys Type Disable Session Key Caching - - Disable session key caching. This will disable TLS session resumption.. - - - -### Method Choice Method Get - - x-displayName: "GET". - - - -### Method Choice Method Post - - x-displayName: "POST". - - - -### Mirror Policy Percent - - Percentage of requests to be mirrored. - -`denominator` - (Required) Samples per denominator. numerator part per 100 or 10000 ro 1000000 (`String`). - -`numerator` - (Required) sampled parts per denominator. If denominator was 10000, then value of 5 will be 5 in 10000 (`Int`). - - - -### Mirroring Choice Disable Mirroring - - Disable Mirroring of request. - - - -### Mirroring Choice Mirror Policy - - useful for logging. For example, *cluster1* becomes *cluster1-shadow*.. - -`origin_pool` - (Required) referred here must be present.. See [ref](#ref) below for details. - -`percent` - (Required) Percentage of requests to be mirrored. See [Mirror Policy Percent ](#mirror-policy-percent) below for details. - - - -### Mitigation Action Block - - Block user for a duration determined by the expiration time. - - - -### Mitigation Choice Ddos Client Source - - Combination of Region, ASN and TLS Fingerprints. 
- -`asn_list` - (Optional) The ASN is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.. See [Ddos Client Source Asn List ](#ddos-client-source-asn-list) below for details. - -`country_list` - (Optional) Sources that are located in one of the countries in the given list (`List of Strings`). - -`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Ddos Client Source Tls Fingerprint Matcher ](#ddos-client-source-tls-fingerprint-matcher) below for details. - - - -### Mitigation Choice Ip Prefix List - - IPv4 prefix string.. - -`invert_match` - (Optional) Invert the match result. (`Bool`). - -`ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). - - - -### Ml Config Choice Single Lb App - - ML Config applied on this load balancer. - - - -###### One of the arguments from this list "enable_discovery, disable_discovery" must be set - -`disable_discovery` - (Optional) x-displayName: "Disable" (`Bool`). - - -`enable_discovery` - (Optional) x-displayName: "Enable". See [Api Discovery Choice Enable Discovery ](#api-discovery-choice-enable-discovery) below for details. - - - - -###### One of the arguments from this list "enable_malicious_user_detection, disable_malicious_user_detection" must be set - -`disable_malicious_user_detection` - (Optional) x-displayName: "Disable" (`Bool`). - - -`enable_malicious_user_detection` - (Optional) x-displayName: "Enable" (`Bool`). - - - - -### Mobile Identifier Headers - - Headers that can be used to identify mobile traffic.. - - - -###### One of the arguments from this list "check_present, check_not_present, item" must be set - -`check_not_present` - (Optional) Check that the header is not present. (`Bool`). - - -`check_present` - (Optional) Check that the header is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the header. 
The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`name` - (Required) A case-insensitive HTTP header name. (`String`). - - - -### Mobile Sdk Choice Disable Mobile Sdk - - Disable Mobile SDK.. - - - -### Mobile Sdk Choice Mobile Sdk Config - - Enable Mobile SDK Configuration. - -`mobile_identifier` - (Optional) Mobile Request Identifier Headers Type.. See [Mobile Sdk Config Mobile Identifier ](#mobile-sdk-config-mobile-identifier) below for details. - - - -### Mobile Sdk Choice Mobile Sdk Config - - Mobile SDK configuration. - -`mobile_identifier` - (Optional) Mobile traffic identifier type.. See [Mobile Sdk Config Mobile Identifier ](#mobile-sdk-config-mobile-identifier) below for details. - -`reload_header_name` - (Optional) Header that is used for SDK configuration sync. (`String`).(Deprecated) - - - -### Mobile Sdk Config Mobile Identifier - - Mobile traffic identifier type.. - -`headers` - (Optional) Headers that can be used to identify mobile traffic.. See [Mobile Identifier Headers ](#mobile-identifier-headers) below for details. - - - -### More Option Buffer Policy - - specify the maximum buffer size and buffer interval with this config.. - -`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). - -`max_request_bytes` - (Optional) manager will stop buffering and return a RequestEntityTooLarge (413) response. (`Int`). - -`max_request_time` - (Optional) request before returning a RequestTimeout (408) response (`Int`).(Deprecated) - - - -### More Option Compression Params - - Only GZIP compression is supported. - -`content_length` - (Optional) Minimum response length, in bytes, which will trigger compression. The default value is 30. (`Int`). - -`content_type` - (Optional) "text/xml" (`String`). - -`disable_on_etag_header` - (Optional) weak etags will be preserved and the ones that require strong validation will be removed. 
(`Bool`). - -`remove_accept_encoding_header` - (Optional) so that responses do not get compressed before reaching the filter. (`Bool`). - - - -### More Option Cookies To Modify - - List of cookies to be modified from the HTTP response being sent towards downstream.. - - - -###### One of the arguments from this list "disable_tampering_protection, enable_tampering_protection" must be set - -`disable_tampering_protection` - (Optional) x-displayName: "Disable" (`Bool`). - - -`enable_tampering_protection` - (Optional) x-displayName: "Enable" (`Bool`). - - - - - -###### One of the arguments from this list "ignore_httponly, add_httponly" can be set - -`add_httponly` - (Optional) x-displayName: "Add" (`Bool`). - - -`ignore_httponly` - (Optional) x-displayName: "Ignore" (`Bool`). - - - - - -###### One of the arguments from this list "ignore_max_age, max_age_value" can be set - -`ignore_max_age` - (Optional) Ignore max age attribute (`Bool`).(Deprecated) - - -`max_age_value` - (Optional) Add max age attribute (`Int`).(Deprecated) - - -`name` - (Required) Name of the Cookie (`String`). - - - - -###### One of the arguments from this list "ignore_samesite, samesite_strict, samesite_lax, samesite_none" can be set - -`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). - - -`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). - - -`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). - - -`samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). - - - - - -###### One of the arguments from this list "ignore_secure, add_secure" can be set - -`add_secure` - (Optional) x-displayName: "Add" (`Bool`). - - -`ignore_secure` - (Optional) x-displayName: "Ignore" (`Bool`). 
- - - - -### More Option Javascript Info - - Custom JavaScript Configuration. Custom JavaScript code can be executed at various stages of request processing.. - -`cache_prefix` - (Optional) KeyValue store referred by script. (`String`). - -`custom_script_url` - (Optional) URL of JavaScript that gets executed (`String`). - -`script_config` - (Optional) Input passed to the script (`String`). - - - -### More Option Request Headers To Add - - Headers specified at this level are applied after headers from matched Route are applied. - -`append` - (Optional) Default value is do not append (`Bool`). - -`name` - (Required) Name of the HTTP header. (`String`). - - - -###### One of the arguments from this list "value, secret_value" must be set - -`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. - - -`value` - (Optional) Value of the HTTP header. (`String`). - - - - -### More Option Response Headers To Add - - Headers specified at this level are applied after headers from matched Route are applied. - -`append` - (Optional) Default value is do not append (`Bool`). - -`name` - (Required) Name of the HTTP header. (`String`). - - - -###### One of the arguments from this list "value, secret_value" must be set - -`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. - - -`value` - (Optional) Value of the HTTP header. (`String`). - - - - -### Mtls Choice No Mtls - - x-displayName: "Disable". - - - -### Mtls Choice Use Mtls - - x-displayName: "Enable". - -`client_certificate_optional` - (Optional) the connection will be accepted. (`Bool`). - - - - -###### One of the arguments from this list "no_crl, crl" can be set - -`crl` - (Optional) Specify the CRL server information to download the certificate revocation list. See [ref](#ref) below for details. 
- - -`no_crl` - (Optional) Client certificate revocation status is not verified (`Bool`). - - - - -###### One of the arguments from this list "trusted_ca, trusted_ca_url" must be set - -`trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Load Balancer. See [ref](#ref) below for details. - - -`trusted_ca_url` - (Optional) Upload a Root CA Certificate specifically for this Load Balancer (`String`). - - - - - -###### One of the arguments from this list "xfcc_disabled, xfcc_options" can be set - -`xfcc_disabled` - (Optional) No X-Forwarded-Client-Cert header will be added (`Bool`). - - -`xfcc_options` - (Optional) X-Forwarded-Client-Cert header will be added with the configured fields. See [Xfcc Header Xfcc Options ](#xfcc-header-xfcc-options) below for details. - - - - -### Mtls Choice Use Mtls - - x-displayName: "Upload a client authentication certificate specifically for this Origin Pool". - -`tls_certificates` - (Required) mTLS Client Certificate. See [Use Mtls Tls Certificates ](#use-mtls-tls-certificates) below for details. - - - -### Network Choice Inside Network - - Inside network on the site. - - - -### Network Choice Outside Network - - Outside network on the site. - - - -### Network Choice Vk8s Networks - - origin server are on vK8s network on the site. - - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. - -`hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). - - - -### Ocsp Stapling Choice Disable Ocsp Stapling - - This is the default behavior if no choice is selected.. - - - -### Ocsp Stapling Choice Use System Defaults - - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. 
- - - -### Open Api Validation Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Open Api Validation Rules Validation Mode - - When a validation mismatch occurs on a request to one of the endpoints listed on the OpenAPI specification file (a.k.a. swagger). - - - -###### One of the arguments from this list "skip_response_validation, response_validation_mode_active" must be set - -`response_validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Response Validation Mode Choice Response Validation Mode Active ](#response-validation-mode-choice-response-validation-mode-active) below for details. - - -`skip_response_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). - - - - -###### One of the arguments from this list "validation_mode_active, skip_validation" must be set - -`skip_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). - - -`validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Validation Mode Choice Validation Mode Active ](#validation-mode-choice-validation-mode-active) below for details. - - - - -### Origin Pool Choice Default Pool - - Single Origin Pool. - -`advanced_options` - (Optional) Advanced options configuration like timeouts, circuit breaker, subset load balancing. See [Default Pool Advanced Options ](#default-pool-advanced-options) below for details. - -`endpoint_selection` - (Required) Policy for selection of endpoints from local site or remote site or both (`String`). 
- - - - -###### One of the arguments from this list "health_check_port, same_as_endpoint_port" can be set - -`health_check_port` - (Optional) Port used for performing health check (`Int`). - - -`same_as_endpoint_port` - (Optional) Health check is performed on endpoint port itself (`Bool`). - - -`healthcheck` - (Optional) Reference to healthcheck configuration objects. See [ref](#ref) below for details. - -`loadbalancer_algorithm` - (Required) loadbalancer_algorithm to determine which host is selected. (`String`). - -`origin_servers` - (Required) List of origin servers in this pool. See [Default Pool Origin Servers ](#default-pool-origin-servers) below for details. - - - -###### One of the arguments from this list "port, automatic_port, lb_port" must be set - -`automatic_port` - (Optional) For other origin server types, port will be automatically set as 443 if TLS is enabled at Origin Pool and 80 if TLS is disabled (`Bool`). - - -`lb_port` - (Optional) Endpoint port is selected based on loadbalancer port (`Bool`). - - -`port` - (Optional) Endpoint service is available on this port (`Int`). - - - - -###### One of the arguments from this list "no_tls, use_tls" must be set - -`no_tls` - (Optional) x-displayName: "Disable" (`Bool`). - - -`use_tls` - (Optional) x-displayName: "Enable". See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. - - -`view_internal` - (Optional) Reference to view internal object. See [ref](#ref) below for details. - - - -### Origin Pool Choice Default Pool List - - Multiple Origin Pools with weights and priorities. - -`pools` - (Optional) List of Origin Pools. See [Default Pool List Pools ](#default-pool-list-pools) below for details. - - - -### Origin Server Subset Rule List Origin Server Subset Rules - - When an Origin server subset rule is matched, then this selection rule takes effect and no more rules are evaluated.. 
- - - -###### One of the arguments from this list "any_asn, asn_list, asn_matcher" must be set - -`any_asn` - (Optional) Any origin ASN. (`Bool`). - - -`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Asn Choice Asn List ](#asn-choice-asn-list) below for details. - - -`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Asn Choice Asn Matcher ](#asn-choice-asn-matcher) below for details. - - -`body_matcher` - (Optional) The actual request body value is extracted from the request API as a string.. See [Origin Server Subset Rules Body Matcher ](#origin-server-subset-rules-body-matcher) below for details.(Deprecated) - -`country_codes` - (Optional) List of Country Codes (`List of Strings`). - - - -###### One of the arguments from this list "any_ip, ip_prefix_list, ip_matcher" must be set - -`any_ip` - (Optional) Any Source IP (`Bool`). - - -`ip_matcher` - (Optional) The predicate evaluates to true if the client IPv4 Address is covered by one or more of the IPv4 Prefixes in the IP Prefix Sets.. See [Ip Choice Ip Matcher ](#ip-choice-ip-matcher) below for details. - - -`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IPv4 Address is covered by one or more of the IPv4 Prefixes from the list.. See [Ip Choice Ip Prefix List ](#ip-choice-ip-prefix-list) below for details. - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Origin Server Subset Rules Metadata ](#origin-server-subset-rules-metadata) below for details. - -`origin_server_subsets_action` - (Required) 2. Enable subset load balancing in the Origin Server Subsets section and configure keys in origin server subsets classes (`String`). - -`re_name_list` - (Optional) List of RE names for match (`String`). 
- - - -###### One of the arguments from this list "none, client_selector" must be set - -`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Selector Choice Client Selector ](#selector-choice-client-selector) below for details. - - -`none` - (Optional) No Label Selector (`Bool`). - - - - -### Origin Server Subset Rules Body Matcher - - The actual request body value is extracted from the request API as a string.. - -`exact_values` - (Optional) A list of exact values to match the input against. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - -`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - - - -### Origin Server Subset Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Outlier Detection Choice Disable Outlier Detection - - Outlier detection is disabled. - - - -### Outlier Detection Choice Outlier Detection - - healthy load balancing set. Outlier detection is a form of passive health checking.. - -`base_ejection_time` - (Optional) Defaults to 30000ms or 30s. Specified in milliseconds. (`Int`). - -`consecutive_5xx` - (Optional) a consecutive 5xx ejection occurs. Defaults to 5. (`Int`). - -`consecutive_gateway_failure` - (Optional) before a consecutive gateway failure ejection occurs. Defaults to 5. (`Int`). - -`interval` - (Optional) to 10000ms or 10s. Specified in milliseconds. (`Int`). - -`max_ejection_percent` - (Optional) detection. 
Defaults to 10% but will eject at least one host regardless of the value. (`Int`). - - - -### Oversized Body Choice Oversized Body Fail Validation - - Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb). - - - -### Oversized Body Choice Oversized Body Skip Validation - - Skip body validation when the body length is too long to verify (default 64Kb). - - - -### Panic Threshold Type No Panic Threshold - - Disable panic threshold. Only healthy endpoints are considered for load balancing.. - - - -### Path Choice Any Path - - Match all paths. - - - -### Path Normalize Choice Disable Path Normalize - - x-displayName: "Disable". - - - -### Path Normalize Choice Enable Path Normalize - - x-displayName: "Enable". - - - -### Pattern Choice Key Pattern - - Search for pattern across all field names in the specified sections.. - - - -###### One of the arguments from this list "exact_value, regex_value" must be set - -`exact_value` - (Optional) Search for values with exact match. (`String`). - - -`regex_value` - (Optional) Search for values matching this regular expression. (`String`). - - - - -### Pattern Choice Key Value Pattern - - Search for specific field and value patterns in the specified sections.. - -`key_pattern` - (Required) Pattern for key/field.. See [Key Value Pattern Key Pattern ](#key-value-pattern-key-pattern) below for details. - -`value_pattern` - (Required) Pattern for value.. See [Key Value Pattern Value Pattern ](#key-value-pattern-value-pattern) below for details. - - - -### Pattern Choice Value Pattern - - Search for pattern across all field values in the specified sections.. - - - -###### One of the arguments from this list "exact_value, regex_value" must be set - -`exact_value` - (Optional) Pattern value to be detected. (`String`). - - -`regex_value` - (Optional) Regular expression for this pattern. (`String`). 
- - - - -### Policy Protected App Endpoints - - List of protected application endpoints (max 128 items).. - - - -###### One of the arguments from this list "mobile, web_mobile, web" must be set - -`mobile` - (Optional) Mobile traffic channel. (`Bool`). - - -`web` - (Optional) Web traffic channel. (`Bool`). - - -`web_mobile` - (Optional) Web and mobile traffic channel.. See [App Traffic Type Choice Web Mobile ](#app-traffic-type-choice-web-mobile) below for details. - - - - - -###### One of the arguments from this list "any_domain, domain" can be set - -`any_domain` - (Optional) Any Domain. (`Bool`). - - -`domain` - (Optional) Domain matcher.. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - - - - -###### One of the arguments from this list "flow_label, undefined_flow_label" must be set - -`flow_label` - (Optional) x-displayName: "Specify Endpoint label category". See [Flow Label Choice Flow Label ](#flow-label-choice-flow-label) below for details. - - -`undefined_flow_label` - (Optional) x-displayName: "Undefined" (`Bool`). - - - - -###### One of the arguments from this list "allow_good_bots, mitigate_good_bots" must be set - -`allow_good_bots` - (Optional) System flags Good Bot traffic and allow it to continue to the origin (`Bool`). - - -`mitigate_good_bots` - (Optional) System flags Good Bot Traffic, but mitigation is handled in the same manner as malicious automated traffic defined above (`Bool`). - - -`http_methods` - (Required) List of HTTP methods. (`List of Strings`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Protected App Endpoints Metadata ](#protected-app-endpoints-metadata) below for details. - -`mitigation` - (Required) Mitigation action.. See [Protected App Endpoints Mitigation ](#protected-app-endpoints-mitigation) below for details. - -`path` - (Required) Matching URI path of the route.. 
See [Protected App Endpoints Path ](#protected-app-endpoints-path) below for details. - -`protocol` - (Optional) Protocol. (`String`). - - - -### Policy Protected App Endpoints - - List of protected endpoints (max 128 items). - - - -###### One of the arguments from this list "web_client, mobile_client, web_mobile_client" must be set - -`mobile_client` - (Optional) Mobile traffic channel. (`Bool`). - - -`web_client` - (Optional) Web traffic channel. (`Bool`). - - -`web_mobile_client` - (Optional) Web and mobile traffic channel.. See [App Traffic Type Choice Web Mobile Client ](#app-traffic-type-choice-web-mobile-client) below for details. - - - - - -###### One of the arguments from this list "any_domain, domain" can be set - -`any_domain` - (Optional) Any Domain (`Bool`). - - -`domain` - (Optional) Select Domain matcher. See [Domain Matcher Choice Domain ](#domain-matcher-choice-domain) below for details. - - - - - -###### One of the arguments from this list "flow_label, undefined_flow_label" can be set - -`flow_label` - (Optional) x-displayName: "Specify endpoint label category". See [Flow Label Choice Flow Label ](#flow-label-choice-flow-label) below for details. - - -`undefined_flow_label` - (Optional) x-displayName: "Undefined" (`Bool`). - - -`http_methods` - (Required) List of HTTP methods. (`List of Strings`). - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Protected App Endpoints Metadata ](#protected-app-endpoints-metadata) below for details. - -`path` - (Required) Accepts wildcards * to match multiple characters or ? to match a single character. See [Protected App Endpoints Path ](#protected-app-endpoints-path) below for details. - -`query` - (Optional) Enter a regular expression or exact value to match your query parameters of interest. See [Protected App Endpoints Query ](#protected-app-endpoints-query) below for details. - -`request_body` - (Optional) Request Body. 
See [Protected App Endpoints Request Body ](#protected-app-endpoints-request-body) below for details. - - - -### Policy Based Challenge Rule List - - list challenge rules to be used in policy based challenge. - -`rules` - (Optional) these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions. See [Rule List Rules ](#rule-list-rules) below for details. - - - -### Policy Choice No Policies - - Do not apply additional rate limiter policies.. - - - -### Policy Choice Policies - - to the action configured in the rule. If there's no match, the rate limiting configuration for the HTTP load balancer is honored.. - -`policies` - (Required) Ordered list of rate limiter policies.. See [ref](#ref) below for details. - - - -### Policy Specifier Cookie - - Hash based on cookie. - - - - -###### One of the arguments from this list "ignore_httponly, add_httponly" can be set - -`add_httponly` - (Optional) Add httponly attribute (`Bool`). - - -`ignore_httponly` - (Optional) Ignore httponly attribute (`Bool`). - - -`name` - (Required) produced (`String`). - -`path` - (Optional) will be set for the cookie (`String`). - - - - -###### One of the arguments from this list "ignore_samesite, samesite_strict, samesite_lax, samesite_none" can be set - -`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). - - -`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). - - -`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). - - -`samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). - - - - - -###### One of the arguments from this list "ignore_secure, add_secure" can be set - -`add_secure` - (Optional) Add secure attribute (`Bool`). 
- - -`ignore_secure` - (Optional) Ignore secure attribute (`Bool`). - - -`ttl` - (Optional) be a session cookie. TTL value is in milliseconds (`Int`). - - - -### Port Choice Automatic Port - - For other origin server types, port will be automatically set as 443 if TLS is enabled at Origin Pool and 80 if TLS is disabled. - - - -### Port Choice Lb Port - - Endpoint port is selected based on loadbalancer port. - - - -### Port Choice Use Default Port - - For HTTP, default is 80. For HTTPS/SNI, default is 443.. - - - -### Port Match No Port Match - - Disable matching of ports. - - - -### Private Ip Site Locator - - Site or Virtual site where this origin server is located. - - - -###### One of the arguments from this list "site, virtual_site" must be set - -`site` - (Optional) Reference to site object. See [ref](#ref) below for details. - - -`virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. - - - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Private Name Site Locator - - Site or Virtual site where this origin server is located. - - - -###### One of the arguments from this list "site, virtual_site" must be set - -`site` - (Optional) Reference to site object. See [ref](#ref) below for details. - - -`virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. - - - - -### Property Validation Settings Choice Property Validation Settings Custom - - Use custom settings with Open API specification validation. 
- -`headers` - (Optional) Custom settings for headers validation. See [Property Validation Settings Custom Headers ](#property-validation-settings-custom-headers) below for details.(Deprecated) - -`queryParameters` - (Optional) Custom settings for query parameters validation. See [Property Validation Settings Custom QueryParameters ](#property-validation-settings-custom-queryParameters) below for details. - - - -### Property Validation Settings Choice Property Validation Settings Default - - Keep the default settings of OpenAPI specification validation. - - - -### Property Validation Settings Custom Headers - - Custom settings for headers validation. - - - -###### One of the arguments from this list "allow_additional_headers, disallow_additional_headers" must be set - -`allow_additional_headers` - (Optional) Allow extra headers (on top of what specified in the OAS documentation) (`Bool`). - - -`disallow_additional_headers` - (Optional) Disallow extra headers (on top of what specified in the OAS documentation) (`Bool`). - - - - -### Property Validation Settings Custom QueryParameters - - Custom settings for query parameters validation. - - - -###### One of the arguments from this list "allow_additional_parameters, disallow_additional_parameters" must be set - -`allow_additional_parameters` - (Optional) Allow extra query parameters (on top of what specified in the OAS documentation) (`Bool`). - - -`disallow_additional_parameters` - (Optional) Disallow extra query parameters (on top of what specified in the OAS documentation) (`Bool`). - - - - -### Protected App Endpoints Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). 
- - - -### Protected App Endpoints Mitigation - - Mitigation action.. - - - - -###### One of the arguments from this list "redirect, flag, none, block" can be set - -`block` - (Optional) Block bot request and send response with custom content.. See [Action Type Block ](#action-type-block) below for details. - - -`flag` - (Optional) Flag the request while not taking any invasive actions.. See [Action Type Flag ](#action-type-flag) below for details. - - -`none` - (Optional) No mitigation actions. (`Bool`).(Deprecated) - - -`redirect` - (Optional) Redirect bot request to a custom URI.. See [Action Type Redirect ](#action-type-redirect) below for details. - - - - -### Protected App Endpoints Path - - Matching URI path of the route.. - - - -###### One of the arguments from this list "prefix, path, regex" must be set - -`path` - (Optional) Exact path value to match (`String`). - - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - - - - -### Protected App Endpoints Query - - Enter a regular expression or exact value to match your query parameters of interest. - -`name` - (Optional) Enter query parameter name (`String`). - - - -###### One of the arguments from this list "regex_value, check_presence, exact_value" must be set - -`check_presence` - (Optional) Parameter name taken which is exist in the query parameter (`Bool`). - - -`exact_value` - (Optional) Exact query value to match (`String`). - - -`regex_value` - (Optional) Regular expression of query match (e.g. the value .* will match on all query) (`String`). - - - - -### Protected App Endpoints Request Body - - Request Body. - -`name` - (Optional) Enter request body parameter name (`String`). - - - -###### One of the arguments from this list "exact_value, regex_value" must be set - -`exact_value` - (Optional) Exact query value to match (`String`). 
- - -`regex_value` - (Optional) Regular expression of query match (e.g. the value .* will match on all query) (`String`). - - - - -### Proxy Protocol Choice Disable Proxy Protocol - - Disable Proxy Protocol for upstream connections. - - - -### Proxy Protocol Choice Proxy Protocol V1 - - Enable Proxy Protocol Version 1 for upstream connections. - - - -### Proxy Protocol Choice Proxy Protocol V2 - - Enable Proxy Protocol Version 2 for upstream connections. - - - -### Query Params Remove All Params - - x-displayName: "Remove All Parameters". - - - -### Query Params Retain All Params - - x-displayName: "Retain All Parameters". - - - -### Query Params Strip Query Params - - Specifies the list of query params to be removed. Not supported. - -`query_params` - (Optional) Query params keys to strip while manipulating the HTTP request (`String`). - - - -### Rate Limit Rate Limiter - - Requests to the virtual_host are rate limited based on the parameters specified in the rate_limiter.. - -`burst_multiplier` - (Optional) The maximum burst of requests to accommodate, expressed as a multiple of the rate. (`Int`). - -`total_number` - (Required) The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. (`Int`). - -`unit` - (Required) Unit for the period per which the rate limit is applied. (`String`). - - - -### Rate Limit Choice Api Rate Limit - - Define rate limiting for one or more API endpoints.. - -`api_endpoint_rules` - (Optional) For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.. See [Api Rate Limit Api Endpoint Rules ](#api-rate-limit-api-endpoint-rules) below for details. - - - -###### One of the arguments from this list "bypass_rate_limiting_rules, no_ip_allowed_list, ip_allowed_list, custom_ip_allowed_list" must be set - -`bypass_rate_limiting_rules` - (Optional) This category defines rules per URL or API group. 
If request matches any of these rules, skip Rate Limiting.. See [Ip Allowed List Choice Bypass Rate Limiting Rules ](#ip-allowed-list-choice-bypass-rate-limiting-rules) below for details. - - -`custom_ip_allowed_list` - (Optional) IP Allowed list using existing ip_prefix_set objects.. See [Ip Allowed List Choice Custom Ip Allowed List ](#ip-allowed-list-choice-custom-ip-allowed-list) below for details. - - -`ip_allowed_list` - (Optional) List of IP(s) for which rate limiting will be disabled.. See [Ip Allowed List Choice Ip Allowed List ](#ip-allowed-list-choice-ip-allowed-list) below for details. - - -`no_ip_allowed_list` - (Optional) There is no ip allowed list for rate limiting, all clients go through rate limiting. (`Bool`). - - -`server_url_rules` - (Optional) For matching also specific endpoints you can use the API endpoint rules set bellow.. See [Api Rate Limit Server Url Rules ](#api-rate-limit-server-url-rules) below for details. - - - -### Rate Limit Choice Rate Limit - - Define custom rate limiting parameters for this load balancer. - - - -###### One of the arguments from this list "no_ip_allowed_list, ip_allowed_list, custom_ip_allowed_list" must be set - -`custom_ip_allowed_list` - (Optional) IP Allowed list using existing ip_prefix_set objects.. See [Ip Allowed List Choice Custom Ip Allowed List ](#ip-allowed-list-choice-custom-ip-allowed-list) below for details. - - -`ip_allowed_list` - (Optional) List of IP(s) for which rate limiting will be disabled.. See [Ip Allowed List Choice Ip Allowed List ](#ip-allowed-list-choice-ip-allowed-list) below for details. - - -`no_ip_allowed_list` - (Optional) There is no ip allowed list for rate limiting, all clients go through rate limiting. (`Bool`). - - - - -###### One of the arguments from this list "no_policies, policies" must be set - -`no_policies` - (Optional) Do not apply additional rate limiter policies. (`Bool`). - - -`policies` - (Optional) to the action configured in the rule. 
If there's no match, the rate limiting configuration for the HTTP load balancer is honored.. See [Policy Choice Policies ](#policy-choice-policies) below for details. - - -`rate_limiter` - (Optional) Requests to the virtual_host are rate limited based on the parameters specified in the rate_limiter.. See [Rate Limit Rate Limiter ](#rate-limit-rate-limiter) below for details. - - - -### Rate Limiter Choice Inline Rate Limiter - - Specify rate values for the rule.. - - - -###### One of the arguments from this list "use_http_lb_user_id, ref_user_id" must be set - -`ref_user_id` - (Optional) The rules in the user_identification object are evaluated to determine the user identifier to be rate limited.. See [ref](#ref) below for details. - - -`use_http_lb_user_id` - (Optional) Defined in HTTP-LB Security Configuration -> User Identifier. (`Bool`). - - -`threshold` - (Required) The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. (`Int`). - -`unit` - (Required) Unit for the period per which the rate limit is applied. (`String`). - - - -### Redirect Route Headers - - List of (key, value) headers. - -`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). - -`name` - (Required) Name of the header (`String`). - - - - -###### One of the arguments from this list "exact, regex, presence" can be set - -`exact` - (Optional) Header value to match exactly (`String`). - - -`presence` - (Optional) If true, check for presence of header (`Bool`). - - -`regex` - (Optional) Regex match of the header value in re2 format (`String`). - - - - -### Redirect Route Incoming Port - - The port on which the request is received. - - - - -###### One of the arguments from this list "port, port_ranges, no_port_match" can be set - -`no_port_match` - (Optional) Disable matching of ports (`Bool`). - - -`port` - (Optional) Exact Port to match (`Int`). 
- - -`port_ranges` - (Optional) Port range to match (`String`). - - - - -### Redirect Route Path - - URI path of route. - - - -###### One of the arguments from this list "prefix, path, regex" must be set - -`path` - (Optional) Exact path value to match (`String`). - - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - - - - -### Redirect Route Route Redirect - - Send redirect response. - -`host_redirect` - (Optional) swap host part of incoming URL in redirect URL (`String`). - -`port_redirect` - (Optional) Specify the port value to redirect to a URL with non default port(443) (`Int`).(Deprecated) - -`proto_redirect` - (Optional) When incoming-proto option is specified, swapping of protocol is not done. (`String`). - - - - -###### One of the arguments from this list "all_params, retain_all_params, remove_all_params, replace_params, strip_query_params" can be set - -`all_params` - (Optional) be removed. Default value is false, which means query portion of the URL will NOT be removed (`Bool`).(Deprecated) - - -`remove_all_params` - (Optional) x-displayName: "Remove All Parameters" (`Bool`). - - -`replace_params` - (Optional) x-displayName: "Replace All Parameters" (`String`). - - -`retain_all_params` - (Optional) x-displayName: "Retain All Parameters" (`Bool`). - - -`strip_query_params` - (Optional) Specifies the list of query params to be removed. Not supported. See [Query Params Strip Query Params ](#query-params-strip-query-params) below for details.(Deprecated) - - - - - -###### One of the arguments from this list "path_redirect, prefix_rewrite" can be set - -`path_redirect` - (Optional) swap path part of incoming URL in redirect URL (`String`). - - -`prefix_rewrite` - (Optional) This option allows redirect URLs be dynamically created based on the request (`String`). 
- - -`response_code` - (Optional) The HTTP status code to use in the redirect response. (`Int`). - - - -### Ref - - -Reference to another volterra object is shown like below - -name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - -namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). - -tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). - - - -### Request Matcher Cookie Matchers - - Note that all specified cookie matcher predicates must evaluate to true.. - -`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). - - - -###### One of the arguments from this list "check_not_present, item, presence, check_present" must be set - -`check_not_present` - (Optional) Check that the cookie is not present. (`Bool`). - - -`check_present` - (Optional) Check that the cookie is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the cookie is present or absent. (`Bool`).(Deprecated) - - -`name` - (Required) A case-sensitive cookie name. (`String`). - - - -### Request Matcher Headers - - Note that all specified header predicates must evaluate to true.. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - - - -###### One of the arguments from this list "presence, check_present, check_not_present, item" must be set - -`check_not_present` - (Optional) Check that the header is not present. (`Bool`). - - -`check_present` - (Optional) Check that the header is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. 
See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the header is present or absent. (`Bool`).(Deprecated) - - -`name` - (Required) A case-insensitive HTTP header name. (`String`). - - - -### Request Matcher Jwt Claims - - Note that this feature only works on LBs with JWT Validation feature enabled.. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - - - -###### One of the arguments from this list "check_present, check_not_present, item" must be set - -`check_not_present` - (Optional) Check that the JWT Claim is not present. (`Bool`). - - -`check_present` - (Optional) Check that the JWT Claim is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the JWT Claim. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`name` - (Required) JWT claim name. (`String`). - - - -### Request Matcher Query Params - - Note that all specified query parameter predicates must evaluate to true.. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`key` - (Required) A case-sensitive HTTP query parameter name. (`String`). - - - -###### One of the arguments from this list "item, presence, check_present, check_not_present" must be set - -`check_not_present` - (Optional) Check that the query parameter is not present. (`Bool`). - - -`check_present` - (Optional) Check that the query parameter is present. (`Bool`). - - -`item` - (Optional) criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the query parameter is present or absent. (`Bool`).(Deprecated) - - - - -### Request Timeout Choice Disable Request Timeout - - x-displayName: "No Timeout". - - - -### Response Validation Mode Choice Response Validation Mode Active - - Enforce OpenAPI validation processing for this event. 
- -`response_validation_properties` - (Required) List of properties of the response to validate according to the OpenAPI specification file (a.k.a. swagger) (`List of Strings`). - - - -###### One of the arguments from this list "enforcement_report, enforcement_block" must be set - -`enforcement_block` - (Optional) Block the response, trigger an API security event (`Bool`). - - -`enforcement_report` - (Optional) Allow the response, trigger an API security event (`Bool`). - - - - -### Response Validation Mode Choice Skip Response Validation - - Skip OpenAPI validation processing for this event. - - - -### Retry Policy Back Off - - 10 times the base interval. - -`base_interval` - (Optional) Specifies the base interval between retries in milliseconds (`Int`). - -`max_interval` - (Optional) to the base_interval if set. The default is 10 times the base_interval. (`Int`). - - - -### Retry Policy Choice Default Retry Policy - - Use system default retry policy. - - - -### Retry Policy Choice No Retry Policy - - Do not configure retry policy. - - - -### Retry Policy Choice Retry Policy - - Configure custom retry policy. - -`back_off` - (Optional) 10 times the base interval. See [Retry Policy Back Off ](#retry-policy-back-off) below for details. - -`num_retries` - (Optional) is used between each retry (`Int`). - -`per_try_timeout` - (Optional) Specifies a non-zero timeout per retry attempt. In milliseconds (`Int`). - -`retriable_status_codes` - (Optional) HTTP status codes that should trigger a retry in addition to those specified by retry_on. (`Int`). - -`retry_condition` - (Required) (disconnect/reset/read timeout.) (`String`). - -`retry_on` - (Optional) matching one defined in retriable_status_codes field (`String`).(Deprecated) - - - -### Rewrite Choice Disable Prefix Rewrite - - Do not rewrite any path portion.. - - - -### Rewrite Choice Regex Rewrite - - with the substitution value.. 
- -`pattern` - (Optional) The regular expression used to find portions of a string that should be replaced. (`String`). - -`substitution` - (Optional) substitution operation to produce a new string. (`String`). - - - -### Ring Hash Hash Policy - - route the request. - - - -###### One of the arguments from this list "header_name, cookie, source_ip" must be set - -`cookie` - (Optional) Hash based on cookie. See [Policy Specifier Cookie ](#policy-specifier-cookie) below for details. - - -`header_name` - (Optional) The name or key of the request header that will be used to obtain the hash key (`String`). - - -`source_ip` - (Optional) Hash based on source IP address (`Bool`). - - -`terminal` - (Optional) Specify if its a terminal policy (`Bool`). - - - -### Rule List Rules - - these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions. - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. - -`spec` - (Required) Specification for the rule including match predicates and actions.. See [Rules Spec ](#rules-spec) below for details. - - - -### Rules Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. (`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Rules Path - - URI path matcher.. - - - -###### One of the arguments from this list "prefix, path, regex" must be set - -`path` - (Optional) Exact path value to match (`String`). - - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. 
the value .* will match on all paths) (`String`). - - - - -### Rules Spec - - Specification for the rule including match predicates and actions.. - -`arg_matchers` - (Optional)arg_matchers. See [Spec Arg Matchers ](#spec-arg-matchers) below for details. - - - - -###### One of the arguments from this list "any_asn, asn_list, asn_matcher" can be set - -`any_asn` - (Optional)any_asn (`Bool`). - - -`asn_list` - (Optional)asn_list. See [Asn Choice Asn List ](#asn-choice-asn-list) below for details. - - -`asn_matcher` - (Optional)asn_matcher. See [Asn Choice Asn Matcher ](#asn-choice-asn-matcher) below for details. - - -`body_matcher` - (Optional)body_matcher. See [Spec Body Matcher ](#spec-body-matcher) below for details. - - - -###### One of the arguments from this list "disable_challenge, enable_javascript_challenge, enable_captcha_challenge" must be set - -`disable_challenge` - (Optional) Disable the challenge type selected in PolicyBasedChallenge (`Bool`). - - -`enable_captcha_challenge` - (Optional) Enable captcha challenge (`Bool`). - - -`enable_javascript_challenge` - (Optional) Enable javascript challenge (`Bool`). - - - - - -###### One of the arguments from this list "any_client, client_name, client_selector, client_name_matcher" can be set - -`any_client` - (Optional)any_client (`Bool`). - - -`client_name` - (Optional)client_name (`String`).(Deprecated) - - -`client_name_matcher` - (Optional)client_name_matcher. See [Client Choice Client Name Matcher ](#client-choice-client-name-matcher) below for details.(Deprecated) - - -`client_selector` - (Optional)client_selector. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - - -`cookie_matchers` - (Optional)cookie_matchers. See [Spec Cookie Matchers ](#spec-cookie-matchers) below for details. - -`domain_matcher` - (Optional)domain_matcher. See [Spec Domain Matcher ](#spec-domain-matcher) below for details. - -`expiration_timestamp` - (Optional)expiration_timestamp (`String`). 
- -`headers` - (Optional)headers. See [Spec Headers ](#spec-headers) below for details. - -`http_method` - (Optional)http_method. See [Spec Http Method ](#spec-http-method) below for details. - - - - -###### One of the arguments from this list "any_ip, ip_prefix_list, ip_matcher" can be set - -`any_ip` - (Optional)any_ip (`Bool`). - - -`ip_matcher` - (Optional)ip_matcher. See [Ip Choice Ip Matcher ](#ip-choice-ip-matcher) below for details. - - -`ip_prefix_list` - (Optional)ip_prefix_list. See [Ip Choice Ip Prefix List ](#ip-choice-ip-prefix-list) below for details. - - -`path` - (Optional)path. See [Spec Path ](#spec-path) below for details. - -`query_params` - (Optional)query_params. See [Spec Query Params ](#spec-query-params) below for details. - -`tls_fingerprint_matcher` - (Optional)tls_fingerprint_matcher. See [Spec Tls Fingerprint Matcher ](#spec-tls-fingerprint-matcher) below for details. - - - -### Samesite Ignore Samesite - - Ignore Samesite attribute. - - - -### Samesite Samesite Lax - - Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests. - - - -### Samesite Samesite None - - Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests. - - - -### Samesite Samesite Strict - - Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests. - - - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). 
- - - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. - -`provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - -`url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). - - - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. - -`key` - (Optional) If not provided entire secret will be returned. (`String`). - -`location` - (Required) Path to secret in Vault. (`String`). - -`provider` - (Required) Name of the Secret Management Access object that contains information about the backend Vault. (`String`). - -`secret_encoding` - (Optional) This field defines the encoding type of the secret BEFORE the secret is put into Hashicorp Vault. (`String`). - -`version` - (Optional) If not provided latest version will be returned. (`Int`). - - - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. - -`name` - (Required) Name of the secret. (`String`). - - - -### Secret Value Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Section Choice All Request Sections - - x-displayName: "All Request". - - - -### Section Choice All Response Sections - - x-displayName: "All Response". - - - -### Section Choice All Sections - - x-displayName: "All Request & Response". - - - -### Section Choice Custom Sections - - x-displayName: "Custom Sections". 
- -`custom_sections` - (Required) Request & Response Sections. (`List of Strings`). - - - -### Secure Add Secure - - Add secure attribute. - - - -### Secure Ignore Secure - - Ignore secure attribute. - - - -### Selector Choice Client Selector - - The predicate evaluates to true if the expressions in the label selector are true for the client labels.. - -`expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). - - - -### Selector Choice None - - No Label Selector. - - - -### Send Headers Choice Append Headers - - Append mitigation headers.. - -`auto_type_header_name` - (Required) A case-insensitive HTTP header name. (`String`). - -`inference_header_name` - (Required) A case-insensitive HTTP header name. (`String`). - - - -### Send Headers Choice No Headers - - No mitigation headers.. - - - -### Sensitive Data Detection Rules Custom Sensitive Data Detection Rules - - Rules to detect custom sensitive data in requests and/or responses sections.. - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Custom Sensitive Data Detection Rules Metadata ](#custom-sensitive-data-detection-rules-metadata) below for details. - -`sensitive_data_detection_config` - (Required) The custom data detection config specifies targets, scopes & the pattern to be detected.. See [Custom Sensitive Data Detection Rules Sensitive Data Detection Config ](#custom-sensitive-data-detection-rules-sensitive-data-detection-config) below for details. - -`sensitive_data_type` - (Required) If the pattern is detected, the request is labeled with specified sensitive data type.. See [Custom Sensitive Data Detection Rules Sensitive Data Type ](#custom-sensitive-data-detection-rules-sensitive-data-type) below for details. - - - -### Sensitive Data Detection Rules Disabled Built In Rules - - List of disabled built-in sensitive data detection rules.. - -`name` - (Required) Built-in rule for sensitive data detection. 
(`String`). - - - -### Sensitive Data Disclosure Rules Sensitive Data Types In Response - - Settings to mask sensitive data in response body . - -`body` - (Optional) x-displayName: "Json fields". See [Sensitive Data Types In Response Body ](#sensitive-data-types-in-response-body) below for details. - - - -###### One of the arguments from this list "mask, report" must be set - -`mask` - (Optional) x-displayName: "Mask Sensitive Data" (`Bool`). - - -`report` - (Optional) x-displayName: "Report Sensitive Data" (`Bool`). - - -`metadata` - (Required) Common attributes for the rule including name and description.. See [Sensitive Data Types In Response Metadata ](#sensitive-data-types-in-response-metadata) below for details. - - - -###### One of the arguments from this list "api_endpoint, base_path, api_group" must be set - -`api_endpoint` - (Optional) The API endpoint (Path + Method) which this validation applies to. See [Type Condition Type Choice Api Endpoint ](#type-condition-type-choice-api-endpoint) below for details. - - -`api_group` - (Optional) The API group which this validation applies to (`String`).(Deprecated) - - -`base_path` - (Optional) The base path which this validation applies to (`String`).(Deprecated) - - - - -### Sensitive Data Policy Choice Sensitive Data Policy - - Apply custom sensitive data discovery. - -`sensitive_data_policy_ref` - (Required) Specify Sensitive Data Discovery. See [ref](#ref) below for details. - - - -### Sensitive Data Types In Response Body - - x-displayName: "Json fields". - -`fields` - (Required) List of JSONPath field values (`String`). - - - -### Sensitive Data Types In Response Metadata - - Common attributes for the rule including name and description.. - -`description` - (Optional) Human readable description. (`String`). - -`disable` - (Optional) A value of true will administratively disable the object that corresponds to the containing message. 
(`Bool`).(Deprecated) - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - - -### Server Header Choice Default Header - - Response header name is “server” and value is “volt-adc”. - - - -### Server Header Choice Pass Through - - Pass existing server header as is. If server header is absent, a new header is not appended.. - - - -### Server Url Rules Client Matcher - - Conditions related to the origin of the request, such as client IP, TLS fingerprint, etc.. - - - -###### One of the arguments from this list "any_client, ip_threat_category_list, client_selector" must be set - -`any_client` - (Optional) Any Client (`Bool`). - - -`client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - - -`ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - - - - -###### One of the arguments from this list "any_ip, ip_prefix_list, ip_matcher, asn_list, asn_matcher" must be set - -`any_ip` - (Optional) Any Source IP (`Bool`). - - -`asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Ip Asn Choice Asn List ](#ip-asn-choice-asn-list) below for details. - - -`asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. See [Ip Asn Choice Asn Matcher ](#ip-asn-choice-asn-matcher) below for details. - - -`ip_matcher` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes in the IP Prefix Sets.. See [Ip Asn Choice Ip Matcher ](#ip-asn-choice-ip-matcher) below for details. 
- - -`ip_prefix_list` - (Optional) The predicate evaluates to true if the client IP Address is covered by one or more of the IP Prefixes from the list.. See [Ip Asn Choice Ip Prefix List ](#ip-asn-choice-ip-prefix-list) below for details. - - -`tls_fingerprint_matcher` - (Optional) The predicate evaluates to true if the TLS fingerprint matches any of the exact values or classes of known TLS fingerprints.. See [Client Matcher Tls Fingerprint Matcher ](#client-matcher-tls-fingerprint-matcher) below for details. - - - -### Server Url Rules Request Matcher - - Conditions related to the request, such as query parameters, headers, etc.. - -`cookie_matchers` - (Optional) Note that all specified cookie matcher predicates must evaluate to true.. See [Request Matcher Cookie Matchers ](#request-matcher-cookie-matchers) below for details. - -`headers` - (Optional) Note that all specified header predicates must evaluate to true.. See [Request Matcher Headers ](#request-matcher-headers) below for details. - -`jwt_claims` - (Optional) Note that this feature only works on LBs with JWT Validation feature enabled.. See [Request Matcher Jwt Claims ](#request-matcher-jwt-claims) below for details. - -`query_params` - (Optional) Note that all specified query parameter predicates must evaluate to true.. See [Request Matcher Query Params ](#request-matcher-query-params) below for details. - - - -### Server Validation Choice Skip Server Verification - - Skip origin server verification. - - - -### Server Validation Choice Use Server Verification - - Perform origin server verification using the provided Root CA Certificate. - - - -###### One of the arguments from this list "trusted_ca_url, trusted_ca" must be set - -`trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Origin Pool for verification of server's certificate. See [ref](#ref) below for details. 
- - -`trusted_ca_url` - (Optional) Upload a Root CA Certificate specifically for this Origin Pool for verification of server's certificate (`String`). - - - - -### Server Validation Choice Volterra Trusted Ca - - Perform origin server verification using F5XC Default Root CA Certificate. - - - -### Service Info Service Selector - - discovery has to happen. This implicit label is added to service_selector. - -`expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). - - - -### Service Policy Choice Active Service Policies - - Apply the specified list of service policies and bypass the namespace service policy set. - -`policies` - (Required) If all policies are evaluated and none match, then the request will be denied by default.. See [ref](#ref) below for details. - - - -### Simple Route Advanced Options - - Configure Advanced per route options. - - - - -###### One of the arguments from this list "inherited_bot_defense_javascript_injection, bot_defense_javascript_injection" can be set - -`bot_defense_javascript_injection` - (Optional) Configuration for Bot Defense JavaScript Injection. See [Bot Defense Javascript Injection Choice Bot Defense Javascript Injection ](#bot-defense-javascript-injection-choice-bot-defense-javascript-injection) below for details. - - -`inherited_bot_defense_javascript_injection` - (Optional) Hence no custom configuration is applied on the route (`Bool`). - - - - -###### One of the arguments from this list "common_buffering, buffer_policy" must be set - -`buffer_policy` - (Optional) Route level buffer configuration overrides any configuration at VirtualHost level.. See [Buffer Choice Buffer Policy ](#buffer-choice-buffer-policy) below for details. - - -`common_buffering` - (Optional) Use common buffering configuration (`Bool`). - - - - -###### One of the arguments from this list "retract_cluster, do_not_retract_cluster" must be set - -`do_not_retract_cluster` - (Optional) configuration. 
(`Bool`). - - -`retract_cluster` - (Optional) for route (`Bool`). - - -`cors_policy` - (Optional) resources from a server at a different origin. See [Advanced Options Cors Policy ](#advanced-options-cors-policy) below for details. - -`csrf_policy` - (Optional) Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. See [Advanced Options Csrf Policy ](#advanced-options-csrf-policy) below for details. - -`disable_location_add` - (Optional) virtual-host level. This configuration is ignored on CE sites. (`Bool`). - -`endpoint_subsets` - (Optional) upstream origin pool which match this metadata will be selected for load balancing (`String`). - - - -###### One of the arguments from this list "common_hash_policy, specific_hash_policy" must be set - -`common_hash_policy` - (Optional) Use load balancer hash policy for this route (`Bool`). - - -`specific_hash_policy` - (Optional) Configure hash policy specific for this route. See [Hash Policy Choice Specific Hash Policy ](#hash-policy-choice-specific-hash-policy) below for details. - - - - -###### One of the arguments from this list "disable_mirroring, mirror_policy" must be set - -`disable_mirroring` - (Optional) Disable Mirroring of request (`Bool`). - - -`mirror_policy` - (Optional) useful for logging. For example, *cluster1* becomes *cluster1-shadow*.. See [Mirroring Choice Mirror Policy ](#mirroring-choice-mirror-policy) below for details. - - -`priority` - (Optional) Also, circuit-breaker configuration at destination cluster is chosen based on the route priority. (`String`). - -`request_headers_to_add` - (Optional) Headers are key-value pairs to be added to HTTP request being routed towards upstream.. See [Advanced Options Request Headers To Add ](#advanced-options-request-headers-to-add) below for details. 
- -`request_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP request being sent towards upstream. (`String`). - -`response_headers_to_add` - (Optional) Headers are key-value pairs to be added to HTTP response being sent towards downstream.. See [Advanced Options Response Headers To Add ](#advanced-options-response-headers-to-add) below for details. - -`response_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP response being sent towards downstream. (`String`). - - - -###### One of the arguments from this list "default_retry_policy, no_retry_policy, retry_policy" must be set - -`default_retry_policy` - (Optional) Use system default retry policy (`Bool`). - - -`no_retry_policy` - (Optional) Do not configure retry policy (`Bool`). - - -`retry_policy` - (Optional) Configure custom retry policy. See [Retry Policy Choice Retry Policy ](#retry-policy-choice-retry-policy) below for details. - - - - -###### One of the arguments from this list "disable_prefix_rewrite, prefix_rewrite, regex_rewrite" must be set - -`disable_prefix_rewrite` - (Optional) Do not rewrite any path portion. (`Bool`). - - -`prefix_rewrite` - (Optional) the query string) will be swapped with this value. (`String`). - - -`regex_rewrite` - (Optional) with the substitution value.. See [Rewrite Choice Regex Rewrite ](#rewrite-choice-regex-rewrite) below for details. - - - - -###### One of the arguments from this list "disable_spdy, enable_spdy" must be set - -`disable_spdy` - (Optional) SPDY upgrade is disabled (`Bool`). - - -`enable_spdy` - (Optional) SPDY upgrade is enabled (`Bool`). - - -`timeout` - (Optional) Should be set to a high value or 0 (infinite timeout) for server-side streaming. (`Int`). - - - - -###### One of the arguments from this list "inherited_waf, app_firewall, disable_waf" can be set - -`app_firewall` - (Optional) Reference to App Firewall configuration object. See [ref](#ref) below for details. 
- - -`disable_waf` - (Optional) App Firewall configuration that is configured in the Load Balancer will not be enforced on this route (`Bool`). - - -`inherited_waf` - (Optional) Hence no custom configuration is applied on the route (`Bool`). - - - - -###### One of the arguments from this list "disable_web_socket_config, web_socket_config" must be set - -`disable_web_socket_config` - (Optional) Websocket upgrade is disabled (`Bool`). - - -`web_socket_config` - (Optional) Upgrade to Websocket for this route. See [Websocket Choice Web Socket Config ](#websocket-choice-web-socket-config) below for details. - - - - -### Simple Route Headers - - List of (key, value) headers. - -`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). - -`name` - (Required) Name of the header (`String`). - - - - -###### One of the arguments from this list "exact, regex, presence" can be set - -`exact` - (Optional) Header value to match exactly (`String`). - - -`presence` - (Optional) If true, check for presence of header (`Bool`). - - -`regex` - (Optional) Regex match of the header value in re2 format (`String`). - - - - -### Simple Route Incoming Port - - The port on which the request is received. - - - - -###### One of the arguments from this list "port, port_ranges, no_port_match" can be set - -`no_port_match` - (Optional) Disable matching of ports (`Bool`). - - -`port` - (Optional) Exact Port to match (`Int`). - - -`port_ranges` - (Optional) Port range to match (`String`). - - - - -### Simple Route Origin Pools - - Origin Pools for this route. - -`endpoint_subsets` - (Optional) upstream origin pool which match this metadata will be selected for load balancing (`String`). - - - -###### One of the arguments from this list "pool, cluster" must be set - -`cluster` - (Optional) More flexible, advanced feature control with cluster. See [ref](#ref) below for details. 
- - -`pool` - (Optional) Simple, commonly used pool parameters with origin pool. See [ref](#ref) below for details. - - -`priority` - (Optional) made active as per the increasing priority. (`Int`). - -`weight` - (Optional) Weight of this origin pool, valid only with multiple origin pool. Value of 0 will disable the pool (`Int`). - - - -### Simple Route Path - - URI path of route. - - - -###### One of the arguments from this list "prefix, path, regex" must be set - -`path` - (Optional) Exact path value to match (`String`). - - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - - - - -### Slow Ddos Mitigation Choice Slow Ddos Mitigation - - Custom Settings for Slow DDoS Mitigation. - -`request_headers_timeout` - (Optional) provides protection against Slowloris attacks. (`Int`). - - - -###### One of the arguments from this list "request_timeout, disable_request_timeout" must be set - -`disable_request_timeout` - (Optional) x-displayName: "No Timeout" (`Bool`). - - -`request_timeout` - (Optional) x-example: "60000" (`Int`). - - - - -### Sni Choice Disable Sni - - Do not use SNI.. - - - -### Sni Choice Use Host Header As Sni - - Use the host header as SNI. The host header value is extracted after any configured rewrites have been applied.. - - - -### Spdy Choice Disable Spdy - - SPDY upgrade is disabled. - - - -### Spdy Choice Enable Spdy - - SPDY upgrade is enabled. - - - -### Spec Arg Matchers - -arg_matchers. - -`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). - - - -###### One of the arguments from this list "item, presence, check_present, check_not_present" must be set - -`check_not_present` - (Optional) Check that the argument is not present. (`Bool`). - - -`check_present` - (Optional) Check that the argument is present. (`Bool`). 
- - -`item` - (Optional) Criteria for matching the values for the Arg. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the arg is present or absent. (`Bool`).(Deprecated) - - -`name` - (Required) A case-sensitive JSON path in the HTTP request body. (`String`). - - - -### Spec Body Matcher - -body_matcher. - -`exact_values` - (Optional) A list of exact values to match the input against. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - -`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - - - -### Spec Cookie Matchers - -cookie_matchers. - -`invert_matcher` - (Optional) Invert Match of the expression defined (`Bool`). - - - -###### One of the arguments from this list "presence, check_present, check_not_present, item" must be set - -`check_not_present` - (Optional) Check that the cookie is not present. (`Bool`). - - -`check_present` - (Optional) Check that the cookie is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the cookie. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the cookie is present or absent. (`Bool`).(Deprecated) - - -`name` - (Required) A case-sensitive cookie name. (`String`). - - - -### Spec Domain Matcher - -domain_matcher. - -`exact_values` - (Optional) A list of exact values to match the input against. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - - - -### Spec Headers - -headers. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). 
- - - -###### One of the arguments from this list "presence, check_present, check_not_present, item" must be set - -`check_not_present` - (Optional) Check that the header is not present. (`Bool`). - - -`check_present` - (Optional) Check that the header is present. (`Bool`). - - -`item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the header is present or absent. (`Bool`).(Deprecated) - - -`name` - (Required) A case-insensitive HTTP header name. (`String`). - - - -### Spec Http Method - -http_method. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`methods` - (Optional) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). - - - -### Spec Path - -path. - -`exact_values` - (Optional) A list of exact path values to match the input HTTP path against. (`String`). - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`prefix_values` - (Optional) A list of path prefix values to match the input HTTP path against. (`String`). - -`regex_values` - (Optional) A list of regular expressions to match the input HTTP path against. (`String`). - -`suffix_values` - (Optional) A list of path suffix values to match the input HTTP path against. (`String`). - -`transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - - - -### Spec Query Params - -query_params. - -`invert_matcher` - (Optional) Invert the match result. (`Bool`). - -`key` - (Required) A case-sensitive HTTP query parameter name. (`String`). - - - -###### One of the arguments from this list "presence, check_present, check_not_present, item" must be set - -`check_not_present` - (Optional) Check that the query parameter is not present. (`Bool`). 
- - -`check_present` - (Optional) Check that the query parameter is present. (`Bool`). - - -`item` - (Optional) criteria in the matcher.. See [Match Item ](#match-item) below for details. - - -`presence` - (Optional) Check if the query parameter is present or absent. (`Bool`).(Deprecated) - - - - -### Spec Tls Fingerprint Matcher - -tls_fingerprint_matcher. - -`classes` - (Optional) A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against. (`List of Strings`). - -`exact_values` - (Optional) A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against. (`String`). - -`excluded_values` - (Optional) or more known TLS fingerprint classes in the enclosing matcher. (`String`). - - - -### Specific Hash Policy Hash Policy - - route the request. - - - -###### One of the arguments from this list "header_name, cookie, source_ip" must be set - -`cookie` - (Optional) Hash based on cookie. See [Policy Specifier Cookie ](#policy-specifier-cookie) below for details. - - -`header_name` - (Optional) The name or key of the request header that will be used to obtain the hash key (`String`). - - -`source_ip` - (Optional) Hash based on source IP address (`Bool`). - - -`terminal` - (Optional) Specify if its a terminal policy (`Bool`). - - - -### Strict Sni Host Header Check Choice Additional Domains - - Wildcard names are supported in the suffix or prefix form. - -`domains` - (Required) Wildcard names are supported in the suffix or prefix form. (`String`). - - - -### Strict Sni Host Header Check Choice Enable Strict Sni Host Header Check - - Enable strict SNI and Host header check. - - - -### Subset Choice Disable Subsets - - Subset load balancing is disabled. All eligible origin servers will be considered for load balancing.. - - - -### Subset Choice Enable Subsets - - Subset load balancing is enabled. Based on route, subset of origin servers will be considered for load balancing.. 
- -`endpoint_subsets` - (Required) List of subset class. Subsets class is defined using list of keys. Every unique combination of values of these keys form a subset withing the class.. See [Enable Subsets Endpoint Subsets ](#enable-subsets-endpoint-subsets) below for details. - - - -###### One of the arguments from this list "any_endpoint, default_subset, fail_request" must be set - -`any_endpoint` - (Optional) Select any origin server from available healthy origin servers in this pool (`Bool`). - - -`default_subset` - (Optional) Use the default subset provided here. Select endpoints matching default subset.. See [Fallback Policy Choice Default Subset ](#fallback-policy-choice-default-subset) below for details. - - -`fail_request` - (Optional) Request will be failed and error returned, as if cluster has no origin servers. (`Bool`). - - - - -### Target All Endpoint - - Validation will be performed for all requests on this LB. - - - -### Target Api Groups - - Validation will be performed for the endpoints mentioned in the API Groups. - -`api_groups` - (Required) x-required (`String`). - - - -### Target Base Paths - - Validation will be performed for selected path prefixes. - -`base_paths` - (Required) x-required (`String`). - - - -### Target Choice Any Target - - The rule will be applied for all requests on this LB.. - - - -### Target Choice Api Endpoint Target - - The rule is applied only for the specified api endpoints.. - -`api_endpoint_path` - (Required) The rule is applied only for the specified api endpoints. (`String`). - -`methods` - (Required) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). - - - -### Temporary Blocking Parameters Choice Default Temporary Blocking Parameters - - Use default parameters. - - - -### Temporary Blocking Parameters Choice Temporary User Blocking - - Specifies configuration for temporary user blocking resulting from malicious user detection. - -`custom_page` - (Optional) E.g. "

Blocked

". Base64 encoded string for this html is "PHA+IFBsZWFzZSBXYWl0IDwvcD4=" (`String`). - - - -### Tls Cert Params Tls Config - - Configuration of TLS settings such as min/max TLS version and ciphersuites. - - - -###### One of the arguments from this list "default_security, medium_security, low_security, custom_security" must be set - -`custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - - -`default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - - -`low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - - -`medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). - - - - -### Tls Certificates Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "clear_secret_info, wingman_secret_info, blindfold_secret_info, vault_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. 
- - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Tls Certificates Choice Tls Cert Params - - Select/Add one or more TLS Certificate objects to associate with this Load Balancer. - -`certificates` - (Required) Select one or more certificates with any domain names.. See [ref](#ref) below for details. - - - -###### One of the arguments from this list "no_mtls, use_mtls" must be set - -`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - - -`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - - -`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Tls Cert Params Tls Config ](#tls-cert-params-tls-config) below for details. - - - -### Tls Certificates Choice Tls Parameters - - Upload a TLS certificate covering all domain names for this Load Balancer. - - - -###### One of the arguments from this list "no_mtls, use_mtls" must be set - -`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - - -`use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - - -`tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Tls Parameters Tls Certificates ](#tls-parameters-tls-certificates) below for details. - -`tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Tls Parameters Tls Config ](#tls-parameters-tls-config) below for details. 
- - - -### Tls Choice No Tls - - x-displayName: "Disable". - - - -### Tls Choice Use Tls - - x-displayName: "Enable". - - - -###### One of the arguments from this list "max_session_keys, default_session_key_caching, disable_session_key_caching" must be set - -`default_session_key_caching` - (Optional) Default session key caching. Only one session key will be cached. (`Bool`). - - -`disable_session_key_caching` - (Optional) Disable session key caching. This will disable TLS session resumption. (`Bool`). - - -`max_session_keys` - (Optional) Number of session keys that are cached. (`Int`). - - - - -###### One of the arguments from this list "use_mtls, use_mtls_obj, no_mtls" must be set - -`no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - - -`use_mtls` - (Optional) x-displayName: "Upload a client authentication certificate specifically for this Origin Pool". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - - -`use_mtls_obj` - (Optional) x-displayName: "Select/add a TLS Certificate object for client authentication". See [ref](#ref) below for details. - - - - -###### One of the arguments from this list "use_server_verification, skip_server_verification, volterra_trusted_ca" must be set - -`skip_server_verification` - (Optional) Skip origin server verification (`Bool`). - - -`use_server_verification` - (Optional) Perform origin server verification using the provided Root CA Certificate. See [Server Validation Choice Use Server Verification ](#server-validation-choice-use-server-verification) below for details. - - -`volterra_trusted_ca` - (Optional) Perform origin server verification using F5XC Default Root CA Certificate (`Bool`). - - - - -###### One of the arguments from this list "use_host_header_as_sni, disable_sni, sni" must be set - -`disable_sni` - (Optional) Do not use SNI. (`Bool`). - - -`sni` - (Optional) SNI value to be used. (`String`). - - -`use_host_header_as_sni` - (Optional) Use the host header as SNI. 
The host header value is extracted after any configured rewrites have been applied. (`Bool`). - - -`tls_config` - (Required) TLS parameters such as min/max TLS version and ciphers. See [Use Tls Tls Config ](#use-tls-tls-config) below for details. - - - -### Tls Parameters Tls Certificates - - for example, domain.com and *.domain.com - but use different signature algorithms. +for example, domain.com and *.domain.com - but use different signature algorithms. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "use_system_defaults, disable_ocsp_stapling, custom_hash_algorithms" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. 
See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Tls Parameters Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. -### Tls Parameters Tls Config - - Configuration of TLS settings such as min/max TLS version and ciphersuites. - - - -###### One of the arguments from this list "custom_security, default_security, medium_security, low_security" must be set +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set `custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - `default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - `low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - `medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### Token Location Bearer Token +Token is found in Authorization HTTP header with Bearer authentication scheme. +### Transaction Result Failure Conditions -### Token Location Bearer Token - - Token is found in Authorization HTTP header with Bearer authentication scheme. - - - -### Transaction Result Failure Conditions - - Failure Conditions. +Failure Conditions. `name` - (Optional) A case-insensitive HTTP header name. (`String`). @@ -11749,11 +5428,9 @@ tls_fingerprint_matcher. `status` - (Required) HTTP Status code (`String`). +### Transaction Result Success Conditions - -### Transaction Result Success Conditions - - Success Conditions. +Success Conditions. `name` - (Optional) A case-insensitive HTTP header name. (`String`). 
@@ -11761,35 +5438,27 @@ tls_fingerprint_matcher. `status` - (Required) HTTP Status code (`String`). +### Transaction Result Choice Disable Transaction Result +Disable collection of transaction result.. -### Transaction Result Choice Disable Transaction Result - - Disable collection of transaction result.. - +### Transaction Result Choice Transaction Result - -### Transaction Result Choice Transaction Result - - Collect transaction result.. +Collect transaction result.. `failure_conditions` - (Optional) Failure Conditions. See [Transaction Result Failure Conditions ](#transaction-result-failure-conditions) below for details. `success_conditions` - (Optional) Success Conditions. See [Transaction Result Success Conditions ](#transaction-result-success-conditions) below for details. +### Trust Client Ip Headers Choice Enable Trust Client Ip Headers - -### Trust Client Ip Headers Choice Enable Trust Client Ip Headers - - x-displayName: "Enable". +x-displayName: "Enable". `client_ip_headers` - (Required) For X-Forwarded-For header, the system will read the IP address(rightmost - 1), as the client ip (`String`). +### Trusted Clients Metadata - -### Trusted Clients Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
@@ -11797,382 +5466,249 @@ tls_fingerprint_matcher. `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Type Condition Type Choice Api Endpoint - -### Type Condition Type Choice Api Endpoint - - The API endpoint (Path + Method) which this validation applies to. +The API endpoint (Path + Method) which this validation applies to. `methods` - (Optional) Methods to be matched (`List of Strings`). `path` - (Required) Path to be matched (`String`). +### Use Mtls Tls Certificates - -### Use Mtls Tls Certificates - - mTLS Client Certificate. +mTLS Client Certificate. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "use_system_defaults, disable_ocsp_stapling, custom_hash_algorithms" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. 
The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Use Tls Tls Config +TLS parameters such as min/max TLS version and ciphers. -### Use Tls Tls Config - - TLS parameters such as min/max TLS version and ciphers. - - - -###### One of the arguments from this list "default_security, medium_security, low_security, custom_security" must be set +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set `custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - `default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - `low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - `medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### V6 Vip Choice Default V6 Vip +Use the default VIP, system allocated or configured in the virtual network. +### Validate Period Validate Period Disable -### V6 Vip Choice Default V6 Vip - - Use the default VIP, system allocated or configured in the virtual network. - - - -### Validate Period Validate Period Disable - - x-displayName: "Disable". +x-displayName: "Disable". +### Validate Period Validate Period Enable +x-displayName: "Enable". -### Validate Period Validate Period Enable - - x-displayName: "Enable". - - - -### Validation All Spec Endpoints Fall Through Mode - - Determine what to do with unprotected endpoints (not part of the API Inventory or doesn't have a specific rule in custom rules). - +### Validation All Spec Endpoints Fall Through Mode +Determine what to do with unprotected endpoints (not part of the API Inventory or doesn't have a specific rule in custom rules). 
###### One of the arguments from this list "fall_through_mode_allow, fall_through_mode_custom" must be set `fall_through_mode_allow` - (Optional) Allow any unprotected end point (`Bool`). - `fall_through_mode_custom` - (Optional) Custom rules for any unprotected end point. See [Fall Through Mode Choice Fall Through Mode Custom ](#fall-through-mode-choice-fall-through-mode-custom) below for details. +### Validation All Spec Endpoints Settings +OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. - -### Validation All Spec Endpoints Settings - - OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. - - - - -###### One of the arguments from this list "fail_open, fail_close" can be set +###### One of the arguments from this list "fail_close, fail_open" can be set `fail_close` - (Optional) Handle the transaction as it failed the OpenAPI specification validation (Block or Report) (`Bool`).(Deprecated) - `fail_open` - (Optional) Continue to process the transaction without enforcing OpenAPI specification (Allow) (`Bool`).(Deprecated) - - - - -###### One of the arguments from this list "oversized_body_skip_validation, oversized_body_fail_validation" can be set +###### One of the arguments from this list "oversized_body_fail_validation, oversized_body_skip_validation" can be set `oversized_body_fail_validation` - (Optional) Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb) (`Bool`). - `oversized_body_skip_validation` - (Optional) Skip body validation when the body length is too long to verify (default 64Kb) (`Bool`). 
- - - - -###### One of the arguments from this list "property_validation_settings_default, property_validation_settings_custom" can be set +###### One of the arguments from this list "property_validation_settings_custom, property_validation_settings_default" can be set `property_validation_settings_custom` - (Optional) Use custom settings with Open API specification validation. See [Property Validation Settings Choice Property Validation Settings Custom ](#property-validation-settings-choice-property-validation-settings-custom) below for details. - `property_validation_settings_default` - (Optional) Keep the default settings of OpenAPI specification validation (`Bool`). +### Validation All Spec Endpoints Validation Mode +When a validation mismatch occurs on a request to one of the API Inventory endpoints. - -### Validation All Spec Endpoints Validation Mode - - When a validation mismatch occurs on a request to one of the API Inventory endpoints. - - - -###### One of the arguments from this list "skip_response_validation, response_validation_mode_active" must be set +###### One of the arguments from this list "response_validation_mode_active, skip_response_validation" must be set `response_validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. See [Response Validation Mode Choice Response Validation Mode Active ](#response-validation-mode-choice-response-validation-mode-active) below for details. - `skip_response_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). - - - -###### One of the arguments from this list "validation_mode_active, skip_validation" must be set +###### One of the arguments from this list "skip_validation, validation_mode_active" must be set `skip_validation` - (Optional) Skip OpenAPI validation processing for this event (`Bool`). - `validation_mode_active` - (Optional) Enforce OpenAPI validation processing for this event. 
See [Validation Mode Choice Validation Mode Active ](#validation-mode-choice-validation-mode-active) below for details. +### Validation Custom List Fall Through Mode - - -### Validation Custom List Fall Through Mode - - Determine what to do with unprotected endpoints (not in the OpenAPI specification file (a.k.a. swagger) or doesn't have a specific rule in custom rules). - - +Determine what to do with unprotected endpoints (not in the OpenAPI specification file (a.k.a. swagger) or doesn't have a specific rule in custom rules). ###### One of the arguments from this list "fall_through_mode_allow, fall_through_mode_custom" must be set `fall_through_mode_allow` - (Optional) Allow any unprotected end point (`Bool`). - `fall_through_mode_custom` - (Optional) Custom rules for any unprotected end point. See [Fall Through Mode Choice Fall Through Mode Custom ](#fall-through-mode-choice-fall-through-mode-custom) below for details. +### Validation Custom List Open Api Validation Rules +x-displayName: "Validation List". - -### Validation Custom List Open Api Validation Rules - - x-displayName: "Validation List". - - - -###### One of the arguments from this list "api_group, api_endpoint, base_path" must be set +###### One of the arguments from this list "api_endpoint, api_group, base_path" must be set `api_endpoint` - (Optional) The API endpoint (Path + Method) which this validation applies to. See [Condition Type Choice Api Endpoint ](#condition-type-choice-api-endpoint) below for details. - `api_group` - (Optional) The API group which this validation applies to (`String`). - `base_path` - (Optional) The base path which this validation applies to (`String`). - - - ###### One of the arguments from this list "any_domain, specific_domain" must be set `any_domain` - (Optional) The rule will apply for all domains. (`Bool`). - `specific_domain` - (Optional) The rule will apply for a specific domain. (`String`). 
- `metadata` - (Required) Common attributes for the rule including name and description.. See [Open Api Validation Rules Metadata ](#open-api-validation-rules-metadata) below for details. -`validation_mode` - (Required) When a validation mismatch occurs on a request to one of the endpoints listed on the OpenAPI specification file (a.k.a. swagger). See [Open Api Validation Rules Validation Mode ](#open-api-validation-rules-validation-mode) below for details. - - - -### Validation Custom List Settings - - OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. +`validation_mode` - (Required) When a validation mismatch occurs on a request to one of the endpoints listed on the OpenAPI specification file (a.k.a. swagger). See [Open Api Validation Rules Validation Mode ](#open-api-validation-rules-validation-mode) below for details. +### Validation Custom List Settings +OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. - -###### One of the arguments from this list "fail_open, fail_close" can be set +###### One of the arguments from this list "fail_close, fail_open" can be set `fail_close` - (Optional) Handle the transaction as it failed the OpenAPI specification validation (Block or Report) (`Bool`).(Deprecated) - `fail_open` - (Optional) Continue to process the transaction without enforcing OpenAPI specification (Allow) (`Bool`).(Deprecated) - - - - -###### One of the arguments from this list "oversized_body_skip_validation, oversized_body_fail_validation" can be set +###### One of the arguments from this list "oversized_body_fail_validation, oversized_body_skip_validation" can be set `oversized_body_fail_validation` - (Optional) Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb) (`Bool`). 
- `oversized_body_skip_validation` - (Optional) Skip body validation when the body length is too long to verify (default 64Kb) (`Bool`). - - - - -###### One of the arguments from this list "property_validation_settings_default, property_validation_settings_custom" can be set +###### One of the arguments from this list "property_validation_settings_custom, property_validation_settings_default" can be set `property_validation_settings_custom` - (Optional) Use custom settings with Open API specification validation. See [Property Validation Settings Choice Property Validation Settings Custom ](#property-validation-settings-choice-property-validation-settings-custom) below for details. - `property_validation_settings_default` - (Optional) Keep the default settings of OpenAPI specification validation (`Bool`). +### Validation Enforcement Type Enforcement Block +Block the response, trigger an API security event. +### Validation Enforcement Type Enforcement Report -### Validation Enforcement Type Enforcement Block - - Block the response, trigger an API security event. - - - -### Validation Enforcement Type Enforcement Report +Allow the response, trigger an API security event. - Allow the response, trigger an API security event. +### Validation Mode Choice Skip Validation +Skip OpenAPI validation processing for this event. +### Validation Mode Choice Validation Mode Active -### Validation Mode Choice Skip Validation - - Skip OpenAPI validation processing for this event. - - - -### Validation Mode Choice Validation Mode Active - - Enforce OpenAPI validation processing for this event. +Enforce OpenAPI validation processing for this event. `request_validation_properties` - (Required) List of properties of the request to validate according to the OpenAPI specification file (a.k.a. swagger) (`List of Strings`). 
- - -###### One of the arguments from this list "enforcement_report, enforcement_block" must be set +###### One of the arguments from this list "enforcement_block, enforcement_report" must be set `enforcement_block` - (Optional) Block the request, trigger an API security event (`Bool`). - `enforcement_report` - (Optional) Allow the request, trigger an API security event (`Bool`). +### Validation Target Choice Validation All Spec Endpoints - - -### Validation Target Choice Validation All Spec Endpoints - - All other API endpoints would proceed according to "Fall Through Mode". +All other API endpoints would proceed according to "Fall Through Mode". `fall_through_mode` - (Required) Determine what to do with unprotected endpoints (not part of the API Inventory or doesn't have a specific rule in custom rules). See [Validation All Spec Endpoints Fall Through Mode ](#validation-all-spec-endpoints-fall-through-mode) below for details. - - - -###### One of the arguments from this list "oversized_body_skip_validation, oversized_body_fail_validation" can be set +###### One of the arguments from this list "oversized_body_fail_validation, oversized_body_skip_validation" can be set `oversized_body_fail_validation` - (Optional) Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb) (`Bool`).(Deprecated) - `oversized_body_skip_validation` - (Optional) Skip body validation when the body length is too long to verify (default 64Kb) (`Bool`).(Deprecated) - `settings` - (Optional) OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. See [Validation All Spec Endpoints Settings ](#validation-all-spec-endpoints-settings) below for details. -`validation_mode` - (Required) When a validation mismatch occurs on a request to one of the API Inventory endpoints. 
See [Validation All Spec Endpoints Validation Mode ](#validation-all-spec-endpoints-validation-mode) below for details. +`validation_mode` - (Required) When a validation mismatch occurs on a request to one of the API Inventory endpoints. See [Validation All Spec Endpoints Validation Mode ](#validation-all-spec-endpoints-validation-mode) below for details. +### Validation Target Choice Validation Custom List - -### Validation Target Choice Validation Custom List - - Any other end-points not listed will act according to "Fall Through Mode". +Any other end-points not listed will act according to "Fall Through Mode". `fall_through_mode` - (Required) Determine what to do with unprotected endpoints (not in the OpenAPI specification file (a.k.a. swagger) or doesn't have a specific rule in custom rules). See [Validation Custom List Fall Through Mode ](#validation-custom-list-fall-through-mode) below for details. `open_api_validation_rules` - (Required) x-displayName: "Validation List". See [Validation Custom List Open Api Validation Rules ](#validation-custom-list-open-api-validation-rules) below for details. - - - -###### One of the arguments from this list "oversized_body_skip_validation, oversized_body_fail_validation" can be set +###### One of the arguments from this list "oversized_body_fail_validation, oversized_body_skip_validation" can be set `oversized_body_fail_validation` - (Optional) Apply the request/response action (block or report) when the body length is too long to verify (default 64Kb) (`Bool`).(Deprecated) - `oversized_body_skip_validation` - (Optional) Skip body validation when the body length is too long to verify (default 64Kb) (`Bool`).(Deprecated) - `settings` - (Optional) OpenAPI specification validation settings relevant for "API Inventory" enforcement and for "Custom list" enforcement. See [Validation Custom List Settings ](#validation-custom-list-settings) below for details. 
+### Validation Target Choice Validation Disabled +Don't run OpenAPI validation. -### Validation Target Choice Validation Disabled - - Don't run OpenAPI validation. +### Value Choice Secret Value - - -### Value Choice Secret Value - - Secret Value of the HTTP header.. +Secret Value of the HTTP header.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Secret Value Blindfold Secret Info Internal ](#secret-value-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "vault_secret_info, clear_secret_info, wingman_secret_info, blindfold_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Value Type Check Presence +Parameter name taken which is exist in the query parameter. 
+### Vip Choice Default Vip -### Value Type Check Presence +Use the default VIP, system allocated or configured in the virtual network. - Parameter name taken which is exist in the query parameter. +### Waf Advanced Configuration App Firewall Detection Control - - -### Vip Choice Default Vip - - Use the default VIP, system allocated or configured in the virtual network. - - - -### Waf Advanced Configuration App Firewall Detection Control - - Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria.. +Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria.. `exclude_attack_type_contexts` - (Optional) Attack Types to be excluded for the defined match criteria. See [App Firewall Detection Control Exclude Attack Type Contexts ](#app-firewall-detection-control-exclude-attack-type-contexts) below for details. 
@@ -12182,29 +5718,21 @@ tls_fingerprint_matcher. `exclude_violation_contexts` - (Optional) Violations to be excluded for the defined match criteria. See [App Firewall Detection Control Exclude Violation Contexts ](#app-firewall-detection-control-exclude-violation-contexts) below for details. +### Waf Advanced Configuration Waf Skip Processing +Skip all App Firewall processing for this request. -### Waf Advanced Configuration Waf Skip Processing - - Skip all App Firewall processing for this request. +### Waf Choice Disable Waf +App Firewall configuration that is configured in the Load Balancer will not be enforced on this route. +### Waf Choice Inherited Waf -### Waf Choice Disable Waf +Hence no custom configuration is applied on the route. - App Firewall configuration that is configured in the Load Balancer will not be enforced on this route. +### Waf Exclusion Rules Metadata - - -### Waf Choice Inherited Waf - - Hence no custom configuration is applied on the route. - - - -### Waf Exclusion Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
@@ -12212,126 +5740,84 @@ tls_fingerprint_matcher. `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Web Mobile Header +Header that is used by mobile traffic.. -### Web Mobile Header - - Header that is used by mobile traffic.. - - - -###### One of the arguments from this list "check_present, check_not_present, item" must be set +###### One of the arguments from this list "check_not_present, check_present, item" must be set `check_not_present` - (Optional) Check that the header is not present. (`Bool`). - `check_present` - (Optional) Check that the header is present. (`Bool`). - `item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - `name` - (Required) A case-insensitive HTTP header name. (`String`). +### Web Mobile Headers +Headers that can be used to identify mobile traffic.. -### Web Mobile Headers - - Headers that can be used to identify mobile traffic.. - - - -###### One of the arguments from this list "item, check_present, check_not_present" must be set +###### One of the arguments from this list "check_not_present, check_present, item" must be set `check_not_present` - (Optional) Check that the header is not present. (`Bool`). - `check_present` - (Optional) Check that the header is present. (`Bool`). - `item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - `name` - (Required) A case-insensitive HTTP header name. (`String`). +### Web Mobile Client Header +Header that is used by mobile traffic.. -### Web Mobile Client Header - - Header that is used by mobile traffic.. 
- - - -###### One of the arguments from this list "check_present, check_not_present, item" must be set +###### One of the arguments from this list "check_not_present, check_present, item" must be set `check_not_present` - (Optional) Check that the header is not present. (`Bool`). - `check_present` - (Optional) Check that the header is present. (`Bool`). - `item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - `name` - (Required) A case-insensitive HTTP header name. (`String`). +### Web Mobile Client Headers +Headers that can be used to identify mobile traffic.. -### Web Mobile Client Headers - - Headers that can be used to identify mobile traffic.. - - - -###### One of the arguments from this list "check_present, check_not_present, item" must be set +###### One of the arguments from this list "check_not_present, check_present, item" must be set `check_not_present` - (Optional) Check that the header is not present. (`Bool`). - `check_present` - (Optional) Check that the header is present. (`Bool`). - `item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - `name` - (Required) A case-insensitive HTTP header name. (`String`). +### Websocket Choice Disable Web Socket Config +Websocket upgrade is disabled. -### Websocket Choice Disable Web Socket Config - - Websocket upgrade is disabled. - - - -### Websocket Choice Web Socket Config - - Upgrade to Websocket for this route. +### Websocket Choice Web Socket Config -`idle_timeout` - (Optional) Idle Timeout for Websocket in milli seconds. After timeout, connection will be closed (`Int`).(Deprecated) - -`max_connect_attempts` - (Optional) giving up. 
Default is 1 (`Int`).(Deprecated) +Upgrade to Websocket for this route. `use_websocket` - (Optional) a WebSocket connection (`Bool`). +### Xfcc Header Xfcc Disabled +No X-Forwarded-Client-Cert header will be added. -### Xfcc Header Xfcc Disabled - - No X-Forwarded-Client-Cert header will be added. - - +### Xfcc Header Xfcc Options -### Xfcc Header Xfcc Options - - X-Forwarded-Client-Cert header will be added with the configured fields. +X-Forwarded-Client-Cert header will be added with the configured fields. `xfcc_header_elements` - (Required) X-Forwarded-Client-Cert header elements to be added to requests (`List of Strings`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured http_loadbalancer. -* `cname` - This is the hostname of the configured http_loadbalancer. - +- `id` - This is the id of the configured http_loadbalancer. +- `cname` - This is the hostname of the configured http_loadbalancer. diff --git a/docs/resources/volterra_ip_prefix_set.md b/docs/resources/volterra_ip_prefix_set.md index 09f3a81ac..32b081049 100644 --- a/docs/resources/volterra_ip_prefix_set.md +++ b/docs/resources/volterra_ip_prefix_set.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: ip_prefix_set" -description: "The ip_prefix_set allows CRUD of Ip Prefix Set resource on Volterra SaaS" +description: "The ip_prefix_set allows CRUD of Ip Prefix Set resource on Volterra SaaS" + --- -# Resource volterra_ip_prefix_set -The Ip Prefix Set allows CRUD of Ip Prefix Set resource on Volterra SaaS +Resource volterra_ip_prefix_set +=============================== -~> **Note:** Please refer to [Ip Prefix Set API docs](https://docs.cloud.f5.com/docs-v2/api/ip-prefix-set) to learn more +The Ip Prefix Set allows CRUD of Ip Prefix Set resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Ip Prefix Set API docs](https://docs.cloud.f5.com/docs-v2/api/ip-prefix-set) to learn more + +Example Usage +------------- ```hcl resource "volterra_ip_prefix_set" "example" { 
@@ -30,39 +23,30 @@ resource "volterra_ip_prefix_set" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `ipv6_prefix` - (Optional) An unordered list of IPv6 prefixes. (`List of String`). - - `prefix` - (Optional) An unordered list of IPv4 prefixes. (`List of String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured ip_prefix_set. - +- `id` - This is the id of the configured ip_prefix_set. diff --git a/docs/resources/volterra_k8s_cluster.md b/docs/resources/volterra_k8s_cluster.md index 06dc50c4b..3da45ce02 100644 --- a/docs/resources/volterra_k8s_cluster.md +++ b/docs/resources/volterra_k8s_cluster.md 
@@ -1,41 +1,34 @@ - - - - - - - - - - - - --- + page_title: "Volterra: k8s_cluster" -description: "The k8s_cluster allows CRUD of K8s Cluster resource on Volterra SaaS" +description: "The k8s_cluster allows CRUD of K8s Cluster resource on Volterra SaaS" + --- -# Resource volterra_k8s_cluster -The K8s Cluster allows CRUD of K8s Cluster resource on Volterra SaaS +Resource volterra_k8s_cluster +============================= -~> **Note:** Please refer to [K8s Cluster API docs](https://docs.cloud.f5.com/docs-v2/api/k8s-cluster) to learn more +The K8s Cluster allows CRUD of K8s Cluster resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [K8s Cluster API docs](https://docs.cloud.f5.com/docs-v2/api/k8s-cluster) to learn more + +Example Usage +------------- ```hcl resource "volterra_k8s_cluster" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "no_cluster_wide_apps cluster_wide_app_list" must be set + // One of the arguments from this list "cluster_wide_app_list no_cluster_wide_apps" must be set no_cluster_wide_apps = true - // One of the arguments from this list "use_default_cluster_role_bindings use_custom_cluster_role_bindings" must be set + // One of the arguments from this list "use_custom_cluster_role_bindings use_default_cluster_role_bindings" must be set use_default_cluster_role_bindings = true - // One of the arguments from this list "use_default_cluster_roles use_custom_cluster_role_list" must be set + // One of the arguments from this list "use_custom_cluster_role_list use_default_cluster_roles" must be set use_default_cluster_roles = true 
@@ -43,29 +36,23 @@ resource "volterra_k8s_cluster" "example" { cluster_scoped_access_deny = true - // One of the arguments from this list "no_global_access global_access_enable" must be set + // One of the arguments from this list "global_access_enable no_global_access" must be set no_global_access = true - // One of the arguments from this list "no_insecure_registries insecure_registry_list" must be set + // One of the arguments from this list "insecure_registry_list no_insecure_registries" must be set no_insecure_registries = true - // One of the arguments from this list "no_local_access local_access_config" must be set - - local_access_config { - local_domain = "example.com" + // One of the arguments from this list "local_access_config no_local_access" must be set - // One of the arguments from this list "default_port port" must be set + no_local_access = true - default_port = true - } - - // One of the arguments from this list "use_default_pod_security_admission use_custom_pod_security_admission" must be set + // One of the arguments from this list "use_custom_pod_security_admission use_default_pod_security_admission" must be set use_default_pod_security_admission = true - // One of the arguments from this list "use_default_psp use_custom_psp_list" must be set + // One of the arguments from this list "use_custom_psp_list use_default_psp" must be set use_default_psp = true 
@@ -76,382 +63,196 @@ resource "volterra_k8s_cluster" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "cluster_wide_app_list, no_cluster_wide_apps" must be set `cluster_wide_app_list` - (Optional) Select cluster wide applications to be deployed. See [Apps Choice Cluster Wide App List ](#apps-choice-cluster-wide-app-list) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `no_cluster_wide_apps` - (Optional) There are no cluster wide applications to be deployed (`Bool`). - - - +###### One of the arguments from this list "use_custom_cluster_role_bindings, use_default_cluster_role_bindings" must be set `use_custom_cluster_role_bindings` - (Optional) Select custom K8s cluster role bindings for this K8s cluster. See [Cluster Role Bindings Choice Use Custom Cluster Role Bindings ](#cluster-role-bindings-choice-use-custom-cluster-role-bindings) below for details. - - - - `use_default_cluster_role_bindings` - (Optional) Select default K8s cluster role bindings for this K8s cluster (`Bool`). 
- - - +###### One of the arguments from this list "use_custom_cluster_role_list, use_default_cluster_roles" must be set `use_custom_cluster_role_list` - (Optional) Select custom K8s cluster roles for this K8s cluster. See [Cluster Role Choice Use Custom Cluster Role List ](#cluster-role-choice-use-custom-cluster-role-list) below for details. - - - - `use_default_cluster_roles` - (Optional) Select default K8s cluster roles for this K8s cluster (`Bool`). - - - +###### One of the arguments from this list "cluster_scoped_access_deny, cluster_scoped_access_permit" must be set `cluster_scoped_access_deny` - (Optional) Access to Create, Patch, Replace, Update and Delete for ClusterRoles, ClusterRoleBindings, MutatingWebhookConfiguration and ValidatingWebhookConfiguration will not be allowed through K8s cluster API. It can be managed only through VoltConsole. (`Bool`). - `cluster_scoped_access_permit` - (Optional) Access to Create, Patch, Replace, Update and Delete for ClusterRoles, ClusterRoleBindings, MutatingWebhookConfiguration and ValidatingWebhookConfiguration will be allowed through K8s cluster API. This allows native k8s API operation with ClusterRoles and ClusterRoleBindings. (`Bool`). - - - +###### One of the arguments from this list "global_access_enable, no_global_access" must be set `global_access_enable` - (Optional) Access via VoltConsole to site K8s API server is enabled (`Bool`). - `no_global_access` - (Optional) Access via VoltConsole to site K8s API server is not enabled (`Bool`). - - - +###### One of the arguments from this list "insecure_registry_list, no_insecure_registries" must be set `insecure_registry_list` - (Optional) Select Docker insecure registries for this K8s cluster. See [Insecure Registries Choice Insecure Registry List ](#insecure-registries-choice-insecure-registry-list) below for details. - - - - `no_insecure_registries` - (Optional) There are no Docker insecure registries to be configured (`Bool`). 
- - - +###### One of the arguments from this list "local_access_config, no_local_access" must be set `local_access_config` - (Optional) Local access to site K8s cluster is enabled. See [Local Access Choice Local Access Config ](#local-access-choice-local-access-config) below for details. - - - - - - - - - - `no_local_access` - (Optional) Local access to site K8s cluster is not enabled (`Bool`). - - - +###### One of the arguments from this list "use_custom_pod_security_admission, use_default_pod_security_admission" must be set `use_custom_pod_security_admission` - (Optional) Select Custom Pod Security Admission. See [ref](#ref) below for details. - `use_default_pod_security_admission` - (Optional) Select Default Pod Security Admission (`Bool`). - - - +###### One of the arguments from this list "use_custom_psp_list, use_default_psp" must be set `use_custom_psp_list` - (Optional) Select custom pod security policies for this K8s cluster. See [Pod Security Policy Choice Use Custom Psp List ](#pod-security-policy-choice-use-custom-psp-list) below for details. - - - - `use_default_psp` - (Optional) Select default pod security policies for this K8s cluster (`Bool`). - - - +###### One of the arguments from this list "vk8s_namespace_access_deny, vk8s_namespace_access_permit" must be set `vk8s_namespace_access_deny` - (Optional) Access to create, modify and delete resources in VK8s namespaces will be prevented for service accounts and Managed K8s clients. Resources in VK8s namespaces can be managed only through VK8s API or UI. (`Bool`). - `vk8s_namespace_access_permit` - (Optional) Access to create, modify and delete resources in VK8s namespaces will be allowed for service accounts and Managed K8s clients. (`Bool`). +### App Choice Argo Cd - - -### App Choice Argo Cd - - Deploy Argo Continuous Deployment(CD) application. +Deploy Argo Continuous Deployment(CD) application. 
`generated_yaml` - (Optional) Generated YAML (`String`).(Deprecated) `local_domain` - (Optional) Local domain to access argocd for example argocd.localdomain. See [Argo Cd Local Domain ](#argo-cd-local-domain) below for details. +### App Choice Dashboard - -### App Choice Dashboard - - Deploy Kubernetes Dashboard application. +Deploy Kubernetes Dashboard application. `generated_yaml` - (Optional) Generated YAML (`String`).(Deprecated) +### App Choice Metrics Server - -### App Choice Metrics Server - - Deploy Kubernetes Metrics Server application. +Deploy Kubernetes Metrics Server application. `generated_yaml` - (Optional) Generated YAML (`String`).(Deprecated) +### App Choice Prometheus - -### App Choice Prometheus - - Prometheus access via k8s api server endpoint. +Prometheus access via k8s api server endpoint. `generated_yaml` - (Optional) Generated YAML (`String`).(Deprecated) +### Apps Choice Cluster Wide App List - -### Apps Choice Cluster Wide App List - - Select cluster wide applications to be deployed. +Select cluster wide applications to be deployed. `cluster_wide_apps` - (Required) List of cluster wide applications. See [Cluster Wide App List Cluster Wide Apps ](#cluster-wide-app-list-cluster-wide-apps) below for details. +### Argo Cd Local Domain - -### Argo Cd Local Domain - - Local domain to access argocd for example argocd.localdomain. +Local domain to access argocd for example argocd.localdomain. `local_domain` - (Required) ArgoCD will be accessible at .. (`String`). `password` - (Required) Select blindfold or clear text password for ArgoCD admin.. See [Local Domain Password ](#local-domain-password) below for details. - - ###### One of the arguments from this list "default_port, port" must be set `default_port` - (Optional) Use default port 443 for ArgoCD server. (`Bool`). - `port` - (Optional) Available port range is less than 65000 except reserved ports. (`Int`). 
+### Cluster Role Bindings Choice Use Custom Cluster Role Bindings - - -### Cluster Role Bindings Choice Use Custom Cluster Role Bindings - - Select custom K8s cluster role bindings for this K8s cluster. +Select custom K8s cluster role bindings for this K8s cluster. `cluster_role_bindings` - (Required) List of active cluster role binding list for a K8s cluster. See [ref](#ref) below for details. +### Cluster Role Choice Use Custom Cluster Role List - -### Cluster Role Choice Use Custom Cluster Role List - - Select custom K8s cluster roles for this K8s cluster. +Select custom K8s cluster roles for this K8s cluster. `cluster_roles` - (Required) List of active cluster role list for a K8s cluster. See [ref](#ref) below for details. +### Cluster Wide App List Cluster Wide Apps +List of cluster wide applications. -### Cluster Wide App List Cluster Wide Apps - - List of cluster wide applications. - - - -###### One of the arguments from this list "dashboard, metrics_server, prometheus, argo_cd" must be set +###### One of the arguments from this list "argo_cd, dashboard, metrics_server, prometheus" must be set `argo_cd` - (Optional) Deploy Argo Continuous Deployment(CD) application. See [App Choice Argo Cd ](#app-choice-argo-cd) below for details. - `dashboard` - (Optional) Deploy Kubernetes Dashboard application. See [App Choice Dashboard ](#app-choice-dashboard) below for details. - `metrics_server` - (Optional) Deploy Kubernetes Metrics Server application. See [App Choice Metrics Server ](#app-choice-metrics-server) below for details. - `prometheus` - (Optional) Prometheus access via k8s api server endpoint. See [App Choice Prometheus ](#app-choice-prometheus) below for details. +### Insecure Registries Choice Insecure Registry List - - -### Insecure Registries Choice Insecure Registry List - - Select Docker insecure registries for this K8s cluster. +Select Docker insecure registries for this K8s cluster. 
`insecure_registries` - (Required) List of docker insecure registries in format "example.com:5000" (`String`). +### Local Access Choice Local Access Config - -### Local Access Choice Local Access Config - - Local access to site K8s cluster is enabled. +Local access to site K8s cluster is enabled. `local_domain` - (Required) Local K8s API server will be accessible at .. (`String`). - - ###### One of the arguments from this list "default_port, port" must be set `default_port` - (Optional) Use default port 65443 for K8s API server. (`Bool`). - `port` - (Optional) Available port range is less than 65000 except reserved ports. (`Int`). +### Local Domain Password - - -### Local Domain Password - - Select blindfold or clear text password for ArgoCD admin.. +Select blindfold or clear text password for ArgoCD admin.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Password Blindfold Secret Info Internal ](#password-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Password Blindfold Secret Info Internal - - -### Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -459,24 +260,17 @@ resource "volterra_k8s_cluster" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Pod Security Policy Choice Use Custom Psp List - -### Pod Security Policy Choice Use Custom Psp List - - Select custom pod security policies for this K8s cluster. +Select custom pod security policies for this K8s cluster. `pod_security_policies` - (Required) List of active Pod security policies for a K8s cluster. See [ref](#ref) below for details. +### Port Choice Default Port +Use default port 443 for ArgoCD server.. -### Port Choice Default Port - - Use default port 443 for ArgoCD server.. - - - -### Ref - +### Ref Reference to another volterra object is shown like below 
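Review bot: The `### Port Choice Default Port` section added in this hunk says only "Use default port 443 for ArgoCD server..", but the `default_port` argument under Local Access Config is documented earlier in this file as "Use default port 65443 for K8s API server", so anyone reading this section for the API server case gets the wrong port. List both defaults here or split the section per parent block, and drop the doubled full stop when the text is regenerated.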
@@ -486,11 +280,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -498,21 +290,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
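Review bot: `### Secret Info Oneof Vault Secret Info` is carried over without a deprecation marker, although the `vault_secret_info` argument that links to it is flagged "(Deprecated)" in the Local Domain Password list earlier in this file. Mark the section itself as deprecated as well. Under `### Secret Info Oneof Clear Secret Info`, consider a sentence pointing readers to `blindfold_secret_info`, because this block carries the ArgoCD admin password and the description says only that the secret is "not encrypted".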
@@ -524,17 +312,13 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured k8s_cluster. - +- `id` - This is the id of the configured k8s_cluster. diff --git a/docs/resources/volterra_k8s_cluster_role.md b/docs/resources/volterra_k8s_cluster_role.md index 393edffd4..0025afe89 100644 --- a/docs/resources/volterra_k8s_cluster_role.md +++ b/docs/resources/volterra_k8s_cluster_role.md 
@@ -1,130 +1,90 @@ - - - - - - - - - - - - --- + page_title: "Volterra: k8s_cluster_role" -description: "The k8s_cluster_role allows CRUD of K8s Cluster Role resource on Volterra SaaS" +description: "The k8s_cluster_role allows CRUD of K8s Cluster Role resource on Volterra SaaS" + --- -# Resource volterra_k8s_cluster_role -The K8s Cluster Role allows CRUD of K8s Cluster Role resource on Volterra SaaS +Resource volterra_k8s_cluster_role +================================== + +The K8s Cluster Role allows CRUD of K8s Cluster Role resource on Volterra SaaS -~> **Note:** Please refer to [K8s Cluster Role API docs](https://docs.cloud.f5.com/docs-v2/api/k8s-cluster-role) to learn more +~> **Note:** Please refer to [K8s Cluster Role API docs](https://docs.cloud.f5.com/docs-v2/api/k8s-cluster-role) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_k8s_cluster_role" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "policy_rule_list k8s_cluster_role_selector yaml" must be set + // One of the arguments from this list "k8s_cluster_role_selector policy_rule_list yaml" must be set + + policy_rule_list { + policy_rule { + // One of the arguments from this list "non_resource_url_list resource_list" must be set + + non_resource_url_list { + urls = ["value"] - yaml = "yaml" + verbs = ["get"] + } + } + } } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. 
(`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "k8s_cluster_role_selector, policy_rule_list, yaml" must be set `k8s_cluster_role_selector` - (Optional) This role is aggregation of all rules in roles selected by the label expression. See [Rule Choice K8s Cluster Role Selector ](#rule-choice-k8s-cluster-role-selector) below for details. - - - - `policy_rule_list` - (Optional) Policy in terms of rule list.. See [Rule Choice Policy Rule List ](#rule-choice-policy-rule-list) below for details. - - - - - - - - - - - - - - - - - - - - - - - - `yaml` - (Optional) K8s YAML for ClusterRole (`String`). +### Policy Rule List Policy Rule +List of rules for role permissions. - -### Policy Rule List Policy Rule - - List of rules for role permissions. - - - -###### One of the arguments from this list "resource_list, non_resource_url_list" must be set +###### One of the arguments from this list "non_resource_url_list, resource_list" must be set `non_resource_url_list` - (Optional) permissions for URL(s) that do not represent K8s resource. See [Resource Choice Non Resource Url List ](#resource-choice-non-resource-url-list) below for details. - `resource_list` - (Optional) List of resources in terms of api groups/resource types/resource instances and verbs allowed. See [Resource Choice Resource List ](#resource-choice-resource-list) below for details. +### Resource Choice Non Resource Url List - - -### Resource Choice Non Resource Url List - - permissions for URL(s) that do not represent K8s resource. +permissions for URL(s) that do not represent K8s resource. `urls` - (Required) allowed URL(s) that do not represent any K8s resource. URL can be suffix or regex. (`String`). `verbs` - (Required) Allowed list of verbs(operations) on resources. Use VerbAll for all operations (`String`). 
+### Resource Choice Resource List - -### Resource Choice Resource List - - List of resources in terms of api groups/resource types/resource instances and verbs allowed. +List of resources in terms of api groups/resource types/resource instances and verbs allowed. `api_groups` - (Required) Allowed list of API group that contains resources, all resources of a given api group (`String`). @@ -134,25 +94,19 @@ resource "volterra_k8s_cluster_role" "example" { `verbs` - (Required) Allowed list of verbs(operations) on resources. Use * for all operations (`String`). +### Rule Choice K8s Cluster Role Selector - -### Rule Choice K8s Cluster Role Selector - - This role is aggregation of all rules in roles selected by the label expression. +This role is aggregation of all rules in roles selected by the label expression. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Rule Choice Policy Rule List - -### Rule Choice Policy Rule List - - Policy in terms of rule list.. +Policy in terms of rule list.. `policy_rule` - (Required) List of rules for role permissions. See [Policy Rule List Policy Rule ](#policy-rule-list-policy-rule) below for details. +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured k8s_cluster_role. - +- `id` - This is the id of the configured k8s_cluster_role. diff --git a/docs/resources/volterra_k8s_cluster_role_binding.md b/docs/resources/volterra_k8s_cluster_role_binding.md index 9c7e00998..5b20fdd01 100644 --- a/docs/resources/volterra_k8s_cluster_role_binding.md +++ b/docs/resources/volterra_k8s_cluster_role_binding.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: k8s_cluster_role_binding" -description: "The k8s_cluster_role_binding allows CRUD of K8s Cluster Role Binding resource on Volterra SaaS" +description: "The k8s_cluster_role_binding allows CRUD of K8s Cluster Role Binding resource on Volterra SaaS" + --- -# Resource volterra_k8s_cluster_role_binding -The K8s Cluster Role Binding allows CRUD of K8s Cluster Role Binding resource on Volterra SaaS +Resource volterra_k8s_cluster_role_binding +========================================== + +The K8s Cluster Role Binding allows CRUD of K8s Cluster Role Binding resource on Volterra SaaS -~> **Note:** Please refer to [K8s Cluster Role Binding API docs](https://docs.cloud.f5.com/docs-v2/api/k8s-cluster-role-binding) to learn more +~> **Note:** Please refer to [K8s Cluster Role Binding API docs](https://docs.cloud.f5.com/docs-v2/api/k8s-cluster-role-binding) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_k8s_cluster_role_binding" "example" { 
@@ -34,81 +27,50 @@ resource "volterra_k8s_cluster_role_binding" "example" { } subjects { - // One of the arguments from this list "user service_account group" must be set - - service_account { - name = "cd-app-controller" + // One of the arguments from this list "group service_account user" must be set - namespace = "cd-app-namespace" - } + user = "user1@example.com" } } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `k8s_cluster_role` - (Required) K8s Cluster Role for which bindings are defined.. See [ref](#ref) below for details. - `subjects` - (Required) List of subjects (user, group or service account) to which this role is bound. See [Subjects ](#subjects) below for details. +### Subjects +List of subjects (user, group or service account) to which this role is bound. - - - - - - - - - - - -### Subjects - - List of subjects (user, group or service account) to which this role is bound. - - - -###### One of the arguments from this list "service_account, group, user" must be set +###### One of the arguments from this list "group, service_account, user" must be set `group` - (Optional) Group id of the user group (`String`). - `service_account` - (Optional) Name and Namespace of the service account. 
See [Subject Choice Service Account ](#subject-choice-service-account) below for details. - `user` - (Optional) User id of the user (`String`). - - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -118,19 +80,15 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Subject Choice Service Account - -### Subject Choice Service Account - - Name and Namespace of the service account. +Name and Namespace of the service account. `name` - (Required) Name of the service account (`String`). `namespace` - (Required) Namespace of the service account (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured k8s_cluster_role_binding. - +- `id` - This is the id of the configured k8s_cluster_role_binding. diff --git a/docs/resources/volterra_k8s_pod_security_admission.md b/docs/resources/volterra_k8s_pod_security_admission.md index a06732568..bf3089005 100644 --- a/docs/resources/volterra_k8s_pod_security_admission.md +++ b/docs/resources/volterra_k8s_pod_security_admission.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: k8s_pod_security_admission" -description: "The k8s_pod_security_admission allows CRUD of K8s Pod Security Admission resource on Volterra SaaS" +description: "The k8s_pod_security_admission allows CRUD of K8s Pod Security Admission resource on Volterra SaaS" + --- -# Resource volterra_k8s_pod_security_admission -The K8s Pod Security Admission allows CRUD of K8s Pod Security Admission resource on Volterra SaaS +Resource volterra_k8s_pod_security_admission +============================================ + +The K8s Pod Security Admission allows CRUD of K8s Pod Security Admission resource on Volterra SaaS -~> **Note:** Please refer to [K8s Pod Security Admission API docs](https://docs.cloud.f5.com/docs-v2/api/k8s-pod-security-admission) to learn more +~> **Note:** Please refer to [K8s Pod Security Admission API docs](https://docs.cloud.f5.com/docs-v2/api/k8s-pod-security-admission) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_k8s_pod_security_admission" "example" { @@ -28,11 +21,11 @@ resource "volterra_k8s_pod_security_admission" "example" { namespace = "staging" pod_security_admission_specs { - // One of the arguments from this list "enforce audit warn" must be set + // One of the arguments from this list "audit enforce warn" must be set - audit = true + enforce = true - // One of the arguments from this list "privileged baseline restricted" must be set + // One of the arguments from this list "baseline privileged restricted" must be set privileged = true } 
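Review bot: The example now pairs `enforce = true` with the unchanged `privileged = true`, and this page describes `privileged` as the "Unrestricted policy, providing the widest possible level of permissions", so the enforce mode shown has nothing to reject. For an example that will be copied, pair `enforce` with `baseline` or `restricted`, or keep `audit` if the privileged level is intentional.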
@@ -40,137 +33,72 @@ resource "volterra_k8s_pod_security_admission" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `pod_security_admission_specs` - (Required) x-required. See [Pod Security Admission Specs ](#pod-security-admission-specs) below for details. +### Pod Security Admission Specs +x-required. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Pod Security Admission Specs - - x-required. - - - -###### One of the arguments from this list "warn, enforce, audit" must be set +###### One of the arguments from this list "audit, enforce, warn" must be set `audit` - (Optional) Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed. (`Bool`). - `enforce` - (Optional) Policy violations will cause the pod to be rejected. (`Bool`). - `warn` - (Optional) Policy violations will trigger a user-facing warning, but are otherwise allowed. (`Bool`). - - - -###### One of the arguments from this list "privileged, baseline, restricted" must be set +###### One of the arguments from this list "baseline, privileged, restricted" must be set `baseline` - (Optional) Minimally restrictive policy which prevents known privilege escalations (`Bool`). 
- `privileged` - (Optional) Unrestricted policy, providing the widest possible level of permissions (`Bool`). - `restricted` - (Optional) Heavily restricted policy, following current Pod hardening best practices. (`Bool`). +### Admission Mode Choice Audit +Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed.. +### Admission Mode Choice Enforce -### Admission Mode Choice Audit - - Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed.. - - - -### Admission Mode Choice Enforce - - Policy violations will cause the pod to be rejected.. - - - -### Admission Mode Choice Warn - - Policy violations will trigger a user-facing warning, but are otherwise allowed.. - - - -### Policy Type Choice Baseline - - Minimally restrictive policy which prevents known privilege escalations. - - - -### Policy Type Choice Privileged +Policy violations will cause the pod to be rejected.. - Unrestricted policy, providing the widest possible level of permissions. +### Admission Mode Choice Warn +Policy violations will trigger a user-facing warning, but are otherwise allowed.. +### Policy Type Choice Baseline -### Policy Type Choice Restricted +Minimally restrictive policy which prevents known privilege escalations. - Heavily restricted policy, following current Pod hardening best practices.. +### Policy Type Choice Privileged +Unrestricted policy, providing the widest possible level of permissions. +### Policy Type Choice Restricted -## Attribute Reference +Heavily restricted policy, following current Pod hardening best practices.. -* `id` - This is the id of the configured k8s_pod_security_admission. +Attribute Reference +------------------- +- `id` - This is the id of the configured k8s_pod_security_admission. 
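Review bot: `pod_security_admission_specs` is still described only as "x-required.", both in the Spec Argument Reference and as the body of the `### Pod Security Admission Specs` section, which is a schema annotation rather than documentation. Replace it with a sentence saying the block takes one admission mode (`audit`, `enforce`, `warn`) and one policy level (`baseline`, `privileged`, `restricted`), and fix the doubled full stops in the Admission Mode Choice sections ("otherwise allowed..", "rejected..").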
diff --git a/docs/resources/volterra_k8s_pod_security_policy.md b/docs/resources/volterra_k8s_pod_security_policy.md index 8a75a94f3..2368c8a0f 100644 --- a/docs/resources/volterra_k8s_pod_security_policy.md +++ b/docs/resources/volterra_k8s_pod_security_policy.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: k8s_pod_security_policy" -description: "The k8s_pod_security_policy allows CRUD of K8s Pod Security Policy resource on Volterra SaaS" +description: "The k8s_pod_security_policy allows CRUD of K8s Pod Security Policy resource on Volterra SaaS" + --- -# Resource volterra_k8s_pod_security_policy -The K8s Pod Security Policy allows CRUD of K8s Pod Security Policy resource on Volterra SaaS +Resource volterra_k8s_pod_security_policy +========================================= + +The K8s Pod Security Policy allows CRUD of K8s Pod Security Policy resource on Volterra SaaS -~> **Note:** Please refer to [K8s Pod Security Policy API docs](https://docs.cloud.f5.com/docs-v2/api/k8s-pod-security-policy) to learn more +~> **Note:** Please refer to [K8s Pod Security Policy API docs](https://docs.cloud.f5.com/docs-v2/api/k8s-pod-security-policy) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_k8s_pod_security_policy" "example" { @@ -34,9 +27,7 @@ resource "volterra_k8s_pod_security_policy" "example" { // One of the arguments from this list "allowed_capabilities no_allowed_capabilities" must be set - allowed_capabilities { - capabilities = ["value"] - } + no_allowed_capabilities = true allowed_csi_drivers = ["value"] allowed_flex_volumes = ["value"] allowed_host_paths { 
@@ -48,30 +39,22 @@ resource "volterra_k8s_pod_security_policy" "example" { allowed_unsafe_sysctls = ["value"] default_allow_privilege_escalation = true - // One of the arguments from this list "no_default_capabilities default_capabilities" must be set + // One of the arguments from this list "default_capabilities no_default_capabilities" must be set no_default_capabilities = true - // One of the arguments from this list "no_drop_capabilities drop_capabilities" must be set + // One of the arguments from this list "drop_capabilities no_drop_capabilities" must be set no_drop_capabilities = true forbidden_sysctls = ["value"] - // One of the arguments from this list "no_fs_groups fs_group_strategy_options" must be set + // One of the arguments from this list "fs_group_strategy_options no_fs_groups" must be set no_fs_groups = true // One of the arguments from this list "no_run_as_group run_as_group" must be set - run_as_group { - id_ranges { - max_id = "3000" - - min_id = "2000" - } - - rule = "MustRunAs" - } + no_run_as_group = true host_ipc = true host_network = true host_pid = true @@ -81,11 +64,7 @@ resource "volterra_k8s_pod_security_policy" "example" { // One of the arguments from this list "no_runtime_class runtime_class" must be set - runtime_class { - allowed_runtime_class_names = ["value"] - - default_runtime_class_name = "value" - } + no_runtime_class = true // One of the arguments from this list "no_se_linux_options se_linux_options" must be set 
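Review bot: After this change the example takes the `no_*` branch of every oneof it touches (`no_allowed_capabilities`, `no_run_as_group`, `no_runtime_class`) while the context lines still set `default_allow_privilege_escalation`, `host_ipc`, `host_network` and `host_pid` to `true`, so the only sample policy on the page reads as a permissive one and no longer shows the nested block syntax. Keep at least one populated block, for example the removed `run_as_group` with `rule = "MustRunAs"` and its `id_ranges`, and set the host namespace flags to `false` in the sample.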
@@ -104,232 +83,53 @@ resource "volterra_k8s_pod_security_policy" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "psp_spec, yaml" must be set `psp_spec` - (Optional) Form based pod security specification. See [Config Method Choice Psp Spec ](#config-method-choice-psp-spec) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `yaml` - (Optional) K8s YAML for Pod Security Policy (`String`). +### Allowed Capabilities Choice Allowed Capabilities - - -### Allowed Capabilities Choice Allowed Capabilities - - Allowed Capabilities to add pod spec in addition to default capabilities. +Allowed Capabilities to add pod spec in addition to default capabilities. `capabilities` - (Required) List of capabilities that docker container has. (`String`). +### Allowed Capabilities Choice No Allowed Capabilities +Add capabilities is not allowed in POD.. 
-### Allowed Capabilities Choice No Allowed Capabilities - - Add capabilities is not allowed in POD.. +### Config Method Choice Psp Spec - - -### Config Method Choice Psp Spec - - Form based pod security specification. +Form based pod security specification. `allow_privilege_escalation` - (Optional) Pod can request to privilege escalation (`Bool`). - - ###### One of the arguments from this list "allowed_capabilities, no_allowed_capabilities" must be set `allowed_capabilities` - (Optional) Allowed Capabilities to add pod spec in addition to default capabilities. See [Allowed Capabilities Choice Allowed Capabilities ](#allowed-capabilities-choice-allowed-capabilities) below for details. - `no_allowed_capabilities` - (Optional) Add capabilities is not allowed in POD. (`Bool`). - `allowed_csi_drivers` - (Optional) Restrict the available CSI drivers for POD, default all drivers are available. (`String`). `allowed_flex_volumes` - (Optional) Restrict list of Flex volumes, default all volumes are allowed (`String`). 
@@ -342,48 +142,32 @@ resource "volterra_k8s_pod_security_policy" "example" { `default_allow_privilege_escalation` - (Optional) Pod has permission for privilege escalation by default (`Bool`). - - -###### One of the arguments from this list "no_default_capabilities, default_capabilities" must be set +###### One of the arguments from this list "default_capabilities, no_default_capabilities" must be set `default_capabilities` - (Optional) Default capabilities that will be added to container unless, Pod spec drops it.. See [Default Capabilities Choice Default Capabilities ](#default-capabilities-choice-default-capabilities) below for details. - `no_default_capabilities` - (Optional) K8s Default capabilities will be added to container unless pod spec drops it. (`Bool`). - - - -###### One of the arguments from this list "no_drop_capabilities, drop_capabilities" must be set +###### One of the arguments from this list "drop_capabilities, no_drop_capabilities" must be set `drop_capabilities` - (Optional) Capabilities to drop from K8s default capabilities, should not used with custom default capabilities. See [Drop Capabilities Choice Drop Capabilities ](#drop-capabilities-choice-drop-capabilities) below for details. - `no_drop_capabilities` - (Optional) Capabilities are not dropped from K8s default capabilities (`Bool`). - `forbidden_sysctls` - (Optional) Forbidden list of sysctls, empty list forbids none. supports prefix reg-ex (`String`). - - -###### One of the arguments from this list "no_fs_groups, fs_group_strategy_options" must be set +###### One of the arguments from this list "fs_group_strategy_options, no_fs_groups" must be set `fs_group_strategy_options` - (Optional) FS Groups that are used by security context. See [Fs Group Choice Fs Group Strategy Options ](#fs-group-choice-fs-group-strategy-options) below for details. - `no_fs_groups` - (Optional) Default K8s allowed FS group ids can be used (`Bool`). 
- - - ###### One of the arguments from this list "no_run_as_group, run_as_group" must be set `no_run_as_group` - (Optional) Default K8s allowed group ids can be used as run as group in POD spec. (`Bool`). - `run_as_group` - (Optional) Controls Allowable run as group values. See [Group Choice Run As Group ](#group-choice-run-as-group) below for details. - `host_ipc` - (Optional) Host IPC determines if the policy allows the use of host IPC in the pod spec. (`Bool`). `host_network` - (Optional) Host Network determines if the policy allows the use of host network in the pod spec. (`Bool`). 
@@ -396,175 +180,127 @@ resource "volterra_k8s_pod_security_policy" "example" { `read_only_root_filesystem` - (Optional) Containers can only run with read only root filesystem. (`Bool`). - - ###### One of the arguments from this list "no_runtime_class, runtime_class" must be set -`no_runtime_class` - (Optional) Default K8s allowed runtime class options can be used (`Bool`). - +`no_runtime_class` - (Optional) Default K8s allowed runtime class options can be used (`Bool`). `runtime_class` - (Optional) Controls Allowable Runtime Class values, if not present all values are allowed. See [Runtime Class Choice Runtime Class ](#runtime-class-choice-runtime-class) below for details.(Deprecated) - - - ###### One of the arguments from this list "no_se_linux_options, se_linux_options" must be set `no_se_linux_options` - (Optional) Default K8s allowed SE Linux options can be used (`Bool`). - `se_linux_options` - (Optional) Controls Allowable SE Linux labels, if not present all values are allowed. See [Se Linux Choice Se Linux Options ](#se-linux-choice-se-linux-options) below for details.(Deprecated) - - - -###### One of the arguments from this list "supplemental_groups, no_supplemental_groups" must be set +###### One of the arguments from this list "no_supplemental_groups, supplemental_groups" must be set `no_supplemental_groups` - (Optional) Default K8s allowed supplemental group ids can be used (`Bool`). - `supplemental_groups` - (Optional) Supplemental Groups that are used by security context. See [Supplemental Group Choice Supplemental Groups ](#supplemental-group-choice-supplemental-groups) below for details. - - - ###### One of the arguments from this list "no_run_as_user, run_as_user" must be set `no_run_as_user` - (Optional) Default K8s allowed user ids can be used as run as user in POD spec. (`Bool`). - `run_as_user` - (Optional) Controls Allowable run as user values. See [User Choice Run As User ](#user-choice-run-as-user) below for details. 
- `volumes` - (Optional) Allow List of volume plugins. Empty no volumes are allowed (`String`). +### Default Capabilities Choice Default Capabilities - -### Default Capabilities Choice Default Capabilities - - Default capabilities that will be added to container unless, Pod spec drops it.. +Default capabilities that will be added to container unless, Pod spec drops it.. `capabilities` - (Required) List of capabilities that docker container has. (`String`). +### Default Capabilities Choice No Default Capabilities +K8s Default capabilities will be added to container unless pod spec drops it.. -### Default Capabilities Choice No Default Capabilities - - K8s Default capabilities will be added to container unless pod spec drops it.. - - +### Drop Capabilities Choice Drop Capabilities -### Drop Capabilities Choice Drop Capabilities - - Capabilities to drop from K8s default capabilities, should not used with custom default capabilities. +Capabilities to drop from K8s default capabilities, should not used with custom default capabilities. `capabilities` - (Required) List of capabilities that docker container has. (`String`). +### Drop Capabilities Choice No Drop Capabilities +Capabilities are not dropped from K8s default capabilities. -### Drop Capabilities Choice No Drop Capabilities - - Capabilities are not dropped from K8s default capabilities. - - +### Fs Group Choice Fs Group Strategy Options -### Fs Group Choice Fs Group Strategy Options +FS Groups that are used by security context. - FS Groups that are used by security context. - -`id_ranges` - (Optional) List of range of ID(s). See [Fs Group Strategy Options Id Ranges ](#fs-group-strategy-options-id-ranges) below for details. +`id_ranges` - (Optional) List of range of ID(s). See [Fs Group Strategy Options Id Ranges ](#fs-group-strategy-options-id-ranges) below for details. `rule` - (Optional) Rule indicated how the FS group ID range is used (`String`). 
+### Fs Group Choice No Fs Groups +Default K8s allowed FS group ids can be used. -### Fs Group Choice No Fs Groups - - Default K8s allowed FS group ids can be used. - - +### Fs Group Strategy Options Id Ranges -### Fs Group Strategy Options Id Ranges - - List of range of ID(s). +List of range of ID(s). `max_id` - (Required) Ending(maximum) ID for for ID range (`Int`). `min_id` - (Required) Starting(minimum) ID for for ID range (`Int`). +### Group Choice No Run As Group +Default K8s allowed group ids can be used as run as group in POD spec.. -### Group Choice No Run As Group - - Default K8s allowed group ids can be used as run as group in POD spec.. - - +### Group Choice Run As Group -### Group Choice Run As Group +Controls Allowable run as group values. - Controls Allowable run as group values. - -`id_ranges` - (Optional) List of range of ID(s). See [Run As Group Id Ranges ](#run-as-group-id-ranges) below for details. +`id_ranges` - (Optional) List of range of ID(s). See [Run As Group Id Ranges ](#run-as-group-id-ranges) below for details. `rule` - (Optional) Rule indicated how the FS group ID range is used (`String`). +### Psp Spec Allowed Host Paths - -### Psp Spec Allowed Host Paths - - Restrict list of host paths, default all host paths are allowed. +Restrict list of host paths, default all host paths are allowed. `path_prefix` - (Required) Host path prefix is the path prefix that the host volume must match. It does not support *. (`String`). `read_only` - (Optional) This volume will be allowed to mount read only. (`Bool`). +### Run As Group Id Ranges - -### Run As Group Id Ranges - - List of range of ID(s). +List of range of ID(s). `max_id` - (Required) Ending(maximum) ID for for ID range (`Int`). `min_id` - (Required) Starting(minimum) ID for for ID range (`Int`). +### Run As User Id Ranges - -### Run As User Id Ranges - - List of range of ID(s). +List of range of ID(s). `max_id` - (Required) Ending(maximum) ID for for ID range (`Int`). 
`min_id` - (Required) Starting(minimum) ID for for ID range (`Int`). +### Runtime Class Choice No Runtime Class +Default K8s allowed runtime class options can be used. -### Runtime Class Choice No Runtime Class - - Default K8s allowed runtime class options can be used. +### Runtime Class Choice Runtime Class - - -### Runtime Class Choice Runtime Class - - Controls Allowable Runtime Class values, if not present all values are allowed. +Controls Allowable Runtime Class values, if not present all values are allowed. `allowed_runtime_class_names` - (Required) List of allowed runtime class names (`String`). `default_runtime_class_name` - (Optional) description (`String`). +### Se Linux Choice No Se Linux Options +Default K8s allowed SE Linux options can be used. -### Se Linux Choice No Se Linux Options - - Default K8s allowed SE Linux options can be used. +### Se Linux Choice Se Linux Options - - -### Se Linux Choice Se Linux Options - - Controls Allowable SE Linux labels, if not present all values are allowed. +Controls Allowable SE Linux labels, if not present all values are allowed. `Level` - (Optional) Run as SE linux level label (`String`). 
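Review bot: Under "Group Choice Run As Group" the `rule` argument is still described as "Rule indicated how the FS group ID range is used", which reads as a copy of the text for `fs_group_strategy_options` and does not describe a run-as-group range. This hunk reflows the whole section, so it is a good moment to fix the description where it is defined. The same pass could replace the placeholder in `default_runtime_class_name` - "(Optional) description" and the doubled word in "ID for for ID range", both of which are carried through unchanged.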
@@ -576,51 +312,39 @@ resource "volterra_k8s_pod_security_policy" "example" { `user` - (Optional) Run as SE linux user label (`String`). +### Supplemental Group Choice No Supplemental Groups +Default K8s allowed supplemental group ids can be used. -### Supplemental Group Choice No Supplemental Groups - - Default K8s allowed supplemental group ids can be used. +### Supplemental Group Choice Supplemental Groups +Supplemental Groups that are used by security context. - -### Supplemental Group Choice Supplemental Groups - - Supplemental Groups that are used by security context. - -`id_ranges` - (Optional) List of range of ID(s). See [Supplemental Groups Id Ranges ](#supplemental-groups-id-ranges) below for details. +`id_ranges` - (Optional) List of range of ID(s). See [Supplemental Groups Id Ranges ](#supplemental-groups-id-ranges) below for details. `rule` - (Optional) Rule indicated how the FS group ID range is used (`String`). +### Supplemental Groups Id Ranges - -### Supplemental Groups Id Ranges - - List of range of ID(s). +List of range of ID(s). `max_id` - (Required) Ending(maximum) ID for for ID range (`Int`). `min_id` - (Required) Starting(minimum) ID for for ID range (`Int`). +### User Choice No Run As User +Default K8s allowed user ids can be used as run as user in POD spec.. -### User Choice No Run As User - - Default K8s allowed user ids can be used as run as user in POD spec.. - - +### User Choice Run As User -### User Choice Run As User +Controls Allowable run as user values. - Controls Allowable run as user values. - -`id_ranges` - (Optional) List of range of ID(s). See [Run As User Id Ranges ](#run-as-user-id-ranges) below for details. +`id_ranges` - (Optional) List of range of ID(s). See [Run As User Id Ranges ](#run-as-user-id-ranges) below for details. `rule` - (Optional) Rule indicated how the FS group ID range is used (`String`). 
+Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured k8s_pod_security_policy. - +- `id` - This is the id of the configured k8s_pod_security_policy. diff --git a/docs/resources/volterra_known_label.md b/docs/resources/volterra_known_label.md index 0b2b9beac..99d1bf31c 100644 --- a/docs/resources/volterra_known_label.md +++ b/docs/resources/volterra_known_label.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: volterra_known_label" - description: "The volterra_known_label allows CRD of namespace resource on Volterra SaaS" ------------------------------------------------------------------------------------------ + +--- Resource: volterra_known_label ============================== diff --git a/docs/resources/volterra_known_label_key.md b/docs/resources/volterra_known_label_key.md index 140c2c803..b0c555ab3 100644 --- a/docs/resources/volterra_known_label_key.md +++ b/docs/resources/volterra_known_label_key.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: volterra_known_label_key" - description: "The volterra_known_label_key allows CRD of namespace resource on Volterra SaaS" ---------------------------------------------------------------------------------------------- + +--- Resource: volterra_known_label_key ================================== diff --git a/docs/resources/volterra_log_receiver.md b/docs/resources/volterra_log_receiver.md index ded237d9f..5397c6116 100644 --- a/docs/resources/volterra_log_receiver.md +++ b/docs/resources/volterra_log_receiver.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: log_receiver" -description: "The log_receiver allows CRUD of Log Receiver resource on Volterra SaaS" +description: "The log_receiver allows CRUD of Log Receiver resource on Volterra SaaS" + --- -# Resource volterra_log_receiver -The Log Receiver allows CRUD of Log Receiver resource on Volterra SaaS +Resource volterra_log_receiver +============================== + +The Log Receiver allows CRUD of Log Receiver resource on Volterra SaaS -~> **Note:** Please refer to [Log Receiver API docs](https://docs.cloud.f5.com/docs-v2/api/log-receiver) to learn more +~> **Note:** Please refer to [Log Receiver API docs](https://docs.cloud.f5.com/docs-v2/api/log-receiver) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_log_receiver" "example" { @@ -30,11 +23,11 @@ resource "volterra_log_receiver" "example" { // One of the arguments from this list "data_dog splunk syslog" must be set syslog { - // One of the arguments from this list "syslog_rfc5424 syslog_rfc3164" must be set + // One of the arguments from this list "syslog_rfc3164 syslog_rfc5424" must be set syslog_rfc5424 = "500" - // One of the arguments from this list "udp_server tcp_server tls_server" must be set + // One of the arguments from this list "tcp_server tls_server udp_server" must be set udp_server { port = "514" 
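Review bot: The `syslog` example keeps `udp_server { port = "514"`, so the documented starting point streams logs over UDP even though the argument reference for this resource documents `tls_server` with `default_syslog_tls_port` (6514) and an mTLS choice. While the example comments are being touched, consider switching the example to `tls_server`, or showing both transports. Separately, `syslog_rfc5424 = "500"` and `port = "514"` are quoted strings although both arguments are documented as `Int`; unquoted numbers would match the reference.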
@@ -50,338 +43,72 @@ resource "volterra_log_receiver" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "data_dog, splunk, syslog" must be set `data_dog` - (Optional) Stream log to Datadog receiver. See [Log Receiver Choice Data Dog ](#log-receiver-choice-data-dog) below for details.(Deprecated) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `splunk` - (Optional) Stream log to Splunk HEC Receiver. See [Log Receiver Choice Splunk ](#log-receiver-choice-splunk) below for details.(Deprecated) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `syslog` - (Optional) Stream log to syslog server. See [Log Receiver Choice Syslog ](#log-receiver-choice-syslog) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +###### One of the arguments from this list "log_receiver_sites, site_local" must be set `log_receiver_sites` - (Optional) Log receiver is accessible on a specific site.. See [Where Choice Log Receiver Sites ](#where-choice-log-receiver-sites) below for details.(Deprecated) - - - - - `site_local` - (Optional) Log receiver is accessible local to the site where it is used. (`Bool`). +### Ca Choice Volterra Ca +Use F5XC default CA. +### Compression Choice Compression Disabled -### Ca Choice Volterra Ca - - Use F5XC default CA. - - - -### Compression Choice Compression Disabled - - Disable compression of log messages. +Disable compression of log messages. +### Compression Choice Compression Enabled +Enable compression of log messages. -### Compression Choice Compression Enabled +### Data Dog Datadog Api Key - Enable compression of log messages. - - - -### Data Dog Datadog Api Key - - Secret API key to access datadog servers. +Secret API key to access datadog servers. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Datadog Api Key Blindfold Secret Info Internal ](#datadog-api-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. 
- `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Datadog Api Key Blindfold Secret Info Internal - - -### Datadog Api Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -389,11 +116,9 @@ resource "volterra_log_receiver" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Key Url Blindfold Secret Info Internal - -### Key Url Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
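Review bot: In "Data Dog Datadog Api Key" the reordered heading lists `blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info` as equal choices, but `vault_secret_info` and `wingman_secret_info` are marked "(Deprecated)" in the entries right below it. That leaves `blindfold_secret_info` and `clear_secret_info` ("secrets that are not encrypted") as the live options. Suggest the heading or the section's first sentence says which choices are deprecated, so a reader deciding how to supply an API key does not have to read every entry to find out. The same applies to the newly added top-level heading `"data_dog, splunk, syslog" must be set`, where `data_dog` and `splunk` are both marked "(Deprecated)".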
@@ -401,229 +126,153 @@ resource "volterra_log_receiver" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Log Receiver Choice Data Dog - -### Log Receiver Choice Data Dog - - Stream log to Datadog receiver. - - +Stream log to Datadog receiver. ###### One of the arguments from this list "trusted_ca_url, volterra_ca" must be set `trusted_ca_url` - (Optional) Certificates in PEM format including the PEM headers. (`String`). - `volterra_ca` - (Optional) Use F5XC default CA (`Bool`). - - - -###### One of the arguments from this list "compression_enabled, compression_disabled" must be set +###### One of the arguments from this list "compression_disabled, compression_enabled" must be set `compression_disabled` - (Optional) Disable compression of log messages (`Bool`). - `compression_enabled` - (Optional) Enable compression of log messages (`Bool`). - `datadog_api_key` - (Optional) Secret API key to access datadog servers. See [Data Dog Datadog Api Key ](#data-dog-datadog-api-key) below for details. - - ###### One of the arguments from this list "default_port, port" must be set `default_port` - (Optional) Default port number https is 443. (`Bool`). - `port` - (Optional) Custom port number used for communication (`Int`). - - - ###### One of the arguments from this list "datadog_default_server, server_name" must be set `datadog_default_server` - (Optional) Default Datadog server name (`Bool`). - `server_name` - (Optional) Custom fully qualified server name (`String`). +### Log Receiver Choice Splunk +Stream log to Splunk HEC Receiver. - -### Log Receiver Choice Splunk - - Stream log to Splunk HEC Receiver. 
- - - -###### One of the arguments from this list "splunk_server_ip, splunk_server_tls, splunk_server_name" must be set +###### One of the arguments from this list "splunk_server_ip, splunk_server_name, splunk_server_tls" must be set `splunk_server_ip` - (Optional) Splunk HEC server ip address and port number. See [Server Name Choice Splunk Server Ip ](#server-name-choice-splunk-server-ip) below for details. - `splunk_server_name` - (Optional) Fully qualified splunk HEC server name and port number. See [Server Name Choice Splunk Server Name ](#server-name-choice-splunk-server-name) below for details. - `splunk_server_tls` - (Optional) Splunk TLS Server Parameters. See [Server Name Choice Splunk Server Tls ](#server-name-choice-splunk-server-tls) below for details. - `splunk_hec_token` - (Optional) Secret splunk HEC token. See [Splunk Splunk Hec Token ](#splunk-splunk-hec-token) below for details. +### Log Receiver Choice Syslog +Stream log to syslog server. -### Log Receiver Choice Syslog - - Stream log to syslog server. - - - -###### One of the arguments from this list "syslog_rfc5424, syslog_rfc3164" must be set +###### One of the arguments from this list "syslog_rfc3164, syslog_rfc5424" must be set `syslog_rfc3164` - (Optional) Select RFC3164 syslog format and maximum message length. (`Int`).(Deprecated) - `syslog_rfc5424` - (Optional) Select RFC5424 syslog format and maximum message length. (`Int`). - - - -###### One of the arguments from this list "udp_server, tcp_server, tls_server" must be set +###### One of the arguments from this list "tcp_server, tls_server, udp_server" must be set `tcp_server` - (Optional) Syslog transport mode is TCP. See [Mode Choice Tcp Server ](#mode-choice-tcp-server) below for details. - `tls_server` - (Optional) Syslog transport mode is TLS. See [Mode Choice Tls Server ](#mode-choice-tls-server) below for details. - `udp_server` - (Optional) Syslog transport mode is UDP. 
See [Mode Choice Udp Server ](#mode-choice-udp-server) below for details. +### Mode Choice Tcp Server - - -### Mode Choice Tcp Server - - Syslog transport mode is TCP. +Syslog transport mode is TCP. `port` - (Required) Port number used for communication (`Int`). `server_name` - (Required) Server name is fully qualified domain name or IP address of the server (`String`). +### Mode Choice Tls Server +Syslog transport mode is TLS. -### Mode Choice Tls Server - - Syslog transport mode is TLS. - - - -###### One of the arguments from this list "volterra_ca, trusted_ca_url" must be set +###### One of the arguments from this list "trusted_ca_url, volterra_ca" must be set `trusted_ca_url` - (Optional) Certificates in PEM format including the PEM headers. (`String`). - `volterra_ca` - (Optional) Use F5XC default CA (`Bool`). - - - -###### One of the arguments from this list "mtls_enable, mtls_disabled" must be set +###### One of the arguments from this list "mtls_disabled, mtls_enable" must be set `mtls_disabled` - (Optional) mTLS is disabled (`Bool`). - `mtls_enable` - (Optional) Enable mTLS configuration. See [Mtls Choice Mtls Enable ](#mtls-choice-mtls-enable) below for details. - - - -###### One of the arguments from this list "port, default_syslog_tls_port, default_https_port" must be set +###### One of the arguments from this list "default_https_port, default_syslog_tls_port, port" must be set `default_https_port` - (Optional) Default port number for HTTPS is 443. (`Bool`). - `default_syslog_tls_port` - (Optional) Default port number for syslog TLS is 6514 (`Bool`). - `port` - (Optional) Custom port number used for communication (`Int`). - `server_name` - (Required) certificates against. (`String`). +### Mode Choice Udp Server - -### Mode Choice Udp Server - - Syslog transport mode is UDP. +Syslog transport mode is UDP. `port` - (Required) Port number used for communication (`Int`). 
`server_name` - (Required) Server name is fully qualified domain name or IP address of the server (`String`). +### Mtls Choice Mtls Disabled +mTLS is disabled. -### Mtls Choice Mtls Disabled - - mTLS is disabled. +### Mtls Choice Mtls Enable +Enable mTLS configuration. - -### Mtls Choice Mtls Enable - - Enable mTLS configuration. - -`certificate` - (Optional) Client certificate is PEM-encoded certificate or certificate-chain. (`String`). +`certificate` - (Optional) Client certificate is PEM-encoded certificate or certificate-chain. (`String`). `key_url` - (Optional) The data may be optionally secured using BlindFold.. See [Mtls Enable Key Url ](#mtls-enable-key-url) below for details. +### Mtls Enable Key Url - -### Mtls Enable Key Url - - The data may be optionally secured using BlindFold.. +The data may be optionally secured using BlindFold.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Key Url Blindfold Secret Info Internal ](#key-url-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "clear_secret_info, wingman_secret_info, blindfold_secret_info, vault_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. 
- `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Port Choice Default Https Port +Default port number for HTTPS is 443.. +### Port Choice Default Port -### Port Choice Default Https Port - - Default port number for HTTPS is 443.. - - - -### Port Choice Default Port - - Default port number https is 443.. - - - -### Port Choice Default Syslog Tls Port +Default port number https is 443.. - Default port number for syslog TLS is 6514. +### Port Choice Default Syslog Tls Port +Default port number for syslog TLS is 6514. - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -633,11 +282,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
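Review bot: In "Mode Choice Tls Server" the `server_name` entry reads only "(Required) certificates against. (`String`)."; the start of the description is missing, and the surviving words suggest this is the name that certificates are checked against, which a reader configuring TLS needs spelled out. Restore the full sentence where the description is defined rather than by hand in this file. In the same hunk, "Default port number for HTTPS is 443.." and "Default port number https is 443.." keep their doubled full stop after the heading reflow.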
@@ -645,21 +292,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -671,112 +314,79 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Server Name Choice Datadog Default Server +Default Datadog server name. -### Server Name Choice Datadog Default Server - - Default Datadog server name. - +### Server Name Choice Splunk Server Ip - -### Server Name Choice Splunk Server Ip - - Splunk HEC server ip address and port number. +Splunk HEC server ip address and port number. `ip_address` - (Required) Ip address of the log receiver server (`String`). `port` - (Required) Port number used for communication (`Int`). +### Server Name Choice Splunk Server Name - -### Server Name Choice Splunk Server Name - - Fully qualified splunk HEC server name and port number. +Fully qualified splunk HEC server name and port number. `port` - (Required) Port number used for communication (`Int`). `server_name` - (Required) Server name is fully qualified domain name of the server (`String`). +### Server Name Choice Splunk Server Tls +Splunk TLS Server Parameters. -### Server Name Choice Splunk Server Tls - - Splunk TLS Server Parameters. - - - -###### One of the arguments from this list "volterra_ca, trusted_ca_url" must be set +###### One of the arguments from this list "trusted_ca_url, volterra_ca" must be set `trusted_ca_url` - (Optional) Certificates in PEM format including the PEM headers. (`String`). - `volterra_ca` - (Optional) Use F5XC default CA (`Bool`). - - - ###### One of the arguments from this list "mtls_disabled, mtls_enable" must be set `mtls_disabled` - (Optional) mTLS is disabled (`Bool`). - `mtls_enable` - (Optional) Enable mTLS configuration. 
See [Mtls Choice Mtls Enable ](#mtls-choice-mtls-enable) below for details. - - - -###### One of the arguments from this list "default_syslog_tls_port, default_https_port, port" must be set +###### One of the arguments from this list "default_https_port, default_syslog_tls_port, port" must be set `default_https_port` - (Optional) Default port number for HTTPS is 443. (`Bool`). - `default_syslog_tls_port` - (Optional) Default port number for syslog TLS is 6514 (`Bool`). - `port` - (Optional) Custom port number used for communication (`Int`). - `server_name` - (Required) certificates against. (`String`). +### Splunk Splunk Hec Token - -### Splunk Splunk Hec Token - - Secret splunk HEC token. +Secret splunk HEC token. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Splunk Hec Token Blindfold Secret Info Internal ](#splunk-hec-token-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Splunk Hec Token Blindfold Secret Info Internal - - -### Splunk Hec Token Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -784,19 +394,15 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Where Choice Log Receiver Sites - -### Where Choice Log Receiver Sites - - Log receiver is accessible on a specific site.. +Log receiver is accessible on a specific site.. `network` - (Required) Select Network through which log receiver is accessible (`String`). `site` - (Required) Reference to CE sites. See [ref](#ref) below for details. +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured log_receiver. - +- `id` - This is the id of the configured log_receiver. diff --git a/docs/resources/volterra_malicious_user_mitigation.md b/docs/resources/volterra_malicious_user_mitigation.md index ca36f6bd3..8e3869425 100644 --- a/docs/resources/volterra_malicious_user_mitigation.md +++ b/docs/resources/volterra_malicious_user_mitigation.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: malicious_user_mitigation" -description: "The malicious_user_mitigation allows CRUD of Malicious User Mitigation resource on Volterra SaaS" +description: "The malicious_user_mitigation allows CRUD of Malicious User Mitigation resource on Volterra SaaS" + --- -# Resource volterra_malicious_user_mitigation -The Malicious User Mitigation allows CRUD of Malicious User Mitigation resource on Volterra SaaS +Resource volterra_malicious_user_mitigation +=========================================== + +The Malicious User Mitigation allows CRUD of Malicious User Mitigation resource on Volterra SaaS -~> **Note:** Please refer to [Malicious User Mitigation API docs](https://docs.cloud.f5.com/docs-v2/api/malicious-user-mitigation) to learn more +~> **Note:** Please refer to [Malicious User Mitigation API docs](https://docs.cloud.f5.com/docs-v2/api/malicious-user-mitigation) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_malicious_user_mitigation" "example" { 
@@ -30,198 +23,102 @@ resource "volterra_malicious_user_mitigation" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `mitigation_type` - (Optional) Malicious user mitigation rules specifies the actions to be taken for users to different threat levels. See [Mitigation Type ](#mitigation-type) below for details. +### Mitigation Type - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Mitigation Type - - Malicious user mitigation rules specifies the actions to be taken for users to different threat levels. +Malicious user mitigation rules specifies the actions to be taken for users to different threat levels. `rules` - (Required) Define the threat levels and the corresponding mitigation actions to be taken. See [Mitigation Type Rules ](#mitigation-type-rules) below for details. +### Mitigation Action Alert Only +Generate alert while not taking any invasive actions. -### Mitigation Action Alert Only - - Generate alert while not taking any invasive actions. - - - -### Mitigation Action Block Temporarily - - assigned to this mitigation action. - - - -### Mitigation Action Captcha Challenge - - configured on the corresponding http load balancer. 
- - +### Mitigation Action Block Temporarily -### Mitigation Action Javascript Challenge +assigned to this mitigation action. - configured on the corresponding http load balancer. +### Mitigation Action Captcha Challenge +configured on the corresponding http load balancer. +### Mitigation Action Javascript Challenge -### Mitigation Action None +configured on the corresponding http load balancer. - No mitigation actions. +### Mitigation Action None +No mitigation actions. +### Mitigation Type Rules -### Mitigation Type Rules - - Define the threat levels and the corresponding mitigation actions to be taken. +Define the threat levels and the corresponding mitigation actions to be taken. `mitigation_action` - (Required) The action to be taken at the specified threat level. See [Rules Mitigation Action ](#rules-mitigation-action) below for details. `threat_level` - (Required) The threat level at which mitigation actions will be taken. See [Rules Threat Level ](#rules-threat-level) below for details. +### Rules Mitigation Action +The action to be taken at the specified threat level. -### Rules Mitigation Action - - The action to be taken at the specified threat level. - - - -###### One of the arguments from this list "none, alert_only, javascript_challenge, captcha_challenge, block_temporarily" must be set +###### One of the arguments from this list "alert_only, block_temporarily, captcha_challenge, javascript_challenge, none" must be set `alert_only` - (Optional) Generate alert while not taking any invasive actions (`Bool`).(Deprecated) - `block_temporarily` - (Optional) assigned to this mitigation action (`Bool`). - `captcha_challenge` - (Optional) configured on the corresponding http load balancer (`Bool`). - `javascript_challenge` - (Optional) configured on the corresponding http load balancer (`Bool`). - `none` - (Optional) No mitigation actions (`Bool`).(Deprecated) +### Rules Threat Level +The threat level at which mitigation actions will be taken. 
- -### Rules Threat Level - - The threat level at which mitigation actions will be taken. - - - -###### One of the arguments from this list "low, medium, high" must be set +###### One of the arguments from this list "high, low, medium" must be set `high` - (Optional) (`Bool`). - `low` - (Optional) (`Bool`). - `medium` - (Optional) (`Bool`). - - - -### Threat Level High +### Threat Level High . - - -### Threat Level Low +### Threat Level Low . - - -### Threat Level Medium +### Threat Level Medium . +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured malicious_user_mitigation. - +- `id` - This is the id of the configured malicious_user_mitigation. diff --git a/docs/resources/volterra_managed_tenant.md b/docs/resources/volterra_managed_tenant.md index bc1c7de34..400d86c69 100644 --- a/docs/resources/volterra_managed_tenant.md +++ b/docs/resources/volterra_managed_tenant.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: managed_tenant" - description: "The managed_tenant allows CRUD of Managed Tenant resource on Volterra SaaS" ------------------------------------------------------------------------------------------ + +--- Resource volterra_managed_tenant ================================ diff --git a/docs/resources/volterra_modify_site.md b/docs/resources/volterra_modify_site.md index ee63a3017..7c575722f 100644 --- a/docs/resources/volterra_modify_site.md +++ b/docs/resources/volterra_modify_site.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: volterra_modify_site" - description: "The volterra_modify_site helps update site fields Volterra SaaS" ------------------------------------------------------------------------------- + +--- Resource volterra_modify_site ============================= diff --git a/docs/resources/volterra_namespace.md b/docs/resources/volterra_namespace.md index ba4f5fa8f..13a60c4a0 100644 --- a/docs/resources/volterra_namespace.md +++ b/docs/resources/volterra_namespace.md 
@@ -1,9 +1,9 @@ --- page_title: "Volterra: volterra_namespace" - description: "The volterra_namespace allows CRD of namespace resource on Volterra SaaS" ---------------------------------------------------------------------------------------- + +--- Resource: volterra_namespace ============================ diff --git a/docs/resources/volterra_network_connector.md b/docs/resources/volterra_network_connector.md index 7db01a1f8..779a93ec5 100644 --- a/docs/resources/volterra_network_connector.md +++ b/docs/resources/volterra_network_connector.md 
@@ -1,518 +1,238 @@ +--- +page_title: "Volterra: network_connector" +description: "The network_connector allows CRUD of Network Connector resource on Volterra SaaS" +--- +Resource volterra_network_connector +=================================== +The Network Connector allows CRUD of Network Connector resource on Volterra SaaS +~> **Note:** Please refer to [Network Connector API docs](https://docs.cloud.f5.com/docs-v2/api/network-connector) to learn more +Example Usage +------------- +```hcl +resource "volterra_network_connector" "example" { + name = "acmecorp-web" + namespace = "staging" + // One of the arguments from this list "sli_to_global_dr sli_to_global_snat sli_to_slo_dr sli_to_slo_snat slo_to_global_dr slo_to_global_snat" must be set + sli_to_slo_snat { + // One of the arguments from this list "interface_ip snat_pool snat_pool_allocator" must be set + interface_ip = true + // One of the arguments from this list "default_gw_snat dynamic_routing" must be set ---- -page_title: "Volterra: network_connector" -description: "The network_connector allows CRUD of Network Connector resource on Volterra SaaS" ---- -# Resource volterra_network_connector - -The Network Connector allows CRUD of Network Connector resource on Volterra SaaS + default_gw_snat = true + } -~> **Note:** Please refer to [Network Connector API docs](https://docs.cloud.f5.com/docs-v2/api/network-connector) to learn more + // One of the arguments from this list "disable_forward_proxy enable_forward_proxy" must be set -## Example Usage + enable_forward_proxy { + connection_timeout = "4000" -```hcl -resource "volterra_network_connector" "example" { - name = "acmecorp-web" - namespace = "staging" + max_connect_attempts = "3" - // One of the arguments from this list "slo_to_global_dr slo_to_global_snat sli_to_slo_snat sli_to_slo_dr sli_to_global_dr sli_to_global_snat" must be set + // One of the arguments from this list "no_interception tls_intercept" can be set - sli_to_global_dr { - global_vn { - name 
= "test1" - namespace = "staging" - tenant = "acmecorp" - } + no_interception = true + white_listed_ports = ["[22, 9400]"] + white_listed_prefixes = ["['10.2.1.0/24', '192.168.8.0/29', '10.7.64.160/27']"] } - - // One of the arguments from this list "enable_forward_proxy disable_forward_proxy" must be set - - disable_forward_proxy = true } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "sli_to_global_dr, sli_to_global_snat, sli_to_slo_dr, sli_to_slo_snat, slo_to_global_dr, slo_to_global_snat" must be set `sli_to_global_dr` - (Optional) Site local inside is connected directly to a given global network. See [Connector Choice Sli To Global Dr ](#connector-choice-sli-to-global-dr) below for details. - - - - `sli_to_global_snat` - (Optional) Site local inside is connected to a given global network, using SNAT. See [Connector Choice Sli To Global Snat ](#connector-choice-sli-to-global-snat) below for details.(Deprecated) - - - - - - - - - - - - - - - - - - - - - - - - - - - - `sli_to_slo_dr` - (Optional) Site local inside is connected directly to site local outside (`Bool`).(Deprecated) - `sli_to_slo_snat` - (Optional) Site local inside is connected to site local outside, using SNAT. 
See [Connector Choice Sli To Slo Snat ](#connector-choice-sli-to-slo-snat) below for details. - - - - - - - - - - - - - - - - - - `slo_to_global_dr` - (Optional) Site local outside is connected directly to a given global network. See [Connector Choice Slo To Global Dr ](#connector-choice-slo-to-global-dr) below for details. - - - - `slo_to_global_snat` - (Optional) Site local outside is connected directly to a given global network. See [Connector Choice Slo To Global Snat ](#connector-choice-slo-to-global-snat) below for details.(Deprecated) - - - - - - - - - - - - - - - - - - - - - - - - +###### One of the arguments from this list "disable_forward_proxy, enable_forward_proxy" must be set `disable_forward_proxy` - (Optional) Forward Proxy is disabled for this connector (`Bool`). - `enable_forward_proxy` - (Optional) Forward Proxy is enabled for this connector. See [Forward Proxy Choice Enable Forward Proxy ](#forward-proxy-choice-enable-forward-proxy) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +### Connector Choice Sli To Global Dr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Connector Choice Sli To Global Dr - - Site local inside is connected directly to a given global network. +Site local inside is connected directly to a given global network. `global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. +### Connector Choice Sli To Global Snat - -### Connector Choice Sli To Global Snat - - Site local inside is connected to a given global network, using SNAT. +Site local inside is connected to a given global network, using SNAT. `global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. `snat_config` - (Optional) SNAT configuration to connect to global network. 
See [Sli To Global Snat Snat Config ](#sli-to-global-snat-snat-config) below for details. +### Connector Choice Sli To Slo Snat - -### Connector Choice Sli To Slo Snat - - Site local inside is connected to site local outside, using SNAT. - - +Site local inside is connected to site local outside, using SNAT. ###### One of the arguments from this list "interface_ip, snat_pool, snat_pool_allocator" must be set `interface_ip` - (Optional) Interface IP of the outgoing interface will be used for SNAT (`Bool`). - `snat_pool` - (Optional) IP from the ip pool prefix will be used for SNAT (`String`).(Deprecated) - `snat_pool_allocator` - (Optional) IP from the ip pool prefix will be used for SNAT. See [ref](#ref) below for details.(Deprecated) - - - ###### One of the arguments from this list "default_gw_snat, dynamic_routing" must be set `default_gw_snat` - (Optional) Default route in inside network to SNATed network (`Bool`). - `dynamic_routing` - (Optional) Routes are imported in inside network from SNATed network (`Bool`).(Deprecated) +### Connector Choice Slo To Global Dr - - -### Connector Choice Slo To Global Dr - - Site local outside is connected directly to a given global network. +Site local outside is connected directly to a given global network. `global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. +### Connector Choice Slo To Global Snat - -### Connector Choice Slo To Global Snat - - Site local outside is connected directly to a given global network. +Site local outside is connected directly to a given global network. `global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. `snat_config` - (Optional) SNAT configuration to connect to global network. See [Slo To Global Snat Snat Config ](#slo-to-global-snat-snat-config) below for details. 
+### Custom Certificate Private Key - -### Custom Certificate Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. 
See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Enable Disable Choice Disable Interception +Disable Interception. +### Enable Disable Choice Enable Interception -### Enable Disable Choice Disable Interception +Enable Interception. - Disable Interception. +### Forward Proxy Choice Enable Forward Proxy - - -### Enable Disable Choice Enable Interception - - Enable Interception. - - - -### Forward Proxy Choice Enable Forward Proxy - - Forward Proxy is enabled for this connector. +Forward Proxy is enabled for this connector. `connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2000 (2 seconds) (`Int`). `max_connect_attempts` - (Optional) Specifies the allowed number of retries on connect failure to upstream server. Defaults to 1. (`Int`). - - - ###### One of the arguments from this list "no_interception, tls_intercept" can be set `no_interception` - (Optional) No TLS interception is enabled for this network connector (`Bool`).(Deprecated) - `tls_intercept` - (Optional) Specify TLS interception configuration for the network connector. See [Tls Interception Choice Tls Intercept ](#tls-interception-choice-tls-intercept) below for details.(Deprecated) - `white_listed_ports` - (Optional) Example "tmate" server port (`Int`). `white_listed_prefixes` - (Optional) Example "tmate" server ip (`String`). +### Interception Policy Choice Enable For All Domains +Enable interception for all domains. -### Interception Policy Choice Enable For All Domains - - Enable interception for all domains. - - - -### Interception Policy Choice Policy +### Interception Policy Choice Policy - Policy to enable/disable specific domains, with implicit enable all domains. +Policy to enable/disable specific domains, with implicit enable all domains. `interception_rules` - (Required) List of ordered rules to enable or disable for TLS interception. 
See [Policy Interception Rules ](#policy-interception-rules) below for details. +### Interception Rules Domain Match +Domain value or regular expression to match. -### Interception Rules Domain Match - - Domain value or regular expression to match. - - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set `exact_value` - (Optional) Exact domain name. (`String`). - `regex_value` - (Optional) Regular Expression value for the domain name (`String`). - `suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +### Ocsp Stapling Choice Custom Hash Algorithms - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. `hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Ocsp Stapling Choice Disable Ocsp Stapling +This is the default behavior if no choice is selected.. -### Ocsp Stapling Choice Disable Ocsp Stapling - - This is the default behavior if no choice is selected.. - +### Ocsp Stapling Choice Use System Defaults +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. -### Ocsp Stapling Choice Use System Defaults +### Policy Interception Rules - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. 
- - - -### Policy Interception Rules - - List of ordered rules to enable or disable for TLS interception. +List of ordered rules to enable or disable for TLS interception. `domain_match` - (Required) Domain value or regular expression to match. See [Interception Rules Domain Match ](#interception-rules-domain-match) below for details. - - ###### One of the arguments from this list "disable_interception, enable_interception" must be set `disable_interception` - (Optional) Disable Interception (`Bool`). - `enable_interception` - (Optional) Enable Interception (`Bool`). +### Pool Choice Interface Ip +Interface IP of the outgoing interface will be used for SNAT. +### Private Key Blindfold Secret Info Internal -### Pool Choice Interface Ip - - Interface IP of the outgoing interface will be used for SNAT. - - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -520,10 +240,7 @@ resource "volterra_network_connector" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -533,23 +250,17 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Routing Choice Default Gw Snat +Default route in inside network to SNATed network. -### Routing Choice Default Gw Snat - - Default route in inside network to SNATed network. +### Routing Choice Dynamic Routing +Routes are imported in inside network from SNATed network. +### Secret Info Oneof Blindfold Secret Info -### Routing Choice Dynamic Routing - - Routes are imported in inside network from SNATed network. - - - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -557,21 +268,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -583,155 +290,101 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Signing Cert Choice Custom Certificate - -### Signing Cert Choice Custom Certificate - - Certificates for generating intermediate certificate for TLS interception.. +Certificates for generating intermediate certificate for TLS interception.. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "use_system_defaults, disable_ocsp_stapling, custom_hash_algorithms" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. 
- `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Custom Certificate Private Key ](#custom-certificate-private-key) below for details. +### Signing Cert Choice Volterra Certificate +F5XC certificates for generating intermediate certificate for TLS interception.. -### Signing Cert Choice Volterra Certificate - - F5XC certificates for generating intermediate certificate for TLS interception.. - - - -### Sli To Global Snat Snat Config - - SNAT configuration to connect to global network. - +### Sli To Global Snat Snat Config +SNAT configuration to connect to global network. ###### One of the arguments from this list "interface_ip, snat_pool, snat_pool_allocator" must be set `interface_ip` - (Optional) Interface IP of the outgoing interface will be used for SNAT (`Bool`). - `snat_pool` - (Optional) IP from the ip pool prefix will be used for SNAT (`String`).(Deprecated) - `snat_pool_allocator` - (Optional) IP from the ip pool prefix will be used for SNAT. See [ref](#ref) below for details.(Deprecated) - - - ###### One of the arguments from this list "default_gw_snat, dynamic_routing" must be set `default_gw_snat` - (Optional) Default route in inside network to SNATed network (`Bool`). - `dynamic_routing` - (Optional) Routes are imported in inside network from SNATed network (`Bool`).(Deprecated) +### Slo To Global Snat Snat Config - - -### Slo To Global Snat Snat Config - - SNAT configuration to connect to global network. - - +SNAT configuration to connect to global network. ###### One of the arguments from this list "interface_ip, snat_pool, snat_pool_allocator" must be set `interface_ip` - (Optional) Interface IP of the outgoing interface will be used for SNAT (`Bool`). 
- `snat_pool` - (Optional) IP from the ip pool prefix will be used for SNAT (`String`).(Deprecated) - `snat_pool_allocator` - (Optional) IP from the ip pool prefix will be used for SNAT. See [ref](#ref) below for details.(Deprecated) - - - ###### One of the arguments from this list "default_gw_snat, dynamic_routing" must be set `default_gw_snat` - (Optional) Default route in inside network to SNATed network (`Bool`). - `dynamic_routing` - (Optional) Routes are imported in inside network from SNATed network (`Bool`).(Deprecated) +### Tls Interception Choice No Interception +No TLS interception is enabled for this network connector. +### Tls Interception Choice Tls Intercept -### Tls Interception Choice No Interception - - No TLS interception is enabled for this network connector. +Specify TLS interception configuration for the network connector. - - -### Tls Interception Choice Tls Intercept - - Specify TLS interception configuration for the network connector. - - - -###### One of the arguments from this list "policy, enable_for_all_domains" must be set +###### One of the arguments from this list "enable_for_all_domains, policy" must be set `enable_for_all_domains` - (Optional) Enable interception for all domains (`Bool`). - `policy` - (Optional) Policy to enable/disable specific domains, with implicit enable all domains. See [Interception Policy Choice Policy ](#interception-policy-choice-policy) below for details. - - - ###### One of the arguments from this list "custom_certificate, volterra_certificate" must be set `custom_certificate` - (Optional) Certificates for generating intermediate certificate for TLS interception.. See [Signing Cert Choice Custom Certificate ](#signing-cert-choice-custom-certificate) below for details. - `volterra_certificate` - (Optional) F5XC certificates for generating intermediate certificate for TLS interception. (`Bool`). 
- - - ###### One of the arguments from this list "trusted_ca_url, volterra_trusted_ca" must be set `trusted_ca_url` - (Optional) Custom Root CA Certificate for validating upstream server certificate (`String`). - `volterra_trusted_ca` - (Optional) F5XC Root CA Certificate for validating upstream server certificate (`Bool`). +### Trusted Ca Choice Volterra Trusted Ca +F5XC Root CA Certificate for validating upstream server certificate. +Attribute Reference +------------------- -### Trusted Ca Choice Volterra Trusted Ca - - F5XC Root CA Certificate for validating upstream server certificate. - - - -## Attribute Reference - -* `id` - This is the id of the configured network_connector. - +- `id` - This is the id of the configured network_connector. diff --git a/docs/resources/volterra_network_firewall.md b/docs/resources/volterra_network_firewall.md index 2d4375c4a..f64e230e2 100644 --- a/docs/resources/volterra_network_firewall.md +++ b/docs/resources/volterra_network_firewall.md 
@@ -1,156 +1,116 @@ - - - - - - - - - - - - --- + page_title: "Volterra: network_firewall" -description: "The network_firewall allows CRUD of Network Firewall resource on Volterra SaaS" +description: "The network_firewall allows CRUD of Network Firewall resource on Volterra SaaS" + --- -# Resource volterra_network_firewall -The Network Firewall allows CRUD of Network Firewall resource on Volterra SaaS +Resource volterra_network_firewall +================================== + +The Network Firewall allows CRUD of Network Firewall resource on Volterra SaaS -~> **Note:** Please refer to [Network Firewall API docs](https://docs.cloud.f5.com/docs-v2/api/network-firewall) to learn more +~> **Note:** Please refer to [Network Firewall API docs](https://docs.cloud.f5.com/docs-v2/api/network-firewall) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_network_firewall" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "disable_fast_acl active_fast_acls fast_acl_set" must be set + // One of the arguments from this list "active_fast_acls disable_fast_acl fast_acl_set" must be set disable_fast_acl = true - // One of the arguments from this list "disable_forward_proxy_policy active_forward_proxy_policies forward_proxy_policy_set" must be set + // One of the arguments from this list "active_forward_proxy_policies disable_forward_proxy_policy forward_proxy_policy_set" must be set disable_forward_proxy_policy = true - // One of the arguments from this list "active_enhanced_firewall_policies disable_network_policy active_network_policies network_policy_set" must be set + // One of the arguments from this list "active_enhanced_firewall_policies active_network_policies disable_network_policy network_policy_set" must be set - disable_network_policy = true + active_enhanced_firewall_policies { + enhanced_firewall_policies { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } + } } ``` -## 
Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "active_fast_acls, disable_fast_acl, fast_acl_set" must be set `active_fast_acls` - (Optional) Fast ACL Active for ths network firewall.. See [Fast Acl Choice Active Fast Acls ](#fast-acl-choice-active-fast-acls) below for details. - - - - `disable_fast_acl` - (Optional) Fast ACL is disabled for this network firewall (`Bool`). - `fast_acl_set` - (Optional) The list of Virtual Networks / Interfaces is selected by the Fast ACL set object. See [ref](#ref) below for details.(Deprecated) - - - +###### One of the arguments from this list "active_forward_proxy_policies, disable_forward_proxy_policy, forward_proxy_policy_set" must be set `active_forward_proxy_policies` - (Optional) L7 firewall for forward proxy.. See [Forward Proxy Policy Choice Active Forward Proxy Policies ](#forward-proxy-policy-choice-active-forward-proxy-policies) below for details. - - - - `disable_forward_proxy_policy` - (Optional) Forward Proxy Policy is disabled for this network firewall (`Bool`). - `forward_proxy_policy_set` - (Optional) L7 firewall for forward proxy. Assign service_policy_set to be used for forward proxies in this firewall.. 
See [ref](#ref) below for details.(Deprecated) - - - +###### One of the arguments from this list "active_enhanced_firewall_policies, active_network_policies, disable_network_policy, network_policy_set" must be set `active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - - - - `active_network_policies` - (Optional) Active firewall policies for this network firewall(L3/L4 firewall).. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - - - - `disable_network_policy` - (Optional) Firewall Policy is disabled for this network firewall (`Bool`). +`network_policy_set` - (Optional) - Site Local. See [ref](#ref) below for details.(Deprecated) -`network_policy_set` - (Optional) - Site Local. See [ref](#ref) below for details.(Deprecated) - - +### Fast Acl Choice Active Fast Acls - -### Fast Acl Choice Active Fast Acls - - Fast ACL Active for ths network firewall.. +Fast ACL Active for ths network firewall.. `fast_acls` - (Required) Ordered List of Fast ACL(s) active for this network firewall. See [ref](#ref) below for details. +### Forward Proxy Policy Choice Active Forward Proxy Policies - -### Forward Proxy Policy Choice Active Forward Proxy Policies - - L7 firewall for forward proxy.. +L7 firewall for forward proxy.. `forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. +### Network Policy Choice Active Enhanced Firewall Policies - -### Network Policy Choice Active Enhanced Firewall Policies - - with an additional option for service insertion.. +with an additional option for service insertion.. `enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. 
+### Network Policy Choice Active Network Policies - -### Network Policy Choice Active Network Policies - - Active firewall policies for this network firewall(L3/L4 firewall).. +Active firewall policies for this network firewall(L3/L4 firewall).. `network_policies` - (Required) Ordered List of Firewall Policies active for this network firewall. See [ref](#ref) below for details. - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -160,9 +120,7 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured network_firewall. - +- `id` - This is the id of the configured network_firewall. diff --git a/docs/resources/volterra_network_interface.md b/docs/resources/volterra_network_interface.md index 94eb7c3de..097b891c7 100644 --- a/docs/resources/volterra_network_interface.md +++ b/docs/resources/volterra_network_interface.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: network_interface" - description: "The network_interface allows CRUD of Network Interface resource on Volterra SaaS" ------------------------------------------------------------------------------------------------ + +--- Resource volterra_network_interface =================================== diff --git a/docs/resources/volterra_network_policy.md b/docs/resources/volterra_network_policy.md index 420ea0cf7..778d1ac5c 100644 --- a/docs/resources/volterra_network_policy.md +++ b/docs/resources/volterra_network_policy.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: network_policy" -description: "The network_policy allows CRUD of Network Policy resource on Volterra SaaS" +description: "The network_policy allows CRUD of Network Policy resource on Volterra SaaS" + --- -# Resource volterra_network_policy -The Network Policy allows CRUD of Network Policy resource on Volterra SaaS +Resource volterra_network_policy +================================ -~> **Note:** Please refer to [Network Policy API docs](https://docs.cloud.f5.com/docs-v2/api/network-policy) to learn more +The Network Policy allows CRUD of Network Policy resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Network Policy API docs](https://docs.cloud.f5.com/docs-v2/api/network-policy) to learn more + +Example Usage +------------- ```hcl resource "volterra_network_policy" "example" { 
@@ -28,285 +21,84 @@ resource "volterra_network_policy" "example" { namespace = "staging" endpoint { - // One of the arguments from this list "prefix_list any outside_endpoints inside_endpoints interface namespace label_selector" must be set + // One of the arguments from this list "any inside_endpoints interface label_selector namespace outside_endpoints prefix_list" must be set - outside_endpoints = true + interface { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } } } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `endpoint` - (Required) Policy is for set of endpoints defined, rules are applied to connections to or from these endpoints.. See [Endpoint ](#endpoint) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `rules` - (Optional) Network Policy Rules. See [Rules ](#rules) below for details. +### Endpoint - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Policy is for set of endpoints defined, rules are applied to connections to or from these endpoints.. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Endpoint - - Policy is for set of endpoints defined, rules are applied to connections to or from these endpoints.. - - - -###### One of the arguments from this list "namespace, label_selector, prefix_list, any, outside_endpoints, inside_endpoints, interface" must be set +###### One of the arguments from this list "any, inside_endpoints, interface, label_selector, namespace, outside_endpoints, prefix_list" must be set `any` - (Optional) Any Endpoint that matches 0/0 ip prefix (`Bool`). - `inside_endpoints` - (Optional) All ip prefixes that are reachable via inside interfaces are chosen as Endpoints (`Bool`). - `interface` - (Optional) All ip prefixes that are reachable via an interfaces are chosen as Endpoints. See [ref](#ref) below for details.(Deprecated) - `label_selector` - (Optional) local end point is set of prefixes determined by label selector expression. See [Endpoint Choice Label Selector ](#endpoint-choice-label-selector) below for details. - `namespace` - (Optional) All ip prefixes that are of a namespace are chosen as Endpoints (`String`).(Deprecated) - `outside_endpoints` - (Optional) All ip prefixes that are reachable via outside interfaces are chosen as Endpoints (`Bool`). - `prefix_list` - (Optional) For Ingress rules: To this endpoints from remote endpoints these ip prefixes are destination ip.. See [Endpoint Choice Prefix List ](#endpoint-choice-prefix-list) below for details. +### Rules - - -### Rules - - Network Policy Rules. +Network Policy Rules. `egress_rules` - (Optional) Ordered list of rules applied to connections from policy endpoints.. See [Rules Egress Rules ](#rules-egress-rules) below for details. `ingress_rules` - (Optional) Ordered list of rules applied to connections to policy endpoints.. See [Rules Ingress Rules ](#rules-ingress-rules) below for details. +### Egress Rules Adv Action - -### Egress Rules Adv Action - - Enable or disable logging.. 
+Enable or disable logging.. `action` - (Optional) Enable or disable logging. (`String`). +### Egress Rules Label Matcher - -### Egress Rules Label Matcher - - not specified here, just the label keys. This facilitates reuse of policies across multiple dimensions such as deployment, environment, and location.. +not specified here, just the label keys. This facilitates reuse of policies across multiple dimensions such as deployment, environment, and location.. `keys` - (Optional) The list of label key names that have to match (`String`). +### Egress Rules Metadata - -### Egress Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
@@ -314,63 +106,47 @@ resource "volterra_network_policy" "example" { `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Endpoint Choice Any +Any Endpoint that matches 0/0 ip prefix. -### Endpoint Choice Any - - Any Endpoint that matches 0/0 ip prefix. - - - -### Endpoint Choice Inside Endpoints - - All ip prefixes that are reachable via inside interfaces are chosen as Endpoints. - +### Endpoint Choice Inside Endpoints +All ip prefixes that are reachable via inside interfaces are chosen as Endpoints. -### Endpoint Choice Label Selector +### Endpoint Choice Label Selector - local end point is set of prefixes determined by label selector expression. +local end point is set of prefixes determined by label selector expression. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Endpoint Choice Outside Endpoints +All ip prefixes that are reachable via outside interfaces are chosen as Endpoints. -### Endpoint Choice Outside Endpoints +### Endpoint Choice Prefix List - All ip prefixes that are reachable via outside interfaces are chosen as Endpoints. - - - -### Endpoint Choice Prefix List - - For Ingress rules: To this endpoints from remote endpoints these ip prefixes are destination ip.. +For Ingress rules: To this endpoints from remote endpoints these ip prefixes are destination ip.. `ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). `prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). +### Ingress Rules Adv Action - -### Ingress Rules Adv Action - - Enable or disable logging.. +Enable or disable logging.. `action` - (Optional) Enable or disable logging. (`String`). +### Ingress Rules Label Matcher - -### Ingress Rules Label Matcher - - not specified here, just the label keys. This facilitates reuse of policies across multiple dimensions such as deployment, environment, and location.. 
+not specified here, just the label keys. This facilitates reuse of policies across multiple dimensions such as deployment, environment, and location.. `keys` - (Optional) The list of label key names that have to match (`String`). +### Ingress Rules Metadata - -### Ingress Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
@@ -378,54 +154,39 @@ resource "volterra_network_policy" "example" { `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Other Endpoint Any +Any Endpoint that matches 0/0 ip prefix. -### Other Endpoint Any - - Any Endpoint that matches 0/0 ip prefix. - - +### Other Endpoint Inside Endpoints -### Other Endpoint Inside Endpoints +All ip prefixes that are reachable via inside interfaces are chosen as Endpoints. - All ip prefixes that are reachable via inside interfaces are chosen as Endpoints. +### Other Endpoint Ip Prefix Set - - -### Other Endpoint Ip Prefix Set - - Reference to object which represents list of IP prefixes that will be referred as remote endpoint. +Reference to object which represents list of IP prefixes that will be referred as remote endpoint. `ref` - (Optional) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. +### Other Endpoint Label Selector - -### Other Endpoint Label Selector - - local end point is set of prefixes determined by label selector expression. +local end point is set of prefixes determined by label selector expression. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Other Endpoint Outside Endpoints +All ip prefixes that are reachable via outside interfaces are chosen as Endpoints. -### Other Endpoint Outside Endpoints - - All ip prefixes that are reachable via outside interfaces are chosen as Endpoints. - - - -### Other Endpoint Prefix List +### Other Endpoint Prefix List - For Ingress rules: To these endpoints from remote endpoints these ip prefixes are destination IPs.. +For Ingress rules: To these endpoints from remote endpoints these ip prefixes are destination IPs.. `ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). `prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). 
- - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -435,11 +196,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Rules Egress Rules - -### Rules Egress Rules - - Ordered list of rules applied to connections from policy endpoints.. +Ordered list of rules applied to connections from policy endpoints.. `action` - (Optional) Action to be taken at rule match. Currently supported actions are Allow and Deny (`String`). 
@@ -451,61 +210,41 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `metadata` - (Required) Common attributes for the rule including name and description.. See [Egress Rules Metadata ](#egress-rules-metadata) below for details. - - - -###### One of the arguments from this list "any, prefix_list, outside_endpoints, inside_endpoints, namespace, label_selector, ip_prefix_set" can be set +###### One of the arguments from this list "any, inside_endpoints, ip_prefix_set, label_selector, namespace, outside_endpoints, prefix_list" can be set `any` - (Optional) Any Endpoint that matches 0/0 ip prefix (`Bool`). - `inside_endpoints` - (Optional) All ip prefixes that are reachable via inside interfaces are chosen as Endpoints (`Bool`). - `ip_prefix_set` - (Optional) Reference to object which represents list of IP prefixes that will be referred as remote endpoint. See [Other Endpoint Ip Prefix Set ](#other-endpoint-ip-prefix-set) below for details. - `label_selector` - (Optional) local end point is set of prefixes determined by label selector expression. See [Other Endpoint Label Selector ](#other-endpoint-label-selector) below for details. - `namespace` - (Optional) All ip prefixes that are of a namespace are chosen as Endpoints (`String`).(Deprecated) - `outside_endpoints` - (Optional) All ip prefixes that are reachable via outside interfaces are chosen as Endpoints (`Bool`). - `prefix_list` - (Optional) For Ingress rules: To these endpoints from remote endpoints these ip prefixes are destination IPs.. See [Other Endpoint Prefix List ](#other-endpoint-prefix-list) below for details. - `rule_description` - (Optional) Human readable description for the rule (`String`).(Deprecated) `rule_name` - (Optional) Rule Name that will be used to query metrics for this rule. 
(`String`).(Deprecated) - - - -###### One of the arguments from this list "all_traffic, all_tcp_traffic, all_udp_traffic, applications, protocol_port_range" can be set +###### One of the arguments from this list "all_tcp_traffic, all_traffic, all_udp_traffic, applications, protocol_port_range" can be set `all_tcp_traffic` - (Optional) Select all TCP traffic to match (`Bool`). - `all_traffic` - (Optional) Select all traffic to match (`Bool`). - `all_udp_traffic` - (Optional) Select all UDP traffic to match (`Bool`). - `applications` - (Optional) Select Application traffic to match. See [Traffic Choice Applications ](#traffic-choice-applications) below for details. - `protocol_port_range` - (Optional) Select specific protocol and port ranges traffic to match. See [Traffic Choice Protocol Port Range ](#traffic-choice-protocol-port-range) below for details. +### Rules Ingress Rules - - -### Rules Ingress Rules - - Ordered list of rules applied to connections to policy endpoints.. +Ordered list of rules applied to connections to policy endpoints.. `action` - (Optional) Action to be taken at rule match. Currently supported actions are Allow and Deny (`String`). 
@@ -517,95 +256,65 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `metadata` - (Required) Common attributes for the rule including name and description.. See [Ingress Rules Metadata ](#ingress-rules-metadata) below for details. - - - -###### One of the arguments from this list "label_selector, ip_prefix_set, any, prefix_list, outside_endpoints, inside_endpoints, namespace" can be set +###### One of the arguments from this list "any, inside_endpoints, ip_prefix_set, label_selector, namespace, outside_endpoints, prefix_list" can be set `any` - (Optional) Any Endpoint that matches 0/0 ip prefix (`Bool`). - `inside_endpoints` - (Optional) All ip prefixes that are reachable via inside interfaces are chosen as Endpoints (`Bool`). - `ip_prefix_set` - (Optional) Reference to object which represents list of IP prefixes that will be referred as remote endpoint. See [Other Endpoint Ip Prefix Set ](#other-endpoint-ip-prefix-set) below for details. - `label_selector` - (Optional) local end point is set of prefixes determined by label selector expression. See [Other Endpoint Label Selector ](#other-endpoint-label-selector) below for details. - `namespace` - (Optional) All ip prefixes that are of a namespace are chosen as Endpoints (`String`).(Deprecated) - `outside_endpoints` - (Optional) All ip prefixes that are reachable via outside interfaces are chosen as Endpoints (`Bool`). - `prefix_list` - (Optional) For Ingress rules: To these endpoints from remote endpoints these ip prefixes are destination IPs.. See [Other Endpoint Prefix List ](#other-endpoint-prefix-list) below for details. - `rule_description` - (Optional) Human readable description for the rule (`String`).(Deprecated) `rule_name` - (Optional) Rule Name that will be used to query metrics for this rule. 
(`String`).(Deprecated) - - - -###### One of the arguments from this list "all_traffic, all_tcp_traffic, all_udp_traffic, applications, protocol_port_range" can be set +###### One of the arguments from this list "all_tcp_traffic, all_traffic, all_udp_traffic, applications, protocol_port_range" can be set `all_tcp_traffic` - (Optional) Select all TCP traffic to match (`Bool`). - `all_traffic` - (Optional) Select all traffic to match (`Bool`). - `all_udp_traffic` - (Optional) Select all UDP traffic to match (`Bool`). - `applications` - (Optional) Select Application traffic to match. See [Traffic Choice Applications ](#traffic-choice-applications) below for details. - `protocol_port_range` - (Optional) Select specific protocol and port ranges traffic to match. See [Traffic Choice Protocol Port Range ](#traffic-choice-protocol-port-range) below for details. +### Traffic Choice All Tcp Traffic +Select all TCP traffic to match. +### Traffic Choice All Traffic -### Traffic Choice All Tcp Traffic - - Select all TCP traffic to match. - - - -### Traffic Choice All Traffic - - Select all traffic to match. - +Select all traffic to match. +### Traffic Choice All Udp Traffic -### Traffic Choice All Udp Traffic +Select all UDP traffic to match. - Select all UDP traffic to match. +### Traffic Choice Applications - - -### Traffic Choice Applications - - Select Application traffic to match. +Select Application traffic to match. `applications` - (Optional) Application protocols like HTTP, SNMP (`List of Strings`). +### Traffic Choice Protocol Port Range - -### Traffic Choice Protocol Port Range - - Select specific protocol and port ranges traffic to match. +Select specific protocol and port ranges traffic to match. `port_ranges` - (Optional) List of port ranges. Each range is a single port or a pair of start and end ports e.g. 8080-8192 (`String`). `protocol` - (Optional) Values are tcp, udp, and icmp (`String`). 
+Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured network_policy. - +- `id` - This is the id of the configured network_policy. diff --git a/docs/resources/volterra_network_policy_rule.md b/docs/resources/volterra_network_policy_rule.md index 7945d5ed6..9cbb28b3a 100644 --- a/docs/resources/volterra_network_policy_rule.md +++ b/docs/resources/volterra_network_policy_rule.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: network_policy_rule" -description: "The network_policy_rule allows CRUD of Network Policy Rule resource on Volterra SaaS" +description: "The network_policy_rule allows CRUD of Network Policy Rule resource on Volterra SaaS" + --- -# Resource volterra_network_policy_rule -The Network Policy Rule allows CRUD of Network Policy Rule resource on Volterra SaaS +Resource volterra_network_policy_rule +===================================== + +The Network Policy Rule allows CRUD of Network Policy Rule resource on Volterra SaaS -~> **Note:** Please refer to [Network Policy Rule API docs](https://docs.cloud.f5.com/docs-v2/api/network-policy-rule) to learn more +~> **Note:** Please refer to [Network Policy Rule API docs](https://docs.cloud.f5.com/docs-v2/api/network-policy-rule) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_network_policy_rule" "example" { 
@@ -30,91 +23,56 @@ resource "volterra_network_policy_rule" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -`action` - (Optional) Action to be taken at rule match. Currently supported actions are Allow and Deny (`String`). - +`action` - (Optional) Action to be taken at rule match. Currently supported actions are Allow and Deny (`String`). `advanced_action` - (Optional) Enable or disable logging.. See [Advanced Action ](#advanced-action) below for details. - - - `label_matcher` - (Optional) List of label keys to be matched in prefix_selector configured in remote_endpoint. See [Label Matcher ](#label-matcher) below for details. - - - `ports` - (Optional) List of port ranges. Each range is a single port or a pair of start and end ports e.g. 8080-8192 (`List of String`). - - `protocol` - (Optional) Values are tcp, udp, and icmp (`String`). - - +###### One of the arguments from this list "ip_prefix_set, prefix, prefix_selector" can be set `ip_prefix_set` - (Optional) Reference to object which represents list of IP prefixes that will be referred as remote endpoint. See [Remote Endpoint Ip Prefix Set ](#remote-endpoint-ip-prefix-set) below for details. - - - - `prefix` - (Optional) these IP prefixes are destination. 
See [Remote Endpoint Prefix ](#remote-endpoint-prefix) below for details. - - - - - `prefix_selector` - (Optional) Only first expression is selected even though LabelSelectorType can provide multiple. See [Remote Endpoint Prefix Selector ](#remote-endpoint-prefix-selector) below for details. - - - - - +### Advanced Action -### Advanced Action - - Enable or disable logging.. +Enable or disable logging.. `action` - (Optional) Enable or disable logging. (`String`). +### Label Matcher - -### Label Matcher - - List of label keys to be matched in prefix_selector configured in remote_endpoint. +List of label keys to be matched in prefix_selector configured in remote_endpoint. `keys` - (Optional) The list of label key names that have to match (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -124,35 +82,27 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Remote Endpoint Ip Prefix Set - -### Remote Endpoint Ip Prefix Set - - Reference to object which represents list of IP prefixes that will be referred as remote endpoint. +Reference to object which represents list of IP prefixes that will be referred as remote endpoint. `ref` - (Optional) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. +### Remote Endpoint Prefix - -### Remote Endpoint Prefix - - these IP prefixes are destination. +these IP prefixes are destination. `ipv6_prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). `prefix` - (Optional) IP Address prefix in string format. String must contain both prefix and prefix-length (`String`). +### Remote Endpoint Prefix Selector - -### Remote Endpoint Prefix Selector - - Only first expression is selected even though LabelSelectorType can provide multiple. +Only first expression is selected even though LabelSelectorType can provide multiple. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured network_policy_rule. - +- `id` - This is the id of the configured network_policy_rule. diff --git a/docs/resources/volterra_network_policy_view.md b/docs/resources/volterra_network_policy_view.md index 3abfdcd1a..00aecd5fd 100644 --- a/docs/resources/volterra_network_policy_view.md +++ b/docs/resources/volterra_network_policy_view.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: network_policy_view" -description: "The network_policy_view allows CRUD of Network Policy View resource on Volterra SaaS" +description: "The network_policy_view allows CRUD of Network Policy View resource on Volterra SaaS" + --- -# Resource volterra_network_policy_view -The Network Policy View allows CRUD of Network Policy View resource on Volterra SaaS +Resource volterra_network_policy_view +===================================== -~> **Note:** Please refer to [Network Policy View API docs](https://docs.cloud.f5.com/docs-v2/api/views-network-policy-view) to learn more +The Network Policy View allows CRUD of Network Policy View resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Network Policy View API docs](https://docs.cloud.f5.com/docs-v2/api/views-network-policy-view) to learn more + +Example Usage +------------- ```hcl resource "volterra_network_policy_view" "example" { 
@@ -28,228 +21,42 @@ resource "volterra_network_policy_view" "example" { namespace = "staging" endpoint { - // One of the arguments from this list "label_selector prefix_list any outside_endpoints inside_endpoints interface namespace" must be set - - prefix_list { - ipv6_prefixes = ["fd48:fa09:d9d4::/48"] + // One of the arguments from this list "any inside_endpoints interface label_selector namespace outside_endpoints prefix_list" must be set - prefixes = ["192.168.20.0/24"] - } + any = true } } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `egress_rules` - (Optional) Ordered list of rules applied to connections from policy endpoints.. See [Egress Rules ](#egress-rules) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `endpoint` - (Required) Policy is for set of endpoints defined, rules are applied to connections to or from these endpoints.. See [Endpoint ](#endpoint) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `ingress_rules` - (Optional) Ordered list of rules applied to connections to policy endpoints.. See [Ingress Rules ](#ingress-rules) below for details. 
+### Egress Rules - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Egress Rules - - Ordered list of rules applied to connections from policy endpoints.. +Ordered list of rules applied to connections from policy endpoints.. `action` - (Optional) Action to be taken at rule match. Currently supported actions are Allow and Deny (`String`). 
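Review bot: In the Example Usage block, swapping the `prefix_list` endpoint for `any = true` makes the documented starting point a policy whose endpoint is every address; the Endpoint section later in this file describes `any` as "Any Endpoint that matches 0/0 ip prefix". These examples get copied as-is, so I would keep the scoped form (`prefixes = ["192.168.20.0/24"]`) as the example. If the generator now always emits the first entry of the alphabetised one-of list, add a comment in the example saying `any` is shown only for that reason and that a narrower choice is expected in real configurations.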
@@ -261,92 +68,61 @@ resource "volterra_network_policy_view" "example" { `metadata` - (Required) Common attributes for the rule including name and description.. See [Egress Rules Metadata ](#egress-rules-metadata) below for details. - - - -###### One of the arguments from this list "any, prefix_list, outside_endpoints, inside_endpoints, namespace, label_selector, ip_prefix_set" can be set +###### One of the arguments from this list "any, inside_endpoints, ip_prefix_set, label_selector, namespace, outside_endpoints, prefix_list" can be set `any` - (Optional) Any Endpoint that matches 0/0 ip prefix (`Bool`). - `inside_endpoints` - (Optional) All ip prefixes that are reachable via inside interfaces are chosen as Endpoints (`Bool`). - `ip_prefix_set` - (Optional) Reference to object which represents list of IP prefixes that will be referred as remote endpoint. See [Other Endpoint Ip Prefix Set ](#other-endpoint-ip-prefix-set) below for details. - `label_selector` - (Optional) local end point is set of prefixes determined by label selector expression. See [Other Endpoint Label Selector ](#other-endpoint-label-selector) below for details. - `namespace` - (Optional) All ip prefixes that are of a namespace are chosen as Endpoints (`String`).(Deprecated) - `outside_endpoints` - (Optional) All ip prefixes that are reachable via outside interfaces are chosen as Endpoints (`Bool`). - `prefix_list` - (Optional) For Ingress rules: To these endpoints from remote endpoints these ip prefixes are destination IPs.. See [Other Endpoint Prefix List ](#other-endpoint-prefix-list) below for details. - `rule_description` - (Optional) Human readable description for the rule (`String`).(Deprecated) `rule_name` - (Optional) Rule Name that will be used to query metrics for this rule. 
(`String`).(Deprecated) - - - -###### One of the arguments from this list "applications, protocol_port_range, all_traffic, all_tcp_traffic, all_udp_traffic" can be set +###### One of the arguments from this list "all_tcp_traffic, all_traffic, all_udp_traffic, applications, protocol_port_range" can be set `all_tcp_traffic` - (Optional) Select all TCP traffic to match (`Bool`). - `all_traffic` - (Optional) Select all traffic to match (`Bool`). - `all_udp_traffic` - (Optional) Select all UDP traffic to match (`Bool`). - `applications` - (Optional) Select Application traffic to match. See [Traffic Choice Applications ](#traffic-choice-applications) below for details. - `protocol_port_range` - (Optional) Select specific protocol and port ranges traffic to match. See [Traffic Choice Protocol Port Range ](#traffic-choice-protocol-port-range) below for details. +### Endpoint +Policy is for set of endpoints defined, rules are applied to connections to or from these endpoints.. - -### Endpoint - - Policy is for set of endpoints defined, rules are applied to connections to or from these endpoints.. - - - -###### One of the arguments from this list "inside_endpoints, interface, namespace, label_selector, prefix_list, any, outside_endpoints" must be set +###### One of the arguments from this list "any, inside_endpoints, interface, label_selector, namespace, outside_endpoints, prefix_list" must be set `any` - (Optional) Any Endpoint that matches 0/0 ip prefix (`Bool`). - `inside_endpoints` - (Optional) All ip prefixes that are reachable via inside interfaces are chosen as Endpoints (`Bool`). - `interface` - (Optional) All ip prefixes that are reachable via an interfaces are chosen as Endpoints. See [ref](#ref) below for details.(Deprecated) - `label_selector` - (Optional) local end point is set of prefixes determined by label selector expression. See [Endpoint Choice Label Selector ](#endpoint-choice-label-selector) below for details. 
- `namespace` - (Optional) All ip prefixes that are of a namespace are chosen as Endpoints (`String`).(Deprecated) - `outside_endpoints` - (Optional) All ip prefixes that are reachable via outside interfaces are chosen as Endpoints (`Bool`). - `prefix_list` - (Optional) For Ingress rules: To this endpoints from remote endpoints these ip prefixes are destination ip.. See [Endpoint Choice Prefix List ](#endpoint-choice-prefix-list) below for details. +### Ingress Rules - - -### Ingress Rules - - Ordered list of rules applied to connections to policy endpoints.. +Ordered list of rules applied to connections to policy endpoints.. `action` - (Optional) Action to be taken at rule match. Currently supported actions are Allow and Deny (`String`). 
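Review bot: Under Egress Rules, `rule_name`, `rule_description` and `namespace` are tagged `(Deprecated)` with no pointer to what should be used instead, and `interface` under Endpoint has the same gap. The same section lists `metadata` as "(Required) Common attributes for the rule including name and description"; if that is the replacement for `rule_name` and `rule_description`, say so on those lines, otherwise readers have no reason to stop setting the deprecated fields. The tag is also glued to the preceding token (`(String).(Deprecated)`); a separating space would match the rest of the line format.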
@@ -358,75 +134,51 @@ resource "volterra_network_policy_view" "example" { `metadata` - (Required) Common attributes for the rule including name and description.. See [Ingress Rules Metadata ](#ingress-rules-metadata) below for details. - - - -###### One of the arguments from this list "any, prefix_list, outside_endpoints, inside_endpoints, namespace, label_selector, ip_prefix_set" can be set +###### One of the arguments from this list "any, inside_endpoints, ip_prefix_set, label_selector, namespace, outside_endpoints, prefix_list" can be set `any` - (Optional) Any Endpoint that matches 0/0 ip prefix (`Bool`). - `inside_endpoints` - (Optional) All ip prefixes that are reachable via inside interfaces are chosen as Endpoints (`Bool`). - `ip_prefix_set` - (Optional) Reference to object which represents list of IP prefixes that will be referred as remote endpoint. See [Other Endpoint Ip Prefix Set ](#other-endpoint-ip-prefix-set) below for details. - `label_selector` - (Optional) local end point is set of prefixes determined by label selector expression. See [Other Endpoint Label Selector ](#other-endpoint-label-selector) below for details. - `namespace` - (Optional) All ip prefixes that are of a namespace are chosen as Endpoints (`String`).(Deprecated) - `outside_endpoints` - (Optional) All ip prefixes that are reachable via outside interfaces are chosen as Endpoints (`Bool`). - `prefix_list` - (Optional) For Ingress rules: To these endpoints from remote endpoints these ip prefixes are destination IPs.. See [Other Endpoint Prefix List ](#other-endpoint-prefix-list) below for details. - `rule_description` - (Optional) Human readable description for the rule (`String`).(Deprecated) `rule_name` - (Optional) Rule Name that will be used to query metrics for this rule. 
(`String`).(Deprecated) - - - -###### One of the arguments from this list "all_traffic, all_tcp_traffic, all_udp_traffic, applications, protocol_port_range" can be set +###### One of the arguments from this list "all_tcp_traffic, all_traffic, all_udp_traffic, applications, protocol_port_range" can be set `all_tcp_traffic` - (Optional) Select all TCP traffic to match (`Bool`). - `all_traffic` - (Optional) Select all traffic to match (`Bool`). - `all_udp_traffic` - (Optional) Select all UDP traffic to match (`Bool`). - `applications` - (Optional) Select Application traffic to match. See [Traffic Choice Applications ](#traffic-choice-applications) below for details. - `protocol_port_range` - (Optional) Select specific protocol and port ranges traffic to match. See [Traffic Choice Protocol Port Range ](#traffic-choice-protocol-port-range) below for details. +### Egress Rules Adv Action +Enable or disable logging.. +### Egress Rules Label Matcher -### Egress Rules Adv Action - - Enable or disable logging.. - - - -### Egress Rules Label Matcher - - not specified here, just the label keys. This facilitates reuse of policies across multiple dimensions such as deployment, environment, and location.. +not specified here, just the label keys. This facilitates reuse of policies across multiple dimensions such as deployment, environment, and location.. `keys` - (Optional) The list of label key names that have to match (`String`). +### Egress Rules Metadata - -### Egress Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
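Review bot: The new `### Egress Rules Adv Action` section carries a description ("Enable or disable logging..") but no argument under it, so this page never says which field controls rule logging or what values it takes. The Advanced Action section of the network_policy_rule page earlier in this patch does list `action` - (Optional) Enable or disable logging (`String`); the equivalent line is needed here, ideally with the accepted values, since this decides whether rule matches are logged at all. The doubled period in "logging.." is carried over from the old text and can be cleaned up in the same pass.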
@@ -434,61 +186,45 @@ resource "volterra_network_policy_view" "example" { `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Endpoint Choice Any +Any Endpoint that matches 0/0 ip prefix. -### Endpoint Choice Any - - Any Endpoint that matches 0/0 ip prefix. - +### Endpoint Choice Inside Endpoints +All ip prefixes that are reachable via inside interfaces are chosen as Endpoints. -### Endpoint Choice Inside Endpoints +### Endpoint Choice Label Selector - All ip prefixes that are reachable via inside interfaces are chosen as Endpoints. - - - -### Endpoint Choice Label Selector - - local end point is set of prefixes determined by label selector expression. +local end point is set of prefixes determined by label selector expression. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Endpoint Choice Outside Endpoints +All ip prefixes that are reachable via outside interfaces are chosen as Endpoints. -### Endpoint Choice Outside Endpoints - - All ip prefixes that are reachable via outside interfaces are chosen as Endpoints. - - - -### Endpoint Choice Prefix List +### Endpoint Choice Prefix List - For Ingress rules: To this endpoints from remote endpoints these ip prefixes are destination ip.. +For Ingress rules: To this endpoints from remote endpoints these ip prefixes are destination ip.. `ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). `prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). +### Ingress Rules Adv Action +Enable or disable logging.. -### Ingress Rules Adv Action +### Ingress Rules Label Matcher - Enable or disable logging.. - - - -### Ingress Rules Label Matcher - - not specified here, just the label keys. This facilitates reuse of policies across multiple dimensions such as deployment, environment, and location.. +not specified here, just the label keys. 
This facilitates reuse of policies across multiple dimensions such as deployment, environment, and location.. `keys` - (Optional) The list of label key names that have to match (`String`). +### Ingress Rules Metadata - -### Ingress Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
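Review bot: The description under `### Ingress Rules Label Matcher` starts mid-sentence ("not specified here, just the label keys."), so a reader cannot tell what is not specified; the Egress Rules Label Matcher text in the previous hunk has the same cut. Since this patch already rewrites both lines, please restore the full sentence from the API description rather than re-emitting the fragment without its leading space. Without it, `keys` reads as a plain list of names and the point that label values are matched elsewhere is lost.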
@@ -496,54 +232,39 @@ resource "volterra_network_policy_view" "example" { `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Other Endpoint Any +Any Endpoint that matches 0/0 ip prefix. -### Other Endpoint Any - - Any Endpoint that matches 0/0 ip prefix. - - +### Other Endpoint Inside Endpoints -### Other Endpoint Inside Endpoints +All ip prefixes that are reachable via inside interfaces are chosen as Endpoints. - All ip prefixes that are reachable via inside interfaces are chosen as Endpoints. +### Other Endpoint Ip Prefix Set - - -### Other Endpoint Ip Prefix Set - - Reference to object which represents list of IP prefixes that will be referred as remote endpoint. +Reference to object which represents list of IP prefixes that will be referred as remote endpoint. `ref` - (Optional) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. +### Other Endpoint Label Selector - -### Other Endpoint Label Selector - - local end point is set of prefixes determined by label selector expression. +local end point is set of prefixes determined by label selector expression. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +### Other Endpoint Outside Endpoints +All ip prefixes that are reachable via outside interfaces are chosen as Endpoints. -### Other Endpoint Outside Endpoints - - All ip prefixes that are reachable via outside interfaces are chosen as Endpoints. - - +### Other Endpoint Prefix List -### Other Endpoint Prefix List - - For Ingress rules: To these endpoints from remote endpoints these ip prefixes are destination IPs.. +For Ingress rules: To these endpoints from remote endpoints these ip prefixes are destination IPs.. `ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). `prefixes` - (Optional) List of IPv4 prefixes that represent an endpoint (`String`). 
- - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -553,45 +274,33 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Traffic Choice All Tcp Traffic +Select all TCP traffic to match. -### Traffic Choice All Tcp Traffic - - Select all TCP traffic to match. - - - -### Traffic Choice All Traffic - - Select all traffic to match. +### Traffic Choice All Traffic +Select all traffic to match. +### Traffic Choice All Udp Traffic -### Traffic Choice All Udp Traffic +Select all UDP traffic to match. - Select all UDP traffic to match. +### Traffic Choice Applications - - -### Traffic Choice Applications - - Select Application traffic to match. +Select Application traffic to match. `applications` - (Optional) Application protocols like HTTP, SNMP (`List of Strings`). +### Traffic Choice Protocol Port Range - -### Traffic Choice Protocol Port Range - - Select specific protocol and port ranges traffic to match. +Select specific protocol and port ranges traffic to match. `port_ranges` - (Optional) List of port ranges. Each range is a single port or a pair of start and end ports e.g. 8080-8192 (`String`). `protocol` - (Optional) Values are tcp, udp, and icmp (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured network_policy_view. - +- `id` - This is the id of the configured network_policy_view. diff --git a/docs/resources/volterra_nfv_service.md b/docs/resources/volterra_nfv_service.md index eea1d70f7..ef2ea0f9f 100644 --- a/docs/resources/volterra_nfv_service.md +++ b/docs/resources/volterra_nfv_service.md 
@@ -1,842 +1,153 @@ +--- +page_title: "Volterra: nfv_service" +description: "The nfv_service allows CRUD of Nfv Service resource on Volterra SaaS" +--- +Resource volterra_nfv_service +============================= +The Nfv Service allows CRUD of Nfv Service resource on Volterra SaaS +~> **Note:** Please refer to [Nfv Service API docs](https://docs.cloud.f5.com/docs-v2/api/nfv-service) to learn more +Example Usage +------------- +```hcl +resource "volterra_nfv_service" "example" { + name = "acmecorp-web" + namespace = "staging" + // One of the arguments from this list "disable_https_management https_management" must be set + disable_https_management = true + // One of the arguments from this list "f5_big_ip_aws_service palo_alto_fw_service" must be set + f5_big_ip_aws_service { + admin_password { ---- -page_title: "Volterra: nfv_service" -description: "The nfv_service allows CRUD of Nfv Service resource on Volterra SaaS" ---- -# Resource volterra_nfv_service - -The Nfv Service allows CRUD of Nfv Service resource on Volterra SaaS - -~> **Note:** Please refer to [Nfv Service API docs](https://docs.cloud.f5.com/docs-v2/api/nfv-service) to learn more - -## Example Usage - -```hcl -resource "volterra_nfv_service" "example" { - name = "acmecorp-web" - namespace = "staging" - - // One of the arguments from this list "disable_https_management https_management" must be set - - disable_https_management = true - - // One of the arguments from this list "f5_big_ip_aws_service palo_alto_fw_service" must be set - - palo_alto_fw_service { - // One of the arguments from this list "pan_ami_bundle1 pan_ami_bundle2" must be set - - pan_ami_bundle1 = true - - aws_tgw_site { - name = "test1" - namespace = "staging" - tenant = "acmecorp" - } - - instance_type = "m4.large" - - // One of the arguments from this list "disable_panaroma panorama_server" can be set - - disable_panaroma = true - service_nodes { - nodes { - aws_az_name = "us-west-2a" - - // One of the arguments from this list 
"reserved_mgmt_subnet mgmt_subnet" must be set - - reserved_mgmt_subnet = true - node_name = "node1" - } - } - - // One of the arguments from this list "ssh_key auto_setup" must be set - - ssh_key = "ssh-rsa AAAAB..." - tags = { - "key1" = "value1" - } - version = "11.0.0" - } - - // One of the arguments from this list "enabled_ssh_access disable_ssh_access" must be set - - enabled_ssh_access { - // One of the arguments from this list "advertise_on_public_default_vip advertise_on_public advertise_on_sli advertise_on_slo advertise_on_slo_sli" can be set - - advertise_on_slo = true - - domain_suffix = "foo.com" - - node_ssh_ports { - node_name = "node1" - - ssh_port = "2222" - } - } -} - -``` - -## Argument Reference - -### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). - - -`description` - (Optional) Human readable description for the object (`String`). - - -`disable` - (Optional) A value of true will administratively disable the object (`Bool`). - - -`labels` - (Optional) by selector expression (`String`). - - -`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - - -`namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - - -### Spec Argument Reference - - -`disable_https_management` - (Optional) HTTPS based management is not enabled (`Bool`). - - -`https_management` - (Optional) Enable HTTPS based management. See [Http Management Choice Https Management ](#http-management-choice-https-management) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`f5_big_ip_aws_service` - (Optional) Virtual BIG-IP service to be deployed on AWS. See [Service Provider Choice F5 Big Ip Aws Service ](#service-provider-choice-f5-big-ip-aws-service) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`palo_alto_fw_service` - (Optional) Palo Alto Networks VM-Series Firewall to be deployed on AWS Cloud. See [Service Provider Choice Palo Alto Fw Service ](#service-provider-choice-palo-alto-fw-service) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + secret_encoding_type = "secret_encoding_type" + // One of the arguments from this list "blindfold_secret_info clear_secret_info vault_secret_info wingman_secret_info" must be set + blindfold_secret_info { + decryption_provider = "value" + location = "string:///U2VjcmV0SW5mb3JtYXRpb24=" + store_provider = "value" + } + } + admin_username = "admin" - + endpoint_service { + // One of the arguments from this list "advertise_on_slo_ip advertise_on_slo_ip_external disable_advertise_on_slo_ip" must be set + disable_advertise_on_slo_ip = true + // One of the arguments from this list "automatic_vip configured_vip" must be set + automatic_vip = true - + // One of the arguments from this list "custom_tcp_ports default_tcp_ports http_port https_port no_tcp_ports" must be set + custom_tcp_ports { + ports = ["100-200"] + } - + // One of the arguments from this list "custom_udp_ports no_udp_ports" must be set + custom_udp_ports { + ports = ["100-200"] + } + } + // One of the arguments from this list "byol_image market_place_image" must be set + market_place_image { + // One of the arguments from this list "awaf_pay_g200_mbps awaf_pay_g3_gbps AWAFPayG3Gbps" must be set + awaf_pay_g200_mbps = true + } + nodes { + aws_az_name = "us-west-2a" + // One of the arguments from this list "mgmt_subnet reserved_mgmt_subnet" must be set + reserved_mgmt_subnet = true + node_name = "node1" + // One of the arguments from this list "automatic_prefix tunnel_prefix" must be set + automatic_prefix = true + } + // One of the arguments from this list "aws_tgw_site_params aws_vpc_site_params" must be set + aws_vpc_site_params { + aws_vpc_site { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } + } + ssh_key = "ssh-rsa AAAAB..." 
+ tags = { + "key1" = "value1" + } + } + // One of the arguments from this list "disable_ssh_access enabled_ssh_access" must be set + disable_ssh_access = true +} +``` +Argument Reference +------------------ +### Metadata Argument Reference +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`description` - (Optional) Human readable description for the object (`String`). +`disable` - (Optional) A value of true will administratively disable the object (`Bool`). +`labels` - (Optional) by selector expression (`String`). +`name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +`namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). +### Spec Argument Reference +###### One of the arguments from this list "disable_https_management, https_management" must be set +`disable_https_management` - (Optional) HTTPS based management is not enabled (`Bool`). +`https_management` - (Optional) Enable HTTPS based management. See [Http Management Choice Https Management ](#http-management-choice-https-management) below for details. +###### One of the arguments from this list "f5_big_ip_aws_service, palo_alto_fw_service" must be set +`f5_big_ip_aws_service` - (Optional) Virtual BIG-IP service to be deployed on AWS. See [Service Provider Choice F5 Big Ip Aws Service ](#service-provider-choice-f5-big-ip-aws-service) below for details. +`palo_alto_fw_service` - (Optional) Palo Alto Networks VM-Series Firewall to be deployed on AWS Cloud. See [Service Provider Choice Palo Alto Fw Service ](#service-provider-choice-palo-alto-fw-service) below for details. +###### One of the arguments from this list "disable_ssh_access, enabled_ssh_access" must be set `disable_ssh_access` - (Optional) SSH based access is disabled (`Bool`). - `enabled_ssh_access` - (Optional) Enable SSH access to nodes. 
See [Ssh Management Choice Enabled Ssh Access ](#ssh-management-choice-enabled-ssh-access) below for details. - - - - - - - - - - - +### Admin Password Blindfold Secret Info Internal - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Admin Password Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
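Review bot: In the new `f5_big_ip_aws_service` example, the `admin_password` block is filled with placeholders that are not meaningful values: `secret_encoding_type = "secret_encoding_type"`, `decryption_provider = "value"` and `store_provider = "value"`. The `store_provider` argument is documented in the next hunk as needed "only if the url scheme is not string:///", yet the example sets it alongside `location = "string:///U2VjcmV0SW5mb3JtYXRpb24="`, so the example contradicts the reference text. Suggest dropping `store_provider` from the example and using values these fields actually accept. Separately, the one-of comment inside `market_place_image` lists `awaf_pay_g200_mbps awaf_pay_g3_gbps AWAFPayG3Gbps`; the last entry looks like an unconverted duplicate of `awaf_pay_g3_gbps` and should be checked against the schema before it ships in the docs.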
@@ -844,365 +155,249 @@ resource "volterra_nfv_service" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Advertise Choice Advertise On Internet - -### Advertise Choice Advertise On Internet - - Advertise this loadbalancer on public network. +Advertise this loadbalancer on public network. `public_ip` - (Required) Dedicated Public IP, which is allocated by F5 Distributed Cloud on request, is used as a VIP.. See [ref](#ref) below for details. +### Advertise Choice Advertise On Internet Default Vip +Enable management access on internet with default VIP. -### Advertise Choice Advertise On Internet Default Vip - - Enable management access on internet with default VIP. - +### Advertise Choice Advertise On Public - -### Advertise Choice Advertise On Public - - Advertise this loadbalancer on public network. +Advertise this loadbalancer on public network. `public_ip` - (Required) Dedicated Public IP, which is allocated by F5 Distributed Cloud on request, is used as a VIP.. See [ref](#ref) below for details. +### Advertise Choice Advertise On Public Default Vip +Enable management access on internet with default VIP. -### Advertise Choice Advertise On Public Default Vip - - Enable management access on internet with default VIP. - +### Advertise Choice Advertise On Sli +Enable on Site local inside network, default VIP will be used. -### Advertise Choice Advertise On Sli - - Enable on Site local inside network, default VIP will be used. - - - -### Advertise Choice Advertise On Sli Vip - - Enable on Site local inside network, default VIP will be used. - +### Advertise Choice Advertise On Sli Vip +Enable on Site local inside network, default VIP will be used. ###### One of the arguments from this list "no_mtls, use_mtls" must be set `no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - `use_mtls` - (Optional) x-displayName: "Enable". 
See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - `tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Advertise On Sli Vip Tls Certificates ](#advertise-on-sli-vip-tls-certificates) below for details. `tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Sli Vip Tls Config ](#advertise-on-sli-vip-tls-config) below for details. +### Advertise Choice Advertise On Slo +Enable on Site local outside network, default VIP will be used. -### Advertise Choice Advertise On Slo - - Enable on Site local outside network, default VIP will be used. - - - -### Advertise Choice Advertise On Slo Internet Vip - - Enable On Site Local Outside Internet VIP. - +### Advertise Choice Advertise On Slo Internet Vip +Enable On Site Local Outside Internet VIP. ###### One of the arguments from this list "no_mtls, use_mtls" must be set `no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - `use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - `tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Advertise On Slo Internet Vip Tls Certificates ](#advertise-on-slo-internet-vip-tls-certificates) below for details. `tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Slo Internet Vip Tls Config ](#advertise-on-slo-internet-vip-tls-config) below for details. +### Advertise Choice Advertise On Slo Sli - -### Advertise Choice Advertise On Slo Sli - - Enable on Site local inside and outside network, default VIP will be used. - - +Enable on Site local inside and outside network, default VIP will be used. ###### One of the arguments from this list "no_mtls, use_mtls" must be set `no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). 
- `use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - `tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Advertise On Slo Sli Tls Certificates ](#advertise-on-slo-sli-tls-certificates) below for details. `tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Slo Sli Tls Config ](#advertise-on-slo-sli-tls-config) below for details. +### Advertise Choice Advertise On Slo Sli +Enable on Site local inside and outside network, default VIP will be used. -### Advertise Choice Advertise On Slo Sli - - Enable on Site local inside and outside network, default VIP will be used. - - - -### Advertise Choice Advertise On Slo Vip - - Enable on Site local outside network, default VIP will be used. - +### Advertise Choice Advertise On Slo Vip +Enable on Site local outside network, default VIP will be used. ###### One of the arguments from this list "no_mtls, use_mtls" must be set `no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - `use_mtls` - (Optional) x-displayName: "Enable". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - `tls_certificates` - (Required) for example, domain.com and *.domain.com - but use different signature algorithms. See [Advertise On Slo Vip Tls Certificates ](#advertise-on-slo-vip-tls-certificates) below for details. `tls_config` - (Optional) Configuration of TLS settings such as min/max TLS version and ciphersuites. See [Advertise On Slo Vip Tls Config ](#advertise-on-slo-vip-tls-config) below for details. +### Advertise Choice Disable Local +Disable on Site local network. -### Advertise Choice Disable Local - - Disable on Site local network. - +### Advertise Choice Do Not Advertise On Internet +Do not enable access to management from internet. 
-### Advertise Choice Do Not Advertise On Internet +### Advertise On Sli Vip Tls Certificates - Do not enable access to management from internet. - - - -### Advertise On Sli Vip Tls Certificates - - for example, domain.com and *.domain.com - but use different signature algorithms. +for example, domain.com and *.domain.com - but use different signature algorithms. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "use_system_defaults, disable_ocsp_stapling, custom_hash_algorithms" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. 
+### Advertise On Sli Vip Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. -### Advertise On Sli Vip Tls Config - - Configuration of TLS settings such as min/max TLS version and ciphersuites. - - - -###### One of the arguments from this list "medium_security, low_security, custom_security, default_security" must be set +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set `custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - `default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - `low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - `medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### Advertise On Slo Internet Vip Tls Certificates - - -### Advertise On Slo Internet Vip Tls Certificates - - for example, domain.com and *.domain.com - but use different signature algorithms. +for example, domain.com and *.domain.com - but use different signature algorithms. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "use_system_defaults, disable_ocsp_stapling, custom_hash_algorithms" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. 
See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Advertise On Slo Internet Vip Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. -### Advertise On Slo Internet Vip Tls Config - - Configuration of TLS settings such as min/max TLS version and ciphersuites. - - - -###### One of the arguments from this list "low_security, custom_security, default_security, medium_security" must be set +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set `custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - `default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - `low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - `medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). 
+### Advertise On Slo Sli Tls Certificates - - -### Advertise On Slo Sli Tls Certificates - - for example, domain.com and *.domain.com - but use different signature algorithms. +for example, domain.com and *.domain.com - but use different signature algorithms. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "use_system_defaults, disable_ocsp_stapling, custom_hash_algorithms" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Advertise On Slo Sli Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. 
-### Advertise On Slo Sli Tls Config - - Configuration of TLS settings such as min/max TLS version and ciphersuites. - - - -###### One of the arguments from this list "custom_security, default_security, medium_security, low_security" must be set +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set `custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - `default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - `low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - `medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### Advertise On Slo Vip Tls Certificates - - -### Advertise On Slo Vip Tls Certificates - - for example, domain.com and *.domain.com - but use different signature algorithms. +for example, domain.com and *.domain.com - but use different signature algorithms. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "use_system_defaults, disable_ocsp_stapling, custom_hash_algorithms" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. 
- `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Advertise On Slo Vip Tls Config +Configuration of TLS settings such as min/max TLS version and ciphersuites. -### Advertise On Slo Vip Tls Config - - Configuration of TLS settings such as min/max TLS version and ciphersuites. - - - -###### One of the arguments from this list "medium_security, low_security, custom_security, default_security" must be set +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set `custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - `default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - `low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - `medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +### Ami Choice AWAFPayG200Mbps +F5 Advanced WAF with LTM, IPI, and Threat Campaigns (PAYG, 200Mbps). +### Ami Choice AWAFPayG3Gbps -### Ami Choice AWAFPayG200Mbps - - F5 Advanced WAF with LTM, IPI, and Threat Campaigns (PAYG, 200Mbps). 
- - - -### Ami Choice AWAFPayG3Gbps - - F5 Advanced WAF with LTM, IPI, and Threat Campaigns (PAYG, 3Gbps). - - +F5 Advanced WAF with LTM, IPI, and Threat Campaigns (PAYG, 3Gbps). -### Ami Choice Pan Ami Bundle1 +### Ami Choice Pan Ami Bundle1 - VM-Series Next-Generation Firewall Bundle 1. +VM-Series Next-Generation Firewall Bundle 1. +### Ami Choice Pan Ami Bundle2 +VM-Series Next-Generation Firewall Bundle 2. -### Ami Choice Pan Ami Bundle2 +### Authorization Key Blindfold Secret Info Internal - VM-Series Next-Generation Firewall Bundle 2. - - - -### Authorization Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -1210,363 +405,247 @@ resource "volterra_nfv_service" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Auto Setup Admin Password - -### Auto Setup Admin Password - - Firewall Admin Password. +Firewall Admin Password. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "clear_secret_info, wingman_secret_info, blindfold_secret_info, vault_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Byol Image License - - Secret License data. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
See [License Blindfold Secret Info Internal ](#license-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Choice Custom Security - - Custom selection of TLS versions and cipher suites. - -`cipher_suites` - (Required) The TLS listener will only support the specified cipher list. (`String`). - -`max_version` - (Optional) Maximum TLS protocol version. (`String`). - -`min_version` - (Optional) Minimum TLS protocol version. (`String`). - +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set -### Choice Default Security +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - TLS v1.2+ with PFS ciphers and strong crypto algorithms.. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) -### Choice Low Security +### Byol Image License - TLS v1.0+ including non-PFS ciphers and weak crypto algorithms.. +Secret License data. +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [License Blindfold Secret Info Internal ](#license-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) -### Choice Medium Security +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set - TLS v1.0+ with PFS ciphers and medium strength crypto algorithms.. +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. 
See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) -### Choice Subnet Param +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - Parameters for creating new subnet. +### Choice Custom Security -`ipv4` - (Required) IPv4 subnet prefix for this subnet (`String`). +Custom selection of TLS versions and cipher suites. -`ipv6` - (Optional) IPv6 subnet prefix for this subnet (`String`). +`cipher_suites` - (Required) The TLS listener will only support the specified cipher list. (`String`). +`max_version` - (Optional) Maximum TLS protocol version. (`String`). +`min_version` - (Optional) Minimum TLS protocol version. (`String`). -### Crl Choice No Crl +### Choice Default Security - Client certificate revocation status is not verified. +TLS v1.2+ with PFS ciphers and strong crypto algorithms.. +### Choice Low Security +TLS v1.0+ including non-PFS ciphers and weak crypto algorithms.. -### Enabled Ssh Access Node Ssh Ports +### Choice Medium Security - Enter TCP port and node name per node. +TLS v1.0+ with PFS ciphers and medium strength crypto algorithms.. -`node_name` - (Required) Node name will be used to match a particular node with the desired TCP port (`String`). +### Choice Subnet Param -`ssh_port` - (Required) Enter TCP port per node (`Int`). +Parameters for creating new subnet. +`ipv4` - (Required) IPv4 subnet prefix for this subnet (`String`). 
+`ipv6` - (Optional) IPv6 subnet prefix for this subnet (`String`). -### External Vip Choice Advertise On Slo Ip +### Crl Choice No Crl - Advertise this loadbalancer on Site Local Outside network address. +Client certificate revocation status is not verified. +### Enabled Ssh Access Node Ssh Ports +Enter TCP port and node name per node. -### External Vip Choice Advertise On Slo Ip External +`node_name` - (Required) Node name will be used to match a particular node with the desired TCP port (`String`). - Advertise this loadbalancer on Site Local Outside network address and enable cloud external IP. +`ssh_port` - (Required) Enter TCP port per node (`Int`). +### External Vip Choice Advertise On Slo Ip +Advertise this loadbalancer on Site Local Outside network address. -### External Vip Choice Disable Advertise On Slo Ip +### External Vip Choice Advertise On Slo Ip External - Do not Advertise this loadbalancer on Site Local Outside network address. +Advertise this loadbalancer on Site Local Outside network address and enable cloud external IP. +### External Vip Choice Disable Advertise On Slo Ip +Do not Advertise this loadbalancer on Site Local Outside network address. -### F5 Big Ip Aws Service Admin Password +### F5 Big Ip Aws Service Admin Password - Secret admin password for BIG ip. +Secret admin password for BIG ip. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Admin Password Blindfold Secret Info Internal ](#admin-password-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. 
(`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### F5 Big Ip Aws Service Endpoint Service +External service type is Endpoint service. - -### F5 Big Ip Aws Service Endpoint Service - - External service type is Endpoint service. - - - -###### One of the arguments from this list "disable_advertise_on_slo_ip, advertise_on_slo_ip, advertise_on_slo_ip_external" must be set +###### One of the arguments from this list "advertise_on_slo_ip, advertise_on_slo_ip_external, disable_advertise_on_slo_ip" must be set `advertise_on_slo_ip` - (Optional) Advertise this loadbalancer on Site Local Outside network address (`Bool`). - `advertise_on_slo_ip_external` - (Optional) Advertise this loadbalancer on Site Local Outside network address and enable cloud external IP (`Bool`). 
- `disable_advertise_on_slo_ip` - (Optional) Do not Advertise this loadbalancer on Site Local Outside network address (`Bool`). - - - ###### One of the arguments from this list "automatic_vip, configured_vip" must be set `automatic_vip` - (Optional) System will automatically select a VIP (`Bool`). - `configured_vip` - (Optional) Enter IP address for the default VIP (`String`). - - - -###### One of the arguments from this list "no_tcp_ports, default_tcp_ports, http_port, https_port, custom_tcp_ports" must be set +###### One of the arguments from this list "custom_tcp_ports, default_tcp_ports, http_port, https_port, no_tcp_ports" must be set `custom_tcp_ports` - (Optional) select custom tcp ports. See [Tcp Port Choice Custom Tcp Ports ](#tcp-port-choice-custom-tcp-ports) below for details. - -`default_tcp_ports` - (Optional) Select default TCP ports, 80 and 443 (`Bool`). - +`default_tcp_ports` - (Optional) Select default TCP ports, 80 and 443 (`Bool`). `http_port` - (Optional) Select HTTP Port 80 (`Bool`). - `https_port` - (Optional) Select HTTPS Port 443 (`Bool`). - `no_tcp_ports` - (Optional) do not select tcp ports (`Bool`). - - - ###### One of the arguments from this list "custom_udp_ports, no_udp_ports" must be set `custom_udp_ports` - (Optional) select custom udp ports. See [Udp Port Choice Custom Udp Ports ](#udp-port-choice-custom-udp-ports) below for details. - `no_udp_ports` - (Optional) do not select udp ports (`Bool`). +### F5 Big Ip Aws Service Nodes - - -### F5 Big Ip Aws Service Nodes - - Specify how and where the service nodes are spawned. +Specify how and where the service nodes are spawned. `aws_az_name` - (Required) The AWS Availability Zone must be consistent with the AWS Region chosen. Please select an AZ in the same Region as your TGW Site (`String`). - - ###### One of the arguments from this list "mgmt_subnet, reserved_mgmt_subnet" must be set `mgmt_subnet` - (Optional) Select Existing Subnet or Create New. 
See [Mgmt Subnet Choice Mgmt Subnet ](#mgmt-subnet-choice-mgmt-subnet) below for details. - `reserved_mgmt_subnet` - (Optional) Autogenerate and reserve a subnet from the Primary CIDR (`Bool`). - `node_name` - (Required) Node Name will be used to assign as hostname to the service (`String`). - - ###### One of the arguments from this list "automatic_prefix, tunnel_prefix" must be set `automatic_prefix` - (Optional) System will automatically select tunnel prefix (`Bool`). - `tunnel_prefix` - (Optional) Enter IP prefix for the tunnel, it has to be /30 (`String`). +### Http Management Choice Https Management +Enable HTTPS based management. - -### Http Management Choice Https Management - - Enable HTTPS based management. - - - -###### One of the arguments from this list "advertise_on_sli_vip, advertise_on_slo_vip, advertise_on_slo_sli, disable_local, do_not_advertise_on_internet, advertise_on_internet_default_vip, advertise_on_internet, advertise_on_slo_internet_vip" must be set +###### One of the arguments from this list "advertise_on_internet, advertise_on_internet_default_vip, advertise_on_sli_vip, advertise_on_slo_internet_vip, advertise_on_slo_sli, advertise_on_slo_vip, disable_local, do_not_advertise_on_internet" must be set `advertise_on_internet` - (Optional) Advertise this loadbalancer on public network. See [Advertise Choice Advertise On Internet ](#advertise-choice-advertise-on-internet) below for details. - `advertise_on_internet_default_vip` - (Optional) Enable management access on internet with default VIP (`Bool`). - `advertise_on_sli_vip` - (Optional) Enable on Site local inside network, default VIP will be used. See [Advertise Choice Advertise On Sli Vip ](#advertise-choice-advertise-on-sli-vip) below for details. - `advertise_on_slo_internet_vip` - (Optional) Enable On Site Local Outside Internet VIP. See [Advertise Choice Advertise On Slo Internet Vip ](#advertise-choice-advertise-on-slo-internet-vip) below for details. 
- `advertise_on_slo_sli` - (Optional) Enable on Site local inside and outside network, default VIP will be used. See [Advertise Choice Advertise On Slo Sli ](#advertise-choice-advertise-on-slo-sli) below for details. - `advertise_on_slo_vip` - (Optional) Enable on Site local outside network, default VIP will be used. See [Advertise Choice Advertise On Slo Vip ](#advertise-choice-advertise-on-slo-vip) below for details. - `disable_local` - (Optional) Disable on Site local network (`Bool`).(Deprecated) - `do_not_advertise_on_internet` - (Optional) Do not enable access to management from internet (`Bool`).(Deprecated) - `domain_suffix` - (Required) Domain suffix will be used along with node name to form URL to access node management (`String`). - - - -###### One of the arguments from this list "do_not_advertise, advertise_on_public_default_vip, advertise_on_public" can be set +###### One of the arguments from this list "advertise_on_public, advertise_on_public_default_vip, do_not_advertise" can be set `advertise_on_public` - (Optional) Advertise this loadbalancer on public network. See [Internet Choice Advertise On Public ](#internet-choice-advertise-on-public) below for details.(Deprecated) - `advertise_on_public_default_vip` - (Optional) Enable management access on internet with default VIP (`Bool`).(Deprecated) - `do_not_advertise` - (Optional) Do not enable access to management from internet (`Bool`).(Deprecated) - - - ###### One of the arguments from this list "default_https_port, https_port" must be set `default_https_port` - (Optional) Select default HTTPS 443 (`Bool`). - `https_port` - (Optional) Enter TCP port number (`Int`). +### Image Choice Byol Image - - -### Image Choice Byol Image - - Select the BIG-IP bring your own license image to be used for this service. +Select the BIG-IP bring your own license image to be used for this service. `image` - (Required) Select the BIG-IP pay as you go image to be used for this service (`String`). 
`license` - (Optional) Secret License data. See [Byol Image License ](#byol-image-license) below for details. +### Image Choice Market Place Image +Select the BIG-IP pay as you go image to be used for this service. -### Image Choice Market Place Image - - Select the BIG-IP pay as you go image to be used for this service. - - - -###### One of the arguments from this list "AWAFPayG200Mbps, AWAFPayG3Gbps, BestPlusPayG200Mbps, best_plus_payg_1gbps" must be set +###### One of the arguments from this list "awaf_pay_g200_mbps, awaf_pay_g3_gbps" must be set -`AWAFPayG200Mbps` - (Optional) F5 Advanced WAF with LTM, IPI, and Threat Campaigns (PAYG, 200Mbps) (`Bool`). +`awaf_pay_g200_mbps` - (Optional) F5 Advanced WAF with LTM, IPI, and Threat Campaigns (PAYG, 200Mbps) (`Bool`). +`awaf_pay_g3_gbps` - (Optional) F5 Advanced WAF with LTM, IPI, and Threat Campaigns (PAYG, 3Gbps) (`Bool`). -`AWAFPayG3Gbps` - (Optional) F5 Advanced WAF with LTM, IPI, and Threat Campaigns (PAYG, 3Gbps) (`Bool`). +### Inside Vip Choice Automatic Vip +System will automatically select a VIP. +### Internet Choice Advertise On Public - -### Inside Vip Choice Automatic Vip - - System will automatically select a VIP. - - - -### Internet Choice Advertise On Public - - Advertise this loadbalancer on public network. +Advertise this loadbalancer on public network. `public_ip` - (Required) Dedicated Public IP, which is allocated by F5 Distributed Cloud on request, is used as a VIP.. See [ref](#ref) below for details. +### Internet Choice Advertise On Public Default Vip +Enable management access on internet with default VIP. -### Internet Choice Advertise On Public Default Vip - - Enable management access on internet with default VIP. - +### Internet Choice Do Not Advertise +Do not enable access to management from internet. -### Internet Choice Do Not Advertise +### License Blindfold Secret Info Internal - Do not enable access to management from internet. 
- - - -### License Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -1574,139 +653,93 @@ resource "volterra_nfv_service" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Manual Ssh Keys Private Key - -### Manual Ssh Keys Private Key - - Authorized Public SSH key which will be programmed on the node. +Authorized Public SSH key which will be programmed on the node. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Mgmt Subnet Choice Mgmt Subnet +Select Existing Subnet or Create New. 
- -### Mgmt Subnet Choice Mgmt Subnet - - Select Existing Subnet or Create New. - - - -###### One of the arguments from this list "subnet_param, existing_subnet_id" must be set +###### One of the arguments from this list "existing_subnet_id, subnet_param" must be set `existing_subnet_id` - (Optional) Information about existing subnet ID (`String`). - `subnet_param` - (Optional) Parameters for creating new subnet. See [Choice Subnet Param ](#choice-subnet-param) below for details. +### Mgmt Subnet Choice Reserved Mgmt Subnet +Autogenerate and reserve a subnet from the Primary CIDR. +### Mtls Choice No Mtls -### Mgmt Subnet Choice Reserved Mgmt Subnet - - Autogenerate and reserve a subnet from the Primary CIDR. - - - -### Mtls Choice No Mtls - - x-displayName: "Disable". - - +x-displayName: "Disable". -### Mtls Choice Use Mtls +### Mtls Choice Use Mtls - x-displayName: "Enable". +x-displayName: "Enable". `client_certificate_optional` - (Optional) the connection will be accepted. (`Bool`). - - - -###### One of the arguments from this list "no_crl, crl" can be set +###### One of the arguments from this list "crl, no_crl" can be set `crl` - (Optional) Specify the CRL server information to download the certificate revocation list. See [ref](#ref) below for details. - `no_crl` - (Optional) Client certificate revocation status is not verified (`Bool`). - - - -###### One of the arguments from this list "trusted_ca_url, trusted_ca" must be set +###### One of the arguments from this list "trusted_ca, trusted_ca_url" must be set `trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Load Balancer. See [ref](#ref) below for details. - `trusted_ca_url` - (Optional) Upload a Root CA Certificate specifically for this Load Balancer (`String`). - - - - ###### One of the arguments from this list "xfcc_disabled, xfcc_options" can be set `xfcc_disabled` - (Optional) No X-Forwarded-Client-Cert header will be added (`Bool`). 
- `xfcc_options` - (Optional) X-Forwarded-Client-Cert header will be added with the configured fields. See [Xfcc Header Xfcc Options ](#xfcc-header-xfcc-options) below for details. +### Ocsp Stapling Choice Custom Hash Algorithms - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. `hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Ocsp Stapling Choice Disable Ocsp Stapling +This is the default behavior if no choice is selected.. -### Ocsp Stapling Choice Disable Ocsp Stapling +### Ocsp Stapling Choice Use System Defaults - This is the default behavior if no choice is selected.. +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. +### Palo Alto Fw Service Service Nodes - -### Ocsp Stapling Choice Use System Defaults - - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. - - - -### Palo Alto Fw Service Service Nodes - - Specify how and where the Palo Alto Networks Vm-Series AZ Nodes are spawned. +Specify how and where the Palo Alto Networks Vm-Series AZ Nodes are spawned. `nodes` - (Required) x-required. See [Service Nodes Nodes ](#service-nodes-nodes) below for details. +### Panaroma Connection Disable Panaroma +Disable Panorama connection during bootstrap, user can always enable it using firewall management console. 
-### Panaroma Connection Disable Panaroma - - Disable Panorama connection during bootstrap, user can always enable it using firewall management console. - +### Panaroma Connection Panorama Server - -### Panaroma Connection Panorama Server - - Enabled adding firewall instances to Panorama for config management during bootstrap. +Enabled adding firewall instances to Panorama for config management during bootstrap. `authorization_key` - (Required) Authentication key for Panorama. See [Panorama Server Authorization Key ](#panorama-server-authorization-key) below for details. 
@@ -1716,43 +749,31 @@ resource "volterra_nfv_service" "example" { `template_stack_name` - (Optional) Template Stack Name (`String`). +### Panorama Server Authorization Key - -### Panorama Server Authorization Key - - Authentication key for Panorama. +Authentication key for Panorama. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Authorization Key Blindfold Secret Info Internal ](#authorization-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "wingman_secret_info, blindfold_secret_info, vault_secret_info, clear_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Port Choice Default Https Port +Select default HTTPS 443. +### Private Key Blindfold Secret Info Internal -### Port Choice Default Https Port - - Select default HTTPS 443. 
- - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -1760,10 +781,7 @@ resource "volterra_nfv_service" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -1773,11 +791,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -1785,21 +801,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -1811,39 +823,29 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Service Nodes Nodes - -### Service Nodes Nodes - - x-required. +x-required. `aws_az_name` - (Required) AWS availability zone, must be consistent with the selected AWS region. It is recommended that AZ is one of the AZ for sites (`String`). - - -###### One of the arguments from this list "reserved_mgmt_subnet, mgmt_subnet" must be set +###### One of the arguments from this list "mgmt_subnet, reserved_mgmt_subnet" must be set `mgmt_subnet` - (Optional) Select Existing Subnet or Create New. See [Mgmt Subnet Choice Mgmt Subnet ](#mgmt-subnet-choice-mgmt-subnet) below for details. - `reserved_mgmt_subnet` - (Optional) Autogenerate and reserve a subnet from the Primary CIDR (`Bool`). - `node_name` - (Required) Node Name will be used to assign as hostname to the service (`String`). +### Service Provider Choice F5 Big Ip Aws Service - -### Service Provider Choice F5 Big Ip Aws Service - - Virtual BIG-IP service to be deployed on AWS. +Virtual BIG-IP service to be deployed on AWS. `admin_password` - (Required) Secret admin password for BIG ip. See [F5 Big Ip Aws Service Admin Password ](#f5-big-ip-aws-service-admin-password) below for details. 
@@ -1851,256 +853,179 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `endpoint_service` - (Optional) External service type is Endpoint service. See [F5 Big Ip Aws Service Endpoint Service ](#f5-big-ip-aws-service-endpoint-service) below for details. - - -###### One of the arguments from this list "market_place_image, byol_image" must be set +###### One of the arguments from this list "byol_image, market_place_image" must be set `byol_image` - (Optional) Select the BIG-IP bring your own license image to be used for this service. See [Image Choice Byol Image ](#image-choice-byol-image) below for details.(Deprecated) - `market_place_image` - (Optional) Select the BIG-IP pay as you go image to be used for this service. See [Image Choice Market Place Image ](#image-choice-market-place-image) below for details. - `nodes` - (Required) Specify how and where the service nodes are spawned. See [F5 Big Ip Aws Service Nodes ](#f5-big-ip-aws-service-nodes) below for details. - - ###### One of the arguments from this list "aws_tgw_site_params, aws_vpc_site_params" must be set `aws_tgw_site_params` - (Optional) Select AWS transit gateway site. See [Site Type Choice Aws Tgw Site Params ](#site-type-choice-aws-tgw-site-params) below for details. - `aws_vpc_site_params` - (Optional) Select AWS VPC site. See [Site Type Choice Aws Vpc Site Params ](#site-type-choice-aws-vpc-site-params) below for details.(Deprecated) - `ssh_key` - (Required) Public SSH key for accessing the Big IP nodes. (`String`). `tags` - (Optional) It helps to manage, identify, organize, search for, and filter resources in AWS console. (`String`). +### Service Provider Choice Palo Alto Fw Service - -### Service Provider Choice Palo Alto Fw Service - - Palo Alto Networks VM-Series Firewall to be deployed on AWS Cloud. - - +Palo Alto Networks VM-Series Firewall to be deployed on AWS Cloud. 
###### One of the arguments from this list "pan_ami_bundle1, pan_ami_bundle2" must be set `pan_ami_bundle1` - (Optional) VM-Series Next-Generation Firewall Bundle 1 (`Bool`). - `pan_ami_bundle2` - (Optional) VM-Series Next-Generation Firewall Bundle 2 (`Bool`). - `aws_tgw_site` - (Required) Select AWS transit gateway site. See [ref](#ref) below for details. `instance_type` - (Required) AWS Instance type (`String`). - - - ###### One of the arguments from this list "disable_panaroma, panorama_server" can be set `disable_panaroma` - (Optional) Disable Panorama connection during bootstrap, user can always enable it using firewall management console (`Bool`). - `panorama_server` - (Optional) Enabled adding firewall instances to Panorama for config management during bootstrap. See [Panaroma Connection Panorama Server ](#panaroma-connection-panorama-server) below for details. - `service_nodes` - (Required) Specify how and where the Palo Alto Networks Vm-Series AZ Nodes are spawned. See [Palo Alto Fw Service Service Nodes ](#palo-alto-fw-service-service-nodes) below for details. - - ###### One of the arguments from this list "auto_setup, ssh_key" must be set `auto_setup` - (Optional) Auto Setup API Access & Users. With this firewall api access and given admin user will be auto setup. See [Setup Options Auto Setup ](#setup-options-auto-setup) below for details. - `ssh_key` - (Optional) its corresponding ssh private key. (`String`). - `tags` - (Optional) It helps to manage, identify, organize, search for, and filter resources in AWS console. (`String`). `version` - (Optional) PAN-OS version (`String`). +### Setup Options Auto Setup - -### Setup Options Auto Setup - - Auto Setup API Access & Users. With this firewall api access and given admin user will be auto setup. +Auto Setup API Access & Users. With this firewall api access and given admin user will be auto setup. `admin_password` - (Required) Firewall Admin Password. 
See [Auto Setup Admin Password ](#auto-setup-admin-password) below for details. `admin_username` - (Required) Firewall Admin Username (`String`). - - -###### One of the arguments from this list "manual_ssh_keys, autogenerated_ssh_keys" must be set +###### One of the arguments from this list "autogenerated_ssh_keys, manual_ssh_keys" must be set `autogenerated_ssh_keys` - (Optional) Autogenerated SSH Keys, users will be able to download the keys after external service is created (`Bool`).(Deprecated) - `manual_ssh_keys` - (Optional) User given public and private SSH keys. See [Ssh Keys Choice Manual Ssh Keys ](#ssh-keys-choice-manual-ssh-keys) below for details. +### Site Type Choice Aws Tgw Site Params - - -### Site Type Choice Aws Tgw Site Params - - Select AWS transit gateway site. +Select AWS transit gateway site. `aws_tgw_site` - (Required) Reference to AWS transit gateway site. See [ref](#ref) below for details. +### Site Type Choice Aws Vpc Site Params - -### Site Type Choice Aws Vpc Site Params - - Select AWS VPC site. +Select AWS VPC site. `aws_vpc_site` - (Required) Reference to AWS VPC site. See [ref](#ref) below for details. +### Ssh Keys Choice Autogenerated Ssh Keys +Autogenerated SSH Keys, users will be able to download the keys after external service is created. -### Ssh Keys Choice Autogenerated Ssh Keys - - Autogenerated SSH Keys, users will be able to download the keys after external service is created. +### Ssh Keys Choice Manual Ssh Keys - - -### Ssh Keys Choice Manual Ssh Keys - - User given public and private SSH keys. +User given public and private SSH keys. `private_key` - (Required) Authorized Public SSH key which will be programmed on the node. See [Manual Ssh Keys Private Key ](#manual-ssh-keys-private-key) below for details. `public_key` - (Required) Authorized Public SSH key which will be programmed on the node (`String`). +### Ssh Management Choice Enabled Ssh Access +Enable SSH access to nodes. 
-### Ssh Management Choice Enabled Ssh Access - - Enable SSH access to nodes. - - - - -###### One of the arguments from this list "advertise_on_public_default_vip, advertise_on_public, advertise_on_sli, advertise_on_slo, advertise_on_slo_sli" can be set +###### One of the arguments from this list "advertise_on_public, advertise_on_public_default_vip, advertise_on_sli, advertise_on_slo, advertise_on_slo_sli" can be set `advertise_on_public` - (Optional) Advertise this loadbalancer on public network. See [Advertise Choice Advertise On Public ](#advertise-choice-advertise-on-public) below for details.(Deprecated) - `advertise_on_public_default_vip` - (Optional) Enable management access on internet with default VIP (`Bool`).(Deprecated) - `advertise_on_sli` - (Optional) Enable on Site local inside network, default VIP will be used (`Bool`). - `advertise_on_slo` - (Optional) Enable on Site local outside network, default VIP will be used (`Bool`). - `advertise_on_slo_sli` - (Optional) Enable on Site local inside and outside network, default VIP will be used (`Bool`). - `domain_suffix` - (Required) Domain suffix will be used along with node name to form the hostname for ssh node management (`String`). `node_ssh_ports` - (Required) Enter TCP port and node name per node. See [Enabled Ssh Access Node Ssh Ports ](#enabled-ssh-access-node-ssh-ports) below for details. +### Tcp Port Choice Custom Tcp Ports - -### Tcp Port Choice Custom Tcp Ports - - select custom tcp ports. +select custom tcp ports. `ports` - (Required) List of port ranges. Each range is a single port or a pair of start and end ports e.g. 8080-8192 (`String`). +### Tcp Port Choice Default Tcp Ports +Select default TCP ports, 80 and 443. -### Tcp Port Choice Default Tcp Ports - - Select default TCP ports, 80 and 443. - - - -### Tcp Port Choice Http Port - - Select HTTP Port 80. +### Tcp Port Choice Http Port +Select HTTP Port 80. 
+### Tcp Port Choice Https Port -### Tcp Port Choice Https Port +Select HTTPS Port 443. - Select HTTPS Port 443. +### Tcp Port Choice No Tcp Ports +do not select tcp ports. +### Tls Certificates Private Key -### Tcp Port Choice No Tcp Ports - - do not select tcp ports. - - - -### Tls Certificates Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Tunnel Prefix Choice Automatic Prefix +System will automatically select tunnel prefix. +### Udp Port Choice Custom Udp Ports -### Tunnel Prefix Choice Automatic Prefix - - System will automatically select tunnel prefix. - - - -### Udp Port Choice Custom Udp Ports - - select custom udp ports. +select custom udp ports. `ports` - (Required) List of port ranges. Each range is a single port or a pair of start and end ports e.g. 8080-8192 (`String`). +### Udp Port Choice No Udp Ports +do not select udp ports. -### Udp Port Choice No Udp Ports - - do not select udp ports. +### Xfcc Header Xfcc Disabled +No X-Forwarded-Client-Cert header will be added. +### Xfcc Header Xfcc Options -### Xfcc Header Xfcc Disabled - - No X-Forwarded-Client-Cert header will be added. - - - -### Xfcc Header Xfcc Options - - X-Forwarded-Client-Cert header will be added with the configured fields. +X-Forwarded-Client-Cert header will be added with the configured fields. `xfcc_header_elements` - (Required) X-Forwarded-Client-Cert header elements to be added to requests (`List of Strings`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured nfv_service. - +- `id` - This is the id of the configured nfv_service. diff --git a/docs/resources/volterra_origin_pool.md b/docs/resources/volterra_origin_pool.md index c839af4a6..1ce339359 100644 --- a/docs/resources/volterra_origin_pool.md +++ b/docs/resources/volterra_origin_pool.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: origin_pool" -description: "The origin_pool allows CRUD of Origin Pool resource on Volterra SaaS" +description: "The origin_pool allows CRUD of Origin Pool resource on Volterra SaaS" + --- -# Resource volterra_origin_pool -The Origin Pool allows CRUD of Origin Pool resource on Volterra SaaS +Resource volterra_origin_pool +============================= -~> **Note:** Please refer to [Origin Pool API docs](https://docs.cloud.f5.com/docs-v2/api/views-origin-pool) to learn more +The Origin Pool allows CRUD of Origin Pool resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Origin Pool API docs](https://docs.cloud.f5.com/docs-v2/api/views-origin-pool) to learn more + +Example Usage +------------- ```hcl resource "volterra_origin_pool" "example" { @@ -30,24 +23,12 @@ resource "volterra_origin_pool" "example" { loadbalancer_algorithm = ["loadbalancer_algorithm"] origin_servers { - // One of the arguments from this list "private_ip private_name k8s_service custom_endpoint_object vn_private_ip vn_private_name public_ip public_name consul_service" must be set - - consul_service { - // One of the arguments from this list "inside_network outside_network" must be set + // One of the arguments from this list "consul_service custom_endpoint_object k8s_service private_ip private_name public_ip public_name vn_private_ip vn_private_name" must be set - inside_network = true + public_ip { + // One of the arguments from this list "ip ipv6" must be set - service_name = "matching:production" - - site_locator { - // One of the arguments from this list "site virtual_site" must be set - - site { - name = "test1" - namespace = "staging" - tenant = "acmecorp" - } - } + ip = "8.8.8.8" } labels = { 
@@ -55,7 +36,7 @@ resource "volterra_origin_pool" "example" { } } - // One of the arguments from this list "port automatic_port lb_port" must be set + // One of the arguments from this list "automatic_port lb_port port" must be set port = "9080" 
@@ -66,739 +47,176 @@ resource "volterra_origin_pool" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `advanced_options` - (Optional) Advanced options configuration like timeouts, circuit breaker, subset load balancing. See [Advanced Options ](#advanced-options) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `endpoint_selection` - (Required) Policy for selection of endpoints from local site or remote site or both (`String`). - - +###### One of the arguments from this list "health_check_port, same_as_endpoint_port" can be set `health_check_port` - (Optional) Port used for performing health check (`Int`). - `same_as_endpoint_port` - (Optional) Health check is performed on endpoint port itself (`Bool`). - - - `healthcheck` - (Optional) Reference to healthcheck configuration objects. See [ref](#ref) below for details. `loadbalancer_algorithm` - (Required) loadbalancer_algorithm to determine which host is selected. (`String`). 
- - `origin_servers` - (Required) List of origin servers in this pool. See [Origin Servers ](#origin-servers) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +###### One of the arguments from this list "automatic_port, lb_port, port" must be set `automatic_port` - (Optional) For other origin server types, port will be automatically set as 443 if TLS is enabled at Origin Pool and 80 if TLS is disabled (`Bool`). - `lb_port` - (Optional) Endpoint port is selected based on loadbalancer port (`Bool`). - `port` - (Optional) Endpoint service is available on this port (`Int`). - - - +###### One of the arguments from this list "no_tls, use_tls" must be set `no_tls` - (Optional) x-displayName: "Disable" (`Bool`). - `use_tls` - (Optional) x-displayName: "Enable". See [Tls Choice Use Tls ](#tls-choice-use-tls) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +### Advanced Options +Advanced options configuration like timeouts, circuit breaker, subset load balancing. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Advanced Options - - Advanced options configuration like timeouts, circuit breaker, subset load balancing. - - - -###### One of the arguments from this list "default_circuit_breaker, disable_circuit_breaker, circuit_breaker" must be set +###### One of the arguments from this list "circuit_breaker, default_circuit_breaker, disable_circuit_breaker" must be set `circuit_breaker` - (Optional) allows to apply back pressure on downstream quickly.. 
See [Circuit Breaker Choice Circuit Breaker ](#circuit-breaker-choice-circuit-breaker) below for details. - `default_circuit_breaker` - (Optional) requests are 1024 and the default value for retries is 3 (`Bool`). - `disable_circuit_breaker` - (Optional) Circuit Breaker is disabled (`Bool`). - `connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2 seconds (`Int`). `header_transformation_type` - (Optional) Settings to normalize the headers of upstream requests.. See [Advanced Options Header Transformation Type ](#advanced-options-header-transformation-type) below for details.(Deprecated) `http_idle_timeout` - (Optional) This is specified in milliseconds. The default value is 5 minutes. (`Int`). - - -###### One of the arguments from this list "http1_config, http2_options, auto_http_config" must be set +###### One of the arguments from this list "auto_http_config, http1_config, http2_options" must be set `auto_http_config` - (Optional) and will use whichever protocol is negotiated by ALPN with the upstream. (`Bool`). - `http1_config` - (Optional) Enable HTTP/1.1 for upstream connections. See [Http Protocol Type Http1 Config ](#http-protocol-type-http1-config) below for details. - `http2_options` - (Optional) Enable HTTP/2 for upstream connections.. See [Http Protocol Type Http2 Options ](#http-protocol-type-http2-options) below for details. - - - - -###### One of the arguments from this list "enable_lb_source_ip_persistance, disable_lb_source_ip_persistance" can be set +###### One of the arguments from this list "disable_lb_source_ip_persistance, enable_lb_source_ip_persistance" can be set `disable_lb_source_ip_persistance` - (Optional) Disable LB source IP persistence (`Bool`). - `enable_lb_source_ip_persistance` - (Optional) Enable LB source IP persistence (`Bool`). 
- - - ###### One of the arguments from this list "disable_outlier_detection, outlier_detection" must be set `disable_outlier_detection` - (Optional) Outlier detection is disabled (`Bool`). - `outlier_detection` - (Optional) healthy load balancing set. Outlier detection is a form of passive health checking.. See [Outlier Detection Choice Outlier Detection ](#outlier-detection-choice-outlier-detection) below for details. - - - ###### One of the arguments from this list "no_panic_threshold, panic_threshold" must be set `no_panic_threshold` - (Optional) Disable panic threshold. Only healthy endpoints are considered for load balancing. (`Bool`). - `panic_threshold` - (Optional) all endpoints will be considered for load balancing ignoring its health status. (`Int`). - - - - ###### One of the arguments from this list "disable_proxy_protocol, proxy_protocol_v1, proxy_protocol_v2" can be set `disable_proxy_protocol` - (Optional) Disable Proxy Protocol for upstream connections (`Bool`). - `proxy_protocol_v1` - (Optional) Enable Proxy Protocol Version 1 for upstream connections (`Bool`). - `proxy_protocol_v2` - (Optional) Enable Proxy Protocol Version 2 for upstream connections (`Bool`). - - - ###### One of the arguments from this list "disable_subsets, enable_subsets" must be set `disable_subsets` - (Optional) Subset load balancing is disabled. All eligible origin servers will be considered for load balancing. (`Bool`). - `enable_subsets` - (Optional) Subset load balancing is enabled. Based on route, subset of origin servers will be considered for load balancing.. See [Subset Choice Enable Subsets ](#subset-choice-enable-subsets) below for details. +### Origin Servers +List of origin servers in this pool. - -### Origin Servers - - List of origin servers in this pool. 
- - - -###### One of the arguments from this list "private_ip, private_name, k8s_service, custom_endpoint_object, vn_private_ip, vn_private_name, public_ip, public_name, consul_service" must be set +###### One of the arguments from this list "consul_service, custom_endpoint_object, k8s_service, private_ip, private_name, public_ip, public_name, vn_private_ip, vn_private_name" must be set `consul_service` - (Optional) Specify origin server with Hashi Corp Consul service name and site information. See [Choice Consul Service ](#choice-consul-service) below for details. - `custom_endpoint_object` - (Optional) Specify origin server with a reference to endpoint object. See [Choice Custom Endpoint Object ](#choice-custom-endpoint-object) below for details. - `k8s_service` - (Optional) Specify origin server with K8s service name and site information. See [Choice K8s Service ](#choice-k8s-service) below for details. - `private_ip` - (Optional) Specify origin server with private or public IP address and site information. See [Choice Private Ip ](#choice-private-ip) below for details. - `private_name` - (Optional) Specify origin server with private or public DNS name and site information. See [Choice Private Name ](#choice-private-name) below for details. - `public_ip` - (Optional) Specify origin server with public IP. See [Choice Public Ip ](#choice-public-ip) below for details. - `public_name` - (Optional) Specify origin server with public DNS name. See [Choice Public Name ](#choice-public-name) below for details. - `vn_private_ip` - (Optional) Specify origin server IP address on virtual network other than inside or outside network. See [Choice Vn Private Ip ](#choice-vn-private-ip) below for details. - `vn_private_name` - (Optional) Specify origin server name on virtual network other than inside or outside network. See [Choice Vn Private Name ](#choice-vn-private-name) below for details. 
- `labels` - (Optional) Add Labels for this origin server, these labels can be used to form subset. (`String`). +### Advanced Options Header Transformation Type +Settings to normalize the headers of upstream requests.. -### Advanced Options Header Transformation Type - - Settings to normalize the headers of upstream requests.. - - - -###### One of the arguments from this list "legacy_header_transformation, default_header_transformation, proper_case_header_transformation, preserve_case_header_transformation" must be set +###### One of the arguments from this list "default_header_transformation, legacy_header_transformation, preserve_case_header_transformation, proper_case_header_transformation" must be set `default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). - `legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). - `preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). - `proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). +### Choice Consul Service - - -### Choice Consul Service - - Specify origin server with Hashi Corp Consul service name and site information. - - +Specify origin server with Hashi Corp Consul service name and site information. ###### One of the arguments from this list "inside_network, outside_network" must be set `inside_network` - (Optional) Inside network on the site (`Bool`). - `outside_network` - (Optional) Outside network on the site (`Bool`). - `service_name` - (Required) cluster-id is optional. (`String`). `site_locator` - (Required) Site or Virtual site where this origin server is located. See [Consul Service Site Locator ](#consul-service-site-locator) below for details. 
+### Choice Custom Endpoint Object - -### Choice Custom Endpoint Object - - Specify origin server with a reference to endpoint object. +Specify origin server with a reference to endpoint object. `endpoint` - (Required) Reference to an endpoint object. See [ref](#ref) below for details. +### Choice Custom Security - -### Choice Custom Security - - Custom selection of TLS versions and cipher suites. +Custom selection of TLS versions and cipher suites. `cipher_suites` - (Required) The TLS listener will only support the specified cipher list. (`String`). 
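Review bot: missing documentation in the context lines this hunk reflows: several argument descriptions are sentence fragments that have lost their subject. `outlier_detection` reads "healthy load balancing set.", `panic_threshold` reads "all endpoints will be considered for load balancing ignoring its health status" without saying what the `Int` measures, and `service_name` under Choice Consul Service reads only "cluster-id is optional." Since this pass already rewrites every heading and blank line around them, restore the full sentences here, and drop the doubled full stop in lines such as "Settings to normalize the headers of upstream requests..".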
@@ -806,408 +224,281 @@ resource "volterra_origin_pool" "example" { `min_version` - (Optional) Minimum TLS protocol version. (`String`). +### Choice Default Security +TLS v1.2+ with PFS ciphers and strong crypto algorithms.. -### Choice Default Security - - TLS v1.2+ with PFS ciphers and strong crypto algorithms.. - - - -### Choice K8s Service - - Specify origin server with K8s service name and site information. - +### Choice K8s Service +Specify origin server with K8s service name and site information. ###### One of the arguments from this list "inside_network, outside_network, vk8s_networks" must be set `inside_network` - (Optional) Inside network on the site (`Bool`). - `outside_network` - (Optional) Outside network on the site (`Bool`). - `vk8s_networks` - (Optional) origin server are on vK8s network on the site (`Bool`). - - - ###### One of the arguments from this list "service_name, service_selector" must be set `service_name` - (Optional) Both namespace and cluster-id are optional. (`String`). - `service_selector` - (Optional) discovery has to happen. This implicit label is added to service_selector. See [Service Info Service Selector ](#service-info-service-selector) below for details.(Deprecated) - `site_locator` - (Required) Site or Virtual site where this origin server is located. See [K8s Service Site Locator ](#k8s-service-site-locator) below for details. +### Choice Low Security +TLS v1.0+ including non-PFS ciphers and weak crypto algorithms.. -### Choice Low Security - - TLS v1.0+ including non-PFS ciphers and weak crypto algorithms.. - - - -### Choice Medium Security - - TLS v1.0+ with PFS ciphers and medium strength crypto algorithms.. +### Choice Medium Security +TLS v1.0+ with PFS ciphers and medium strength crypto algorithms.. +### Choice Private Ip -### Choice Private Ip - - Specify origin server with private or public IP address and site information. - - +Specify origin server with private or public IP address and site information. 
###### One of the arguments from this list "inside_network, outside_network, segment" must be set `inside_network` - (Optional) Inside network on the site (`Bool`). - `outside_network` - (Optional) Outside network on the site (`Bool`). - `segment` - (Optional) Segment where this origin server is located. See [ref](#ref) below for details. - - - ###### One of the arguments from this list "ip, ipv6" must be set `ip` - (Optional) Private IPV4 address (`String`). - `ipv6` - (Optional) Private IPV6 address (`String`). - `site_locator` - (Required) Site or Virtual site where this origin server is located. See [Private Ip Site Locator ](#private-ip-site-locator) below for details. +### Choice Private Name - -### Choice Private Name - - Specify origin server with private or public DNS name and site information. +Specify origin server with private or public DNS name and site information. `dns_name` - (Required) DNS Name (`String`). - - ###### One of the arguments from this list "inside_network, outside_network, segment" must be set `inside_network` - (Optional) Inside network on the site (`Bool`). - `outside_network` - (Optional) Outside network on the site (`Bool`). - `segment` - (Optional) Segment where this origin server is located. See [ref](#ref) below for details. - `refresh_interval` - (Optional) Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767 (`Int`). `site_locator` - (Required) Site or Virtual site where this origin server is located. See [Private Name Site Locator ](#private-name-site-locator) below for details. +### Choice Public Ip - -### Choice Public Ip - - Specify origin server with public IP. - - +Specify origin server with public IP. ###### One of the arguments from this list "ip, ipv6" must be set `ip` - (Optional) Public IPV4 address (`String`). - `ipv6` - (Optional) Public IPV6 address (`String`). +### Choice Public Name - - -### Choice Public Name - - Specify origin server with public DNS name. 
+Specify origin server with public DNS name. `dns_name` - (Required) DNS Name (`String`). `refresh_interval` - (Optional) Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767 (`Int`). +### Choice Vn Private Ip - -### Choice Vn Private Ip - - Specify origin server IP address on virtual network other than inside or outside network. +Specify origin server IP address on virtual network other than inside or outside network. `virtual_network` - (Required) Virtual Network where this IP will be present. See [ref](#ref) below for details. - - ###### One of the arguments from this list "ip, ipv6" must be set `ip` - (Optional) IPV4 address (`String`). - `ipv6` - (Optional) IPV6 address (`String`). +### Choice Vn Private Name - - -### Choice Vn Private Name - - Specify origin server name on virtual network other than inside or outside network. +Specify origin server name on virtual network other than inside or outside network. `dns_name` - (Required) DNS Name (`String`). `private_network` - (Required) Virtual Network where this Name will be present. See [ref](#ref) below for details. +### Circuit Breaker Choice Circuit Breaker - -### Circuit Breaker Choice Circuit Breaker - - allows to apply back pressure on downstream quickly.. +allows to apply back pressure on downstream quickly.. `connection_limit` - (Optional) Remove endpoint out of load balancing decision, if number of connections reach connection limit. (`Int`). `max_requests` - (Optional) Remove endpoint out of load balancing decision, if requests exceed this count. (`Int`). -`pending_requests` - (Optional) Remove endpoint out of load balancing decision, if pending request reach pending_request. (`Int`). +`pending_requests` - (Optional) Remove endpoint out of load balancing decision, if pending request reach pending_request. (`Int`). `priority` - (Optional) matched with priority of CircuitBreaker to select the CircuitBreaker (`String`). 
`retries` - (Optional) Remove endpoint out of load balancing decision, if retries for request exceed this count. (`Int`). +### Circuit Breaker Choice Default Circuit Breaker +requests are 1024 and the default value for retries is 3. -### Circuit Breaker Choice Default Circuit Breaker - - requests are 1024 and the default value for retries is 3. - - - -### Circuit Breaker Choice Disable Circuit Breaker - - Circuit Breaker is disabled. +### Circuit Breaker Choice Disable Circuit Breaker +Circuit Breaker is disabled. +### Consul Service Site Locator -### Consul Service Site Locator - - Site or Virtual site where this origin server is located. - - +Site or Virtual site where this origin server is located. ###### One of the arguments from this list "site, virtual_site" must be set `site` - (Optional) Reference to site object. See [ref](#ref) below for details. - `virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. +### Enable Subsets Endpoint Subsets - - -### Enable Subsets Endpoint Subsets - - List of subset class. Subsets class is defined using list of keys. Every unique combination of values of these keys form a subset withing the class.. +List of subset class. Subsets class is defined using list of keys. Every unique combination of values of these keys form a subset withing the class.. `keys` - (Required) List of keys that define a cluster subset class. (`String`). +### Fallback Policy Choice Any Endpoint +Select any origin server from available healthy origin servers in this pool. -### Fallback Policy Choice Any Endpoint - - Select any origin server from available healthy origin servers in this pool. +### Fallback Policy Choice Default Subset - - -### Fallback Policy Choice Default Subset - - Use the default subset provided here. Select endpoints matching default subset.. +Use the default subset provided here. Select endpoints matching default subset.. 
`default_subset` - (Optional) which gets used when route specifies no metadata or no subset matching the metadata exists. (`String`). +### Fallback Policy Choice Fail Request +Request will be failed and error returned, as if cluster has no origin servers.. -### Fallback Policy Choice Fail Request - - Request will be failed and error returned, as if cluster has no origin servers.. - - - -### Header Transformation Choice Default Header Transformation - - Normalize the headers to lower case. +### Header Transformation Choice Default Header Transformation +Normalize the headers to lower case. +### Header Transformation Choice Legacy Header Transformation -### Header Transformation Choice Legacy Header Transformation +Use old header transformation if configured earlier. - Use old header transformation if configured earlier. +### Header Transformation Choice Preserve Case Header Transformation +Preserves the original case of headers without any modifications.. +### Header Transformation Choice Proper Case Header Transformation -### Header Transformation Choice Preserve Case Header Transformation +For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are”. - Preserves the original case of headers without any modifications.. +### Http1 Config Header Transformation +the stateful formatter will take effect, and the stateless formatter will be disregarded.. - -### Header Transformation Choice Proper Case Header Transformation - - For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are”. - - - -### Http1 Config Header Transformation - - the stateful formatter will take effect, and the stateless formatter will be disregarded.. 
- - - -###### One of the arguments from this list "legacy_header_transformation, default_header_transformation, proper_case_header_transformation, preserve_case_header_transformation" must be set +###### One of the arguments from this list "default_header_transformation, legacy_header_transformation, preserve_case_header_transformation, proper_case_header_transformation" must be set `default_header_transformation` - (Optional) Normalize the headers to lower case (`Bool`). - `legacy_header_transformation` - (Optional) Use old header transformation if configured earlier (`Bool`). - `preserve_case_header_transformation` - (Optional) Preserves the original case of headers without any modifications. (`Bool`). - `proper_case_header_transformation` - (Optional) For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are” (`Bool`). +### Http Protocol Type Auto Http Config +and will use whichever protocol is negotiated by ALPN with the upstream.. +### Http Protocol Type Http1 Config -### Http Protocol Type Auto Http Config - - and will use whichever protocol is negotiated by ALPN with the upstream.. - - - -### Http Protocol Type Http1 Config - - Enable HTTP/1.1 for upstream connections. +Enable HTTP/1.1 for upstream connections. `header_transformation` - (Optional) the stateful formatter will take effect, and the stateless formatter will be disregarded.. See [Http1 Config Header Transformation ](#http1-config-header-transformation) below for details. +### Http Protocol Type Http2 Options - -### Http Protocol Type Http2 Options - - Enable HTTP/2 for upstream connections.. +Enable HTTP/2 for upstream connections.. `enabled` - (Optional) Enable/disable HTTP2 Protocol for upstream connections (`Bool`). +### K8s Service Site Locator - -### K8s Service Site Locator - - Site or Virtual site where this origin server is located. - - +Site or Virtual site where this origin server is located. 
###### One of the arguments from this list "site, virtual_site" must be set `site` - (Optional) Reference to site object. See [ref](#ref) below for details. - `virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. +### Lb Source Ip Persistance Choice Disable Lb Source Ip Persistance +Disable LB source IP persistence. +### Lb Source Ip Persistance Choice Enable Lb Source Ip Persistance -### Lb Source Ip Persistance Choice Disable Lb Source Ip Persistance - - Disable LB source IP persistence. - - - -### Lb Source Ip Persistance Choice Enable Lb Source Ip Persistance - - Enable LB source IP persistence. - - - -### Max Session Keys Type Default Session Key Caching +Enable LB source IP persistence. - Default session key caching. Only one session key will be cached.. +### Max Session Keys Type Default Session Key Caching +Default session key caching. Only one session key will be cached.. +### Max Session Keys Type Disable Session Key Caching -### Max Session Keys Type Disable Session Key Caching +Disable session key caching. This will disable TLS session resumption.. - Disable session key caching. This will disable TLS session resumption.. +### Mtls Choice No Mtls +x-displayName: "Disable". +### Mtls Choice Use Mtls -### Mtls Choice No Mtls - - x-displayName: "Disable". - - - -### Mtls Choice Use Mtls - - x-displayName: "Upload a client authentication certificate specifically for this Origin Pool". +x-displayName: "Upload a client authentication certificate specifically for this Origin Pool". `tls_certificates` - (Required) mTLS Client Certificate. See [Use Mtls Tls Certificates ](#use-mtls-tls-certificates) below for details. +### Network Choice Inside Network +Inside network on the site. -### Network Choice Inside Network - - Inside network on the site. - - +### Network Choice Outside Network -### Network Choice Outside Network +Outside network on the site. - Outside network on the site. 
+### Network Choice Vk8s Networks +origin server are on vK8s network on the site. +### Ocsp Stapling Choice Custom Hash Algorithms -### Network Choice Vk8s Networks - - origin server are on vK8s network on the site. - - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. `hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Ocsp Stapling Choice Disable Ocsp Stapling +This is the default behavior if no choice is selected.. -### Ocsp Stapling Choice Disable Ocsp Stapling - - This is the default behavior if no choice is selected.. - - +### Ocsp Stapling Choice Use System Defaults -### Ocsp Stapling Choice Use System Defaults +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. +### Outlier Detection Choice Disable Outlier Detection +Outlier detection is disabled. +### Outlier Detection Choice Outlier Detection -### Outlier Detection Choice Disable Outlier Detection - - Outlier detection is disabled. - - - -### Outlier Detection Choice Outlier Detection - - healthy load balancing set. Outlier detection is a form of passive health checking.. +healthy load balancing set. Outlier detection is a form of passive health checking.. `base_ejection_time` - (Optional) Defaults to 30000ms or 30s. Specified in milliseconds. (`Int`). 
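Review bot: the OCSP description under Ocsp Stapling Choice Custom Hash Algorithms is carried over with its logic inverted: "LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set" says the opposite of what a MustStaple certificate requires, and presumably should read "until the OCSP response can be fetched". Fix the wording while the section is being touched. In the same hunk, the bodies of Mtls Choice No Mtls and Mtls Choice Use Mtls are raw schema annotations (`x-displayName: "Disable".`) rather than descriptions, and Choice Low Security and Choice Medium Security state "TLS v1.0+" with no pointer to Choice Default Security ("TLS v1.2+ with PFS ciphers and strong crypto algorithms") as the option to prefer.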
@@ -1219,33 +510,23 @@ resource "volterra_origin_pool" "example" { `max_ejection_percent` - (Optional) detection. Defaults to 10% but will eject at least one host regardless of the value. (`Int`). +### Panic Threshold Type No Panic Threshold +Disable panic threshold. Only healthy endpoints are considered for load balancing.. -### Panic Threshold Type No Panic Threshold - - Disable panic threshold. Only healthy endpoints are considered for load balancing.. - - - -### Private Ip Site Locator - - Site or Virtual site where this origin server is located. - +### Private Ip Site Locator +Site or Virtual site where this origin server is located. ###### One of the arguments from this list "site, virtual_site" must be set `site` - (Optional) Reference to site object. See [ref](#ref) below for details. - `virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. +### Private Key Blindfold Secret Info Internal - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -1253,44 +534,29 @@ resource "volterra_origin_pool" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Private Name Site Locator - -### Private Name Site Locator - - Site or Virtual site where this origin server is located. - - +Site or Virtual site where this origin server is located. ###### One of the arguments from this list "site, virtual_site" must be set `site` - (Optional) Reference to site object. See [ref](#ref) below for details. - `virtual_site` - (Optional) Reference to virtual site object. See [ref](#ref) below for details. +### Proxy Protocol Choice Disable Proxy Protocol +Disable Proxy Protocol for upstream connections. +### Proxy Protocol Choice Proxy Protocol V1 -### Proxy Protocol Choice Disable Proxy Protocol - - Disable Proxy Protocol for upstream connections. - - - -### Proxy Protocol Choice Proxy Protocol V1 +Enable Proxy Protocol Version 1 for upstream connections. - Enable Proxy Protocol Version 1 for upstream connections. +### Proxy Protocol Choice Proxy Protocol V2 +Enable Proxy Protocol Version 2 for upstream connections. - -### Proxy Protocol Choice Proxy Protocol V2 - - Enable Proxy Protocol Version 2 for upstream connections. - - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -1300,11 +566,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Secret Info Oneof Blindfold Secret Info - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -1312,21 +576,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
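Review bot: missing documentation for `url` under Secret Info Oneof Clear Secret Info: the line says only "When asked for this secret, caller will get Secret bytes after Base64 decoding", and the expected form of the value has to be inferred from the neighbouring `provider` line ("only if the url scheme is not string:///"). State the accepted URL scheme and encoding on `url` itself. The section body, "Clear Secret is used for the secrets that are not encrypted", should also say that a value supplied this way is stored unencrypted and point to Secret Info Oneof Blindfold Secret Info for key material, since this block is one of the choices offered for the mTLS private key.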
@@ -1338,226 +598,151 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Server Validation Choice Skip Server Verification +Skip origin server verification. -### Server Validation Choice Skip Server Verification - - Skip origin server verification. - +### Server Validation Choice Use Server Verification +Perform origin server verification using the provided Root CA Certificate. -### Server Validation Choice Use Server Verification - - Perform origin server verification using the provided Root CA Certificate. - - - -###### One of the arguments from this list "trusted_ca_url, trusted_ca" must be set +###### One of the arguments from this list "trusted_ca, trusted_ca_url" must be set `trusted_ca` - (Optional) Select/Add a Root CA Certificate object to associate with this Origin Pool for verification of server's certificate. See [ref](#ref) below for details. - `trusted_ca_url` - (Optional) Upload a Root CA Certificate specifically for this Origin Pool for verification of server's certificate (`String`). +### Server Validation Choice Volterra Trusted Ca +Perform origin server verification using F5XC Default Root CA Certificate. +### Service Info Service Selector -### Server Validation Choice Volterra Trusted Ca - - Perform origin server verification using F5XC Default Root CA Certificate. - - - -### Service Info Service Selector - - discovery has to happen. This implicit label is added to service_selector. +discovery has to happen. This implicit label is added to service_selector. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. 
(`String`). +### Sni Choice Disable Sni +Do not use SNI.. -### Sni Choice Disable Sni - - Do not use SNI.. - - - -### Sni Choice Use Host Header As Sni - - Use the host header as SNI. The host header value is extracted after any configured rewrites have been applied.. - +### Sni Choice Use Host Header As Sni +Use the host header as SNI. The host header value is extracted after any configured rewrites have been applied.. -### Subset Choice Disable Subsets +### Subset Choice Disable Subsets - Subset load balancing is disabled. All eligible origin servers will be considered for load balancing.. +Subset load balancing is disabled. All eligible origin servers will be considered for load balancing.. +### Subset Choice Enable Subsets - -### Subset Choice Enable Subsets - - Subset load balancing is enabled. Based on route, subset of origin servers will be considered for load balancing.. +Subset load balancing is enabled. Based on route, subset of origin servers will be considered for load balancing.. `endpoint_subsets` - (Required) List of subset class. Subsets class is defined using list of keys. Every unique combination of values of these keys form a subset withing the class.. See [Enable Subsets Endpoint Subsets ](#enable-subsets-endpoint-subsets) below for details. - - ###### One of the arguments from this list "any_endpoint, default_subset, fail_request" must be set `any_endpoint` - (Optional) Select any origin server from available healthy origin servers in this pool (`Bool`). - `default_subset` - (Optional) Use the default subset provided here. Select endpoints matching default subset.. See [Fallback Policy Choice Default Subset ](#fallback-policy-choice-default-subset) below for details. - `fail_request` - (Optional) Request will be failed and error returned, as if cluster has no origin servers. (`Bool`). +### Tls Certificates Private Key - - -### Tls Certificates Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. 
The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. `blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) `secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - -###### One of the arguments from this list "wingman_secret_info, blindfold_secret_info, vault_secret_info, clear_secret_info" must be set +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set `blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - `clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - `vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Tls Choice Use Tls - - -### Tls Choice Use Tls - - x-displayName: "Enable". - - +x-displayName: "Enable". 
###### One of the arguments from this list "default_session_key_caching, disable_session_key_caching, max_session_keys" must be set `default_session_key_caching` - (Optional) Default session key caching. Only one session key will be cached. (`Bool`). - `disable_session_key_caching` - (Optional) Disable session key caching. This will disable TLS session resumption. (`Bool`). - `max_session_keys` - (Optional) Number of session keys that are cached. (`Int`). - - - ###### One of the arguments from this list "no_mtls, use_mtls, use_mtls_obj" must be set `no_mtls` - (Optional) x-displayName: "Disable" (`Bool`). - `use_mtls` - (Optional) x-displayName: "Upload a client authentication certificate specifically for this Origin Pool". See [Mtls Choice Use Mtls ](#mtls-choice-use-mtls) below for details. - `use_mtls_obj` - (Optional) x-displayName: "Select/add a TLS Certificate object for client authentication". See [ref](#ref) below for details. - - - -###### One of the arguments from this list "skip_server_verification, volterra_trusted_ca, use_server_verification" must be set +###### One of the arguments from this list "skip_server_verification, use_server_verification, volterra_trusted_ca" must be set `skip_server_verification` - (Optional) Skip origin server verification (`Bool`). - `use_server_verification` - (Optional) Perform origin server verification using the provided Root CA Certificate. See [Server Validation Choice Use Server Verification ](#server-validation-choice-use-server-verification) below for details. - `volterra_trusted_ca` - (Optional) Perform origin server verification using F5XC Default Root CA Certificate (`Bool`). - - - -###### One of the arguments from this list "sni, use_host_header_as_sni, disable_sni" must be set +###### One of the arguments from this list "disable_sni, sni, use_host_header_as_sni" must be set `disable_sni` - (Optional) Do not use SNI. (`Bool`). - `sni` - (Optional) SNI value to be used. (`String`). 
- `use_host_header_as_sni` - (Optional) Use the host header as SNI. The host header value is extracted after any configured rewrites have been applied. (`Bool`). - `tls_config` - (Required) TLS parameters such as min/max TLS version and ciphers. See [Use Tls Tls Config ](#use-tls-tls-config) below for details. +### Use Mtls Tls Certificates - -### Use Mtls Tls Certificates - - mTLS Client Certificate. +mTLS Client Certificate. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "disable_ocsp_stapling, custom_hash_algorithms, use_system_defaults" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. - `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. 
See [Tls Certificates Private Key ](#tls-certificates-private-key) below for details. +### Use Tls Tls Config +TLS parameters such as min/max TLS version and ciphers. -### Use Tls Tls Config - - TLS parameters such as min/max TLS version and ciphers. - - - -###### One of the arguments from this list "medium_security, low_security, custom_security, default_security" must be set +###### One of the arguments from this list "custom_security, default_security, low_security, medium_security" must be set `custom_security` - (Optional) Custom selection of TLS versions and cipher suites. See [Choice Custom Security ](#choice-custom-security) below for details. - `default_security` - (Optional) TLS v1.2+ with PFS ciphers and strong crypto algorithms. (`Bool`). - `low_security` - (Optional) TLS v1.0+ including non-PFS ciphers and weak crypto algorithms. (`Bool`). - `medium_security` - (Optional) TLS v1.0+ with PFS ciphers and medium strength crypto algorithms. (`Bool`). +Attribute Reference +------------------- - - -## Attribute Reference - -* `id` - This is the id of the configured origin_pool. - +- `id` - This is the id of the configured origin_pool. diff --git a/docs/resources/volterra_policer.md b/docs/resources/volterra_policer.md index cb7539984..db4a7d0d8 100644 --- a/docs/resources/volterra_policer.md +++ b/docs/resources/volterra_policer.md 
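Review bot: missing documentation in the last hunk of docs/resources/volterra_origin_pool.md, in the Tls Choice Use Tls section: `skip_server_verification` is listed next to `use_server_verification` and `volterra_trusted_ca` with nothing more than "Skip origin server verification", so a reader cannot tell from the reference that choosing it means the origin's certificate is not checked at all. Add a sentence saying so and name the two verifying options as the ones to use outside of testing. The same applies to `low_security` and `medium_security` under Use Tls Tls Config, which the text itself describes as "TLS v1.0+" with "weak" or "medium strength" algorithms. Separately, the inverted OCSP sentence ("will not become active until ocspResponse cannot be fetched") is repeated under Use Mtls Tls Certificates, and the "(Deprecated)" markers are glued to the preceding sentence ("below for details.(Deprecated)").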
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: policer" -description: "The policer allows CRUD of Policer resource on Volterra SaaS" +description: "The policer allows CRUD of Policer resource on Volterra SaaS" + --- -# Resource volterra_policer -The Policer allows CRUD of Policer resource on Volterra SaaS +Resource volterra_policer +========================= + +The Policer allows CRUD of Policer resource on Volterra SaaS -~> **Note:** Please refer to [Policer API docs](https://docs.cloud.f5.com/docs-v2/api/policer) to learn more +~> **Note:** Please refer to [Policer API docs](https://docs.cloud.f5.com/docs-v2/api/policer) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_policer" "example" { 
@@ -32,45 +25,34 @@ resource "volterra_policer" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `burst_size` - (Required) e.g. 10000 pps burst (`Int`). - - `committed_information_rate` - (Required) e.g. 10000 pps (`Int`). - `policer_mode` - (Optional) be created with mode as "Shared" (`String`). - `policer_type` - (Optional) policer (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured policer. - +- `id` - This is the id of the configured policer. diff --git a/docs/resources/volterra_protocol_inspection.md b/docs/resources/volterra_protocol_inspection.md index d03d1bc68..d054dfb3d 100644 --- a/docs/resources/volterra_protocol_inspection.md +++ b/docs/resources/volterra_protocol_inspection.md 
@@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: protocol_inspection" -description: "The protocol_inspection allows CRUD of Protocol Inspection resource on Volterra SaaS" +description: "The protocol_inspection allows CRUD of Protocol Inspection resource on Volterra SaaS" + --- -# Resource volterra_protocol_inspection -The Protocol Inspection allows CRUD of Protocol Inspection resource on Volterra SaaS +Resource volterra_protocol_inspection +===================================== -~> **Note:** Please refer to [Protocol Inspection API docs](https://docs.cloud.f5.com/docs-v2/api/protocol-inspection) to learn more +The Protocol Inspection allows CRUD of Protocol Inspection resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Protocol Inspection API docs](https://docs.cloud.f5.com/docs-v2/api/protocol-inspection) to learn more + +Example Usage +------------- ```hcl resource "volterra_protocol_inspection" "example" { @@ -28,7 +21,7 @@ resource "volterra_protocol_inspection" "example" { namespace = "staging" enable_disable_compliance_checks { - // One of the arguments from this list "enable_compliance_checks disable_compliance_checks" must be set + // One of the arguments from this list "disable_compliance_checks enable_compliance_checks" must be set enable_compliance_checks { name = "test1" 
@@ -38,109 +31,64 @@ resource "volterra_protocol_inspection" "example" { } enable_disable_signatures { - // One of the arguments from this list "enable_signature disable_signature" must be set + // One of the arguments from this list "disable_signature enable_signature" must be set - enable_signature = true + disable_signature = true } } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -`action` - (Optional) Action to take based on inspection (`String`). - +`action` - (Optional) Action to take based on inspection (`String`). `enable_disable_compliance_checks` - (Required) Enable or Disable Compliance Checks. See [Enable Disable Compliance Checks ](#enable-disable-compliance-checks) below for details. - - - - - - - - - - `enable_disable_signatures` - (Required) Confirmation of applying IPS. See [Enable Disable Signatures ](#enable-disable-signatures) below for details. +### Enable Disable Compliance Checks +Enable or Disable Compliance Checks. - - - - - - - - - - - - -### Enable Disable Compliance Checks - - Enable or Disable Compliance Checks. 
- - - -###### One of the arguments from this list "enable_compliance_checks, disable_compliance_checks" must be set +###### One of the arguments from this list "disable_compliance_checks, enable_compliance_checks" must be set `disable_compliance_checks` - (Optional) x-displayName: "Disable" (`Bool`). - `enable_compliance_checks` - (Optional) Enabling compliance checks and selecting a type by default (right now this enables dns_compliance_checks). See [ref](#ref) below for details. +### Enable Disable Signatures +Confirmation of applying IPS. - -### Enable Disable Signatures - - Confirmation of applying IPS. - - - -###### One of the arguments from this list "enable_signature, disable_signature" must be set +###### One of the arguments from this list "disable_signature, enable_signature" must be set `disable_signature` - (Optional) x-displayName: "Disable" (`Bool`). - `enable_signature` - (Optional) x-displayName: "Enable" (`Bool`). +### Compliance Check Choice Disable Compliance Checks +x-displayName: "Disable". - -### Compliance Check Choice Disable Compliance Checks - - x-displayName: "Disable". - - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -150,21 +98,15 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Signature Choice Disable Signature +x-displayName: "Disable". -### Signature Choice Disable Signature - - x-displayName: "Disable". - - - -### Signature Choice Enable Signature - - x-displayName: "Enable". - - +### Signature Choice Enable Signature -## Attribute Reference +x-displayName: "Enable". -* `id` - This is the id of the configured protocol_inspection. +Attribute Reference +------------------- +- `id` - This is the id of the configured protocol_inspection. 
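Review bot: In the Example Usage hunk of volterra_protocol_inspection.md, the `enable_disable_signatures` block changes from `enable_signature = true` to `disable_signature = true`, which alters what the example does rather than just reordering the one-of comment above it. Anyone copying the example now gets a protocol_inspection object with signatures disabled, while the argument reference describes this block as "Confirmation of applying IPS". If this patch is meant to be formatting and list ordering only, keep `enable_signature = true`; if the swap comes from the doc generator picking a different member after the reorder, pin the example value so it stays stable.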
diff --git a/docs/resources/volterra_protocol_policer.md b/docs/resources/volterra_protocol_policer.md index 39419ecac..7dc4885c0 100644 --- a/docs/resources/volterra_protocol_policer.md +++ b/docs/resources/volterra_protocol_policer.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: protocol_policer" -description: "The protocol_policer allows CRUD of Protocol Policer resource on Volterra SaaS" +description: "The protocol_policer allows CRUD of Protocol Policer resource on Volterra SaaS" + --- -# Resource volterra_protocol_policer -The Protocol Policer allows CRUD of Protocol Policer resource on Volterra SaaS +Resource volterra_protocol_policer +================================== -~> **Note:** Please refer to [Protocol Policer API docs](https://docs.cloud.f5.com/docs-v2/api/protocol-policer) to learn more +The Protocol Policer allows CRUD of Protocol Policer resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Protocol Policer API docs](https://docs.cloud.f5.com/docs-v2/api/protocol-policer) to learn more + +Example Usage +------------- ```hcl resource "volterra_protocol_policer" "example" { 
@@ -30,97 +23,50 @@ resource "volterra_protocol_policer" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `protocol_policer` - (Optional) List of L4 protocol match condition and associated traffic rate limits. See [Protocol Policer ](#protocol-policer) below for details. +### Protocol Policer - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Protocol Policer - - List of L4 protocol match condition and associated traffic rate limits. +List of L4 protocol match condition and associated traffic rate limits. `policer` - (Required) Reference to policer object to apply traffic rate limits. See [ref](#ref) below for details. `protocol` - (Required) Protocol specifys L4 match criteria in a packet. See [Protocol Policer Protocol ](#protocol-policer-protocol) below for details. +### Protocol Policer Protocol +Protocol specifys L4 match criteria in a packet. -### Protocol Policer Protocol - - Protocol specifys L4 match criteria in a packet. - - - - -###### One of the arguments from this list "tcp, icmp, udp, dns" can be set +###### One of the arguments from this list "dns, icmp, tcp, udp" can be set `dns` - (Optional) Match all DNS packets. See [Type Dns ](#type-dns) below for details. 
- `icmp` - (Optional) ICMP message types to be matched in packet. See [Type Icmp ](#type-icmp) below for details. - `tcp` - (Optional) TCP flags to be matched in packet. See [Type Tcp ](#type-tcp) below for details. - `udp` - (Optional) Match all UDP packets. See [Type Udp ](#type-udp) below for details. - - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -130,37 +76,27 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Type Dns +Match all DNS packets. -### Type Dns - - Match all DNS packets. - - +### Type Icmp -### Type Icmp - - ICMP message types to be matched in packet. +ICMP message types to be matched in packet. `type` - (Optional) ICMP message type to be matched in packet (`List of Strings`). +### Type Tcp - -### Type Tcp - - TCP flags to be matched in packet. +TCP flags to be matched in packet. `flags` - (Optional) TCP flag to be matched in a TCP packet (`List of Strings`). +### Type Udp +Match all UDP packets. -### Type Udp - - Match all UDP packets. - - - -## Attribute Reference - -* `id` - This is the id of the configured protocol_policer. +Attribute Reference +------------------- +- `id` - This is the id of the configured protocol_policer. diff --git a/docs/resources/volterra_public_ip.md b/docs/resources/volterra_public_ip.md index 23c675b26..496ca4c04 100644 --- a/docs/resources/volterra_public_ip.md +++ b/docs/resources/volterra_public_ip.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: volterra_public_ip" - description: "The volterra_public_ip helps update public IP fields on Volterra SaaS" ------------------------------------------------------------------------------------- + +--- Resource volterra_public_ip =========================== diff --git a/docs/resources/volterra_rate_limiter.md b/docs/resources/volterra_rate_limiter.md index ca837e920..199409258 100644 
--- a/docs/resources/volterra_rate_limiter.md +++ b/docs/resources/volterra_rate_limiter.md @@ -1,26 +1,19 @@ +--- +page_title: "Volterra: rate_limiter" +description: "The rate_limiter allows CRUD of Rate Limiter resource on Volterra SaaS" +---- +Resource volterra_rate_limiter +============================== +The Rate Limiter allows CRUD of Rate Limiter resource on Volterra SaaS +~> **Note:** Please refer to [Rate Limiter API docs](https://docs.cloud.f5.com/docs-v2/api/rate-limiter) to learn more - - - - - - ---- -page_title: "Volterra: rate_limiter" -description: "The rate_limiter allows CRUD of Rate Limiter resource on Volterra SaaS" ---- -# Resource volterra_rate_limiter - -The Rate Limiter allows CRUD of Rate Limiter resource on Volterra SaaS - -~> **Note:** Please refer to [Rate Limiter API docs](https://docs.cloud.f5.com/docs-v2/api/rate-limiter) to learn more - -## Example Usage +Example Usage +------------- ```hcl resource "volterra_rate_limiter" "example" { 
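Review bot: The closing front matter delimiter added in volterra_rate_limiter.md reads `----` (four dashes) after the `description:` line as shown here, while the opening delimiter in this hunk and the closing delimiter in the other files of this patch are `---`. A four-dash line will not be recognised as the end of the YAML front matter, so `page_title` and `description` risk being rendered as body text or breaking the page metadata. Change the added line to `---` and check how the generator produced it, since the other resource pages in this patch did not get the extra dash.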
@@ -38,43 +31,32 @@ resource "volterra_rate_limiter" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `limits` - (Required) A list of RateLimitValues that specifies the total number of allowed requests for each specified period.. See [Limits ](#limits) below for details. - - - - - `user_identification` - (Optional) The rules in the user_identification object are evaluated to determine the user identifier to be rate limited.. See [ref](#ref) below for details. +### Limits -### Limits - - A list of RateLimitValues that specifies the total number of allowed requests for each specified period.. +A list of RateLimitValues that specifies the total number of allowed requests for each specified period.. `burst_multiplier` - (Optional) The maximum burst of requests to accommodate, expressed as a multiple of the rate. (`Int`). @@ -82,10 +64,7 @@ resource "volterra_rate_limiter" "example" { `unit` - (Required) Unit for the period per which the rate limit is applied. (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -95,9 +74,7 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured rate_limiter. - +- `id` - This is the id of the configured rate_limiter. diff --git a/docs/resources/volterra_rate_limiter_policy.md b/docs/resources/volterra_rate_limiter_policy.md index 58bf8ce30..0bb9c3010 100644 --- a/docs/resources/volterra_rate_limiter_policy.md +++ b/docs/resources/volterra_rate_limiter_policy.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: rate_limiter_policy" -description: "The rate_limiter_policy allows CRUD of Rate Limiter Policy resource on Volterra SaaS" +description: "The rate_limiter_policy allows CRUD of Rate Limiter Policy resource on Volterra SaaS" + --- -# Resource volterra_rate_limiter_policy -The Rate Limiter Policy allows CRUD of Rate Limiter Policy resource on Volterra SaaS +Resource volterra_rate_limiter_policy +===================================== -~> **Note:** Please refer to [Rate Limiter Policy API docs](https://docs.cloud.f5.com/docs-v2/api/views-rate-limiter-policy) to learn more +The Rate Limiter Policy allows CRUD of Rate Limiter Policy resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Rate Limiter Policy API docs](https://docs.cloud.f5.com/docs-v2/api/views-rate-limiter-policy) to learn more + +Example Usage +------------- ```hcl resource "volterra_rate_limiter_policy" "example" { 
@@ -30,244 +23,86 @@ resource "volterra_rate_limiter_policy" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `rules` - (Optional) A list of RateLimiterRules that are evaluated sequentially till a matching rule is identified.. See [Rules ](#rules) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +###### One of the arguments from this list "any_server, server_name, server_name_matcher, server_selector" can be set `any_server` - (Optional) Any Server (`Bool`).(Deprecated) - `server_name` - (Optional) The expected name of the server. The actual names for the server are extracted from the HTTP Host header and the name of the virtual_host for the request. (`String`).(Deprecated) - `server_name_matcher` - (Optional) regular expressions.. See [Server Choice Server Name Matcher ](#server-choice-server-name-matcher) below for details.(Deprecated) - - - - - `server_selector` - (Optional) true if the expressions in the label selector are true for the server labels.. 
See [Server Choice Server Selector ](#server-choice-server-selector) below for details.(Deprecated) - +### Rules - - - - -### Rules - - A list of RateLimiterRules that are evaluated sequentially till a matching rule is identified.. +A list of RateLimiterRules that are evaluated sequentially till a matching rule is identified.. `metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. `spec` - (Required) Specification for the rule including match preicates and actions.. See [Rules Spec ](#rules-spec) below for details. +### Action Choice Apply Rate Limiter +Apply the rate limiter configured on the HTTP loadbalancer.. -### Action Choice Apply Rate Limiter - - Apply the rate limiter configured on the HTTP loadbalancer.. - +### Action Choice Bypass Rate Limiter +Bypass the rate limiter configured on the HTTP loadbalancer.. -### Action Choice Bypass Rate Limiter - - Bypass the rate limiter configured on the HTTP loadbalancer.. - - - -### Asn Choice Any Asn +### Asn Choice Any Asn any_asn. - - -### Asn Choice Asn List +### Asn Choice Asn List asn_list. `as_numbers` - (Required) An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. (`Int`). - - -### Asn Choice Asn Matcher +### Asn Choice Asn Matcher asn_matcher. `asn_sets` - (Required) A list of references to bgp_asn_set objects.. See [ref](#ref) below for details. +### Country Choice Any Country +x-displayName: "Any Country". -### Country Choice Any Country - - x-displayName: "Any Country". - +### Country Choice Country List - -### Country Choice Country List - - x-displayName: "Country List". +x-displayName: "Country List". `country_codes` - (Required) List of Country Codes (`List of Strings`). `invert_match` - (Optional) Invert the match result. (`Bool`). 
- - -### Ip Choice Any Ip +### Ip Choice Any Ip any_ip. - - -### Ip Choice Ip Matcher +### Ip Choice Ip Matcher ip_matcher. @@ -275,9 +110,7 @@ ip_matcher. `prefix_sets` - (Required) A list of references to ip_prefix_set objects.. See [ref](#ref) below for details. - - -### Ip Choice Ip Prefix List +### Ip Choice Ip Prefix List ip_prefix_list. @@ -285,23 +118,19 @@ ip_prefix_list. `ip_prefixes` - (Optional) List of IPv4 prefix strings. (`String`). +`ipv6_prefixes` - (Optional) List of IPv6 prefix strings. (`String`). +### Match Check Not Present -### Match Check Not Present - - Check that the header is not present.. +Check that the header is not present.. +### Match Check Present +Check that the header is present.. -### Match Check Present +### Match Item - Check that the header is present.. - - - -### Match Item - - Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. +Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. `exact_values` - (Optional) A list of exact values to match the input against. (`String`). @@ -309,10 +138,7 @@ ip_prefix_list. `transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). - - -### Ref - +### Ref Reference to another volterra object is shown like below @@ -322,11 +148,9 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Rules Metadata - -### Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
@@ -334,92 +158,63 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Rules Spec +Specification for the rule including match preicates and actions.. -### Rules Spec - - Specification for the rule including match preicates and actions.. - - - -###### One of the arguments from this list "bypass_rate_limiter, apply_rate_limiter, custom_rate_limiter" must be set +###### One of the arguments from this list "apply_rate_limiter, bypass_rate_limiter, custom_rate_limiter" must be set `apply_rate_limiter` - (Optional) Apply the rate limiter configured on the HTTP loadbalancer. (`Bool`). - `bypass_rate_limiter` - (Optional) Bypass the rate limiter configured on the HTTP loadbalancer. (`Bool`). - `custom_rate_limiter` - (Optional) Apply a custom rate limiter.. See [ref](#ref) below for details. - - - - ###### One of the arguments from this list "any_asn, asn_list, asn_matcher" can be set `any_asn` - (Optional)any_asn (`Bool`). - `asn_list` - (Optional)asn_list. See [Asn Choice Asn List ](#asn-choice-asn-list) below for details. - `asn_matcher` - (Optional)asn_matcher. See [Asn Choice Asn Matcher ](#asn-choice-asn-matcher) below for details. - - - -###### One of the arguments from this list "country_list, any_country" must be set +###### One of the arguments from this list "any_country, country_list" must be set `any_country` - (Optional) x-displayName: "Any Country" (`Bool`). - `country_list` - (Optional) x-displayName: "Country List". See [Country Choice Country List ](#country-choice-country-list) below for details. - `domain_matcher` - (Optional)domain_matcher. See [Spec Domain Matcher ](#spec-domain-matcher) below for details. `headers` - (Optional)headers. See [Spec Headers ](#spec-headers) below for details. `http_method` - (Optional)http_method. See [Spec Http Method ](#spec-http-method) below for details. 
- - - -###### One of the arguments from this list "any_ip, ip_prefix_list, ip_matcher" can be set +###### One of the arguments from this list "any_ip, ip_matcher, ip_prefix_list" can be set `any_ip` - (Optional)any_ip (`Bool`). - `ip_matcher` - (Optional)ip_matcher. See [Ip Choice Ip Matcher ](#ip-choice-ip-matcher) below for details. - `ip_prefix_list` - (Optional)ip_prefix_list. See [Ip Choice Ip Prefix List ](#ip-choice-ip-prefix-list) below for details. - `path` - (Optional)path. See [Spec Path ](#spec-path) below for details. +### Server Choice Server Name Matcher - -### Server Choice Server Name Matcher - - regular expressions.. +regular expressions.. `exact_values` - (Optional) A list of exact values to match the input against. (`String`). `regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). +### Server Choice Server Selector - -### Server Choice Server Selector - - true if the expressions in the label selector are true for the server labels.. +true if the expressions in the label selector are true for the server labels.. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). - - -### Spec Domain Matcher +### Spec Domain Matcher domain_matcher. 
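Review bot: The rewritten description line under `### Rules Spec` still reads "match preicates and actions..", and the `spec` entry under `### Rules` carries the same wording. Since the line is being re-emitted anyway, correct the spelling to "predicates" and drop the doubled full stop, preferably in the source description the docs are generated from so the typo does not return on the next regeneration.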
@@ -427,35 +222,25 @@ domain_matcher. `regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). - - -### Spec Headers +### Spec Headers headers. `invert_matcher` - (Optional) Invert the match result. (`Bool`). - - -###### One of the arguments from this list "check_not_present, item, presence, check_present" must be set +###### One of the arguments from this list "check_not_present, check_present, item, presence" must be set `check_not_present` - (Optional) Check that the header is not present. (`Bool`). - `check_present` - (Optional) Check that the header is present. (`Bool`). - `item` - (Optional) Criteria for matching the values for the header. The match is successful if any of the values in the input satisfies the criteria in the matcher.. See [Match Item ](#match-item) below for details. - `presence` - (Optional) Check if the header is present or absent. (`Bool`).(Deprecated) - `name` - (Required) A case-insensitive HTTP header name. (`String`). - - -### Spec Http Method +### Spec Http Method http_method. @@ -463,9 +248,7 @@ http_method. `methods` - (Optional) x-example: "['GET', 'POST', 'DELETE']" (`List of Strings`). - - -### Spec Path +### Spec Path path. @@ -481,9 +264,7 @@ path. `transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured rate_limiter_policy. - +- `id` - This is the id of the configured rate_limiter_policy. diff --git a/docs/resources/volterra_registration_approval.md b/docs/resources/volterra_registration_approval.md index c220e14f3..15d254180 100644 --- a/docs/resources/volterra_registration_approval.md +++ b/docs/resources/volterra_registration_approval.md 
@@ -1,9 +1,9 @@ --- page_title: "Volterra: volterra_registration_approval" - description: "The volterra_registration_approval helps approve registration request" ------------------------------------------------------------------------------------- + +--- Resource volterra_registration_approval ======================================= diff --git a/docs/resources/volterra_role.md b/docs/resources/volterra_role.md index f44771b56..2694ba287 100644 --- a/docs/resources/volterra_role.md +++ b/docs/resources/volterra_role.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: role" -description: "The role allows CRUD of Role resource on Volterra SaaS" +description: "The role allows CRUD of Role resource on Volterra SaaS" + --- -# Resource volterra_role -The Role allows CRUD of Role resource on Volterra SaaS +Resource volterra_role +====================== + +The Role allows CRUD of Role resource on Volterra SaaS -~> **Note:** Please refer to [Role API docs](https://docs.cloud.f5.com/docs-v2/api/role) to learn more +~> **Note:** Please refer to [Role API docs](https://docs.cloud.f5.com/docs-v2/api/role) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_role" "example" { 
@@ -30,31 +23,26 @@ resource "volterra_role" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -## Attribute Reference - -* `id` - This is the id of the configured role. +Attribute Reference +------------------- +- `id` - This is the id of the configured role. diff --git a/docs/resources/volterra_route.md b/docs/resources/volterra_route.md index 87a57a0f9..5d68ca063 100644 --- a/docs/resources/volterra_route.md +++ b/docs/resources/volterra_route.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: route" -description: "The route allows CRUD of Route resource on Volterra SaaS" +description: "The route allows CRUD of Route resource on Volterra SaaS" + --- -# Resource volterra_route -The Route allows CRUD of Route resource on Volterra SaaS +Resource volterra_route +======================= -~> **Note:** Please refer to [Route API docs](https://docs.cloud.f5.com/docs-v2/api/route) to learn more +The Route allows CRUD of Route resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Route API docs](https://docs.cloud.f5.com/docs-v2/api/route) to learn more + +Example Usage +------------- ```hcl resource "volterra_route" "example" { 
@@ -50,7 +43,7 @@ resource "volterra_route" "example" { name = "Content-Type" - // One of the arguments from this list "exact regex presence" can be set + // One of the arguments from this list "exact presence regex" can be set exact = "application/json" } @@ -58,15 +51,15 @@ resource "volterra_route" "example" { http_method = "http_method" incoming_port { - // One of the arguments from this list "port port_ranges no_port_match" can be set + // One of the arguments from this list "no_port_match port port_ranges" can be set port = "6443" } path { - // One of the arguments from this list "prefix path regex" must be set + // One of the arguments from this list "path prefix regex" must be set - prefix = "/register/" + regex = "regex" } query_params { @@ -83,7 +76,7 @@ resource "volterra_route" "example" { name = "value" - // One of the arguments from this list "value secret_value" must be set + // One of the arguments from this list "secret_value value" must be set value = "value" } @@ -95,14 +88,14 @@ resource "volterra_route" "example" { name = "value" - // One of the arguments from this list "value secret_value" must be set + // One of the arguments from this list "secret_value value" must be set value = "value" } response_headers_to_remove = ["host"] - // One of the arguments from this list "route_direct_response route_destination route_redirect" must be set + // One of the arguments from this list "route_destination route_direct_response route_redirect" must be set route_destination { buffer_policy { @@ -113,7 +106,7 @@ resource "volterra_route" "example" { max_request_time = "30" } - // One of the arguments from this list "retract_cluster do_not_retract_cluster" can be set + // One of the arguments from this list "do_not_retract_cluster retract_cluster" can be set retract_cluster = true cors_policy { 
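Review bot: In the `path` block of the example (the `@@ -58,15 +51,15 @@` hunk), `prefix = "/register/"` is replaced with `regex = "regex"`, so a realistic value is swapped for a placeholder that shows nothing about the expected pattern syntax. The reordering of the one-of comment to "path prefix regex" does not require changing which member the example sets. Keep `prefix = "/register/"`, or if the example is meant to show `regex`, give it a pattern a reader could actually adapt.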
@@ -136,7 +129,7 @@ resource "volterra_route" "example" { maximum_age = "-1" } csrf_policy { - // One of the arguments from this list "custom_domain_list disabled all_load_balancer_domains" must be set + // One of the arguments from this list "all_load_balancer_domains custom_domain_list disabled" must be set all_load_balancer_domains = true } @@ -159,16 +152,16 @@ resource "volterra_route" "example" { "key1" = "value1" } hash_policy { - // One of the arguments from this list "header_name cookie source_ip" must be set + // One of the arguments from this list "cookie header_name source_ip" must be set - header_name = "host" + source_ip = true terminal = true } - // One of the arguments from this list "host_rewrite auto_host_rewrite" must be set + // One of the arguments from this list "auto_host_rewrite host_rewrite" must be set - host_rewrite = "one.volterra.com" + auto_host_rewrite = true mirror_policy { cluster { name = "test1" @@ -209,15 +202,11 @@ resource "volterra_route" "example" { } timeout = "2000" web_socket_config { - idle_timeout = "2000" - - max_connect_attempts = "5" - use_websocket = true } } service_policy { - // One of the arguments from this list "disable context_extensions" can be set + // One of the arguments from this list "context_extensions disable" can be set disable = true } 
@@ -238,1265 +227,636 @@ resource "volterra_route" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `routes` - (Required) List of routes to match for incoming request. See [Routes ](#routes) below for details. +### Routes +List of routes to match for incoming request. +###### One of the arguments from this list "bot_defense_javascript_injection, inherited_bot_defense_javascript_injection" can be set - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +`bot_defense_javascript_injection` - (Optional) Configuration for Bot Defense Javascript Injection. See [Bot Defense Javascript Injection Choice Bot Defense Javascript Injection ](#bot-defense-javascript-injection-choice-bot-defense-javascript-injection) below for details. +`inherited_bot_defense_javascript_injection` - (Optional) Hence no custom configuration is applied on the route (`Bool`). +`bot_defense_javascript_injection_inline_mode` - (Optional) Specifies whether bot defense js injection inline mode will be enabled. 
See [Routes Bot Defense Javascript Injection Inline Mode ](#routes-bot-defense-javascript-injection-inline-mode) below for details.(Deprecated) +`disable_custom_script` - (Optional) disable execution of Javascript at route level, if it is configured at virtual-host level (`Bool`).(Deprecated) +`disable_location_add` - (Optional) virtual-host level. This configuration is ignored on CE sites. (`Bool`). +`match` - (Optional) route match condition. See [Routes Match ](#routes-match) below for details. - +`request_headers_to_add` - (Optional) enclosing VirtualHost object level. See [Routes Request Headers To Add ](#routes-request-headers-to-add) below for details. +`request_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP request being sent towards upstream. (`String`). +`response_headers_to_add` - (Optional) enclosing VirtualHost object level. See [Routes Response Headers To Add ](#routes-response-headers-to-add) below for details. +`response_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP response being sent towards downstream. (`String`). +###### One of the arguments from this list "route_destination, route_direct_response, route_redirect" must be set +`route_destination` - (Optional) Send request to one of the destination from list of destinations. See [Route Action Route Destination ](#route-action-route-destination) below for details. - +`route_direct_response` - (Optional) Send direct response. See [Route Action Route Direct Response ](#route-action-route-direct-response) below for details. +`route_redirect` - (Optional) Send redirect response. See [Route Action Route Redirect ](#route-action-route-redirect) below for details. - +`service_policy` - (Optional) service policy configuration at route level which overrides configuration at virtual-host level. See [Routes Service Policy ](#routes-service-policy) below for details. +`skip_lb_override` - (Optional) these routes. 
(`Bool`).(Deprecated) +`waf_type` - (Optional) waf_type specified at route level overrides waf configuration at VirtualHost level. See [Routes Waf Type ](#routes-waf-type) below for details. +### Allowed Domains All Load Balancer Domains +Add All load balancer domains to source origin (allow) list.. +### Allowed Domains Custom Domain List +Add one or more domains to source origin (allow) list.. +`domains` - (Required) Wildcard names are supported in the suffix or prefix form. (`String`). - +### Allowed Domains Disabled +Allow all source origin domains.. +### Bot Defense Javascript Injection Javascript Tags +Select Add item to configure your javascript tag. If adding both Bot Adv and Fraud, the Bot Javascript should be added first.. +`javascript_url` - (Required) Please enter the full URL (include domain and path), or relative path. (`String`). +`tag_attributes` - (Optional) Add the tag attributes you want to include in your Javascript tag.. See [Javascript Tags Tag Attributes ](#javascript-tags-tag-attributes) below for details. +### Bot Defense Javascript Injection Choice Bot Defense Javascript Injection - +Configuration for Bot Defense Javascript Injection. +`javascript_location` - (Optional) Select the location where you would like to insert the Javascript tag(s). (`String`). +`javascript_tags` - (Required) Select Add item to configure your javascript tag. If adding both Bot Adv and Fraud, the Bot Javascript should be added first.. See [Bot Defense Javascript Injection Javascript Tags ](#bot-defense-javascript-injection-javascript-tags) below for details. +### Bot Defense Javascript Injection Choice Inherited Bot Defense Javascript Injection +Hence no custom configuration is applied on the route. +### Cluster Retract Choice Do Not Retract Cluster - +configuration.. +### Cluster Retract Choice Retract Cluster +for route. +### Httponly Add Httponly +Add httponly attribute. +### Httponly Ignore Httponly +Ignore httponly attribute. 
+### Javascript Tags Tag Attributes +Add the tag attributes you want to include in your Javascript tag.. - +`javascript_tag` - (Optional) Select from one of the predefined tag attibutes. (`String`). +`tag_value` - (Optional) Add the tag attribute value. (`String`). +### Match Headers +List of (key, value) headers. +`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). +`name` - (Required) Name of the header (`String`). +###### One of the arguments from this list "exact, presence, regex" can be set +`exact` - (Optional) Header value to match exactly (`String`). +`presence` - (Optional) If true, check for presence of header (`Bool`). - +`regex` - (Optional) Regex match of the header value in re2 format (`String`). +### Match Incoming Port +The port on which the request is received. +###### One of the arguments from this list "no_port_match, port, port_ranges" can be set +`no_port_match` - (Optional) Disable matching of ports (`Bool`). +`port` - (Optional) Exact Port to match (`Int`). +`port_ranges` - (Optional) Port range to match (`String`). +### Match Path +URI path of route. +###### One of the arguments from this list "path, prefix, regex" must be set +`path` - (Optional) Exact path value to match (`String`). +`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). +`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - +### Match Query Params +List of (key, value) query parameters. - +`key` - (Required) In the above example, assignee_username is the key (`String`). +###### One of the arguments from this list "exact, regex" can be set +`exact` - (Optional) Exact match value for the query parameter key (`String`). +`regex` - (Optional) Regex match value for the query parameter key (`String`). +### Mirror Policy Percent +Percentage of requests to be mirrored. 
+`denominator` - (Required) Samples per denominator. numerator part per 100 or 10000 ro 1000000 (`String`). - +`numerator` - (Required) sampled parts per denominator. If denominator was 10000, then value of 5 will be 5 in 10000 (`Int`). +### Policy Specifier Cookie +Hash based on cookie. +###### One of the arguments from this list "add_httponly, ignore_httponly" can be set - +`add_httponly` - (Optional) Add httponly attribute (`Bool`). +`ignore_httponly` - (Optional) Ignore httponly attribute (`Bool`). +`name` - (Required) produced (`String`). +`path` - (Optional) will be set for the cookie (`String`). - +###### One of the arguments from this list "ignore_samesite, samesite_lax, samesite_none, samesite_strict" can be set +`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). +`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). +`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). +`samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). +###### One of the arguments from this list "add_secure, ignore_secure" can be set +`add_secure` - (Optional) Add secure attribute (`Bool`). +`ignore_secure` - (Optional) Ignore secure attribute (`Bool`). +`ttl` - (Optional) be a session cookie. TTL value is in milliseconds (`Int`). +### Port Match No Port Match +Disable matching of ports. - +### Query Params Remove All Params +x-displayName: "Remove All Parameters". +### Query Params Retain All Params +x-displayName: "Retain All Parameters". - +### Query Params Strip Query Params +Specifies the list of query params to be removed. Not supported. +`query_params` - (Optional) Query params keys to strip while manipulating the HTTP request (`String`). 
+### Ref - +Reference to another volterra object is shown like below +name - (Required) then name will hold the referred object's(e.g. route's) name. (String). +namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). +tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Ref Type App Firewall - +A direct reference to an Application Firewall configuration object. +`app_firewall` - (Required) References to an Application Firewall configuration object. See [ref](#ref) below for details. +### Ref Type Disable Waf +Any Application Firewall configuration will not be enforced. - +### Ref Type Inherit Waf +Any Application Firewall configuration that was configured on a higher level will be enforced. +### Retry Policy Back Off +10 times the base interval. +`base_interval` - (Optional) Specifies the base interval between retries in milliseconds (`Int`). +`max_interval` - (Optional) to the base_interval if set. The default is 10 times the base_interval. (`Int`). +### Route Action Route Destination - +Send request to one of the destination from list of destinations. +`buffer_policy` - (Optional) Route level buffer configuration overrides any configuration at VirtualHost level.. See [Route Destination Buffer Policy ](#route-destination-buffer-policy) below for details. +###### One of the arguments from this list "do_not_retract_cluster, retract_cluster" can be set +`do_not_retract_cluster` - (Optional) configuration. (`Bool`). - +`retract_cluster` - (Optional) for route (`Bool`). +`cors_policy` - (Optional) resources from a server at a different origin. See [Route Destination Cors Policy ](#route-destination-cors-policy) below for details. +`csrf_policy` - (Optional) Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. 
See [Route Destination Csrf Policy ](#route-destination-csrf-policy) below for details. +`destinations` - (Required) sent to the cluster specified in the destination. See [Route Destination Destinations ](#route-destination-destinations) below for details. - +`endpoint_subsets` - (Optional) upstream cluster which match this metadata will be selected for load balancing (`String`). +`hash_policy` - (Optional) route the request. See [Route Destination Hash Policy ](#route-destination-hash-policy) below for details. +###### One of the arguments from this list "auto_host_rewrite, host_rewrite" must be set +`auto_host_rewrite` - (Optional) of the upstream host chosen by the cluster (`Bool`). - +`host_rewrite` - (Optional) Indicates that during forwarding, the host header will be swapped with this value (`String`). +`mirror_policy` - (Optional) useful for logging. For example, *cluster1* becomes *cluster1-shadow*.. See [Route Destination Mirror Policy ](#route-destination-mirror-policy) below for details. +`priority` - (Optional) Also, circuit-breaker configuration at destination cluster is chosen based on the route priority. (`String`). +`retry_policy` - (Optional) Indicates that the route has a retry policy.. See [Route Destination Retry Policy ](#route-destination-retry-policy) below for details. +###### One of the arguments from this list "prefix_rewrite, regex_rewrite" can be set +`prefix_rewrite` - (Optional) while requests to /register/public will be stripped to /public (`String`). +`regex_rewrite` - (Optional) would transform "/service/foo/v1/api" into "/v1/api/instance/foo".. See [Route Destination Rewrite Regex Rewrite ](#route-destination-rewrite-regex-rewrite) below for details. +`spdy_config` - (Optional) SPDY configuration for each route. See [Route Destination Spdy Config ](#route-destination-spdy-config) below for details. - +`timeout` - (Optional) for infinite timeout (`Int`). +`web_socket_config` - (Optional) Websocket configuration for each route. 
See [Route Destination Web Socket Config ](#route-destination-web-socket-config) below for details. +### Route Action Route Direct Response +Send direct response. - +`response_body` - (Optional) response body to send (`String`). +`response_code` - (Optional) response code to send (`Int`). +### Route Action Route Redirect +Send redirect response. - +`host_redirect` - (Optional) swap host part of incoming URL in redirect URL (`String`). +`port_redirect` - (Optional) Specify the port value to redirect to a URL with non default port(443) (`Int`).(Deprecated) +`proto_redirect` - (Optional) When incoming-proto option is specified, swapping of protocol is not done. (`String`). +###### One of the arguments from this list "all_params, remove_all_params, replace_params, retain_all_params, strip_query_params" can be set - +`all_params` - (Optional) be removed. Default value is false, which means query portion of the URL will NOT be removed (`Bool`).(Deprecated) +`remove_all_params` - (Optional) x-displayName: "Remove All Parameters" (`Bool`). +`replace_params` - (Optional) x-displayName: "Replace All Parameters" (`String`). +`retain_all_params` - (Optional) x-displayName: "Retain All Parameters" (`Bool`). +`strip_query_params` - (Optional) Specifies the list of query params to be removed. Not supported. See [Query Params Strip Query Params ](#query-params-strip-query-params) below for details.(Deprecated) +###### One of the arguments from this list "path_redirect, prefix_rewrite" can be set - +`path_redirect` - (Optional) swap path part of incoming URL in redirect URL (`String`). +`prefix_rewrite` - (Optional) This option allows redirect URLs be dynamically created based on the request (`String`). +`response_code` - (Optional) The HTTP status code to use in the redirect response. (`Int`). +### Route Destination Buffer Policy - +Route level buffer configuration overrides any configuration at VirtualHost level.. 
+`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). +`max_request_bytes` - (Optional) manager will stop buffering and return a RequestEntityTooLarge (413) response. (`Int`). +`max_request_time` - (Optional) request before returning a RequestTimeout (408) response (`Int`).(Deprecated) +### Route Destination Cors Policy +resources from a server at a different origin. +`allow_credentials` - (Optional) Specifies whether the resource allows credentials (`Bool`). +`allow_headers` - (Optional) Specifies the content for the access-control-allow-headers header (`String`). +`allow_methods` - (Optional) Specifies the content for the access-control-allow-methods header (`String`). +`allow_origin` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). +`allow_origin_regex` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). +`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). +`expose_headers` - (Optional) Specifies the content for the access-control-expose-headers header (`String`). +`max_age` - (Optional) Specifies the content for the access-control-max-age header (`String`).(Deprecated) - +`maximum_age` - (Optional) Maximum permitted value is 86400 seconds (24 hours) (`Int`). +### Route Destination Csrf Policy +Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. - +###### One of the arguments from this list "all_load_balancer_domains, custom_domain_list, disabled" must be set +`all_load_balancer_domains` - (Optional) Add All load balancer domains to source origin (allow) list. (`Bool`). +`custom_domain_list` - (Optional) Add one or more domains to source origin (allow) list.. See [Allowed Domains Custom Domain List ](#allowed-domains-custom-domain-list) below for details. 
+`disabled` - (Optional) Allow all source origin domains. (`Bool`). +### Route Destination Destinations - +sent to the cluster specified in the destination. +`cluster` - (Required) does not exist ServiceUnavailable response will be sent. See [ref](#ref) below for details. - +`endpoint_subsets` - (Optional) upstream cluster which match this metadata will be selected for load balancing (`String`). +`priority` - (Optional) made active as per the increasing priority. (`Int`). +`weight` - (Optional) sent to the cluster specified in the destination (`Int`). +### Route Destination Hash Policy +route the request. +###### One of the arguments from this list "cookie, header_name, source_ip" must be set +`cookie` - (Optional) Hash based on cookie. See [Policy Specifier Cookie ](#policy-specifier-cookie) below for details. +`header_name` - (Optional) The name or key of the request header that will be used to obtain the hash key (`String`). +`source_ip` - (Optional) Hash based on source IP address (`Bool`). +`terminal` - (Optional) Specify if its a terminal policy (`Bool`). +### Route Destination Mirror Policy +useful for logging. For example, *cluster1* becomes *cluster1-shadow*.. - +`cluster` - (Required) referred here must be present.. See [ref](#ref) below for details. +`percent` - (Optional) Percentage of requests to be mirrored. See [Mirror Policy Percent ](#mirror-policy-percent) below for details. +### Route Destination Retry Policy +Indicates that the route has a retry policy.. +`back_off` - (Optional) 10 times the base interval. See [Retry Policy Back Off ](#retry-policy-back-off) below for details. +`num_retries` - (Optional) is used between each retry (`Int`). - +`per_try_timeout` - (Optional) Specifies a non-zero timeout per retry attempt. In milliseconds (`Int`). +`retriable_status_codes` - (Optional) HTTP status codes that should trigger a retry in addition to those specified by retry_on. (`Int`). +`retry_condition` - (Required) (disconnect/reset/read timeout.) 
(`String`). +`retry_on` - (Optional) matching one defined in retriable_status_codes field (`String`).(Deprecated) - +### Route Destination Spdy Config +SPDY configuration for each route. +`use_spdy` - (Optional) a SPDY connection (`Bool`). +### Route Destination Web Socket Config +Websocket configuration for each route. +`use_websocket` - (Optional) a WebSocket connection (`Bool`). +### Route Destination Rewrite Regex Rewrite - +would transform "/service/foo/v1/api" into "/v1/api/instance/foo".. +`pattern` - (Optional) The regular expression used to find portions of a string that should be replaced. (`String`). +`substitution` - (Optional) substitution operation to produce a new string. (`String`). +### Routes Bot Defense Javascript Injection Inline Mode +Specifies whether bot defense js injection inline mode will be enabled. +`element_selector` - (Required) Element selector to insert into. (`String`). - +`insert_content` - (Optional) HTML content to insert. (`String`). +`position` - (Optional) Position of HTML content to be inserted within HTML tag. (`String`). +### Routes Match +route match condition. +`headers` - (Optional) List of (key, value) headers. See [Match Headers ](#match-headers) below for details. +`http_method` - (Optional) The name of the HTTP Method (GET, PUT, POST, etc) (`String`). +`incoming_port` - (Optional) The port on which the request is received. See [Match Incoming Port ](#match-incoming-port) below for details. +`path` - (Optional) URI path of route. See [Match Path ](#match-path) below for details. - +`query_params` - (Optional) List of (key, value) query parameters. See [Match Query Params ](#match-query-params) below for details. +### Routes Request Headers To Add +enclosing VirtualHost object level. +`append` - (Optional) Default value is do not append (`Bool`). +`name` - (Required) Name of the HTTP header. (`String`). 
- +###### One of the arguments from this list "secret_value, value" must be set +`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. +`value` - (Optional) Value of the HTTP header. (`String`). +### Routes Response Headers To Add - +enclosing VirtualHost object level. +`append` - (Optional) Default value is do not append (`Bool`). +`name` - (Required) Name of the HTTP header. (`String`). +###### One of the arguments from this list "secret_value, value" must be set +`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. +`value` - (Optional) Value of the HTTP header. (`String`). +### Routes Service Policy +service policy configuration at route level which overrides configuration at virtual-host level. +###### One of the arguments from this list "context_extensions, disable" can be set +`context_extensions` - (Optional) sending additional information to the external authorization server.. See [Service Policy Choice Context Extensions ](#service-policy-choice-context-extensions) below for details.(Deprecated) +`disable` - (Optional) disable service policy at route level, if it is configured at virtual-host level (`Bool`). +### Routes Waf Type - +waf_type specified at route level overrides waf configuration at VirtualHost level. +###### One of the arguments from this list "app_firewall, disable_waf, inherit_waf" can be set +`app_firewall` - (Optional) A direct reference to an Application Firewall configuration object. See [Ref Type App Firewall ](#ref-type-app-firewall) below for details. +`disable_waf` - (Optional) Any Application Firewall configuration will not be enforced (`Bool`). - +`inherit_waf` - (Optional) Any Application Firewall configuration that was configured on a higher level will be enforced (`Bool`). +### Samesite Ignore Samesite +Ignore Samesite attribute. 
+### Samesite Samesite Lax +Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests. +### Samesite Samesite None +Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests. - +### Samesite Samesite Strict +Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests. +### Secret Info Oneof Blindfold Secret Info +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. - +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info +Clear Secret is used for the secrets that are not encrypted. - +`provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +`url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info +Vault Secret is used for the secrets managed by Hashicorp Vault. - +`key` - (Optional) If not provided entire secret will be returned. (`String`). +`location` - (Required) Path to secret in Vault. (`String`). +`provider` - (Required) Name of the Secret Management Access object that contains information about the backend Vault. (`String`). +`secret_encoding` - (Optional) This field defines the encoding type of the secret BEFORE the secret is put into Hashicorp Vault. (`String`). +`version` - (Optional) If not provided latest version will be returned. (`Int`). -### Routes +### Secret Info Oneof Wingman Secret Info - List of routes to match for incoming request. 
+Secret is given as bootstrap secret in F5XC Security Sidecar. +`name` - (Required) Name of the secret. (`String`). +### Secret Value Blindfold Secret Info Internal +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. -###### One of the arguments from this list "inherited_bot_defense_javascript_injection, bot_defense_javascript_injection" can be set +`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). -`bot_defense_javascript_injection` - (Optional) Configuration for Bot Defense Javascript Injection. See [Bot Defense Javascript Injection Choice Bot Defense Javascript Injection ](#bot-defense-javascript-injection-choice-bot-defense-javascript-injection) below for details. +`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). +`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). -`inherited_bot_defense_javascript_injection` - (Optional) Hence no custom configuration is applied on the route (`Bool`). +### Secure Add Secure +Add secure attribute. -`bot_defense_javascript_injection_inline_mode` - (Optional) Specifies whether bot defense js injection inline mode will be enabled. See [Routes Bot Defense Javascript Injection Inline Mode ](#routes-bot-defense-javascript-injection-inline-mode) below for details.(Deprecated) +### Secure Ignore Secure -`disable_custom_script` - (Optional) disable execution of Javascript at route level, if it is configured at virtual-host level (`Bool`).(Deprecated) +Ignore secure attribute. -`disable_location_add` - (Optional) virtual-host level. This configuration is ignored on CE sites. (`Bool`). +### Service Policy Choice Context Extensions -`match` - (Optional) route match condition. See [Routes Match ](#routes-match) below for details. 
+sending additional information to the external authorization server.. -`request_headers_to_add` - (Optional) enclosing VirtualHost object level. See [Routes Request Headers To Add ](#routes-request-headers-to-add) below for details. +`context_extensions` - (Optional) provide extra context for the external authorization server on specific virtual hosts or routes. (`String`). -`request_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP request being sent towards upstream. (`String`). +### Value Choice Secret Value -`response_headers_to_add` - (Optional) enclosing VirtualHost object level. See [Routes Response Headers To Add ](#routes-response-headers-to-add) below for details. +Secret Value of the HTTP header.. -`response_headers_to_remove` - (Optional) List of keys of Headers to be removed from the HTTP response being sent towards downstream. (`String`). +`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Secret Value Blindfold Secret Info Internal ](#secret-value-blindfold-secret-info-internal) below for details.(Deprecated) +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set -###### One of the arguments from this list "route_destination, route_redirect, route_direct_response" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. -`route_destination` - (Optional) Send request to one of the destination from list of destinations. See [Route Action Route Destination ](#route-action-route-destination) below for details. 
- - -`route_direct_response` - (Optional) Send direct response. See [Route Action Route Direct Response ](#route-action-route-direct-response) below for details. - - -`route_redirect` - (Optional) Send redirect response. See [Route Action Route Redirect ](#route-action-route-redirect) below for details. - - -`service_policy` - (Optional) service policy configuration at route level which overrides configuration at virtual-host level. See [Routes Service Policy ](#routes-service-policy) below for details. - -`skip_lb_override` - (Optional) these routes. (`Bool`).(Deprecated) - -`waf_type` - (Optional) waf_type specified at route level overrides waf configuration at VirtualHost level. See [Routes Waf Type ](#routes-waf-type) below for details. - - - -### Allowed Domains All Load Balancer Domains - - Add All load balancer domains to source origin (allow) list.. - - - -### Allowed Domains Custom Domain List - - Add one or more domains to source origin (allow) list.. - -`domains` - (Required) Wildcard names are supported in the suffix or prefix form. (`String`). - - - -### Allowed Domains Disabled - - Allow all source origin domains.. - - - -### Bot Defense Javascript Injection Javascript Tags - - Select Add item to configure your javascript tag. If adding both Bot Adv and Fraud, the Bot Javascript should be added first.. - -`javascript_url` - (Required) Please enter the full URL (include domain and path), or relative path. (`String`). - -`tag_attributes` - (Optional) Add the tag attributes you want to include in your Javascript tag.. See [Javascript Tags Tag Attributes ](#javascript-tags-tag-attributes) below for details. - - - -### Bot Defense Javascript Injection Choice Bot Defense Javascript Injection - - Configuration for Bot Defense Javascript Injection. - -`javascript_location` - (Optional) Select the location where you would like to insert the Javascript tag(s). (`String`). - -`javascript_tags` - (Required) Select Add item to configure your javascript tag. 
If adding both Bot Adv and Fraud, the Bot Javascript should be added first.. See [Bot Defense Javascript Injection Javascript Tags ](#bot-defense-javascript-injection-javascript-tags) below for details. - - - -### Bot Defense Javascript Injection Choice Inherited Bot Defense Javascript Injection - - Hence no custom configuration is applied on the route. - - - -### Cluster Retract Choice Do Not Retract Cluster - - configuration.. - - - -### Cluster Retract Choice Retract Cluster - - for route. - - - -### Httponly Add Httponly - - Add httponly attribute. - - - -### Httponly Ignore Httponly - - Ignore httponly attribute. - - - -### Javascript Tags Tag Attributes - - Add the tag attributes you want to include in your Javascript tag.. - -`javascript_tag` - (Optional) Select from one of the predefined tag attibutes. (`String`). - -`tag_value` - (Optional) Add the tag attribute value. (`String`). - - - -### Match Headers - - List of (key, value) headers. - -`invert_match` - (Optional) Invert the result of the match to detect missing header or non-matching value (`Bool`). - -`name` - (Required) Name of the header (`String`). - - - - -###### One of the arguments from this list "exact, regex, presence" can be set - -`exact` - (Optional) Header value to match exactly (`String`). - - -`presence` - (Optional) If true, check for presence of header (`Bool`). - - -`regex` - (Optional) Regex match of the header value in re2 format (`String`). - - - - -### Match Incoming Port - - The port on which the request is received. - - - - -###### One of the arguments from this list "port, port_ranges, no_port_match" can be set - -`no_port_match` - (Optional) Disable matching of ports (`Bool`). - - -`port` - (Optional) Exact Port to match (`Int`). - - -`port_ranges` - (Optional) Port range to match (`String`). - - - - -### Match Path - - URI path of route. 
- - - -###### One of the arguments from this list "prefix, path, regex" must be set - -`path` - (Optional) Exact path value to match (`String`). - - -`prefix` - (Optional) Path prefix to match (e.g. the value / will match on all paths) (`String`). - - -`regex` - (Optional) Regular expression of path match (e.g. the value .* will match on all paths) (`String`). - - - - -### Match Query Params - - List of (key, value) query parameters. - -`key` - (Required) In the above example, assignee_username is the key (`String`). - - - - -###### One of the arguments from this list "regex, exact" can be set - -`exact` - (Optional) Exact match value for the query parameter key (`String`). - - -`regex` - (Optional) Regex match value for the query parameter key (`String`). - - - - -### Mirror Policy Percent - - Percentage of requests to be mirrored. - -`denominator` - (Required) Samples per denominator. numerator part per 100 or 10000 ro 1000000 (`String`). - -`numerator` - (Required) sampled parts per denominator. If denominator was 10000, then value of 5 will be 5 in 10000 (`Int`). - - - -### Policy Specifier Cookie - - Hash based on cookie. - - - - -###### One of the arguments from this list "ignore_httponly, add_httponly" can be set - -`add_httponly` - (Optional) Add httponly attribute (`Bool`). - - -`ignore_httponly` - (Optional) Ignore httponly attribute (`Bool`). - - -`name` - (Required) produced (`String`). - -`path` - (Optional) will be set for the cookie (`String`). - - - - -###### One of the arguments from this list "ignore_samesite, samesite_strict, samesite_lax, samesite_none" can be set - -`ignore_samesite` - (Optional) Ignore Samesite attribute (`Bool`). - - -`samesite_lax` - (Optional) Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests (`Bool`). - - -`samesite_none` - (Optional) Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests (`Bool`). 
- - -`samesite_strict` - (Optional) Add Samesite attribute with Strict. Means that the browser sends the cookie only for same-site requests (`Bool`). - - - - - -###### One of the arguments from this list "ignore_secure, add_secure" can be set - -`add_secure` - (Optional) Add secure attribute (`Bool`). - - -`ignore_secure` - (Optional) Ignore secure attribute (`Bool`). - - -`ttl` - (Optional) be a session cookie. TTL value is in milliseconds (`Int`). - - - -### Port Match No Port Match - - Disable matching of ports. - - - -### Query Params Remove All Params - - x-displayName: "Remove All Parameters". - - - -### Query Params Retain All Params - - x-displayName: "Retain All Parameters". - - - -### Query Params Strip Query Params - - Specifies the list of query params to be removed. Not supported. - -`query_params` - (Optional) Query params keys to strip while manipulating the HTTP request (`String`). - - - -### Ref - - -Reference to another volterra object is shown like below - -name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - -namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). - -tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). - - - -### Ref Type App Firewall - - A direct reference to an Application Firewall configuration object. - -`app_firewall` - (Required) References to an Application Firewall configuration object. See [ref](#ref) below for details. - - - -### Ref Type Disable Waf - - Any Application Firewall configuration will not be enforced. - - - -### Ref Type Inherit Waf - - Any Application Firewall configuration that was configured on a higher level will be enforced. - - - -### Retry Policy Back Off - - 10 times the base interval. - -`base_interval` - (Optional) Specifies the base interval between retries in milliseconds (`Int`). - -`max_interval` - (Optional) to the base_interval if set. 
The default is 10 times the base_interval. (`Int`). - - - -### Route Action Route Destination - - Send request to one of the destination from list of destinations. - -`buffer_policy` - (Optional) Route level buffer configuration overrides any configuration at VirtualHost level.. See [Route Destination Buffer Policy ](#route-destination-buffer-policy) below for details. - - - - -###### One of the arguments from this list "retract_cluster, do_not_retract_cluster" can be set - -`do_not_retract_cluster` - (Optional) configuration. (`Bool`). - - -`retract_cluster` - (Optional) for route (`Bool`). - - -`cors_policy` - (Optional) resources from a server at a different origin. See [Route Destination Cors Policy ](#route-destination-cors-policy) below for details. - -`csrf_policy` - (Optional) Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. See [Route Destination Csrf Policy ](#route-destination-csrf-policy) below for details. - -`destinations` - (Required) sent to the cluster specified in the destination. See [Route Destination Destinations ](#route-destination-destinations) below for details. - -`endpoint_subsets` - (Optional) upstream cluster which match this metadata will be selected for load balancing (`String`). - -`hash_policy` - (Optional) route the request. See [Route Destination Hash Policy ](#route-destination-hash-policy) below for details. - - - -###### One of the arguments from this list "host_rewrite, auto_host_rewrite" must be set - -`auto_host_rewrite` - (Optional) of the upstream host chosen by the cluster (`Bool`). - - -`host_rewrite` - (Optional) Indicates that during forwarding, the host header will be swapped with this value (`String`). - - -`mirror_policy` - (Optional) useful for logging. For example, *cluster1* becomes *cluster1-shadow*.. See [Route Destination Mirror Policy ](#route-destination-mirror-policy) below for details. 
- -`priority` - (Optional) Also, circuit-breaker configuration at destination cluster is chosen based on the route priority. (`String`). - -`retry_policy` - (Optional) Indicates that the route has a retry policy.. See [Route Destination Retry Policy ](#route-destination-retry-policy) below for details. - - - - -###### One of the arguments from this list "prefix_rewrite, regex_rewrite" can be set - -`prefix_rewrite` - (Optional) while requests to /register/public will be stripped to /public (`String`). - - -`regex_rewrite` - (Optional) would transform "/service/foo/v1/api" into "/v1/api/instance/foo".. See [Route Destination Rewrite Regex Rewrite ](#route-destination-rewrite-regex-rewrite) below for details. - - -`spdy_config` - (Optional) SPDY configuration for each route. See [Route Destination Spdy Config ](#route-destination-spdy-config) below for details. - -`timeout` - (Optional) for infinite timeout (`Int`). - -`web_socket_config` - (Optional) Websocket configuration for each route. See [Route Destination Web Socket Config ](#route-destination-web-socket-config) below for details. - - - -### Route Action Route Direct Response - - Send direct response. - -`response_body` - (Optional) response body to send (`String`). - -`response_code` - (Optional) response code to send (`Int`). - - - -### Route Action Route Redirect - - Send redirect response. - -`host_redirect` - (Optional) swap host part of incoming URL in redirect URL (`String`). - -`port_redirect` - (Optional) Specify the port value to redirect to a URL with non default port(443) (`Int`).(Deprecated) - -`proto_redirect` - (Optional) When incoming-proto option is specified, swapping of protocol is not done. (`String`). - - - - -###### One of the arguments from this list "strip_query_params, all_params, retain_all_params, remove_all_params, replace_params" can be set - -`all_params` - (Optional) be removed. 
Default value is false, which means query portion of the URL will NOT be removed (`Bool`).(Deprecated) - - -`remove_all_params` - (Optional) x-displayName: "Remove All Parameters" (`Bool`). - - -`replace_params` - (Optional) x-displayName: "Replace All Parameters" (`String`). - - -`retain_all_params` - (Optional) x-displayName: "Retain All Parameters" (`Bool`). - - -`strip_query_params` - (Optional) Specifies the list of query params to be removed. Not supported. See [Query Params Strip Query Params ](#query-params-strip-query-params) below for details.(Deprecated) - - - - - -###### One of the arguments from this list "path_redirect, prefix_rewrite" can be set - -`path_redirect` - (Optional) swap path part of incoming URL in redirect URL (`String`). - - -`prefix_rewrite` - (Optional) This option allows redirect URLs be dynamically created based on the request (`String`). - - -`response_code` - (Optional) The HTTP status code to use in the redirect response. (`Int`). - - - -### Route Destination Buffer Policy - - Route level buffer configuration overrides any configuration at VirtualHost level.. - -`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). - -`max_request_bytes` - (Optional) manager will stop buffering and return a RequestEntityTooLarge (413) response. (`Int`). - -`max_request_time` - (Optional) request before returning a RequestTimeout (408) response (`Int`).(Deprecated) - - - -### Route Destination Cors Policy - - resources from a server at a different origin. - -`allow_credentials` - (Optional) Specifies whether the resource allows credentials (`Bool`). - -`allow_headers` - (Optional) Specifies the content for the access-control-allow-headers header (`String`). - -`allow_methods` - (Optional) Specifies the content for the access-control-allow-methods header (`String`). - -`allow_origin` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). 
- -`allow_origin_regex` - (Optional) An origin is allowed if either allow_origin or allow_origin_regex match (`String`). - -`disabled` - (Optional) The value of this field is ignored for virtual-host (`Bool`). - -`expose_headers` - (Optional) Specifies the content for the access-control-expose-headers header (`String`). - -`max_age` - (Optional) Specifies the content for the access-control-max-age header (`String`).(Deprecated) - -`maximum_age` - (Optional) Maximum permitted value is 86400 seconds (24 hours) (`Int`). - - - -### Route Destination Csrf Policy - - Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.).. - - - -###### One of the arguments from this list "all_load_balancer_domains, custom_domain_list, disabled" must be set - -`all_load_balancer_domains` - (Optional) Add All load balancer domains to source origin (allow) list. (`Bool`). - - -`custom_domain_list` - (Optional) Add one or more domains to source origin (allow) list.. See [Allowed Domains Custom Domain List ](#allowed-domains-custom-domain-list) below for details. - - -`disabled` - (Optional) Allow all source origin domains. (`Bool`). - - - - -### Route Destination Destinations - - sent to the cluster specified in the destination. - -`cluster` - (Required) does not exist ServiceUnavailable response will be sent. See [ref](#ref) below for details. - -`endpoint_subsets` - (Optional) upstream cluster which match this metadata will be selected for load balancing (`String`). - -`priority` - (Optional) made active as per the increasing priority. (`Int`). - -`weight` - (Optional) sent to the cluster specified in the destination (`Int`). - - - -### Route Destination Hash Policy - - route the request. - - - -###### One of the arguments from this list "cookie, source_ip, header_name" must be set - -`cookie` - (Optional) Hash based on cookie. 
See [Policy Specifier Cookie ](#policy-specifier-cookie) below for details. - - -`header_name` - (Optional) The name or key of the request header that will be used to obtain the hash key (`String`). - - -`source_ip` - (Optional) Hash based on source IP address (`Bool`). - - -`terminal` - (Optional) Specify if its a terminal policy (`Bool`). - - - -### Route Destination Mirror Policy - - useful for logging. For example, *cluster1* becomes *cluster1-shadow*.. - -`cluster` - (Required) referred here must be present.. See [ref](#ref) below for details. - -`percent` - (Optional) Percentage of requests to be mirrored. See [Mirror Policy Percent ](#mirror-policy-percent) below for details. - - - -### Route Destination Retry Policy - - Indicates that the route has a retry policy.. - -`back_off` - (Optional) 10 times the base interval. See [Retry Policy Back Off ](#retry-policy-back-off) below for details. - -`num_retries` - (Optional) is used between each retry (`Int`). - -`per_try_timeout` - (Optional) Specifies a non-zero timeout per retry attempt. In milliseconds (`Int`). - -`retriable_status_codes` - (Optional) HTTP status codes that should trigger a retry in addition to those specified by retry_on. (`Int`). - -`retry_condition` - (Required) (disconnect/reset/read timeout.) (`String`). - -`retry_on` - (Optional) matching one defined in retriable_status_codes field (`String`).(Deprecated) - - - -### Route Destination Spdy Config - - SPDY configuration for each route. - -`use_spdy` - (Optional) a SPDY connection (`Bool`). - - - -### Route Destination Web Socket Config - - Websocket configuration for each route. - -`idle_timeout` - (Optional) Idle Timeout for Websocket in milli seconds. After timeout, connection will be closed (`Int`).(Deprecated) - -`max_connect_attempts` - (Optional) giving up. Default is 1 (`Int`).(Deprecated) - -`use_websocket` - (Optional) a WebSocket connection (`Bool`). 
- - - -### Route Destination Rewrite Regex Rewrite - - would transform "/service/foo/v1/api" into "/v1/api/instance/foo".. - -`pattern` - (Optional) The regular expression used to find portions of a string that should be replaced. (`String`). - -`substitution` - (Optional) substitution operation to produce a new string. (`String`). - - - -### Routes Bot Defense Javascript Injection Inline Mode - - Specifies whether bot defense js injection inline mode will be enabled. - -`element_selector` - (Required) Element selector to insert into. (`String`). - -`insert_content` - (Optional) HTML content to insert. (`String`). - -`position` - (Optional) Position of HTML content to be inserted within HTML tag. (`String`). - - - -### Routes Match - - route match condition. - -`headers` - (Optional) List of (key, value) headers. See [Match Headers ](#match-headers) below for details. - -`http_method` - (Optional) The name of the HTTP Method (GET, PUT, POST, etc) (`String`). - -`incoming_port` - (Optional) The port on which the request is received. See [Match Incoming Port ](#match-incoming-port) below for details. - -`path` - (Optional) URI path of route. See [Match Path ](#match-path) below for details. - -`query_params` - (Optional) List of (key, value) query parameters. See [Match Query Params ](#match-query-params) below for details. - - - -### Routes Request Headers To Add - - enclosing VirtualHost object level. - -`append` - (Optional) Default value is do not append (`Bool`). - -`name` - (Required) Name of the HTTP header. (`String`). - - - -###### One of the arguments from this list "value, secret_value" must be set - -`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. - - -`value` - (Optional) Value of the HTTP header. (`String`). - - - - -### Routes Response Headers To Add - - enclosing VirtualHost object level. - -`append` - (Optional) Default value is do not append (`Bool`). 
- -`name` - (Required) Name of the HTTP header. (`String`). - - - -###### One of the arguments from this list "value, secret_value" must be set - -`secret_value` - (Optional) Secret Value of the HTTP header.. See [Value Choice Secret Value ](#value-choice-secret-value) below for details. - - -`value` - (Optional) Value of the HTTP header. (`String`). - - - - -### Routes Service Policy - - service policy configuration at route level which overrides configuration at virtual-host level. - - - - -###### One of the arguments from this list "disable, context_extensions" can be set - -`context_extensions` - (Optional) sending additional information to the external authorization server.. See [Service Policy Choice Context Extensions ](#service-policy-choice-context-extensions) below for details.(Deprecated) - - -`disable` - (Optional) disable service policy at route level, if it is configured at virtual-host level (`Bool`). - - - - -### Routes Waf Type - - waf_type specified at route level overrides waf configuration at VirtualHost level. - - - - -###### One of the arguments from this list "app_firewall, disable_waf, inherit_waf" can be set - -`app_firewall` - (Optional) A direct reference to an Application Firewall configuration object. See [Ref Type App Firewall ](#ref-type-app-firewall) below for details. - - -`disable_waf` - (Optional) Any Application Firewall configuration will not be enforced (`Bool`). - - -`inherit_waf` - (Optional) Any Application Firewall configuration that was configured on a higher level will be enforced (`Bool`). - - - - -### Samesite Ignore Samesite - - Ignore Samesite attribute. - - - -### Samesite Samesite Lax - - Add Samesite attribute with Lax. Means that the cookie is not sent on cross-site requests. - - - -### Samesite Samesite None - - Add Samesite attribute with None. Means that the browser sends the cookie with both cross-site and same-site requests. - - - -### Samesite Samesite Strict - - Add Samesite attribute with Strict. 
Means that the browser sends the cookie only for same-site requests. - - - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. - -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. - -`provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - -`url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). - - - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. - -`key` - (Optional) If not provided entire secret will be returned. (`String`). - -`location` - (Required) Path to secret in Vault. (`String`). - -`provider` - (Required) Name of the Secret Management Access object that contains information about the backend Vault. (`String`). - -`secret_encoding` - (Optional) This field defines the encoding type of the secret BEFORE the secret is put into Hashicorp Vault. (`String`). - -`version` - (Optional) If not provided latest version will be returned. (`Int`). - - - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. - -`name` - (Required) Name of the secret. (`String`). - - - -### Secret Value Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. 
- -`decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). - -`location` - (Required) Or it could be a path if the store provider is an http/https location (`String`). - -`store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - - -### Secure Add Secure - - Add secure attribute. - - - -### Secure Ignore Secure - - Ignore secure attribute. - - - -### Service Policy Choice Context Extensions - - sending additional information to the external authorization server.. - -`context_extensions` - (Optional) provide extra context for the external authorization server on specific virtual hosts or routes. (`String`). - - - -### Value Choice Secret Value - - Secret Value of the HTTP header.. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Secret Value Blindfold Secret Info Internal ](#secret-value-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. - - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. 
See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) `wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +Attribute Reference +------------------- - - -## Attribute Reference - -* `id` - This is the id of the configured route. - +- `id` - This is the id of the configured route. diff --git a/docs/resources/volterra_secret_policy.md b/docs/resources/volterra_secret_policy.md index 0ac552612..e7b5b0ebb 100644 --- a/docs/resources/volterra_secret_policy.md +++ b/docs/resources/volterra_secret_policy.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: secret_policy" -description: "The secret_policy allows CRUD of Secret Policy resource on Volterra SaaS" +description: "The secret_policy allows CRUD of Secret Policy resource on Volterra SaaS" + --- -# Resource volterra_secret_policy -The Secret Policy allows CRUD of Secret Policy resource on Volterra SaaS +Resource volterra_secret_policy +=============================== + +The Secret Policy allows CRUD of Secret Policy resource on Volterra SaaS -~> **Note:** Please refer to [Secret Policy API docs](https://docs.cloud.f5.com/docs-v2/api/secret-policy) to learn more +~> **Note:** Please refer to [Secret Policy API docs](https://docs.cloud.f5.com/docs-v2/api/secret-policy) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_secret_policy" "example" { 
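Review bot: in docs/resources/volterra_secret_policy.md, hunk `@@ -1,26 +1,19 @@`, the headings `# Resource volterra_secret_policy` and `## Example Usage` are converted to setext underlines, but setext has only two levels, so the `###` and `######` headings later in the same file stay ATX and the file ends up with two heading styles. Keep ATX throughout, or configure the formatter to do so. The `description:` front-matter line and the `~> **Note:**` line are also removed and re-added with no visible text change, which looks like whitespace-only churn; the commit message should say this is formatter output so reviewers do not hunt for a wording change.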
@@ -30,95 +23,42 @@ resource "volterra_secret_policy" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -`algo` - (Optional) - DENY_OVERRIDES Rules with a DENY action are evaluated prior to rules with an ALLOW action (`String`).(Deprecated) - +`algo` - (Optional) - DENY_OVERRIDES Rules with a DENY action are evaluated prior to rules with an ALLOW action (`String`).(Deprecated) `allow_f5xc` - (Optional) if allow_f5xc is set to true, it allows relevant F5XC infrastructure services to decrypt the secret encrypted using this policy. (`Bool`). - - `decrypt_cache_timeout` - (Optional) Value for this parameter is a string ending in the suffix "s" (indicating seconds), suffix "m" (indicating minutes) or suffix "h" (indicating hours) (`String`). - - +###### One of the arguments from this list "legacy_rule_list, rule_list" can be set `legacy_rule_list` - (Optional) x-displayName: "Legacy Rule List". See [Rule Choice Legacy Rule List ](#rule-choice-legacy-rule-list) below for details.(Deprecated) - - - - `rule_list` - (Optional) x-displayName: "Custom Rule List". See [Rule Choice Rule List ](#rule-choice-rule-list) below for details. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - `rules` - (Optional) The order of evaluation of the rules depends on the rule combining algorithm.. See [ref](#ref) below for details.(Deprecated) +### Client Choice Client Name Matcher -### Client Choice Client Name Matcher - - The predicate evaluates to true if any of the client's actual names match any of the exact values or regular expressions in the client name matcher.. +The predicate evaluates to true if any of the client's actual names match any of the exact values or regular expressions in the client name matcher.. `exact_values` - (Optional) A list of exact values to match the input against. (`String`). @@ -126,18 +66,13 @@ resource "volterra_secret_policy" "example" { `transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). +### Client Choice Client Selector - -### Client Choice Client Selector - - The predicate evaluates to true if the expressions in the label selector are true for the client labels.. +The predicate evaluates to true if the expressions in the label selector are true for the client labels.. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below 
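Review bot: in hunk `@@ -126,18 +66,13 @@` of volterra_secret_policy.md, the context line for `transformers` under Client Choice Client Name Matcher says the transformers are "applied to the path before matching", although this matcher compares client names, and the same section in volterra_secret_policy_rule.md in this patch lists only `exact_values` and `regex_values`. Check both against the schema and make the two pages agree, because a reader writing a secret policy needs to know exactly which normalisation is applied to the client name before an allow or deny decision. The re-added description lines also keep the doubled period ("client labels.."); since they are being rewritten here, fix that in the generator.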
@@ -147,37 +82,29 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Rule Choice Legacy Rule List - -### Rule Choice Legacy Rule List - - x-displayName: "Legacy Rule List". +x-displayName: "Legacy Rule List". `rules` - (Optional) The order of evaluation of the rules depends on the rule combining algorithm.. See [ref](#ref) below for details. +### Rule Choice Rule List - -### Rule Choice Rule List - - x-displayName: "Custom Rule List". +x-displayName: "Custom Rule List". `rules` - (Optional) Rules are evaluated from top to bottom in the list.. See [Rule List Rules ](#rule-list-rules) below for details. +### Rule List Rules - -### Rule List Rules - - Rules are evaluated from top to bottom in the list.. +Rules are evaluated from top to bottom in the list.. `metadata` - (Required) Common attributes for the rule including name and description.. See [Rules Metadata ](#rules-metadata) below for details. `spec` - (Required) Specification for the rule including match predicates and actions.. See [Rules Spec ](#rules-spec) below for details. +### Rules Metadata - -### Rules Metadata - - Common attributes for the rule including name and description.. +Common attributes for the rule including name and description.. `description` - (Optional) Human readable description. (`String`). 
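Review bot: in hunk `@@ -147,37 +82,29 @@`, the section descriptions re-added under Rule Choice Legacy Rule List and Rule Choice Rule List are the raw annotations `x-displayName: "Legacy Rule List".` and `x-displayName: "Custom Rule List".`, not descriptions. These lines are touched by this patch anyway, so replace them with a sentence that states the evaluation semantics: the page says legacy `rules` are ordered by "the rule combining algorithm" while rule list `rules` are "evaluated from top to bottom", and that difference decides which rule wins for a given client. The doubled periods in "in the list.." and "and actions.." are carried over as well.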
@@ -185,40 +112,29 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). +### Rules Spec - -### Rules Spec - - Specification for the rule including match predicates and actions.. +Specification for the rule including match predicates and actions.. `action` - (Required) Action to be enforced if all the predicates evaluates to true. (`String`). - - -###### One of the arguments from this list "client_name, client_selector, client_name_matcher" must be set +###### One of the arguments from this list "client_name, client_name_matcher, client_selector" must be set `client_name` - (Optional) This predicate evaluates to true if client name matches the configured name (`String`). - `client_name_matcher` - (Optional) The predicate evaluates to true if any of the client's actual names match any of the exact values or regular expressions in the client name matcher.. See [Client Choice Client Name Matcher ](#client-choice-client-name-matcher) below for details. - `client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - `label_matcher` - (Optional) The values of any other labels do not matter.. See [Spec Label Matcher ](#spec-label-matcher) below for details.(Deprecated) +### Spec Label Matcher - -### Spec Label Matcher - - The values of any other labels do not matter.. +The values of any other labels do not matter.. `keys` - (Optional) The list of label key names that have to match (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured secret_policy. - +- `id` - This is the id of the configured secret_policy. 
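Review bot: in hunk `@@ -185,40 +112,29 @@`, under Rules Spec, `action` is documented as Required with type `String` but the accepted values are never listed; the only hint on the page is the `algo` description, which mentions DENY and ALLOW actions, and the example in volterra_secret_policy_rule.md in this patch shows the placeholder `action = ["action"]`, a list rather than a string. Add the valid values here and use a real one in the example, since a wrong or misunderstood action on a secret policy rule changes who can decrypt. The Spec Label Matcher description "The values of any other labels do not matter.." is a fragment whose first sentence is missing; restore the full sentence or drop it while the line is being rewritten.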
diff --git a/docs/resources/volterra_secret_policy_rule.md b/docs/resources/volterra_secret_policy_rule.md index 406ea81f7..06c100560 100644 --- a/docs/resources/volterra_secret_policy_rule.md +++ b/docs/resources/volterra_secret_policy_rule.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: secret_policy_rule" -description: "The secret_policy_rule allows CRUD of Secret Policy Rule resource on Volterra SaaS" +description: "The secret_policy_rule allows CRUD of Secret Policy Rule resource on Volterra SaaS" + --- -# Resource volterra_secret_policy_rule -The Secret Policy Rule allows CRUD of Secret Policy Rule resource on Volterra SaaS +Resource volterra_secret_policy_rule +==================================== + +The Secret Policy Rule allows CRUD of Secret Policy Rule resource on Volterra SaaS -~> **Note:** Please refer to [Secret Policy Rule API docs](https://docs.cloud.f5.com/docs-v2/api/secret-policy-rule) to learn more +~> **Note:** Please refer to [Secret Policy Rule API docs](https://docs.cloud.f5.com/docs-v2/api/secret-policy-rule) to learn more -## Example Usage +Example Usage +------------- ```hcl resource "volterra_secret_policy_rule" "example" { 
@@ -28,91 +21,65 @@ resource "volterra_secret_policy_rule" "example" { namespace = "staging" action = ["action"] - // One of the arguments from this list "client_name_matcher client_name client_selector" must be set + // One of the arguments from this list "client_name client_name_matcher client_selector" must be set client_name = "ver.re01.int.ves.io" } ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -`action` - (Required) Action to be enforced if all the predicates evaluates to true. (`String`). - +`action` - (Required) Action to be enforced if all the predicates evaluates to true. (`String`). +###### One of the arguments from this list "client_name, client_name_matcher, client_selector" must be set `client_name` - (Optional) This predicate evaluates to true if client name matches the configured name (`String`). - `client_name_matcher` - (Optional) The predicate evaluates to true if any of the client's actual names match any of the exact values or regular expressions in the client name matcher.. See [Client Choice Client Name Matcher ](#client-choice-client-name-matcher) below for details. - - - - - `client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. 
See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - - - - - - `label_matcher` - (Optional) The values of any other labels do not matter.. See [Label Matcher ](#label-matcher) below for details.(Deprecated) +### Label Matcher - - -### Label Matcher - - The values of any other labels do not matter.. +The values of any other labels do not matter.. `keys` - (Optional) The list of label key names that have to match (`String`). +### Client Choice Client Name Matcher - -### Client Choice Client Name Matcher - - The predicate evaluates to true if any of the client's actual names match any of the exact values or regular expressions in the client name matcher.. +The predicate evaluates to true if any of the client's actual names match any of the exact values or regular expressions in the client name matcher.. `exact_values` - (Optional) A list of exact values to match the input against. (`String`). `regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). +### Client Choice Client Selector - -### Client Choice Client Selector - - The predicate evaluates to true if the expressions in the label selector are true for the client labels.. +The predicate evaluates to true if the expressions in the label selector are true for the client labels.. `expressions` - (Required) expressions contains the kubernetes style label expression for selections. (`String`). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured secret_policy_rule. - +- `id` - This is the id of the configured secret_policy_rule. diff --git a/docs/resources/volterra_securemesh_site.md b/docs/resources/volterra_securemesh_site.md index 0431df902..05fd22ed2 100644 --- a/docs/resources/volterra_securemesh_site.md +++ b/docs/resources/volterra_securemesh_site.md 
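Review bot: In docs/resources/volterra_secret_policy_rule.md (hunk `@@ -28,91 +21,65 @@`), the example still sets `action = ["action"]` while the reference text re-added in the same hunk documents `action` as a required `String` and never lists the accepted values. For a secret policy rule, a placeholder list is the wrong thing for readers to copy; replace it with a real value of the documented type and enumerate the allowed actions under `action`. The same hunk carries the doubled periods forward in the re-added descriptions (for example "...in the client name matcher.."), and `regex_values` should state the regex dialect and whether matching is anchored, since an unanchored pattern in a client-name predicate can match more names than the author intended.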
@@ -1,33 +1,26 @@ - - - - - - - - - - - - --- + page_title: "Volterra: securemesh_site" -description: "The securemesh_site allows CRUD of Securemesh Site resource on Volterra SaaS" +description: "The securemesh_site allows CRUD of Securemesh Site resource on Volterra SaaS" + --- -# Resource volterra_securemesh_site -The Securemesh Site allows CRUD of Securemesh Site resource on Volterra SaaS +Resource volterra_securemesh_site +================================= -~> **Note:** Please refer to [Securemesh Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-securemesh-site) to learn more +The Securemesh Site allows CRUD of Securemesh Site resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Securemesh Site API docs](https://docs.cloud.f5.com/docs-v2/api/views-securemesh-site) to learn more + +Example Usage +------------- ```hcl resource "volterra_securemesh_site" "example" { name = "acmecorp-web" namespace = "staging" - // One of the arguments from this list "default_blocked_services blocked_services" must be set + // One of the arguments from this list "blocked_services default_blocked_services" must be set default_blocked_services = true @@ -37,14 +30,18 @@ resource "volterra_securemesh_site" "example" { // One of the arguments from this list "log_receiver logs_streaming_disabled" must be set - logs_streaming_disabled = true + log_receiver { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } master_node_configuration { name = "master-0" public_ip = "192.168.0.156" } - // One of the arguments from this list "default_network_config custom_network_config" must be set + // One of the arguments from this list "custom_network_config default_network_config" must be set default_network_config = true volterra_certified_hw = ["isv-8000-series-voltmesh"] 
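Review bot: In the `@@ -37,14 +30,18 @@` hunk of docs/resources/volterra_securemesh_site.md, the example swaps `logs_streaming_disabled = true` for a `log_receiver` block that points at `name = "test1"` in `namespace = "staging"`, `tenant = "acmecorp"`, but nothing in the example defines that receiver, so a reader copying the snippet now depends on an object they cannot see. Either keep the self-contained `logs_streaming_disabled = true` form, or add a comment saying the referenced log receiver must already exist and use a name consistent with the rest of the example rather than "test1". While here, the unchanged `public_ip = "192.168.0.156"` under `master_node_configuration` is an RFC 1918 private address in a field named public_ip; an address from the RFC 5737 documentation ranges would be less misleading.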
@@ -52,2156 +49,862 @@ resource "volterra_securemesh_site" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference `address` - (Optional) Site's geographical address that can be used determine its latitude and longitude. (`String`). - - +###### One of the arguments from this list "blocked_services, default_blocked_services" must be set `blocked_services` - (Optional) Use custom blocked services configuration. See [Blocked Services Choice Blocked Services ](#blocked-services-choice-blocked-services) below for details. - +`default_blocked_services` - (Optional) Use default behavior which allows SSH (port 22), HTTPS (port 65500) and ICMP node access in blocked services (`Bool`). - +###### One of the arguments from this list "bond_device_list, no_bond_devices" must be set +`bond_device_list` - (Optional) Configure Bond Devices for this Secure Mesh site. See [Bond Choice Bond Device List ](#bond-choice-bond-device-list) below for details. +`no_bond_devices` - (Optional) No Bond Devices configured for this Secure Mesh site (`Bool`). +`coordinates` - (Optional) Coordinates of the site, longitude and latitude. See [Coordinates ](#coordinates) below for details. - +`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. 
See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. +###### One of the arguments from this list "log_receiver, logs_streaming_disabled" must be set +`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. +`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). - +`master_node_configuration` - (Required) Configuration of master nodes. See [Master Node Configuration ](#master-node-configuration) below for details. +###### One of the arguments from this list "custom_network_config, default_network_config" must be set +`custom_network_config` - (Optional) Use custom networking configuration. See [Network Cfg Choice Custom Network Config ](#network-cfg-choice-custom-network-config) below for details. +`default_network_config` - (Optional) Use default networking configuration based on certified hardware. (`Bool`). - +`offline_survivability_mode` - (Optional) Enable/Disable offline survivability mode. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. +`os` - (Optional) Operating System Details. See [Os ](#os) below for details. +`performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Performance Enhancement Mode ](#performance-enhancement-mode) below for details. +`sw` - (Optional) F5XC Software Details. See [Sw ](#sw) below for details. +`volterra_certified_hw` - (Required) Name for generic server certified hardware to form this Secure Mesh site. (`String`). +`worker_nodes` - (Optional) Names of worker nodes (`List of String`). -`default_blocked_services` - (Optional) Use default behavior which allows SSH (port 22), HTTPS (port 65500) and ICMP node access in blocked services (`Bool`). +### Coordinates +Coordinates of the site, longitude and latitude. +`latitude` - (Optional) Latitude of the site location (`Float`). +`longitude` - (Optional) longitude of site location (`Float`). 
+### Kubernetes Upgrade Drain -`bond_device_list` - (Optional) Configure Bond Devices for this Secure Mesh site. See [Bond Choice Bond Device List ](#bond-choice-bond-device-list) below for details. - +Enable Kubernetes Drain during OS or SW upgrade. +###### One of the arguments from this list "disable_upgrade_drain, enable_upgrade_drain" must be set - +`disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). +`enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. +### Master Node Configuration +Configuration of master nodes. +`name` - (Required) Names of master node (`String`). - +`public_ip` - (Optional) via Site Mesh Group (`String`). +### Offline Survivability Mode +Enable/Disable offline survivability mode. +###### One of the arguments from this list "enable_offline_survivability_mode, no_offline_survivability_mode" must be set - +`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). +`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). +### Os +Operating System Details. +###### One of the arguments from this list "default_os_version, operating_system_version" must be set +`default_os_version` - (Optional) Will assign latest available OS version (`Bool`). +`operating_system_version` - (Optional) Specify a OS version to be used e.g. 9.2024.6. (`String`). +### Performance Enhancement Mode +Performance Enhancement Mode to optimize for L3 or L7 networking. -`no_bond_devices` - (Optional) No Bond Devices configured for this Secure Mesh site (`Bool`). +###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set +`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. 
See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. +`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). +### Sw -`coordinates` - (Optional) Coordinates of the site, longitude and latitude. See [Coordinates ](#coordinates) below for details. +F5XC Software Details. +###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set +`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). +`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). +### Address Choice Dhcp Client -`kubernetes_upgrade_drain` - (Optional) Enable Kubernetes Drain during OS or SW upgrade. See [Kubernetes Upgrade Drain ](#kubernetes-upgrade-drain) below for details. +Interface gets it's IP address from external DHCP server. +### Address Choice Dhcp Server +DHCP Server is configured for this interface. IP for this Interface will be derived from the DHCP Server configuration.. +`dhcp_networks` - (Required) List of networks from which DHCP Server can allocate IPv4 Addresses. See [Dhcp Server Dhcp Networks ](#dhcp-server-dhcp-networks) below for details. - +`dhcp_option82_tag` - (Optional) Optional tag that can be given to this configuration (`String`).(Deprecated) +`fixed_ip_map` - (Optional) Assign fixed IPv4 addresses based on the MAC Address of the DHCP Client. (`String`). +###### One of the arguments from this list "automatic_from_end, automatic_from_start, interface_ip_map" must be set +`automatic_from_end` - (Optional) Assign automatically from end of the first network in the DHCP Network list (`Bool`). - +`automatic_from_start` - (Optional) Assign automatically from start of the first network in the DHCP Network list (`Bool`). +`interface_ip_map` - (Optional) Statically configure a IPv4 address for every node. 
See [Interfaces Addressing Choice Interface Ip Map ](#interfaces-addressing-choice-interface-ip-map) below for details. +### Address Choice Stateful +works along with Router Advertisement' Managed flag. +`dhcp_networks` - (Required) List of networks from which DHCP server can allocate ip addresses. See [Stateful Dhcp Networks ](#stateful-dhcp-networks) below for details. +`fixed_ip_map` - (Optional) Assign fixed IPv6 addresses based on the MAC Address of the DHCP Client. (`String`). +###### One of the arguments from this list "automatic_from_end, automatic_from_start, interface_ip_map" must be set +`automatic_from_end` - (Optional) Assign automatically from End of the first network in the list (`Bool`). +`automatic_from_start` - (Optional) Assign automatically from start of the first network in the list (`Bool`). - +`interface_ip_map` - (Optional) Configured address for every node. See [Interfaces Addressing Choice Interface Ip Map ](#interfaces-addressing-choice-interface-ip-map) below for details. +### Address Choice Static Ip +Interface IP is configured statically. +###### One of the arguments from this list "cluster_static_ip, fleet_static_ip, node_static_ip" must be set - +`cluster_static_ip` - (Optional) Static IP configuration for a specific node. See [Network Prefix Choice Cluster Static Ip ](#network-prefix-choice-cluster-static-ip) below for details. +`fleet_static_ip` - (Optional) Static IP configuration for the fleet. See [Network Prefix Choice Fleet Static Ip ](#network-prefix-choice-fleet-static-ip) below for details.(Deprecated) +`node_static_ip` - (Optional) Static IP configuration for the Node. See [Network Prefix Choice Node Static Ip ](#network-prefix-choice-node-static-ip) below for details. +### Autoconfig Choice Host +auto configuration routers. This is similar to a DHCP Client.. +### Autoconfig Choice Router +System behaves like auto config Router and provides auto config parameters. This is similar to a DHCP Server.. 
+###### One of the arguments from this list "network_prefix, stateful" must be set -`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. +`network_prefix` - (Optional) Allowed only /64 prefix length as per RFC 4862 (`String`). +`stateful` - (Optional) works along with Router Advertisement' Managed flag. See [Address Choice Stateful ](#address-choice-stateful) below for details. -`logs_streaming_disabled` - (Optional) Logs Streaming is disabled (`Bool`). +`dns_config` - (Optional) Dns information that needs to added in the RouterAdvetisement. See [Router Dns Config ](#router-dns-config) below for details. +### Blocked Services Blocked Sevice +x-displayName: "Disable Node Local Services". +###### One of the arguments from this list "dns, ssh, web_user_interface" can be set -`master_node_configuration` - (Required) Configuration of master nodes. See [Master Node Configuration ](#master-node-configuration) below for details. +`dns` - (Optional) Matches DNS port 53 (`Bool`). +`ssh` - (Optional) x-displayName: "SSH" (`Bool`). +`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). +`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). +### Blocked Services Choice Blocked Services +Use custom blocked services configuration. -`custom_network_config` - (Optional) Use custom networking configuration. See [Network Cfg Choice Custom Network Config ](#network-cfg-choice-custom-network-config) below for details. - +`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. +### Blocked Services Value Type Choice Dns +Matches DNS port 53. +### Blocked Services Value Type Choice Ssh +x-displayName: "SSH". +### Blocked Services Value Type Choice Web User Interface +x-displayName: "Web UI". 
- +### Bond Choice Bond Device List +Configure Bond Devices for this Secure Mesh site. +`bond_devices` - (Required) List of bond devices. See [Bond Device List Bond Devices ](#bond-device-list-bond-devices) below for details. +### Bond Device List Bond Devices +List of bond devices. - +`devices` - (Required) Ethernet devices that will make up this bond (`String`). +###### One of the arguments from this list "active_backup, lacp" must be set +`active_backup` - (Optional) Configure active/backup based bond device (`Bool`). +`lacp` - (Optional) Configure LACP (802.3ad) based bond device. See [Lacp Choice Lacp ](#lacp-choice-lacp) below for details. - +`link_polling_interval` - (Required) Link polling interval in milliseconds (`Int`). +`link_up_delay` - (Required) Milliseconds wait before link is declared up (`Int`). +`name` - (Required) Name for the Bond. Ex 'bond0' (`String`). +### Cluster Static Ip Interface Ip Map +Map of Node to Static ip configuration value, Key:Node, Value:IP Address. +`default_gw` - (Optional) IP address of the default gateway. (`String`). - +`dns_server` - (Optional) IP address of the DNS server (`String`).(Deprecated) +`ip_address` - (Required) IP address of the interface and prefix length (`String`). - +### Connection Choice Sli To Global Dr +Site local inside is connected directly to a given global network. +`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. +### Connection Choice Slo To Global Dr - +Site local outside is connected directly to a given global network. +`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. +### Custom Certificate Private Key +TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. 
+`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) - +`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) +###### One of the arguments from this list "blindfold_secret_info, clear_secret_info, vault_secret_info, wingman_secret_info" must be set +`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. +`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. +`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) +`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) +### Dc Cluster Group Choice No Dc Cluster Group - +This site is not a member of dc cluster group. +### Dc Cluster Group Connectivity Interface Choice Dc Cluster Group Connectivity Interface Disabled +Do not use this interface to connect to DC cluster group peers. . +### Dc Cluster Group Connectivity Interface Choice Dc Cluster Group Connectivity Interface Enabled - +Use this interface to connect to DC cluster group peers.. +### Dhcp Networks Pools +List of non overlapping ip address ranges.. +`end_ip` - (Optional) In case of address allocator, offset is derived based on network prefix. (`String`). 
+`exclude` - (Optional) If exclude is true, IP addresses are not assigned from this range. (`Bool`).(Deprecated) +`start_ip` - (Optional) 2001::1 with prefix length of 64, start offset is 5 (`String`). - +### Dhcp Networks Pools +List of non overlapping ip address ranges.. +`end_ip` - (Optional) 10.1.1.200 with prefix length of 24, end offset is 0.0.0.200 (`String`). +`exclude` - (Optional) If exclude is true, IP addresses are not assigned from this range. (`Bool`).(Deprecated) - +`start_ip` - (Optional) 10.1.1.5 with prefix length of 24, start offset is 0.0.0.5 (`String`). +### Dhcp Server Dhcp Networks +List of networks from which DHCP Server can allocate IPv4 Addresses. +###### One of the arguments from this list "dns_address, same_as_dgw" must be set - +`dns_address` - (Optional) Enter a IPv4 address from the network prefix to be used as the DNS server. (`String`). +`same_as_dgw` - (Optional) DNS server address is same as default gateway address (`Bool`). +###### One of the arguments from this list "dgw_address, first_address, last_address" must be set +`dgw_address` - (Optional) Enter a IPv4 address from the network prefix to be used as the default gateway. (`String`). - +`first_address` - (Optional) First usable address from the network prefix is chosen as default gateway (`Bool`). +`last_address` - (Optional) Last usable address from the network prefix is chosen as default gateway (`Bool`). - +###### One of the arguments from this list "network_prefix, network_prefix_allocator" must be set +`network_prefix` - (Optional) Set the network prefix for the site. ex: 10.1.1.0/24 (`String`). - +`network_prefix_allocator` - (Optional) Prefix length from address allocator scheme is used to calculate offsets. See [ref](#ref) below for details.(Deprecated) +`pool_settings` - (Required) Controls how DHCP pools are handled (`String`). +`pools` - (Optional) List of non overlapping ip address ranges.. See [Dhcp Networks Pools ](#dhcp-networks-pools) below for details. 
+### Dns Choice Configured List +Configured address outside network range - external dns server. +`dns_list` - (Required) List of IPV6 Addresses acting as Dns servers (`String`). +### Dns Choice Local Dns +Choose the address from the network prefix range as dns server. +###### One of the arguments from this list "configured_address, first_address, last_address" must be set - +`configured_address` - (Optional) Configured address from the network prefix is chosen as dns server (`String`). +`first_address` - (Optional) First usable address from the network prefix is chosen as dns server (`Bool`). +`last_address` - (Optional) Last usable address from the network prefix is chosen as dns server (`Bool`). +### Dns Choice Same As Dgw - +DNS server address is same as default gateway address. +### Enable Disable Choice Disable Interception +Disable Interception. +### Enable Disable Choice Enable Interception +Enable Interception. +### Forward Proxy Choice Active Forward Proxy Policies +Enable Forward Proxy for this site and manage policies. +`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. - +### Forward Proxy Choice Disable Forward Proxy +Forward Proxy is disabled for this connector. +### Forward Proxy Choice Enable Forward Proxy +Forward Proxy is enabled for this connector. +`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2000 (2 seconds) (`Int`). +`max_connect_attempts` - (Optional) Specifies the allowed number of retries on connect failure to upstream server. Defaults to 1. (`Int`). - +###### One of the arguments from this list "no_interception, tls_intercept" can be set +`no_interception` - (Optional) No TLS interception is enabled for this network connector (`Bool`).(Deprecated) +`tls_intercept` - (Optional) Specify TLS interception configuration for the network connector. 
See [Tls Interception Choice Tls Intercept ](#tls-interception-choice-tls-intercept) below for details.(Deprecated) +`white_listed_ports` - (Optional) Example "tmate" server port (`Int`). +`white_listed_prefixes` - (Optional) Example "tmate" server ip (`String`). - +### Forward Proxy Choice Forward Proxy Allow All +Enable Forward Proxy for this site and allow all requests.. +### Forward Proxy Choice No Forward Proxy +Disable Forward Proxy for this site. - +### Gateway Choice First Address +First usable address from the network prefix is chosen as default gateway. +### Gateway Choice Last Address +Last usable address from the network prefix is chosen as default gateway. - +### Global Network Choice Global Network List +List of global network connections. - +`global_network_connections` - (Required) Global network connections. See [Global Network List Global Network Connections ](#global-network-list-global-network-connections) below for details. +### Global Network Choice No Global Network +No global network to connect. +### Global Network List Global Network Connections +Global network connections. +###### One of the arguments from this list "sli_to_global_dr, slo_to_global_dr" must be set +`sli_to_global_dr` - (Optional) Site local inside is connected directly to a given global network. See [Connection Choice Sli To Global Dr ](#connection-choice-sli-to-global-dr) below for details. +`slo_to_global_dr` - (Optional) Site local outside is connected directly to a given global network. See [Connection Choice Slo To Global Dr ](#connection-choice-slo-to-global-dr) below for details. - +###### One of the arguments from this list "disable_forward_proxy, enable_forward_proxy" can be set +`disable_forward_proxy` - (Optional) Forward Proxy is disabled for this connector (`Bool`).(Deprecated) +`enable_forward_proxy` - (Optional) Forward Proxy is enabled for this connector. 
See [Forward Proxy Choice Enable Forward Proxy ](#forward-proxy-choice-enable-forward-proxy) below for details.(Deprecated) +### Interception Policy Choice Enable For All Domains +Enable interception for all domains. +### Interception Policy Choice Policy +Policy to enable/disable specific domains, with implicit enable all domains. - +`interception_rules` - (Required) List of ordered rules to enable or disable for TLS interception. See [Policy Interception Rules ](#policy-interception-rules) below for details. +### Interception Rules Domain Match +Domain value or regular expression to match. +###### One of the arguments from this list "exact_value, regex_value, suffix_value" must be set +`exact_value` - (Optional) Exact domain name. (`String`). +`regex_value` - (Optional) Regular Expression value for the domain name (`String`). - +`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). +### Interface Choice Dedicated Interface +Networking configuration for dedicated interface is configured locally on site e.g. (outside/inside)Ethernet. +`device` - (Required) Name of the device for which interface is configured. Use wwan0 for 4G/LTE. (`String`). +###### One of the arguments from this list "monitor, monitor_disabled" can be set +`monitor` - (Optional) Link Quality Monitoring parameters. Choosing the option will enable link quality monitoring.. See [Monitoring Choice Monitor ](#monitoring-choice-monitor) below for details. +`monitor_disabled` - (Optional) Link quality monitoring disabled on the interface. (`Bool`). +`mtu` - (Optional) When configured, mtu must be between 512 and 16384 (`Int`). +###### One of the arguments from this list "cluster, node" must be set - +`cluster` - (Optional) Configuration will apply to given device on all nodes of the site. (`Bool`). +`node` - (Optional) Configuration will apply to a device on the given node of the site. (`String`). 
+###### One of the arguments from this list "is_primary, not_primary" must be set +`is_primary` - (Optional) This interface is primary (`Bool`). +`not_primary` - (Optional) This interface is not primary (`Bool`). +`priority` - (Optional) Greater the value, higher the priority (`Int`). +### Interface Choice Dedicated Management Interface - +Fallback management interfaces can be made into dedicated management interface. +`device` - (Required) Name of the device for which interface is configured (`String`). +`mtu` - (Optional) When configured, mtu must be between 512 and 16384 (`Int`). +###### One of the arguments from this list "cluster, node" must be set +`cluster` - (Optional) Configuration will apply to given device on all nodes of the site. (`Bool`). +`node` - (Optional) Configuration will apply to a device on the given node of the site. (`String`). +### Interface Choice Default Interface Config - +Interface configuration is done based on certified hardware for this site. +### Interface Choice Ethernet Interface +Ethernet interface configuration.. +###### One of the arguments from this list "dhcp_client, dhcp_server, static_ip" must be set +`dhcp_client` - (Optional) Interface gets it's IP address from external DHCP server (`Bool`). +`dhcp_server` - (Optional) DHCP Server is configured for this interface. IP for this Interface will be derived from the DHCP Server configuration.. See [Address Choice Dhcp Server ](#address-choice-dhcp-server) below for details. +`static_ip` - (Optional) Interface IP is configured statically. See [Address Choice Static Ip ](#address-choice-static-ip) below for details. +`device` - (Required) Interface configuration for the ethernet device (`String`). +###### One of the arguments from this list "ipv6_auto_config, no_ipv6_address, static_ipv6_address" can be set +`ipv6_auto_config` - (Optional) Configuration corresponding to IPV6 auto configuration. 
See [Ipv6 Address Choice Ipv6 Auto Config ](#ipv6-address-choice-ipv6-auto-config) below for details. +`no_ipv6_address` - (Optional) Interface does not have an IPv6 Address. (`Bool`). +`static_ipv6_address` - (Optional) Interface IP is configured statically. See [Ipv6 Address Choice Static Ipv6 Address ](#ipv6-address-choice-static-ipv6-address) below for details. - +###### One of the arguments from this list "monitor, monitor_disabled" can be set +`monitor` - (Optional) Link Quality Monitoring parameters. Choosing the option will enable link quality monitoring.. See [Monitoring Choice Monitor ](#monitoring-choice-monitor) below for details. +`monitor_disabled` - (Optional) Link quality monitoring disabled on the interface. (`Bool`). +`mtu` - (Optional) When configured, mtu must be between 512 and 16384 (`Int`). +###### One of the arguments from this list "inside_network, ip_fabric_network, segment_network, site_local_inside_network, site_local_network, srv6_network, storage_network" must be set +`inside_network` - (Optional) Interface belongs to user configured inside network. See [ref](#ref) below for details.(Deprecated) - +`ip_fabric_network` - (Optional) Interface belongs to IP Fabric network (`Bool`).(Deprecated) +`segment_network` - (Optional) x-displayName: "Segment". See [ref](#ref) below for details. +`site_local_inside_network` - (Optional) Interface belongs to site local network inside (`Bool`). +`site_local_network` - (Optional) Interface belongs to site local network (outside) (`Bool`). - +`srv6_network` - (Optional) Interface belongs to per site srv6 network. See [ref](#ref) below for details.(Deprecated) +`storage_network` - (Optional) Interface belongs to site local network inside (`Bool`). - +###### One of the arguments from this list "cluster, node" must be set +`cluster` - (Optional) Configuration will apply to given device on all nodes of the site. (`Bool`). +`node` - (Optional) Configuration will apply to a device on the given node. 
(`String`). +###### One of the arguments from this list "is_primary, not_primary" must be set - +`is_primary` - (Optional) This interface is primary (`Bool`). +`not_primary` - (Optional) This interface is not primary (`Bool`). +`priority` - (Optional) Greater the value, higher the priority (`Int`). +###### One of the arguments from this list "untagged, vlan_id" must be set - +`untagged` - (Optional) Configure a untagged ethernet interface (`Bool`). +`vlan_id` - (Optional) Configure a VLAN tagged ethernet interface (`Int`). +### Interface Choice Interface List +Add all interfaces belonging to this site. +`interfaces` - (Required) Configure network interfaces for this Secure Mesh site. See [Interface List Interfaces ](#interface-list-interfaces) below for details. +### Interface Choice Loopback Interface +Loopback device.. - +###### One of the arguments from this list "dhcp_client, dhcp_server, static_ip" must be set +`dhcp_client` - (Optional) Interface gets it IP address from external DHCP server (`Bool`). +`dhcp_server` - (Optional) DHCP Server is configured for this interface. IP for this Interface will be derived from the DHCP Server configuration.. See [Address Choice Dhcp Server ](#address-choice-dhcp-server) below for details. +`static_ip` - (Optional) Interface IP is configured statically. See [Address Choice Static Ip ](#address-choice-static-ip) below for details. +`device` - (Required) Interface configuration for the Loopback Ethernet device (`String`). - +###### One of the arguments from this list "no_ipv6_address, static_ipv6_address" can be set +`no_ipv6_address` - (Optional) Interface does not have an IPv6 Address. (`Bool`). +`static_ipv6_address` - (Optional) Interface IP is configured statically. See [Ipv6 Address Choice Static Ipv6 Address ](#ipv6-address-choice-static-ipv6-address) below for details. +`mtu` - (Optional) When configured, mtu must be between 512 and 16384 (`Int`). 
- +###### One of the arguments from this list "ip_fabric_network, site_local_inside_network, site_local_network" must be set +`ip_fabric_network` - (Optional) Interface belongs to IP Fabric network (`Bool`).(Deprecated) +`site_local_inside_network` - (Optional) Interface belongs to site local network inside (`Bool`). +`site_local_network` - (Optional) Interface belongs to site local network (outside) (`Bool`). +###### One of the arguments from this list "cluster, node" must be set +`cluster` - (Optional) Configuration will apply to given device on all nodes of the site. (`Bool`). +`node` - (Optional) Configuration will apply to a device on the given node. (`String`). - +### Interface List Interfaces +Configure network interfaces for this Secure Mesh site. +###### One of the arguments from this list "dc_cluster_group_connectivity_interface_disabled, dc_cluster_group_connectivity_interface_enabled" must be set +`dc_cluster_group_connectivity_interface_disabled` - (Optional) Do not use this interface to connect to DC cluster group peers. (`Bool`). +`dc_cluster_group_connectivity_interface_enabled` - (Optional) Use this interface to connect to DC cluster group peers. (`Bool`). +`description` - (Optional) Description for this Interface (`String`). +###### One of the arguments from this list "dedicated_interface, dedicated_management_interface, ethernet_interface, loopback_interface" must be set - +`dedicated_interface` - (Optional) Networking configuration for dedicated interface is configured locally on site e.g. (outside/inside)Ethernet. See [Interface Choice Dedicated Interface ](#interface-choice-dedicated-interface) below for details. +`dedicated_management_interface` - (Optional) Fallback management interfaces can be made into dedicated management interface. See [Interface Choice Dedicated Management Interface ](#interface-choice-dedicated-management-interface) below for details. +`ethernet_interface` - (Optional) Ethernet interface configuration.. 
See [Interface Choice Ethernet Interface ](#interface-choice-ethernet-interface) below for details. +`loopback_interface` - (Optional) Loopback device.. See [Interface Choice Loopback Interface ](#interface-choice-loopback-interface) below for details.(Deprecated) - +`labels` - (Optional) Add Labels for this Interface, these labels can be used in firewall policy (`String`). +### Interfaces Addressing Choice Automatic From End +Assign automatically from end of the first network in the DHCP Network list. +### Interfaces Addressing Choice Automatic From Start +Assign automatically from start of the first network in the DHCP Network list. +### Interfaces Addressing Choice Interface Ip Map +Statically configure a IPv4 address for every node. - +`interface_ip_map` - (Optional) Specify static IPv4 addresses per site:node. (`String`). +### Interfaces Addressing Choice Interface Ip Map +Configured address for every node. +`interface_ip_map` - (Optional) Map of Site:Node to IPV6 address. (`String`). +### Ipv6 Address Choice Ipv6 Auto Config +Configuration corresponding to IPV6 auto configuration. +###### One of the arguments from this list "host, router" must be set +`host` - (Optional) auto configuration routers. This is similar to a DHCP Client. (`Bool`). +`router` - (Optional) System behaves like auto config Router and provides auto config parameters. This is similar to a DHCP Server.. See [Autoconfig Choice Router ](#autoconfig-choice-router) below for details. +### Ipv6 Address Choice No Ipv6 Address +Interface does not have an IPv6 Address.. +### Ipv6 Address Choice Static Ipv6 Address - +Interface IP is configured statically. +###### One of the arguments from this list "cluster_static_ip, fleet_static_ip, node_static_ip" must be set +`cluster_static_ip` - (Optional) Static IP configuration for a specific node. See [Network Prefix Choice Cluster Static Ip ](#network-prefix-choice-cluster-static-ip) below for details. 
+`fleet_static_ip` - (Optional) Static IP configuration for the fleet. See [Network Prefix Choice Fleet Static Ip ](#network-prefix-choice-fleet-static-ip) below for details.(Deprecated) - +`node_static_ip` - (Optional) Static IP configuration for the Node. See [Network Prefix Choice Node Static Ip ](#network-prefix-choice-node-static-ip) below for details. +### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain +x-displayName: "Disable Node by Node Upgrade". +### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain - +x-displayName: "Enable Node by Node Upgrade". +###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set - +`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). +`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) +`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). +###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set +`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) - +`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) +### Lacp Choice Active Backup +Configure active/backup based bond device. +### Lacp Choice Lacp +Configure LACP (802.3ad) based bond device. +`rate` - (Optional) Interval in seconds to transmit LACP packets (`Int`). +### Local Dns Choice First Address - +First usable address from the network prefix is chosen as dns server. +### Local Dns Choice Last Address +Last usable address from the network prefix is chosen as dns server. +### Monitoring Choice Monitor - +Link Quality Monitoring parameters. 
Choosing the option will enable link quality monitoring.. +### Monitoring Choice Monitor Disabled +Link quality monitoring disabled on the interface.. +### Network Cfg Choice Custom Network Config +Use custom networking configuration. +`bgp_peer_address` - (Optional) to fetch BGP peer address from site Object. This can be used to change peer address per site in fleet. (`String`).(Deprecated) +`bgp_peer_address_v6` - (Optional) to fetch BGP peer IPv6 address from site Object. This can be used to change peer IPv6 address per site in fleet. (`String`).(Deprecated) +`bgp_router_id` - (Optional) fetch BGP router ID from site object. (`String`).(Deprecated) +###### One of the arguments from this list "active_forward_proxy_policies, forward_proxy_allow_all, no_forward_proxy" must be set - +`active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. +`forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). +`no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). +###### One of the arguments from this list "global_network_list, no_global_network" must be set +`global_network_list` - (Optional) List of global network connections. See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. +`no_global_network` - (Optional) No global network to connect (`Bool`). +###### One of the arguments from this list "default_interface_config, interface_list" must be set +`default_interface_config` - (Optional) Interface configuration is done based on certified hardware for this site (`Bool`). +`interface_list` - (Optional) Add all interfaces belonging to this site. See [Interface Choice Interface List ](#interface-choice-interface-list) below for details. 
- +###### One of the arguments from this list "active_enhanced_firewall_policies, active_network_policies, no_network_policy" must be set +`active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. +`active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. +`no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). - +###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set +`sm_connection_public_ip` - (Optional) which are part of the site mesh group (`Bool`). +`sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). +###### One of the arguments from this list "default_sli_config, sli_config" can be set - +`default_sli_config` - (Optional) Use default configuration for site local network (`Bool`). +`sli_config` - (Optional) Configuration for site local inside network. See [Sli Choice Sli Config ](#sli-choice-sli-config) below for details. +###### One of the arguments from this list "default_config, slo_config" must be set +`default_config` - (Optional) Use default configuration for site local network (`Bool`). +`slo_config` - (Optional) Configuration for site local network. See [Slo Choice Slo Config ](#slo-choice-slo-config) below for details. +`tunnel_dead_timeout` - (Optional) When not set (== 0), a default value of 10000 msec will be used. (`Int`). +`vip_vrrp_mode` - (Optional) When Outside VIP / Inside VIP are configured, it is recommended to turn on vrrp and also configure BGP. (`String`). - +### Network Choice Ip Fabric Network +Interface belongs to IP Fabric network. 
+### Network Choice Site Local Inside Network +Interface belongs to site local network inside. - +### Network Choice Site Local Network +Interface belongs to site local network (outside). - +### Network Choice Storage Network +Interface belongs to site local network inside. +### Network Policy Choice Active Enhanced Firewall Policies +with an additional option for service insertion.. +`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. +### Network Policy Choice Active Network Policies +Firewall Policies active for this site.. - +`network_policies` - (Required) Ordered List of Firewall Policies active for this network firewall. See [ref](#ref) below for details. +### Network Policy Choice No Network Policy +Firewall Policy is disabled for this site.. +### Network Prefix Choice Cluster Static Ip +Static IP configuration for a specific node. +`interface_ip_map` - (Optional) Map of Node to Static ip configuration value, Key:Node, Value:IP Address. See [Cluster Static Ip Interface Ip Map ](#cluster-static-ip-interface-ip-map) below for details. +### Network Prefix Choice Fleet Static Ip - +Static IP configuration for the fleet. +`default_gw` - (Optional) IP address offset of the default gateway, prefix len is used to calculate offset (`String`). 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`default_network_config` - (Optional) Use default networking configuration based on certified hardware. (`Bool`). - - - - -`offline_survivability_mode` - (Optional) Enable/Disable offline survivability mode. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. - - - - - - - - - - - - - - - -`os` - (Optional) Operating System Details. See [Os ](#os) below for details. - - - - - - - - - - - -`performance_enhancement_mode` - (Optional) Performance Enhancement Mode to optimize for L3 or L7 networking. See [Performance Enhancement Mode ](#performance-enhancement-mode) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - -`sw` - (Optional) F5XC Software Details. See [Sw ](#sw) below for details. - - - - - - - - - - - -`volterra_certified_hw` - (Required) Name for generic server certified hardware to form this Secure Mesh site. (`String`). - - - -`worker_nodes` - (Optional) Names of worker nodes (`List of String`). - - - -### Coordinates - - Coordinates of the site, longitude and latitude. - -`latitude` - (Optional) Latitude of the site location (`Float`). - -`longitude` - (Optional) longitude of site location (`Float`). 
- - - -### Kubernetes Upgrade Drain - - Enable Kubernetes Drain during OS or SW upgrade. - - - -###### One of the arguments from this list "enable_upgrade_drain, disable_upgrade_drain" must be set - -`disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). - - -`enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. - - - - -### Master Node Configuration - - Configuration of master nodes. - -`name` - (Required) Names of master node (`String`). - -`public_ip` - (Optional) via Site Mesh Group (`String`). - - - -### Offline Survivability Mode - - Enable/Disable offline survivability mode. - - - -###### One of the arguments from this list "no_offline_survivability_mode, enable_offline_survivability_mode" must be set - -`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). - - -`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). - - - - -### Os - - Operating System Details. - - - -###### One of the arguments from this list "default_os_version, operating_system_version" must be set - -`default_os_version` - (Optional) Will assign latest available OS version (`Bool`). - - -`operating_system_version` - (Optional) Specify a OS version to be used e.g. 9.2024.6. (`String`). - - - - -### Performance Enhancement Mode - - Performance Enhancement Mode to optimize for L3 or L7 networking. - - - -###### One of the arguments from this list "perf_mode_l7_enhanced, perf_mode_l3_enhanced" must be set - -`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - - -`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). - - - - -### Sw - - F5XC Software Details. 
- - - -###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set - -`default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). - - -`volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). - - - - -### Address Choice Dhcp Client - - Interface gets it's IP address from external DHCP server. - - - -### Address Choice Dhcp Server - - DHCP Server is configured for this interface. IP for this Interface will be derived from the DHCP Server configuration.. - -`dhcp_networks` - (Required) List of networks from which DHCP Server can allocate IPv4 Addresses. See [Dhcp Server Dhcp Networks ](#dhcp-server-dhcp-networks) below for details. - -`dhcp_option82_tag` - (Optional) Optional tag that can be given to this configuration (`String`).(Deprecated) - -`fixed_ip_map` - (Optional) Assign fixed IPv4 addresses based on the MAC Address of the DHCP Client. (`String`). - - - -###### One of the arguments from this list "automatic_from_start, automatic_from_end, interface_ip_map" must be set - -`automatic_from_end` - (Optional) Assign automatically from end of the first network in the DHCP Network list (`Bool`). - - -`automatic_from_start` - (Optional) Assign automatically from start of the first network in the DHCP Network list (`Bool`). - - -`interface_ip_map` - (Optional) Statically configure a IPv4 address for every node. See [Interfaces Addressing Choice Interface Ip Map ](#interfaces-addressing-choice-interface-ip-map) below for details. - - - - -### Address Choice Stateful - - works along with Router Advertisement' Managed flag. - -`dhcp_networks` - (Required) List of networks from which DHCP server can allocate ip addresses. See [Stateful Dhcp Networks ](#stateful-dhcp-networks) below for details. - -`fixed_ip_map` - (Optional) Assign fixed IPv6 addresses based on the MAC Address of the DHCP Client. (`String`). 
- - - -###### One of the arguments from this list "automatic_from_start, automatic_from_end, interface_ip_map" must be set - -`automatic_from_end` - (Optional) Assign automatically from End of the first network in the list (`Bool`). - - -`automatic_from_start` - (Optional) Assign automatically from start of the first network in the list (`Bool`). - - -`interface_ip_map` - (Optional) Configured address for every node. See [Interfaces Addressing Choice Interface Ip Map ](#interfaces-addressing-choice-interface-ip-map) below for details. - - - - -### Address Choice Static Ip - - Interface IP is configured statically. - - - -###### One of the arguments from this list "node_static_ip, cluster_static_ip, fleet_static_ip" must be set - -`cluster_static_ip` - (Optional) Static IP configuration for a specific node. See [Network Prefix Choice Cluster Static Ip ](#network-prefix-choice-cluster-static-ip) below for details. - - -`fleet_static_ip` - (Optional) Static IP configuration for the fleet. See [Network Prefix Choice Fleet Static Ip ](#network-prefix-choice-fleet-static-ip) below for details.(Deprecated) - - -`node_static_ip` - (Optional) Static IP configuration for the Node. See [Network Prefix Choice Node Static Ip ](#network-prefix-choice-node-static-ip) below for details. - - - - -### Autoconfig Choice Host - - auto configuration routers. This is similar to a DHCP Client.. - - - -### Autoconfig Choice Router - - System behaves like auto config Router and provides auto config parameters. This is similar to a DHCP Server.. - - - -###### One of the arguments from this list "network_prefix, stateful" must be set - -`network_prefix` - (Optional) Allowed only /64 prefix length as per RFC 4862 (`String`). - - -`stateful` - (Optional) works along with Router Advertisement' Managed flag. See [Address Choice Stateful ](#address-choice-stateful) below for details. - - -`dns_config` - (Optional) Dns information that needs to added in the RouterAdvetisement. 
See [Router Dns Config ](#router-dns-config) below for details. - - - -### Blocked Services Blocked Sevice - - x-displayName: "Disable Node Local Services". - - - - -###### One of the arguments from this list "web_user_interface, dns, ssh" can be set - -`dns` - (Optional) Matches DNS port 53 (`Bool`). - - -`ssh` - (Optional) x-displayName: "SSH" (`Bool`). - - -`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). - - -`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). - - - -### Blocked Services Choice Blocked Services - - Use custom blocked services configuration. - -`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. - - - -### Blocked Services Value Type Choice Dns - - Matches DNS port 53. - - - -### Blocked Services Value Type Choice Ssh - - x-displayName: "SSH". - - - -### Blocked Services Value Type Choice Web User Interface - - x-displayName: "Web UI". - - - -### Bond Choice Bond Device List - - Configure Bond Devices for this Secure Mesh site. - -`bond_devices` - (Required) List of bond devices. See [Bond Device List Bond Devices ](#bond-device-list-bond-devices) below for details. - - - -### Bond Device List Bond Devices - - List of bond devices. - -`devices` - (Required) Ethernet devices that will make up this bond (`String`). - - - -###### One of the arguments from this list "lacp, active_backup" must be set - -`active_backup` - (Optional) Configure active/backup based bond device (`Bool`). - - -`lacp` - (Optional) Configure LACP (802.3ad) based bond device. See [Lacp Choice Lacp ](#lacp-choice-lacp) below for details. - - -`link_polling_interval` - (Required) Link polling interval in milliseconds (`Int`). - -`link_up_delay` - (Required) Milliseconds wait before link is declared up (`Int`). - -`name` - (Required) Name for the Bond. Ex 'bond0' (`String`). 
- - - -### Cluster Static Ip Interface Ip Map - - Map of Node to Static ip configuration value, Key:Node, Value:IP Address. - -`default_gw` - (Optional) IP address of the default gateway. (`String`). - -`dns_server` - (Optional) IP address of the DNS server (`String`).(Deprecated) - -`ip_address` - (Required) IP address of the interface and prefix length (`String`). - - - -### Connection Choice Sli To Global Dr - - Site local inside is connected directly to a given global network. - -`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. - - - -### Connection Choice Slo To Global Dr - - Site local outside is connected directly to a given global network. - -`global_vn` - (Required) Select Virtual Network of Global Type. See [ref](#ref) below for details. - - - -### Custom Certificate Private Key - - TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. - -`blindfold_secret_info_internal` - (Optional) Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. See [Private Key Blindfold Secret Info Internal ](#private-key-blindfold-secret-info-internal) below for details.(Deprecated) - -`secret_encoding_type` - (Optional) e.g. if a secret is base64 encoded and then put into vault. (`String`).(Deprecated) - - - -###### One of the arguments from this list "blindfold_secret_info, vault_secret_info, clear_secret_info, wingman_secret_info" must be set - -`blindfold_secret_info` - (Optional) Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. See [Secret Info Oneof Blindfold Secret Info ](#secret-info-oneof-blindfold-secret-info) below for details. - - -`clear_secret_info` - (Optional) Clear Secret is used for the secrets that are not encrypted. See [Secret Info Oneof Clear Secret Info ](#secret-info-oneof-clear-secret-info) below for details. 
- - -`vault_secret_info` - (Optional) Vault Secret is used for the secrets managed by Hashicorp Vault. See [Secret Info Oneof Vault Secret Info ](#secret-info-oneof-vault-secret-info) below for details.(Deprecated) - - -`wingman_secret_info` - (Optional) Secret is given as bootstrap secret in F5XC Security Sidecar. See [Secret Info Oneof Wingman Secret Info ](#secret-info-oneof-wingman-secret-info) below for details.(Deprecated) - - - - -### Dc Cluster Group Choice No Dc Cluster Group - - This site is not a member of dc cluster group. - - - -### Dc Cluster Group Connectivity Interface Choice Dc Cluster Group Connectivity Interface Disabled - - Do not use this interface to connect to DC cluster group peers. . - - - -### Dc Cluster Group Connectivity Interface Choice Dc Cluster Group Connectivity Interface Enabled - - Use this interface to connect to DC cluster group peers.. - - - -### Dhcp Networks Pools - - List of non overlapping ip address ranges.. - -`end_ip` - (Optional) In case of address allocator, offset is derived based on network prefix. (`String`). - -`exclude` - (Optional) If exclude is true, IP addresses are not assigned from this range. (`Bool`).(Deprecated) - -`start_ip` - (Optional) 2001::1 with prefix length of 64, start offset is 5 (`String`). - - - -### Dhcp Networks Pools - - List of non overlapping ip address ranges.. - -`end_ip` - (Optional) 10.1.1.200 with prefix length of 24, end offset is 0.0.0.200 (`String`). - -`exclude` - (Optional) If exclude is true, IP addresses are not assigned from this range. (`Bool`).(Deprecated) - -`start_ip` - (Optional) 10.1.1.5 with prefix length of 24, start offset is 0.0.0.5 (`String`). - - - -### Dhcp Server Dhcp Networks - - List of networks from which DHCP Server can allocate IPv4 Addresses. - - - -###### One of the arguments from this list "same_as_dgw, dns_address" must be set - -`dns_address` - (Optional) Enter a IPv4 address from the network prefix to be used as the DNS server. (`String`). 
- - -`same_as_dgw` - (Optional) DNS server address is same as default gateway address (`Bool`). - - - - -###### One of the arguments from this list "dgw_address, first_address, last_address" must be set - -`dgw_address` - (Optional) Enter a IPv4 address from the network prefix to be used as the default gateway. (`String`). - - -`first_address` - (Optional) First usable address from the network prefix is chosen as default gateway (`Bool`). - - -`last_address` - (Optional) Last usable address from the network prefix is chosen as default gateway (`Bool`). - - - - -###### One of the arguments from this list "network_prefix, network_prefix_allocator" must be set - -`network_prefix` - (Optional) Set the network prefix for the site. ex: 10.1.1.0/24 (`String`). - - -`network_prefix_allocator` - (Optional) Prefix length from address allocator scheme is used to calculate offsets. See [ref](#ref) below for details.(Deprecated) - - -`pool_settings` - (Required) Controls how DHCP pools are handled (`String`). - -`pools` - (Optional) List of non overlapping ip address ranges.. See [Dhcp Networks Pools ](#dhcp-networks-pools) below for details. - - - -### Dns Choice Configured List - - Configured address outside network range - external dns server. - -`dns_list` - (Required) List of IPV6 Addresses acting as Dns servers (`String`). - - - -### Dns Choice Local Dns - - Choose the address from the network prefix range as dns server. - - - -###### One of the arguments from this list "first_address, last_address, configured_address" must be set - -`configured_address` - (Optional) Configured address from the network prefix is chosen as dns server (`String`). - - -`first_address` - (Optional) First usable address from the network prefix is chosen as dns server (`Bool`). - - -`last_address` - (Optional) Last usable address from the network prefix is chosen as dns server (`Bool`). - - - - -### Dns Choice Same As Dgw - - DNS server address is same as default gateway address. 
- - - -### Enable Disable Choice Disable Interception - - Disable Interception. - - - -### Enable Disable Choice Enable Interception - - Enable Interception. - - - -### Forward Proxy Choice Active Forward Proxy Policies - - Enable Forward Proxy for this site and manage policies. - -`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. - - - -### Forward Proxy Choice Disable Forward Proxy - - Forward Proxy is disabled for this connector. - - - -### Forward Proxy Choice Enable Forward Proxy - - Forward Proxy is enabled for this connector. - -`connection_timeout` - (Optional) This is specified in milliseconds. The default value is 2000 (2 seconds) (`Int`). - -`max_connect_attempts` - (Optional) Specifies the allowed number of retries on connect failure to upstream server. Defaults to 1. (`Int`). - - - - -###### One of the arguments from this list "no_interception, tls_intercept" can be set - -`no_interception` - (Optional) No TLS interception is enabled for this network connector (`Bool`).(Deprecated) - - -`tls_intercept` - (Optional) Specify TLS interception configuration for the network connector. See [Tls Interception Choice Tls Intercept ](#tls-interception-choice-tls-intercept) below for details.(Deprecated) - - -`white_listed_ports` - (Optional) Example "tmate" server port (`Int`). - -`white_listed_prefixes` - (Optional) Example "tmate" server ip (`String`). - - - -### Forward Proxy Choice Forward Proxy Allow All - - Enable Forward Proxy for this site and allow all requests.. - - - -### Forward Proxy Choice No Forward Proxy - - Disable Forward Proxy for this site. - - - -### Gateway Choice First Address - - First usable address from the network prefix is chosen as default gateway. - - - -### Gateway Choice Last Address - - Last usable address from the network prefix is chosen as default gateway. - - - -### Global Network Choice Global Network List - - List of global network connections. 
- -`global_network_connections` - (Required) Global network connections. See [Global Network List Global Network Connections ](#global-network-list-global-network-connections) below for details. - - - -### Global Network Choice No Global Network - - No global network to connect. - - - -### Global Network List Global Network Connections - - Global network connections. - - - -###### One of the arguments from this list "sli_to_global_dr, slo_to_global_dr" must be set - -`sli_to_global_dr` - (Optional) Site local inside is connected directly to a given global network. See [Connection Choice Sli To Global Dr ](#connection-choice-sli-to-global-dr) below for details. - - -`slo_to_global_dr` - (Optional) Site local outside is connected directly to a given global network. See [Connection Choice Slo To Global Dr ](#connection-choice-slo-to-global-dr) below for details. - - - - - -###### One of the arguments from this list "disable_forward_proxy, enable_forward_proxy" can be set - -`disable_forward_proxy` - (Optional) Forward Proxy is disabled for this connector (`Bool`).(Deprecated) - - -`enable_forward_proxy` - (Optional) Forward Proxy is enabled for this connector. See [Forward Proxy Choice Enable Forward Proxy ](#forward-proxy-choice-enable-forward-proxy) below for details.(Deprecated) - - - - -### Interception Policy Choice Enable For All Domains - - Enable interception for all domains. - - - -### Interception Policy Choice Policy - - Policy to enable/disable specific domains, with implicit enable all domains. - -`interception_rules` - (Required) List of ordered rules to enable or disable for TLS interception. See [Policy Interception Rules ](#policy-interception-rules) below for details. - - - -### Interception Rules Domain Match - - Domain value or regular expression to match. - - - -###### One of the arguments from this list "exact_value, suffix_value, regex_value" must be set - -`exact_value` - (Optional) Exact domain name. (`String`). 
- - -`regex_value` - (Optional) Regular Expression value for the domain name (`String`). - - -`suffix_value` - (Optional) Suffix of domain name e.g "xyz.com" will match "*.xyz.com" and "xyz.com" (`String`). - - - - -### Interface Choice Dedicated Interface - - Networking configuration for dedicated interface is configured locally on site e.g. (outside/inside)Ethernet. - -`device` - (Required) Name of the device for which interface is configured. Use wwan0 for 4G/LTE. (`String`). - - - - -###### One of the arguments from this list "monitor_disabled, monitor" can be set - -`monitor` - (Optional) Link Quality Monitoring parameters. Choosing the option will enable link quality monitoring.. See [Monitoring Choice Monitor ](#monitoring-choice-monitor) below for details. - - -`monitor_disabled` - (Optional) Link quality monitoring disabled on the interface. (`Bool`). - - -`mtu` - (Optional) When configured, mtu must be between 512 and 16384 (`Int`). - - - -###### One of the arguments from this list "cluster, node" must be set - -`cluster` - (Optional) Configuration will apply to given device on all nodes of the site. (`Bool`). - - -`node` - (Optional) Configuration will apply to a device on the given node of the site. (`String`). - - - - -###### One of the arguments from this list "not_primary, is_primary" must be set - -`is_primary` - (Optional) This interface is primary (`Bool`). - - -`not_primary` - (Optional) This interface is not primary (`Bool`). - - -`priority` - (Optional) Greater the value, higher the priority (`Int`). - - - -### Interface Choice Dedicated Management Interface - - Fallback management interfaces can be made into dedicated management interface. - -`device` - (Required) Name of the device for which interface is configured (`String`). - -`mtu` - (Optional) When configured, mtu must be between 512 and 16384 (`Int`). 
- - - -###### One of the arguments from this list "cluster, node" must be set - -`cluster` - (Optional) Configuration will apply to given device on all nodes of the site. (`Bool`). - - -`node` - (Optional) Configuration will apply to a device on the given node of the site. (`String`). - - - - -### Interface Choice Default Interface Config - - Interface configuration is done based on certified hardware for this site. - - - -### Interface Choice Ethernet Interface - - Ethernet interface configuration.. - - - -###### One of the arguments from this list "dhcp_client, dhcp_server, static_ip" must be set - -`dhcp_client` - (Optional) Interface gets it's IP address from external DHCP server (`Bool`). - - -`dhcp_server` - (Optional) DHCP Server is configured for this interface. IP for this Interface will be derived from the DHCP Server configuration.. See [Address Choice Dhcp Server ](#address-choice-dhcp-server) below for details. - - -`static_ip` - (Optional) Interface IP is configured statically. See [Address Choice Static Ip ](#address-choice-static-ip) below for details. - - -`device` - (Required) Interface configuration for the ethernet device (`String`). - - - - -###### One of the arguments from this list "no_ipv6_address, static_ipv6_address, ipv6_auto_config" can be set - -`ipv6_auto_config` - (Optional) Configuration corresponding to IPV6 auto configuration. See [Ipv6 Address Choice Ipv6 Auto Config ](#ipv6-address-choice-ipv6-auto-config) below for details. - - -`no_ipv6_address` - (Optional) Interface does not have an IPv6 Address. (`Bool`). - - -`static_ipv6_address` - (Optional) Interface IP is configured statically. See [Ipv6 Address Choice Static Ipv6 Address ](#ipv6-address-choice-static-ipv6-address) below for details. - - - - - -###### One of the arguments from this list "monitor_disabled, monitor" can be set - -`monitor` - (Optional) Link Quality Monitoring parameters. Choosing the option will enable link quality monitoring.. 
See [Monitoring Choice Monitor ](#monitoring-choice-monitor) below for details. - - -`monitor_disabled` - (Optional) Link quality monitoring disabled on the interface. (`Bool`). - - -`mtu` - (Optional) When configured, mtu must be between 512 and 16384 (`Int`). - - - -###### One of the arguments from this list "site_local_inside_network, inside_network, storage_network, srv6_network, ip_fabric_network, segment_network, site_local_network" must be set - -`inside_network` - (Optional) Interface belongs to user configured inside network. See [ref](#ref) below for details.(Deprecated) - - -`ip_fabric_network` - (Optional) Interface belongs to IP Fabric network (`Bool`).(Deprecated) - - -`segment_network` - (Optional) x-displayName: "Segment". See [ref](#ref) below for details. - - -`site_local_inside_network` - (Optional) Interface belongs to site local network inside (`Bool`). - - -`site_local_network` - (Optional) Interface belongs to site local network (outside) (`Bool`). - - -`srv6_network` - (Optional) Interface belongs to per site srv6 network. See [ref](#ref) below for details.(Deprecated) - - -`storage_network` - (Optional) Interface belongs to site local network inside (`Bool`). - - - - -###### One of the arguments from this list "node, cluster" must be set - -`cluster` - (Optional) Configuration will apply to given device on all nodes of the site. (`Bool`). - - -`node` - (Optional) Configuration will apply to a device on the given node. (`String`). - - - - -###### One of the arguments from this list "not_primary, is_primary" must be set - -`is_primary` - (Optional) This interface is primary (`Bool`). - - -`not_primary` - (Optional) This interface is not primary (`Bool`). - - -`priority` - (Optional) Greater the value, higher the priority (`Int`). - - - -###### One of the arguments from this list "untagged, vlan_id" must be set - -`untagged` - (Optional) Configure a untagged ethernet interface (`Bool`). 
- - -`vlan_id` - (Optional) Configure a VLAN tagged ethernet interface (`Int`). - - - - -### Interface Choice Interface List - - Add all interfaces belonging to this site. - -`interfaces` - (Required) Configure network interfaces for this Secure Mesh site. See [Interface List Interfaces ](#interface-list-interfaces) below for details. - - - -### Interface Choice Loopback Interface - - Loopback device.. - - - -###### One of the arguments from this list "dhcp_server, static_ip, dhcp_client" must be set - -`dhcp_client` - (Optional) Interface gets it IP address from external DHCP server (`Bool`). - - -`dhcp_server` - (Optional) DHCP Server is configured for this interface. IP for this Interface will be derived from the DHCP Server configuration.. See [Address Choice Dhcp Server ](#address-choice-dhcp-server) below for details. - - -`static_ip` - (Optional) Interface IP is configured statically. See [Address Choice Static Ip ](#address-choice-static-ip) below for details. - - -`device` - (Required) Interface configuration for the Loopback Ethernet device (`String`). - - - - -###### One of the arguments from this list "no_ipv6_address, static_ipv6_address" can be set - -`no_ipv6_address` - (Optional) Interface does not have an IPv6 Address. (`Bool`). - - -`static_ipv6_address` - (Optional) Interface IP is configured statically. See [Ipv6 Address Choice Static Ipv6 Address ](#ipv6-address-choice-static-ipv6-address) below for details. - - -`mtu` - (Optional) When configured, mtu must be between 512 and 16384 (`Int`). - - - -###### One of the arguments from this list "ip_fabric_network, site_local_network, site_local_inside_network" must be set - -`ip_fabric_network` - (Optional) Interface belongs to IP Fabric network (`Bool`).(Deprecated) - - -`site_local_inside_network` - (Optional) Interface belongs to site local network inside (`Bool`). - - -`site_local_network` - (Optional) Interface belongs to site local network (outside) (`Bool`). 
- - - - -###### One of the arguments from this list "cluster, node" must be set - -`cluster` - (Optional) Configuration will apply to given device on all nodes of the site. (`Bool`). - - -`node` - (Optional) Configuration will apply to a device on the given node. (`String`). - - - - -### Interface List Interfaces - - Configure network interfaces for this Secure Mesh site. - - - -###### One of the arguments from this list "dc_cluster_group_connectivity_interface_disabled, dc_cluster_group_connectivity_interface_enabled" must be set - -`dc_cluster_group_connectivity_interface_disabled` - (Optional) Do not use this interface to connect to DC cluster group peers. (`Bool`). - - -`dc_cluster_group_connectivity_interface_enabled` - (Optional) Use this interface to connect to DC cluster group peers. (`Bool`). - - -`description` - (Optional) Description for this Interface (`String`). - - - -###### One of the arguments from this list "ethernet_interface, dedicated_interface, dedicated_management_interface, loopback_interface" must be set - -`dedicated_interface` - (Optional) Networking configuration for dedicated interface is configured locally on site e.g. (outside/inside)Ethernet. See [Interface Choice Dedicated Interface ](#interface-choice-dedicated-interface) below for details. - - -`dedicated_management_interface` - (Optional) Fallback management interfaces can be made into dedicated management interface. See [Interface Choice Dedicated Management Interface ](#interface-choice-dedicated-management-interface) below for details. - - -`ethernet_interface` - (Optional) Ethernet interface configuration.. See [Interface Choice Ethernet Interface ](#interface-choice-ethernet-interface) below for details. - - -`loopback_interface` - (Optional) Loopback device.. 
See [Interface Choice Loopback Interface ](#interface-choice-loopback-interface) below for details.(Deprecated) - - -`labels` - (Optional) Add Labels for this Interface, these labels can be used in firewall policy (`String`). - - - -### Interfaces Addressing Choice Automatic From End - - Assign automatically from end of the first network in the DHCP Network list. - - - -### Interfaces Addressing Choice Automatic From Start - - Assign automatically from start of the first network in the DHCP Network list. - - - -### Interfaces Addressing Choice Interface Ip Map - - Statically configure a IPv4 address for every node. - -`interface_ip_map` - (Optional) Specify static IPv4 addresses per site:node. (`String`). - - - -### Interfaces Addressing Choice Interface Ip Map - - Configured address for every node. - -`interface_ip_map` - (Optional) Map of Site:Node to IPV6 address. (`String`). - - - -### Ipv6 Address Choice Ipv6 Auto Config - - Configuration corresponding to IPV6 auto configuration. - - - -###### One of the arguments from this list "host, router" must be set - -`host` - (Optional) auto configuration routers. This is similar to a DHCP Client. (`Bool`). - - -`router` - (Optional) System behaves like auto config Router and provides auto config parameters. This is similar to a DHCP Server.. See [Autoconfig Choice Router ](#autoconfig-choice-router) below for details. - - - - -### Ipv6 Address Choice No Ipv6 Address - - Interface does not have an IPv6 Address.. - - - -### Ipv6 Address Choice Static Ipv6 Address - - Interface IP is configured statically. - - - -###### One of the arguments from this list "node_static_ip, cluster_static_ip, fleet_static_ip" must be set - -`cluster_static_ip` - (Optional) Static IP configuration for a specific node. See [Network Prefix Choice Cluster Static Ip ](#network-prefix-choice-cluster-static-ip) below for details. - - -`fleet_static_ip` - (Optional) Static IP configuration for the fleet. 
See [Network Prefix Choice Fleet Static Ip ](#network-prefix-choice-fleet-static-ip) below for details.(Deprecated) - - -`node_static_ip` - (Optional) Static IP configuration for the Node. See [Network Prefix Choice Node Static Ip ](#network-prefix-choice-node-static-ip) below for details. - - - - -### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain - - x-displayName: "Disable Node by Node Upgrade". - - - -### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain - - x-displayName: "Enable Node by Node Upgrade". - - - -###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set - -`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). - - -`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) - - -`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). - - - -###### One of the arguments from this list "enable_vega_upgrade_mode, disable_vega_upgrade_mode" must be set - -`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) - - -`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) - - - - -### Lacp Choice Active Backup - - Configure active/backup based bond device. - - - -### Lacp Choice Lacp - - Configure LACP (802.3ad) based bond device. - -`rate` - (Optional) Interval in seconds to transmit LACP packets (`Int`). - - - -### Local Dns Choice First Address - - First usable address from the network prefix is chosen as dns server. - - - -### Local Dns Choice Last Address - - Last usable address from the network prefix is chosen as dns server. 
- - - -### Monitoring Choice Monitor - - Link Quality Monitoring parameters. Choosing the option will enable link quality monitoring.. - - - -### Monitoring Choice Monitor Disabled - - Link quality monitoring disabled on the interface.. - - - -### Network Cfg Choice Custom Network Config - - Use custom networking configuration. - -`bgp_peer_address` - (Optional) to fetch BGP peer address from site Object. This can be used to change peer address per site in fleet. (`String`).(Deprecated) - -`bgp_peer_address_v6` - (Optional) to fetch BGP peer IPv6 address from site Object. This can be used to change peer IPv6 address per site in fleet. (`String`).(Deprecated) - -`bgp_router_id` - (Optional) fetch BGP router ID from site object. (`String`).(Deprecated) - - - -###### One of the arguments from this list "no_forward_proxy, active_forward_proxy_policies, forward_proxy_allow_all" must be set - -`active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site and manage policies. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. - - -`forward_proxy_allow_all` - (Optional) Enable Forward Proxy for this site and allow all requests. (`Bool`). - - -`no_forward_proxy` - (Optional) Disable Forward Proxy for this site (`Bool`). - - - - -###### One of the arguments from this list "no_global_network, global_network_list" must be set - -`global_network_list` - (Optional) List of global network connections. See [Global Network Choice Global Network List ](#global-network-choice-global-network-list) below for details. - - -`no_global_network` - (Optional) No global network to connect (`Bool`). - - - - -###### One of the arguments from this list "interface_list, default_interface_config" must be set - -`default_interface_config` - (Optional) Interface configuration is done based on certified hardware for this site (`Bool`). 
- - -`interface_list` - (Optional) Add all interfaces belonging to this site. See [Interface Choice Interface List ](#interface-choice-interface-list) below for details. - - - - -###### One of the arguments from this list "no_network_policy, active_network_policies, active_enhanced_firewall_policies" must be set - -`active_enhanced_firewall_policies` - (Optional) with an additional option for service insertion.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - - -`active_network_policies` - (Optional) Firewall Policies active for this site.. See [Network Policy Choice Active Network Policies ](#network-policy-choice-active-network-policies) below for details. - - -`no_network_policy` - (Optional) Firewall Policy is disabled for this site. (`Bool`). - - - - -###### One of the arguments from this list "sm_connection_pvt_ip, sm_connection_public_ip" must be set - -`sm_connection_public_ip` - (Optional) which are part of the site mesh group (`Bool`). - - -`sm_connection_pvt_ip` - (Optional) creating ipsec between two sites which are part of the site mesh group (`Bool`). - - - - - -###### One of the arguments from this list "default_sli_config, sli_config" can be set - -`default_sli_config` - (Optional) Use default configuration for site local network (`Bool`). - - -`sli_config` - (Optional) Configuration for site local inside network. See [Sli Choice Sli Config ](#sli-choice-sli-config) below for details. - - - - -###### One of the arguments from this list "default_config, slo_config" must be set - -`default_config` - (Optional) Use default configuration for site local network (`Bool`). - - -`slo_config` - (Optional) Configuration for site local network. See [Slo Choice Slo Config ](#slo-choice-slo-config) below for details. - - -`tunnel_dead_timeout` - (Optional) When not set (== 0), a default value of 10000 msec will be used. (`Int`). 
- -`vip_vrrp_mode` - (Optional) When Outside VIP / Inside VIP are configured, it is recommended to turn on vrrp and also configure BGP. (`String`). - - - -### Network Choice Ip Fabric Network - - Interface belongs to IP Fabric network. - - - -### Network Choice Site Local Inside Network - - Interface belongs to site local network inside. - - - -### Network Choice Site Local Network - - Interface belongs to site local network (outside). - - - -### Network Choice Storage Network - - Interface belongs to site local network inside. - - - -### Network Policy Choice Active Enhanced Firewall Policies - - with an additional option for service insertion.. - -`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. - - - -### Network Policy Choice Active Network Policies - - Firewall Policies active for this site.. - -`network_policies` - (Required) Ordered List of Firewall Policies active for this network firewall. See [ref](#ref) below for details. - - - -### Network Policy Choice No Network Policy - - Firewall Policy is disabled for this site.. - - - -### Network Prefix Choice Cluster Static Ip - - Static IP configuration for a specific node. - -`interface_ip_map` - (Optional) Map of Node to Static ip configuration value, Key:Node, Value:IP Address. See [Cluster Static Ip Interface Ip Map ](#cluster-static-ip-interface-ip-map) below for details. - - - -### Network Prefix Choice Fleet Static Ip - - Static IP configuration for the fleet. - -`default_gw` - (Optional) IP address offset of the default gateway, prefix len is used to calculate offset (`String`). - -`dns_server` - (Optional) IP address offset of the DNS server, prefix len is used to calculate offset (`String`). +`dns_server` - (Optional) IP address offset of the DNS server, prefix len is used to calculate offset (`String`). `network_prefix_allocator` - (Optional) Static IP configuration for the fleet. See [ref](#ref) below for details. 
+### Network Prefix Choice Node Static Ip - -### Network Prefix Choice Node Static Ip - - Static IP configuration for the Node. +Static IP configuration for the Node. `default_gw` - (Optional) IP address of the default gateway. (`String`). 
@@ -2209,125 +912,85 @@ resource "volterra_securemesh_site" "example" { `ip_address` - (Required) IP address of the interface and prefix length (`String`). +### Next Hop Choice Default Gateway +Traffic matching the ip prefixes is sent to the default gateway. -### Next Hop Choice Default Gateway - - Traffic matching the ip prefixes is sent to the default gateway. +### Node Choice Cluster +Configuration will apply to given device on all nodes of the site.. +### Ocsp Stapling Choice Custom Hash Algorithms -### Node Choice Cluster - - Configuration will apply to given device on all nodes of the site.. - - - -### Ocsp Stapling Choice Custom Hash Algorithms - - Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. +Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. `hash_algorithms` - (Required) Ordered list of hash algorithms to be used. (`List of Strings`). +### Ocsp Stapling Choice Disable Ocsp Stapling +This is the default behavior if no choice is selected.. -### Ocsp Stapling Choice Disable Ocsp Stapling - - This is the default behavior if no choice is selected.. - - - -### Ocsp Stapling Choice Use System Defaults - - F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. - - - -### Offline Survivability Mode Choice Enable Offline Survivability Mode - - x-displayName: "Enabled". - - +### Ocsp Stapling Choice Use System Defaults -### Offline Survivability Mode Choice No Offline Survivability Mode +F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. - x-displayName: "Disabled". 
+### Offline Survivability Mode Choice Enable Offline Survivability Mode +x-displayName: "Enabled". +### Offline Survivability Mode Choice No Offline Survivability Mode -### Operating System Version Choice Default Os Version +x-displayName: "Disabled". - Will assign latest available OS version. +### Operating System Version Choice Default Os Version +Will assign latest available OS version. +### Perf Mode Choice Jumbo -### Perf Mode Choice Jumbo +x-displayName: "Enabled". - x-displayName: "Enabled". +### Perf Mode Choice No Jumbo +x-displayName: "Disabled". +### Perf Mode Choice Perf Mode L3 Enhanced -### Perf Mode Choice No Jumbo - - x-displayName: "Disabled". - - - -### Perf Mode Choice Perf Mode L3 Enhanced - - Site optimized for L3 traffic processing. - - +Site optimized for L3 traffic processing. ###### One of the arguments from this list "jumbo, no_jumbo" must be set `jumbo` - (Optional) x-displayName: "Enabled" (`Bool`). - `no_jumbo` - (Optional) x-displayName: "Disabled" (`Bool`). +### Perf Mode Choice Perf Mode L7 Enhanced +Site optimized for L7 traffic processing. +### Policy Interception Rules -### Perf Mode Choice Perf Mode L7 Enhanced - - Site optimized for L7 traffic processing. - - - -### Policy Interception Rules - - List of ordered rules to enable or disable for TLS interception. +List of ordered rules to enable or disable for TLS interception. `domain_match` - (Required) Domain value or regular expression to match. See [Interception Rules Domain Match ](#interception-rules-domain-match) below for details. - - ###### One of the arguments from this list "disable_interception, enable_interception" must be set `disable_interception` - (Optional) Disable Interception (`Bool`). - `enable_interception` - (Optional) Enable Interception (`Bool`). +### Primary Choice Is Primary +This interface is primary. +### Primary Choice Not Primary -### Primary Choice Is Primary +This interface is not primary. - This interface is primary. 
+### Private Key Blindfold Secret Info Internal - - -### Primary Choice Not Primary - - This interface is not primary. - - - -### Private Key Blindfold Secret Info Internal - - Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. +Blindfold Secret Internal is used for the putting re-encrypted blindfold secret. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). @@ -2335,10 +998,7 @@ resource "volterra_securemesh_site" "example" { `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -2348,27 +1008,19 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +### Router Dns Config +Dns information that needs to added in the RouterAdvetisement. -### Router Dns Config - - Dns information that needs to added in the RouterAdvetisement. - - - -###### One of the arguments from this list "local_dns, configured_list" must be set +###### One of the arguments from this list "configured_list, local_dns" must be set `configured_list` - (Optional) Configured address outside network range - external dns server. See [Dns Choice Configured List ](#dns-choice-configured-list) below for details. - `local_dns` - (Optional) Choose the address from the network prefix range as dns server. See [Dns Choice Local Dns ](#dns-choice-local-dns) below for details. +### Secret Info Oneof Blindfold Secret Info - - -### Secret Info Oneof Blindfold Secret Info - - Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. +Blindfold Secret is used for the secrets managed by F5XC Secret Management Service. `decryption_provider` - (Optional) Name of the Secret Management Access object that contains information about the backend Secret Management service. (`String`). 
@@ -2376,21 +1028,17 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `store_provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). +### Secret Info Oneof Clear Secret Info - -### Secret Info Oneof Clear Secret Info - - Clear Secret is used for the secrets that are not encrypted. +Clear Secret is used for the secrets that are not encrypted. `provider` - (Optional) This field needs to be provided only if the url scheme is not string:/// (`String`). `url` - (Required) When asked for this secret, caller will get Secret bytes after Base64 decoding. (`String`). +### Secret Info Oneof Vault Secret Info - -### Secret Info Oneof Vault Secret Info - - Vault Secret is used for the secrets managed by Hashicorp Vault. +Vault Secret is used for the secrets managed by Hashicorp Vault. `key` - (Optional) If not provided entire secret will be returned. (`String`). 
@@ -2402,80 +1050,56 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `version` - (Optional) If not provided latest version will be returned. (`Int`). +### Secret Info Oneof Wingman Secret Info - -### Secret Info Oneof Wingman Secret Info - - Secret is given as bootstrap secret in F5XC Security Sidecar. +Secret is given as bootstrap secret in F5XC Security Sidecar. `name` - (Required) Name of the secret. (`String`). +### Signing Cert Choice Custom Certificate - -### Signing Cert Choice Custom Certificate - - Certificates for generating intermediate certificate for TLS interception.. +Certificates for generating intermediate certificate for TLS interception.. `certificate_url` - (Required) Certificate or certificate chain in PEM format including the PEM headers. (`String`). `description` - (Optional) Description for the certificate (`String`). - - - -###### One of the arguments from this list "use_system_defaults, disable_ocsp_stapling, custom_hash_algorithms" can be set +###### One of the arguments from this list "custom_hash_algorithms, disable_ocsp_stapling, use_system_defaults" can be set `custom_hash_algorithms` - (Optional) Use hash algorithms in the custom order. F5XC will try to fetch ocsp response from the CA in the given order. Additionally, LoadBalancer will not become active until ocspResponse cannot be fetched if the certificate has MustStaple extension set.. See [Ocsp Stapling Choice Custom Hash Algorithms ](#ocsp-stapling-choice-custom-hash-algorithms) below for details. - `disable_ocsp_stapling` - (Optional) This is the default behavior if no choice is selected.. See [Ocsp Stapling Choice Disable Ocsp Stapling ](#ocsp-stapling-choice-disable-ocsp-stapling) below for details. - `use_system_defaults` - (Optional) F5XC will try to fetch OCSPResponse with sha256 and sha1 as HashAlgorithm, in that order.. See [Ocsp Stapling Choice Use System Defaults ](#ocsp-stapling-choice-use-system-defaults) below for details. 
- `private_key` - (Required) TLS Private Key data in unencrypted PEM format including the PEM headers. The data may be optionally secured using BlindFold. TLS key has to match the accompanying certificate.. See [Custom Certificate Private Key ](#custom-certificate-private-key) below for details. +### Signing Cert Choice Volterra Certificate +F5XC certificates for generating intermediate certificate for TLS interception.. -### Signing Cert Choice Volterra Certificate +### Site Mesh Group Choice Sm Connection Public Ip - F5XC certificates for generating intermediate certificate for TLS interception.. +which are part of the site mesh group. +### Site Mesh Group Choice Sm Connection Pvt Ip +creating ipsec between two sites which are part of the site mesh group. -### Site Mesh Group Choice Sm Connection Public Ip +### Sli Choice Default Sli Config - which are part of the site mesh group. - - - -### Site Mesh Group Choice Sm Connection Pvt Ip - - creating ipsec between two sites which are part of the site mesh group. - - - -### Sli Choice Default Sli Config - - Use default configuration for site local network. - - - -### Sli Choice Sli Config - - Configuration for site local inside network. +Use default configuration for site local network. +### Sli Choice Sli Config +Configuration for site local inside network. ###### One of the arguments from this list "dc_cluster_group, no_dc_cluster_group" must be set `dc_cluster_group` - (Optional) This site is member of dc cluster group via network. See [ref](#ref) below for details. - `no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). - `dc_cluster_group_interface` - (Optional) This Secure Mesh is member of dc cluster group and connected to network over this interface. By default it takes default gateway interface.. See [ref](#ref) below for details.(Deprecated) `labels` - (Optional) Add Labels for this network, these labels can be used in firewall policy (`String`). 
@@ -2484,52 +1108,36 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `nameserver_v6` - (Optional) Optional DNS V6 server IP to be used for name resolution (`String`). - - ###### One of the arguments from this list "no_static_routes, static_routes" must be set `no_static_routes` - (Optional) Static Routes disabled for site local network. (`Bool`). - `static_routes` - (Optional) Manage static routes for site local network.. See [Static Route Choice Static Routes ](#static-route-choice-static-routes) below for details. - - - ###### One of the arguments from this list "no_v6_static_routes, static_v6_routes" must be set `no_v6_static_routes` - (Optional) Static IPv6 Routes disabled for site local network. (`Bool`). - `static_v6_routes` - (Optional) Manage IPv6 static routes for site local network.. See [Static V6 Route Choice Static V6 Routes ](#static-v6-route-choice-static-v6-routes) below for details. +`vip` - (Optional) Optional common virtual V4 IP across all nodes to be used as automatic VIP. (`String`). -`vip` - (Optional) Optional common virtual V4 IP across all nodes to be used as automatic VIP. (`String`). - -`vip_v6` - (Optional) Optional common virtual V6 IP across all nodes to be used as automatic VIP. (`String`). - - +`vip_v6` - (Optional) Optional common virtual V6 IP across all nodes to be used as automatic VIP. (`String`). -### Slo Choice Default Config +### Slo Choice Default Config - Use default configuration for site local network. +Use default configuration for site local network. +### Slo Choice Slo Config +Configuration for site local network. -### Slo Choice Slo Config - - Configuration for site local network. - - - -###### One of the arguments from this list "no_dc_cluster_group, dc_cluster_group" must be set +###### One of the arguments from this list "dc_cluster_group, no_dc_cluster_group" must be set `dc_cluster_group` - (Optional) This site is member of dc cluster group via network. 
See [ref](#ref) below for details. - `no_dc_cluster_group` - (Optional) This site is not a member of dc cluster group (`Bool`). - `dc_cluster_group_interface` - (Optional) This Secure Mesh is member of dc cluster group and connected to network over this interface. By default it takes default gateway interface.. See [ref](#ref) below for details.(Deprecated) `labels` - (Optional) Add Labels for this network, these labels can be used in firewall policy (`String`). 
@@ -2538,199 +1146,135 @@ tenant - (Optional) then tenant will hold the referred object's(e.g. route's) te `nameserver_v6` - (Optional) Optional DNS V6 server IP to be used for name resolution (`String`). - - ###### One of the arguments from this list "no_static_routes, static_routes" must be set `no_static_routes` - (Optional) Static Routes disabled for site local network. (`Bool`). - `static_routes` - (Optional) Manage static routes for site local network.. See [Static Route Choice Static Routes ](#static-route-choice-static-routes) below for details. - - - ###### One of the arguments from this list "no_v6_static_routes, static_v6_routes" must be set `no_v6_static_routes` - (Optional) Static IPv6 Routes disabled for site local network. (`Bool`). - `static_v6_routes` - (Optional) Manage IPv6 static routes for site local network.. See [Static V6 Route Choice Static V6 Routes ](#static-v6-route-choice-static-v6-routes) below for details. +`vip` - (Optional) Optional common virtual V4 IP across all nodes to be used as automatic VIP. (`String`). -`vip` - (Optional) Optional common virtual V4 IP across all nodes to be used as automatic VIP. (`String`). - -`vip_v6` - (Optional) Optional common virtual V6 IP across all nodes to be used as automatic VIP. (`String`). - - - -### Stateful Dhcp Networks - - List of networks from which DHCP server can allocate ip addresses. +`vip_v6` - (Optional) Optional common virtual V6 IP across all nodes to be used as automatic VIP. (`String`). +### Stateful Dhcp Networks +List of networks from which DHCP server can allocate ip addresses. ###### One of the arguments from this list "network_prefix, network_prefix_allocator" must be set `network_prefix` - (Optional) Network Prefix to be used for IPV6 address auto configuration (`String`). - `network_prefix_allocator` - (Optional) Prefix length from address allocator scheme is used to calculate offsets. 
See [ref](#ref) below for details.(Deprecated) - `pool_settings` - (Required) Controls how DHCPV6 pools are handled (`String`). `pools` - (Optional) List of non overlapping ip address ranges.. See [Dhcp Networks Pools ](#dhcp-networks-pools) below for details. +### Static Route Choice No Static Routes +Static Routes disabled for site local network.. -### Static Route Choice No Static Routes - - Static Routes disabled for site local network.. - - +### Static Route Choice Static Routes -### Static Route Choice Static Routes - - Manage static routes for site local network.. +Manage static routes for site local network.. `static_routes` - (Required) List of static routes. See [Static Routes Static Routes ](#static-routes-static-routes) below for details. +### Static Routes Static Routes - -### Static Routes Static Routes - - List of static routes. +List of static routes. `attrs` - (Optional) List of attributes that control forwarding, dynamic routing and control plane (host) reachability (`List of Strings`). `ip_prefixes` - (Required) List of route prefixes that have common next hop and attributes (`String`). - - -###### One of the arguments from this list "interface, default_gateway, ip_address" must be set +###### One of the arguments from this list "default_gateway, interface, ip_address" must be set `default_gateway` - (Optional) Traffic matching the ip prefixes is sent to the default gateway (`Bool`). - `interface` - (Optional) Traffic matching the ip prefixes is sent to this interface. See [ref](#ref) below for details. - `ip_address` - (Optional) Traffic matching the ip prefixes is sent to this IP Address (`String`). +### Static V6 Route Choice No V6 Static Routes +Static IPv6 Routes disabled for site local network.. +### Static V6 Route Choice Static V6 Routes -### Static V6 Route Choice No V6 Static Routes - - Static IPv6 Routes disabled for site local network.. 
- - - -### Static V6 Route Choice Static V6 Routes - - Manage IPv6 static routes for site local network.. +Manage IPv6 static routes for site local network.. `static_routes` - (Required) List of IPv6 static routes. See [Static V6 Routes Static Routes ](#static-v6-routes-static-routes) below for details. +### Static V6 Routes Static Routes - -### Static V6 Routes Static Routes - - List of IPv6 static routes. +List of IPv6 static routes. `attrs` - (Optional) List of attributes that control forwarding, dynamic routing and control plane (host) reachability (`List of Strings`). `ip_prefixes` - (Required) List of IPv6 route prefixes that have common next hop and attributes (`String`). - - -###### One of the arguments from this list "ip_address, interface, default_gateway" must be set +###### One of the arguments from this list "default_gateway, interface, ip_address" must be set `default_gateway` - (Optional) Traffic matching the ip prefixes is sent to the default gateway (`Bool`). - `interface` - (Optional) Traffic matching the ip prefixes is sent to this interface. See [ref](#ref) below for details. - `ip_address` - (Optional) Traffic matching the ip prefixes is sent to this IP Address (`String`). +### Tls Interception Choice No Interception +No TLS interception is enabled for this network connector. +### Tls Interception Choice Tls Intercept -### Tls Interception Choice No Interception - - No TLS interception is enabled for this network connector. - - - -### Tls Interception Choice Tls Intercept - - Specify TLS interception configuration for the network connector. - - +Specify TLS interception configuration for the network connector. ###### One of the arguments from this list "enable_for_all_domains, policy" must be set `enable_for_all_domains` - (Optional) Enable interception for all domains (`Bool`). - `policy` - (Optional) Policy to enable/disable specific domains, with implicit enable all domains. 
See [Interception Policy Choice Policy ](#interception-policy-choice-policy) below for details. - - - ###### One of the arguments from this list "custom_certificate, volterra_certificate" must be set `custom_certificate` - (Optional) Certificates for generating intermediate certificate for TLS interception.. See [Signing Cert Choice Custom Certificate ](#signing-cert-choice-custom-certificate) below for details. - `volterra_certificate` - (Optional) F5XC certificates for generating intermediate certificate for TLS interception. (`Bool`). - - - ###### One of the arguments from this list "trusted_ca_url, volterra_trusted_ca" must be set `trusted_ca_url` - (Optional) Custom Root CA Certificate for validating upstream server certificate (`String`). - `volterra_trusted_ca` - (Optional) F5XC Root CA Certificate for validating upstream server certificate (`Bool`). +### Trusted Ca Choice Volterra Trusted Ca +F5XC Root CA Certificate for validating upstream server certificate. +### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode -### Trusted Ca Choice Volterra Trusted Ca - - F5XC Root CA Certificate for validating upstream server certificate. - - - -### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode - - Disable Vega Upgrade Mode. - - - -### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode - - When enabled, vega will inform RE to stop traffic to the specific node.. - - - -### Vlan Choice Untagged - - Configure a untagged ethernet interface. - +Disable Vega Upgrade Mode. +### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode -### Volterra Sw Version Choice Default Sw Version +When enabled, vega will inform RE to stop traffic to the specific node.. - Will assign latest available F5XC Software Version. +### Vlan Choice Untagged +Configure a untagged ethernet interface. +### Volterra Sw Version Choice Default Sw Version -## Attribute Reference +Will assign latest available F5XC Software Version. 
-* `id` - This is the id of the configured securemesh_site. +Attribute Reference +------------------- +- `id` - This is the id of the configured securemesh_site. diff --git a/docs/resources/volterra_securemesh_site_v2.md b/docs/resources/volterra_securemesh_site_v2.md index 00f0a8b78..f878dc3d3 100644 --- a/docs/resources/volterra_securemesh_site_v2.md +++ b/docs/resources/volterra_securemesh_site_v2.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: securemesh_site_v2" -description: "The securemesh_site_v2 allows CRUD of Securemesh Site V2 resource on Volterra SaaS" +description: "The securemesh_site_v2 allows CRUD of Securemesh Site V2 resource on Volterra SaaS" + --- -# Resource volterra_securemesh_site_v2 -The Securemesh Site V2 allows CRUD of Securemesh Site V2 resource on Volterra SaaS +Resource volterra_securemesh_site_v2 +==================================== -~> **Note:** Please refer to [Securemesh Site V2 API docs](https://docs.cloud.f5.com/docs-v2/api/views-securemesh-site-v2) to learn more +The Securemesh Site V2 allows CRUD of Securemesh Site V2 resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Securemesh Site V2 API docs](https://docs.cloud.f5.com/docs-v2/api/views-securemesh-site-v2) to learn more + +Example Usage +------------- ```hcl resource "volterra_securemesh_site_v2" "example" { @@ -31,13 +24,13 @@ resource "volterra_securemesh_site_v2" "example" { block_all_services = true - // One of the arguments from this list "logs_streaming_disabled log_receiver" must be set + // One of the arguments from this list "log_receiver logs_streaming_disabled" must be set logs_streaming_disabled = true - // One of the arguments from this list "vmware kvm aws azure gcp rseries baremetal oci" must be set + // One of the arguments from this list "aws azure baremetal gcp kvm oci rseries vmware" must be set - baremetal { + azure { // One of the arguments from this list "not_managed" can be set not_managed { 
@@ -45,50 +38,24 @@ resource "volterra_securemesh_site_v2" "example" { hostname = "Control" interface_list { - // One of the arguments from this list "dhcp_client static_ip dhcp_server no_ipv4_address" must be set - - dhcp_server { - dhcp_networks { - // One of the arguments from this list "same_as_dgw dns_address" must be set + // One of the arguments from this list "dhcp_client dhcp_server no_ipv4_address static_ip" must be set - same_as_dgw = true + static_ip { + default_gw = "192.168.20.1" - // One of the arguments from this list "first_address last_address dgw_address" must be set + dns_server = "192.168.20.1" - first_address = true - - // One of the arguments from this list "network_prefix network_prefix_allocator" must be set - - network_prefix = "10.1.1.0/24" - pool_settings = "pool_settings" - pools { - end_ip = "10.1.1.200" - - exclude = true - - start_ip = "10.1.1.5" - } - } - - dhcp_option82_tag = "network_red" - - fixed_ip_map = { - "key1" = "value1" - } - - // One of the arguments from this list "automatic_from_start automatic_from_end interface_ip_map" must be set - - automatic_from_start = true + ip_address = "192.168.20.1/24" } description = "value" - // One of the arguments from this list "ethernet_interface vlan_interface bond_interface" must be set + // One of the arguments from this list "bond_interface ethernet_interface vlan_interface" must be set bond_interface { devices = ["eth0"] - // One of the arguments from this list "lacp active_backup" must be set + // One of the arguments from this list "active_backup lacp" must be set lacp { rate = "30" 
@@ -107,13 +74,13 @@ resource "volterra_securemesh_site_v2" "example" { "key1" = "value1" } - // One of the arguments from this list "monitor_disabled monitor" can be set + // One of the arguments from this list "monitor monitor_disabled" can be set monitor_disabled = true mtu = "1450" name = "value" network_option { - // One of the arguments from this list "site_local_inside_network segment_network site_local_network" can be set + // One of the arguments from this list "segment_network site_local_inside_network site_local_network" can be set site_local_network = true } 
@@ -134,2034 +101,962 @@ resource "volterra_securemesh_site_v2" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference +###### One of the arguments from this list "block_all_services, blocked_services" must be set `block_all_services` - (Optional) Enable WebUI, SSH and DNS on all nodes in this site. (`Bool`). - `blocked_services` - (Optional) It is recommended to disable node local services after the nodes register or after configuration/deugging is complete.. See [Blocked Services Choice Blocked Services ](#blocked-services-choice-blocked-services) below for details. - +###### One of the arguments from this list "active_forward_proxy_policies, no_forward_proxy" can be set - +`active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site. Traffic will be processed in the order that Forward Proxy Policies are added.. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. +`no_forward_proxy` - (Optional) Disable Forward Proxy for this site. (`Bool`). +`load_balancing` - (Optional) This section contains settings on the site that relate to Load Balancing functionality.. See [Load Balancing ](#load-balancing) below for details. 
+`local_vrf` - (Optional) The Site Local Inside (SLI) local VRF is used to connect LAN side workloads to this site. SLI local VRF is optional.. See [Local Vrf ](#local-vrf) below for details. - +###### One of the arguments from this list "log_receiver, logs_streaming_disabled" must be set +`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. +`logs_streaming_disabled` - (Optional) x-displayName: "Disable Logs Streaming" (`Bool`). +###### One of the arguments from this list "active_enhanced_firewall_policies, no_network_policy" can be set - +`active_enhanced_firewall_policies` - (Optional) Enable Network Firewall for this site. Traffic will be processed in the order that Network Firewall Policies are added.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. +`no_network_policy` - (Optional) Disable Network Firewall for this site. (`Bool`). +###### One of the arguments from this list "disable_ha, enable_ha" can be set +`disable_ha` - (Optional) x-displayName: "Disable" (`Bool`). - +`enable_ha` - (Optional) x-displayName: "Enable" (`Bool`). +`offline_survivability_mode` - (Optional) When the mode is toggled, services will restart and traffic disruption will be seen.. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. +`performance_enhancement_mode` - (Optional) Optimize the site for L3 or L7 traffic processing. By default, the site is optimized for L7 traffic processing.. See [Performance Enhancement Mode ](#performance-enhancement-mode) below for details. +###### One of the arguments from this list "aws, azure, baremetal, gcp, kvm, oci, rseries, vmware" must be set +`aws` - (Optional) x-displayName: "AWS". See [Provider Choice Aws ](#provider-choice-aws) below for details. +`azure` - (Optional) x-displayName: "Azure". See [Provider Choice Azure ](#provider-choice-azure) below for details. 
+`baremetal` - (Optional) x-displayName: "Baremetal". See [Provider Choice Baremetal ](#provider-choice-baremetal) below for details. +`gcp` - (Optional) x-displayName: "GCP". See [Provider Choice Gcp ](#provider-choice-gcp) below for details. +`kvm` - (Optional) x-displayName: "KVM". See [Provider Choice Kvm ](#provider-choice-kvm) below for details. -`active_forward_proxy_policies` - (Optional) Enable Forward Proxy for this site. Traffic will be processed in the order that Forward Proxy Policies are added.. See [Forward Proxy Choice Active Forward Proxy Policies ](#forward-proxy-choice-active-forward-proxy-policies) below for details. - +`oci` - (Optional) x-displayName: "OCI". See [Provider Choice Oci ](#provider-choice-oci) below for details. +`rseries` - (Optional) x-displayName: "F5 rSeries". See [Provider Choice Rseries ](#provider-choice-rseries) below for details. +`vmware` - (Optional) x-displayName: "VMWare". See [Provider Choice Vmware ](#provider-choice-vmware) below for details. +`re_select` - (Optional) Selection criteria to connect the site with F5 Distributed Cloud Regional Edge(s).. See [Re Select ](#re-select) below for details. -`no_forward_proxy` - (Optional) Disable Forward Proxy for this site. (`Bool`). +###### One of the arguments from this list "dc_cluster_group_sli, no_s2s_connectivity_sli" can be set +`dc_cluster_group_sli` - (Optional) Use a DC Cluster Group to connect to other sites.. See [ref](#ref) below for details. +`no_s2s_connectivity_sli` - (Optional) x-displayName: "Disabled" (`Bool`). +###### One of the arguments from this list "dc_cluster_group_slo, no_s2s_connectivity_slo, site_mesh_group_on_slo" can be set -`load_balancing` - (Optional) This section contains settings on the site that relate to Load Balancing functionality.. See [Load Balancing ](#load-balancing) below for details. +`dc_cluster_group_slo` - (Optional) Use a DC Cluster Group to connect to other sites.. See [ref](#ref) below for details. 
+`no_s2s_connectivity_slo` - (Optional) x-displayName: "Disabled" (`Bool`). +`site_mesh_group_on_slo` - (Optional) Use a Site Mesh Group to connect to other sites.. See [S2s Connectivity Slo Choice Site Mesh Group On Slo ](#s2s-connectivity-slo-choice-site-mesh-group-on-slo) below for details. +`software_settings` - (Optional) Select OS and Software version for the site. All nodes in the site will run the same OS and Software version. These settings cannot be changed after the site is created.. See [Software Settings ](#software-settings) below for details. -`local_vrf` - (Optional) The Site Local Inside (SLI) local VRF is used to connect LAN side workloads to this site. SLI local VRF is optional.. See [Local Vrf ](#local-vrf) below for details. +`tunnel_dead_timeout` - (Optional) When not set (== 0), a default value of 10000 msec will be used. (`Int`). +`tunnel_type` - (Optional) Select the type of tunnel to be used for traffic between the site and REs. By default, IPsec will be preferred with SSL as backup. (`String`). +`upgrade_settings` - (Optional) Specify how a site will be upgraded.. See [Upgrade Settings ](#upgrade-settings) below for details. +### Load Balancing - +This section contains settings on the site that relate to Load Balancing functionality.. +`vip_vrrp_mode` - (Optional) When VIP is configured on both Site Local Outside (SLO) and Site Local Inside (SLI) Local VRF on the site, it is recommended to turn on VRRP and also configure BGP. (`String`). +### Local Vrf +The Site Local Inside (SLI) local VRF is used to connect LAN side workloads to this site. SLI local VRF is optional.. - +###### One of the arguments from this list "default_sli_config, sli_config" can be set +`default_sli_config` - (Optional) x-displayName: "Default Configuration" (`Bool`). +`sli_config` - (Optional) Configure properties such as static routes, DNS and common VIP for Load Balancing on the Site Local Inside (SLI) local VRF.. 
See [Sli Choice Sli Config ](#sli-choice-sli-config) below for details. +###### One of the arguments from this list "default_config, slo_config" must be set +`default_config` - (Optional) x-displayName: "Default Configuration" (`Bool`). +`slo_config` - (Optional) Configure properties such as static routes, DNS and common VIP for Load Balancing on the Site Local Outside (SLO) local VRF.. See [Slo Choice Slo Config ](#slo-choice-slo-config) below for details. +### Offline Survivability Mode - +When the mode is toggled, services will restart and traffic disruption will be seen.. +###### One of the arguments from this list "enable_offline_survivability_mode, no_offline_survivability_mode" must be set +`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). +`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). - +### Performance Enhancement Mode +Optimize the site for L3 or L7 traffic processing. By default, the site is optimized for L7 traffic processing.. - +###### One of the arguments from this list "perf_mode_l3_enhanced, perf_mode_l7_enhanced" must be set +`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. +`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). +### Re Select +Selection criteria to connect the site with F5 Distributed Cloud Regional Edge(s).. +###### One of the arguments from this list "geo_proximity, specific_geography, specific_re" can be set - +`geo_proximity` - (Optional) Select REs in closest proximity to the site based on the public IP address of the control nodes of the site. (`Bool`). +`specific_geography` - (Optional) Select a list of specific REs. This is useful when a site needs to deterministically connect to a set of REs. A site will always be connected to 2 REs. 
If >2 REs are chosen, then 2 REs from these will be selected. (`String`).(Deprecated) +`specific_re` - (Optional) Select specific REs. This is useful when a site needs to deterministically connect to a set of REs. A site will always be connected to 2 REs.. See [Re Selection Choice Specific Re ](#re-selection-choice-specific-re) below for details. +### Software Settings +Select OS and Software version for the site. All nodes in the site will run the same OS and Software version. These settings cannot be changed after the site is created.. +`os` - (Optional) Select the Operating System version for the site. By default, latest available Operating System version will be used.. See [Software Settings Os ](#software-settings-os) below for details. +`sw` - (Optional) Refer to release notes to find required released SW versions.. See [Software Settings Sw ](#software-settings-sw) below for details. +### Upgrade Settings +Specify how a site will be upgraded.. +`kubernetes_upgrade_drain` - (Optional) Specify how worker nodes within a site will be upgraded.. See [Upgrade Settings Kubernetes Upgrade Drain ](#upgrade-settings-kubernetes-upgrade-drain) below for details. - +### Address Choice Dhcp Client +Interface gets it's IP address from an external DHCP server.. +### Address Choice Dhcp Server +DHCP Server is configured for this interface, Interface IP is derived from DHCP server configuration.. - +`dhcp_networks` - (Required) List of networks from which DHCP Server can allocate IPv4 Addresses. See [Dhcp Server Dhcp Networks ](#dhcp-server-dhcp-networks) below for details. +`dhcp_option82_tag` - (Optional) Optional tag that can be given to this configuration (`String`).(Deprecated) - +`fixed_ip_map` - (Optional) Assign fixed IPv4 addresses based on the MAC Address of the DHCP Client. (`String`). 
+###### One of the arguments from this list "automatic_from_end, automatic_from_start, interface_ip_map" must be set +`automatic_from_end` - (Optional) Assign automatically from end of the first network in the DHCP Network list (`Bool`). +`automatic_from_start` - (Optional) Assign automatically from start of the first network in the DHCP Network list (`Bool`). +`interface_ip_map` - (Optional) Statically configure a IPv4 address for every node. See [Interfaces Addressing Choice Interface Ip Map ](#interfaces-addressing-choice-interface-ip-map) below for details. +### Address Choice No Ipv4 Address +Interface does not have an IPv4 Address.. +### Address Choice Stateful +works along with Router Advertisement' Managed flag. +`dhcp_networks` - (Required) List of networks from which DHCP server can allocate ip addresses. See [Stateful Dhcp Networks ](#stateful-dhcp-networks) below for details. +`fixed_ip_map` - (Optional) Assign fixed IPv6 addresses based on the MAC Address of the DHCP Client. (`String`). +###### One of the arguments from this list "automatic_from_end, automatic_from_start, interface_ip_map" must be set +`automatic_from_end` - (Optional) Assign automatically from End of the first network in the list (`Bool`). +`automatic_from_start` - (Optional) Assign automatically from start of the first network in the list (`Bool`). +`interface_ip_map` - (Optional) Configured address for every node. See [Interfaces Addressing Choice Interface Ip Map ](#interfaces-addressing-choice-interface-ip-map) below for details. +### Address Choice Static Ip +Interface IP address is configured statically.. +`default_gw` - (Optional) IP address of the default gateway. (`String`). +`dns_server` - (Optional) IP address of the DNS server (`String`).(Deprecated) - +`ip_address` - (Required) IP address of the interface and prefix length (`String`). +### Autoconfig Choice Host +auto configuration routers. This is similar to a DHCP Client.. 
+### Autoconfig Choice Router - +System behaves like auto config Router and provides auto config parameters. This is similar to a DHCP Server.. +###### One of the arguments from this list "network_prefix, stateful" must be set +`network_prefix` - (Optional) Allowed only /64 prefix length as per RFC 4862 (`String`). +`stateful` - (Optional) works along with Router Advertisement' Managed flag. See [Address Choice Stateful ](#address-choice-stateful) below for details. +`dns_config` - (Optional) Dns information that needs to added in the RouterAdvetisement. See [Router Dns Config ](#router-dns-config) below for details. +### Blocked Services Blocked Sevice +x-displayName: "Disable Node Local Services". +###### One of the arguments from this list "dns, ssh, web_user_interface" can be set +`dns` - (Optional) Matches DNS port 53 (`Bool`). +`ssh` - (Optional) x-displayName: "SSH" (`Bool`). +`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). +`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). +### Blocked Services Choice Blocked Services +It is recommended to disable node local services after the nodes register or after configuration/deugging is complete.. +`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. +### Blocked Services Value Type Choice Dns +Matches DNS port 53. +### Blocked Services Value Type Choice Ssh +x-displayName: "SSH". +### Blocked Services Value Type Choice Web User Interface +x-displayName: "Web UI". +### Cluster Static Ip Interface Ip Map +Map of Node to Static ip configuration value, Key:Node, Value:IP Address. +`default_gw` - (Optional) IP address of the default gateway. (`String`). +`dns_server` - (Optional) IP address of the DNS server (`String`).(Deprecated) +`ip_address` - (Required) IP address of the interface and prefix length (`String`). 
+### Dhcp Networks Pools -`log_receiver` - (Optional) Select log receiver for logs streaming. See [ref](#ref) below for details. +List of non overlapping ip address ranges.. +`end_ip` - (Optional) In case of address allocator, offset is derived based on network prefix. (`String`). -`logs_streaming_disabled` - (Optional) x-displayName: "Disable Logs Streaming" (`Bool`). +`exclude` - (Optional) If exclude is true, IP addresses are not assigned from this range. (`Bool`).(Deprecated) +`start_ip` - (Optional) 2001::1 with prefix length of 64, start offset is 5 (`String`). +### Dhcp Networks Pools +List of non overlapping ip address ranges.. +`end_ip` - (Optional) 10.1.1.200 with prefix length of 24, end offset is 0.0.0.200 (`String`). -`active_enhanced_firewall_policies` - (Optional) Enable Network Firewall for this site. Traffic will be processed in the order that Network Firewall Policies are added.. See [Network Policy Choice Active Enhanced Firewall Policies ](#network-policy-choice-active-enhanced-firewall-policies) below for details. - +`exclude` - (Optional) If exclude is true, IP addresses are not assigned from this range. (`Bool`).(Deprecated) +`start_ip` - (Optional) 10.1.1.5 with prefix length of 24, start offset is 0.0.0.5 (`String`). +### Dhcp Server Dhcp Networks +List of networks from which DHCP Server can allocate IPv4 Addresses. -`no_network_policy` - (Optional) Disable Network Firewall for this site. (`Bool`). +###### One of the arguments from this list "dns_address, same_as_dgw" must be set +`dns_address` - (Optional) Enter a IPv4 address from the network prefix to be used as the DNS server. (`String`). +`same_as_dgw` - (Optional) DNS server address is same as default gateway address (`Bool`). +###### One of the arguments from this list "dgw_address, first_address, last_address" must be set +`dgw_address` - (Optional) Enter a IPv4 address from the network prefix to be used as the default gateway. (`String`). 
-`disable_ha` - (Optional) x-displayName: "Disable" (`Bool`). +`first_address` - (Optional) First usable address from the network prefix is chosen as default gateway (`Bool`). +`last_address` - (Optional) Last usable address from the network prefix is chosen as default gateway (`Bool`). -`enable_ha` - (Optional) x-displayName: "Enable" (`Bool`). +###### One of the arguments from this list "network_prefix, network_prefix_allocator" must be set +`network_prefix` - (Optional) Set the network prefix for the site. ex: 10.1.1.0/24 (`String`). +`network_prefix_allocator` - (Optional) Prefix length from address allocator scheme is used to calculate offsets. See [ref](#ref) below for details.(Deprecated) +`pool_settings` - (Required) Controls how DHCP pools are handled (`String`). -`offline_survivability_mode` - (Optional) When the mode is toggled, services will restart and traffic disruption will be seen.. See [Offline Survivability Mode ](#offline-survivability-mode) below for details. +`pools` - (Optional) List of non overlapping ip address ranges.. See [Dhcp Networks Pools ](#dhcp-networks-pools) below for details. +### Dns Choice Configured List +Configured address outside network range - external dns server. +`dns_list` - (Required) List of IPV6 Addresses acting as Dns servers (`String`). - +### Dns Choice Local Dns +Choose the address from the network prefix range as dns server. +###### One of the arguments from this list "configured_address, first_address, last_address" must be set +`configured_address` - (Optional) Configured address from the network prefix is chosen as dns server (`String`). - +`first_address` - (Optional) First usable address from the network prefix is chosen as dns server (`Bool`). +`last_address` - (Optional) Last usable address from the network prefix is chosen as dns server (`Bool`). +### Dns Choice Same As Dgw +DNS server address is same as default gateway address. 
+### Forward Proxy Choice Active Forward Proxy Policies -`performance_enhancement_mode` - (Optional) Optimize the site for L3 or L7 traffic processing. By default, the site is optimized for L7 traffic processing.. See [Performance Enhancement Mode ](#performance-enhancement-mode) below for details. +Enable Forward Proxy for this site. Traffic will be processed in the order that Forward Proxy Policies are added.. +`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. +### Gateway Choice First Address +First usable address from the network prefix is chosen as default gateway. - +### Gateway Choice Last Address +Last usable address from the network prefix is chosen as default gateway. +### Interface Choice Bond Interface +x-displayName: "Bond Interface". - +`devices` - (Required) Ethernet devices that will make up this bond (`String`). +###### One of the arguments from this list "active_backup, lacp" must be set +`active_backup` - (Optional) Configure active/backup based bond device (`Bool`). +`lacp` - (Optional) Configure LACP (802.3ad) based bond device. See [Lacp Choice Lacp ](#lacp-choice-lacp) below for details. - +`link_polling_interval` - (Required) Link polling interval in milliseconds (`Int`). +`link_up_delay` - (Required) Milliseconds wait before link is declared up (`Int`). +`name` - (Required) Name for the Bond. Ex 'bond0' (`String`). +### Interface Choice Ethernet Interface +x-displayName: "Ethernet Interface". +`device` - (Required) Once configured, this interface will be part of this sites dataplane and can participate in the networking services configured on this site. (`String`). - +`mac` - (Optional) x-example: "01:10:20:0a:bb:1c" (`String`). +### Interface Choice Vlan Interface +x-displayName: "VLAN Interface". +`device` - (Required) Select a parent interface from the dropdown. (`String`). +`vlan_id` - (Optional) Configure the VLAN tag for this interface. (`Int`). 
+### Interface List Network Option -`aws` - (Optional) x-displayName: "AWS". See [Provider Choice Aws ](#provider-choice-aws) below for details. - +Global VRFs are configured via Networking > Segments. A site can have multple Network Segments (global VRFs).. +###### One of the arguments from this list "segment_network, site_local_inside_network, site_local_network" can be set +`segment_network` - (Optional) x-displayName: "Segment (Global VRF)". See [ref](#ref) below for details. +`site_local_inside_network` - (Optional) x-displayName: "Site Local Inside (Local VRF)" (`Bool`). - +`site_local_network` - (Optional) x-displayName: "Site Local Outside (Local VRF)" (`Bool`). +### Interfaces Addressing Choice Automatic From End - +Assign automatically from end of the first network in the DHCP Network list. +### Interfaces Addressing Choice Automatic From Start +Assign automatically from start of the first network in the DHCP Network list. - +### Interfaces Addressing Choice Interface Ip Map +Statically configure a IPv4 address for every node. +`interface_ip_map` - (Optional) Specify static IPv4 addresses per site:node. (`String`). +### Interfaces Addressing Choice Interface Ip Map - +Configured address for every node. +`interface_ip_map` - (Optional) Map of Site:Node to IPV6 address. (`String`). +### Ipv6 Address Choice Ipv6 Auto Config +Interface IPv6 address will be configured via Auto Configuration.. - +###### One of the arguments from this list "host, router" must be set +`host` - (Optional) auto configuration routers. This is similar to a DHCP Client. (`Bool`). - +`router` - (Optional) System behaves like auto config Router and provides auto config parameters. This is similar to a DHCP Server.. See [Autoconfig Choice Router ](#autoconfig-choice-router) below for details. +### Ipv6 Address Choice No Ipv6 Address +Interface does not have an IPv6 Address.. +### Ipv6 Address Choice Static Ipv6 Address +Interface IPv6 address is configured statically.. 
- +###### One of the arguments from this list "cluster_static_ip, fleet_static_ip, node_static_ip" must be set +`cluster_static_ip` - (Optional) Static IP configuration for a specific node. See [Network Prefix Choice Cluster Static Ip ](#network-prefix-choice-cluster-static-ip) below for details. +`fleet_static_ip` - (Optional) Static IP configuration for the fleet. See [Network Prefix Choice Fleet Static Ip ](#network-prefix-choice-fleet-static-ip) below for details.(Deprecated) +`node_static_ip` - (Optional) Static IP configuration for the Node. See [Network Prefix Choice Node Static Ip ](#network-prefix-choice-node-static-ip) below for details. +### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain +x-displayName: "Disable Node by Node Upgrade". +### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain - +x-displayName: "Enable Node by Node Upgrade". +###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set +`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). +`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) - +`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). +###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set +`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) +`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) +### Lacp Choice Active Backup +Configure active/backup based bond device. +### Lacp Choice Lacp +Configure LACP (802.3ad) based bond device. 
+`rate` - (Optional) Interval in seconds to transmit LACP packets (`Int`). - +### Local Dns Choice First Address +First usable address from the network prefix is chosen as dns server. +### Local Dns Choice Last Address +Last usable address from the network prefix is chosen as dns server. +### Monitoring Choice Monitor +x-displayName: "Enabled". +### Monitoring Choice Monitor Disabled +x-displayName: "Disabled". +### Network Choice Site Local Inside Network - +x-displayName: "Site Local Inside (Local VRF)". +### Network Choice Site Local Network +x-displayName: "Site Local Outside (Local VRF)". +### Network Policy Choice Active Enhanced Firewall Policies - +Enable Network Firewall for this site. Traffic will be processed in the order that Network Firewall Policies are added.. +`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. +### Network Prefix Choice Cluster Static Ip +Static IP configuration for a specific node. - +`interface_ip_map` - (Optional) Map of Node to Static ip configuration value, Key:Node, Value:IP Address. See [Cluster Static Ip Interface Ip Map ](#cluster-static-ip-interface-ip-map) below for details. +### Network Prefix Choice Fleet Static Ip +Static IP configuration for the fleet. +`default_gw` - (Optional) IP address offset of the default gateway, prefix len is used to calculate offset (`String`). +`dns_server` - (Optional) IP address offset of the DNS server, prefix len is used to calculate offset (`String`). +`network_prefix_allocator` - (Optional) Static IP configuration for the fleet. See [ref](#ref) below for details. +### Network Prefix Choice Node Static Ip - +Static IP configuration for the Node. +`default_gw` - (Optional) IP address of the default gateway. (`String`). +`dns_server` - (Optional) IP address of the DNS server (`String`).(Deprecated) +`ip_address` - (Required) IP address of the interface and prefix length (`String`). 
- +### Next Hop Choice Default Gateway +Traffic matching the ip prefixes is sent to the default gateway. +### Node List Interface List +Manage interfaces belonging to this node. +###### One of the arguments from this list "dhcp_client, dhcp_server, no_ipv4_address, static_ip" must be set +`dhcp_client` - (Optional) Interface gets it's IP address from an external DHCP server. (`Bool`). +`dhcp_server` - (Optional) DHCP Server is configured for this interface, Interface IP is derived from DHCP server configuration.. See [Address Choice Dhcp Server ](#address-choice-dhcp-server) below for details. +`no_ipv4_address` - (Optional) Interface does not have an IPv4 Address. (`Bool`). +`static_ip` - (Optional) Interface IP address is configured statically.. See [Address Choice Static Ip ](#address-choice-static-ip) below for details. +`description` - (Optional) Description for this Interface (`String`). - +###### One of the arguments from this list "bond_interface, ethernet_interface, vlan_interface" must be set +`bond_interface` - (Optional) x-displayName: "Bond Interface". See [Interface Choice Bond Interface ](#interface-choice-bond-interface) below for details. +`ethernet_interface` - (Optional) x-displayName: "Ethernet Interface". See [Interface Choice Ethernet Interface ](#interface-choice-ethernet-interface) below for details. +`vlan_interface` - (Optional) x-displayName: "VLAN Interface". See [Interface Choice Vlan Interface ](#interface-choice-vlan-interface) below for details. +###### One of the arguments from this list "ipv6_auto_config, no_ipv6_address, static_ipv6_address" can be set - +`ipv6_auto_config` - (Optional) Interface IPv6 address will be configured via Auto Configuration.. See [Ipv6 Address Choice Ipv6 Auto Config ](#ipv6-address-choice-ipv6-auto-config) below for details. +`no_ipv6_address` - (Optional) Interface does not have an IPv6 Address. (`Bool`). +`static_ipv6_address` - (Optional) Interface IPv6 address is configured statically.. 
See [Ipv6 Address Choice Static Ipv6 Address ](#ipv6-address-choice-static-ipv6-address) below for details. +`is_management` - (Optional) To be used internally to set an interface as management interface (`Bool`).(Deprecated) - +`is_primary` - (Optional) Use for Primary Interface (`Bool`).(Deprecated) +`labels` - (Optional) Add Labels for this Interface, these labels can be used in firewall policy (`String`). +###### One of the arguments from this list "monitor, monitor_disabled" can be set +`monitor` - (Optional) x-displayName: "Enabled". See [Monitoring Choice Monitor ](#monitoring-choice-monitor) below for details. +`monitor_disabled` - (Optional) x-displayName: "Disabled" (`Bool`). +`mtu` - (Optional) When configured, mtu must be between 512 and 16384 (`Int`). +`name` - (Optional) Name of this Interface (`String`). +`network_option` - (Required) Global VRFs are configured via Networking > Segments. A site can have multple Network Segments (global VRFs).. See [Interface List Network Option ](#interface-list-network-option) below for details. +`priority` - (Optional) Greater the value, higher the priority (`Int`). +###### One of the arguments from this list "site_to_site_connectivity_interface_disabled, site_to_site_connectivity_interface_enabled" can be set - +`site_to_site_connectivity_interface_disabled` - (Optional) Do not use this interface for site to site connectivity. (`Bool`). +`site_to_site_connectivity_interface_enabled` - (Optional) Use this this interface for site to site connectivity. (`Bool`). +### Not Managed Node List +Once a node is created and registers with the site, it will be shown in this section.. +`hostname` - (Optional) Hostname for this Node (`String`). +`interface_list` - (Optional) Manage interfaces belonging to this node. See [Node List Interface List ](#node-list-interface-list) below for details. - +`public_ip` - (Optional) Public IP for this Node (`String`). 
+`type` - (Optional) Type for this Node, can be Control or Worker (`String`). +### Offline Survivability Mode Choice Enable Offline Survivability Mode +x-displayName: "Enabled". +### Offline Survivability Mode Choice No Offline Survivability Mode +x-displayName: "Disabled". +### Operating System Version Choice Default Os Version +Will assign latest available OS version. - +### Orchestration Choice Not Managed +or by using automation tools such as Terraform.. +`node_list` - (Optional) Once a node is created and registers with the site, it will be shown in this section.. See [Not Managed Node List ](#not-managed-node-list) below for details. +### Perf Mode Choice Jumbo - +x-displayName: "Enabled". +### Perf Mode Choice No Jumbo +x-displayName: "Disabled". +### Perf Mode Choice Perf Mode L3 Enhanced - +Site optimized for L3 traffic processing. +###### One of the arguments from this list "jumbo, no_jumbo" must be set +`jumbo` - (Optional) x-displayName: "Enabled" (`Bool`). +`no_jumbo` - (Optional) x-displayName: "Disabled" (`Bool`). +### Perf Mode Choice Perf Mode L7 Enhanced - +Site optimized for L7 traffic processing. +### Provider Choice Aws - +x-displayName: "AWS". +###### One of the arguments from this list "not_managed" can be set +`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. +### Provider Choice Azure +x-displayName: "Azure". +###### One of the arguments from this list "not_managed" can be set +`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. - +### Provider Choice Baremetal +x-displayName: "Baremetal". +###### One of the arguments from this list "not_managed" can be set +`not_managed` - (Optional) or by using automation tools such as Terraform.. 
See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. +### Provider Choice Gcp +x-displayName: "GCP". +###### One of the arguments from this list "not_managed" can be set +`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. +### Provider Choice Kvm +x-displayName: "KVM". +###### One of the arguments from this list "not_managed" can be set +`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. +### Provider Choice Oci +x-displayName: "OCI". - +###### One of the arguments from this list "not_managed" can be set +`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. +### Provider Choice Rseries +x-displayName: "F5 rSeries". +###### One of the arguments from this list "not_managed" can be set +`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. +### Provider Choice Vmware - +x-displayName: "VMWare". +###### One of the arguments from this list "not_managed" can be set +`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. +### Re Selection Choice Geo Proximity - +Select REs in closest proximity to the site based on the public IP address of the control nodes of the site.. +### Re Selection Choice Specific Re +Select specific REs. This is useful when a site needs to deterministically connect to a set of REs. A site will always be connected to 2 REs.. +`backup_re` - (Optional) Select backup RE for this site. 
(`String`).(Deprecated) +`primary_re` - (Optional) Select primary RE for this site. (`String`). - +### Ref +Reference to another volterra object is shown like below +name - (Required) then name will hold the referred object's(e.g. route's) name. (String). +namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). +tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). - +### Router Dns Config +Dns information that needs to added in the RouterAdvetisement. +###### One of the arguments from this list "configured_list, local_dns" must be set +`configured_list` - (Optional) Configured address outside network range - external dns server. See [Dns Choice Configured List ](#dns-choice-configured-list) below for details. - +`local_dns` - (Optional) Choose the address from the network prefix range as dns server. See [Dns Choice Local Dns ](#dns-choice-local-dns) below for details. +### S2s Connectivity Slo Choice Site Mesh Group On Slo +Use a Site Mesh Group to connect to other sites.. +###### One of the arguments from this list "no_site_mesh_group, site_mesh_group" must be set +`no_site_mesh_group` - (Optional) This site is not a member of Site Mesh group (`Bool`).(Deprecated) +`site_mesh_group` - (Optional) This site is member of Site Mesh Group via network. See [ref](#ref) below for details.(Deprecated) +###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set +`sm_connection_public_ip` - (Optional) tunnels to other sites which are part of the site mesh group. (`Bool`). +`sm_connection_pvt_ip` - (Optional) If multiple interfaces on a control node belong to the Site Local Outside (SLO) Local VRF, the interface which has 'Use for Site to Site Connectivity' set will be used. (`Bool`). +### Site Mesh Group Choice No Site Mesh Group - +This site is not a member of Site Mesh group. 
+### Site Mesh Group Ip Choice Sm Connection Public Ip +tunnels to other sites which are part of the site mesh group.. +### Site Mesh Group Ip Choice Sm Connection Pvt Ip - +If multiple interfaces on a control node belong to the Site Local Outside (SLO) Local VRF, the interface which has 'Use for Site to Site Connectivity' set will be used.. +### Site To Site Connectivity Interface Choice Site To Site Connectivity Interface Disabled +Do not use this interface for site to site connectivity.. +### Site To Site Connectivity Interface Choice Site To Site Connectivity Interface Enabled - +Use this this interface for site to site connectivity.. +### Sli Choice Default Sli Config - +x-displayName: "Default Configuration". +### Sli Choice Sli Config +Configure properties such as static routes, DNS and common VIP for Load Balancing on the Site Local Inside (SLI) local VRF.. +`labels` - (Optional) Add Labels for this network, these labels can be used in firewall policy (`String`). +`nameserver` - (Optional) Optional DNS V4 server IP to be used for name resolution (`String`). +`nameserver_v6` - (Optional) Optional DNS V6 server IP to be used for name resolution (`String`). +###### One of the arguments from this list "no_static_routes, static_routes" must be set - +`no_static_routes` - (Optional) Static IPv4 Routes disabled for this site local network (VRF). (`Bool`). +`static_routes` - (Optional) Manage IPv4 static routes for this site local network (VRF).. See [Static Route Choice Static Routes ](#static-route-choice-static-routes) below for details. +###### One of the arguments from this list "no_v6_static_routes, static_v6_routes" must be set +`no_v6_static_routes` - (Optional) Static IPv6 Routes disabled for this site local network (VRF). (`Bool`). +`static_v6_routes` - (Optional) Manage IPv6 static routes for this site local network (VRF).. See [Static V6 Route Choice Static V6 Routes ](#static-v6-route-choice-static-v6-routes) below for details. 
+`vip` - (Optional) Optional common virtual V4 IP across all nodes to be used as automatic VIP. (`String`). +`vip_v6` - (Optional) Optional common virtual V6 IP across all nodes to be used as automatic VIP. (`String`). - +### Slo Choice Default Config +x-displayName: "Default Configuration". +### Slo Choice Slo Config +Configure properties such as static routes, DNS and common VIP for Load Balancing on the Site Local Outside (SLO) local VRF.. +`labels` - (Optional) Add Labels for this network, these labels can be used in firewall policy (`String`). +`nameserver` - (Optional) Optional DNS V4 server IP to be used for name resolution (`String`). +`nameserver_v6` - (Optional) Optional DNS V6 server IP to be used for name resolution (`String`). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -`azure` - (Optional) x-displayName: "Azure". See [Provider Choice Azure ](#provider-choice-azure) below for details. - - - - - - - - - -`baremetal` - (Optional) x-displayName: "Baremetal". See [Provider Choice Baremetal ](#provider-choice-baremetal) below for details. - - - - - - - - - -`gcp` - (Optional) x-displayName: "GCP". See [Provider Choice Gcp ](#provider-choice-gcp) below for details. - - - - - - - - - -`kvm` - (Optional) x-displayName: "KVM". See [Provider Choice Kvm ](#provider-choice-kvm) below for details. - - - - - - - - - -`oci` - (Optional) x-displayName: "OCI". See [Provider Choice Oci ](#provider-choice-oci) below for details. - - - - - - - - - -`rseries` - (Optional) x-displayName: "F5 rSeries". See [Provider Choice Rseries ](#provider-choice-rseries) below for details. - - - - - - - - - -`vmware` - (Optional) x-displayName: "VMWare". See [Provider Choice Vmware ](#provider-choice-vmware) below for details. - - - - - - - - - - - -`re_select` - (Optional) Selection criteria to connect the site with F5 Distributed Cloud Regional Edge(s).. See [Re Select ](#re-select) below for details. 
- - - - - - - - - - - - - - - - - - - -`dc_cluster_group_sli` - (Optional) Use a DC Cluster Group to connect to other sites.. See [ref](#ref) below for details. - - -`no_s2s_connectivity_sli` - (Optional) x-displayName: "Disabled" (`Bool`). - - - - - -`dc_cluster_group_slo` - (Optional) Use a DC Cluster Group to connect to other sites.. See [ref](#ref) below for details. - - -`no_s2s_connectivity_slo` - (Optional) x-displayName: "Disabled" (`Bool`). - - -`site_mesh_group_on_slo` - (Optional) Use a Site Mesh Group to connect to other sites.. See [S2s Connectivity Slo Choice Site Mesh Group On Slo ](#s2s-connectivity-slo-choice-site-mesh-group-on-slo) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - -`software_settings` - (Optional) Select OS and Software version for the site. All nodes in the site will run the same OS and Software version. These settings cannot be changed after the site is created.. See [Software Settings ](#software-settings) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - -`tunnel_dead_timeout` - (Optional) When not set (== 0), a default value of 10000 msec will be used. (`Int`). - - -`tunnel_type` - (Optional) Select the type of tunnel to be used for traffic between the site and REs. By default, IPsec will be preferred with SSL as backup. (`String`). - - - -`upgrade_settings` - (Optional) Specify how a site will be upgraded.. See [Upgrade Settings ](#upgrade-settings) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -### Load Balancing - - This section contains settings on the site that relate to Load Balancing functionality.. - -`vip_vrrp_mode` - (Optional) When VIP is configured on both Site Local Outside (SLO) and Site Local Inside (SLI) Local VRF on the site, it is recommended to turn on VRRP and also configure BGP. (`String`). - - - -### Local Vrf - - The Site Local Inside (SLI) local VRF is used to connect LAN side workloads to this site. 
SLI local VRF is optional.. - - - - -###### One of the arguments from this list "default_sli_config, sli_config" can be set - -`default_sli_config` - (Optional) x-displayName: "Default Configuration" (`Bool`). - - -`sli_config` - (Optional) Configure properties such as static routes, DNS and common VIP for Load Balancing on the Site Local Inside (SLI) local VRF.. See [Sli Choice Sli Config ](#sli-choice-sli-config) below for details. - - - - -###### One of the arguments from this list "default_config, slo_config" must be set - -`default_config` - (Optional) x-displayName: "Default Configuration" (`Bool`). - - -`slo_config` - (Optional) Configure properties such as static routes, DNS and common VIP for Load Balancing on the Site Local Outside (SLO) local VRF.. See [Slo Choice Slo Config ](#slo-choice-slo-config) below for details. - - - - -### Offline Survivability Mode - - When the mode is toggled, services will restart and traffic disruption will be seen.. - - - -###### One of the arguments from this list "no_offline_survivability_mode, enable_offline_survivability_mode" must be set - -`enable_offline_survivability_mode` - (Optional) x-displayName: "Enabled" (`Bool`). - - -`no_offline_survivability_mode` - (Optional) x-displayName: "Disabled" (`Bool`). - - - - -### Performance Enhancement Mode - - Optimize the site for L3 or L7 traffic processing. By default, the site is optimized for L7 traffic processing.. - - - -###### One of the arguments from this list "perf_mode_l7_enhanced, perf_mode_l3_enhanced" must be set - -`perf_mode_l3_enhanced` - (Optional) Site optimized for L3 traffic processing. See [Perf Mode Choice Perf Mode L3 Enhanced ](#perf-mode-choice-perf-mode-l3-enhanced) below for details. - - -`perf_mode_l7_enhanced` - (Optional) Site optimized for L7 traffic processing (`Bool`). - - - - -### Re Select - - Selection criteria to connect the site with F5 Distributed Cloud Regional Edge(s).. 
- - - - -###### One of the arguments from this list "geo_proximity, specific_geography, specific_re" can be set - -`geo_proximity` - (Optional) Select REs in closest proximity to the site based on the public IP address of the control nodes of the site. (`Bool`). - - -`specific_geography` - (Optional) Select a list of specific REs. This is useful when a site needs to deterministically connect to a set of REs. A site will always be connected to 2 REs. If >2 REs are chosen, then 2 REs from these will be selected. (`String`).(Deprecated) - - -`specific_re` - (Optional) Select specific REs. This is useful when a site needs to deterministically connect to a set of REs. A site will always be connected to 2 REs.. See [Re Selection Choice Specific Re ](#re-selection-choice-specific-re) below for details. - - - - -### Software Settings - - Select OS and Software version for the site. All nodes in the site will run the same OS and Software version. These settings cannot be changed after the site is created.. - -`os` - (Optional) Select the Operating System version for the site. By default, latest available Operating System version will be used.. See [Software Settings Os ](#software-settings-os) below for details. - -`sw` - (Optional) Refer to release notes to find required released SW versions.. See [Software Settings Sw ](#software-settings-sw) below for details. - - - -### Upgrade Settings - - Specify how a site will be upgraded.. - -`kubernetes_upgrade_drain` - (Optional) Specify how worker nodes within a site will be upgraded.. See [Upgrade Settings Kubernetes Upgrade Drain ](#upgrade-settings-kubernetes-upgrade-drain) below for details. - - - -### Address Choice Dhcp Client - - Interface gets it's IP address from an external DHCP server.. - - - -### Address Choice Dhcp Server - - DHCP Server is configured for this interface, Interface IP is derived from DHCP server configuration.. 
- -`dhcp_networks` - (Required) List of networks from which DHCP Server can allocate IPv4 Addresses. See [Dhcp Server Dhcp Networks ](#dhcp-server-dhcp-networks) below for details. - -`dhcp_option82_tag` - (Optional) Optional tag that can be given to this configuration (`String`).(Deprecated) - -`fixed_ip_map` - (Optional) Assign fixed IPv4 addresses based on the MAC Address of the DHCP Client. (`String`). - - - -###### One of the arguments from this list "automatic_from_start, automatic_from_end, interface_ip_map" must be set - -`automatic_from_end` - (Optional) Assign automatically from end of the first network in the DHCP Network list (`Bool`). - - -`automatic_from_start` - (Optional) Assign automatically from start of the first network in the DHCP Network list (`Bool`). - - -`interface_ip_map` - (Optional) Statically configure a IPv4 address for every node. See [Interfaces Addressing Choice Interface Ip Map ](#interfaces-addressing-choice-interface-ip-map) below for details. - - - - -### Address Choice No Ipv4 Address - - Interface does not have an IPv4 Address.. - - - -### Address Choice Stateful - - works along with Router Advertisement' Managed flag. - -`dhcp_networks` - (Required) List of networks from which DHCP server can allocate ip addresses. See [Stateful Dhcp Networks ](#stateful-dhcp-networks) below for details. - -`fixed_ip_map` - (Optional) Assign fixed IPv6 addresses based on the MAC Address of the DHCP Client. (`String`). - - - -###### One of the arguments from this list "automatic_from_start, automatic_from_end, interface_ip_map" must be set - -`automatic_from_end` - (Optional) Assign automatically from End of the first network in the list (`Bool`). - - -`automatic_from_start` - (Optional) Assign automatically from start of the first network in the list (`Bool`). - - -`interface_ip_map` - (Optional) Configured address for every node. 
See [Interfaces Addressing Choice Interface Ip Map ](#interfaces-addressing-choice-interface-ip-map) below for details. - - - - -### Address Choice Static Ip - - Interface IP address is configured statically.. - -`default_gw` - (Optional) IP address of the default gateway. (`String`). - -`dns_server` - (Optional) IP address of the DNS server (`String`).(Deprecated) - -`ip_address` - (Required) IP address of the interface and prefix length (`String`). - - - -### Autoconfig Choice Host - - auto configuration routers. This is similar to a DHCP Client.. - - - -### Autoconfig Choice Router - - System behaves like auto config Router and provides auto config parameters. This is similar to a DHCP Server.. - - - -###### One of the arguments from this list "network_prefix, stateful" must be set - -`network_prefix` - (Optional) Allowed only /64 prefix length as per RFC 4862 (`String`). - - -`stateful` - (Optional) works along with Router Advertisement' Managed flag. See [Address Choice Stateful ](#address-choice-stateful) below for details. - - -`dns_config` - (Optional) Dns information that needs to added in the RouterAdvetisement. See [Router Dns Config ](#router-dns-config) below for details. - - - -### Blocked Services Blocked Sevice - - x-displayName: "Disable Node Local Services". - - - - -###### One of the arguments from this list "web_user_interface, dns, ssh" can be set - -`dns` - (Optional) Matches DNS port 53 (`Bool`). - - -`ssh` - (Optional) x-displayName: "SSH" (`Bool`). - - -`web_user_interface` - (Optional) x-displayName: "Web UI" (`Bool`). - - -`network_type` - (Optional) Site Local VRF on which this service will be disabled (`String`). - - - -### Blocked Services Choice Blocked Services - - It is recommended to disable node local services after the nodes register or after configuration/deugging is complete.. - -`blocked_sevice` - (Optional) x-displayName: "Disable Node Local Services". 
See [Blocked Services Blocked Sevice ](#blocked-services-blocked-sevice) below for details. - - - -### Blocked Services Value Type Choice Dns - - Matches DNS port 53. - - - -### Blocked Services Value Type Choice Ssh - - x-displayName: "SSH". - - - -### Blocked Services Value Type Choice Web User Interface - - x-displayName: "Web UI". - - - -### Cluster Static Ip Interface Ip Map - - Map of Node to Static ip configuration value, Key:Node, Value:IP Address. - -`default_gw` - (Optional) IP address of the default gateway. (`String`). - -`dns_server` - (Optional) IP address of the DNS server (`String`).(Deprecated) - -`ip_address` - (Required) IP address of the interface and prefix length (`String`). - - - -### Dhcp Networks Pools - - List of non overlapping ip address ranges.. - -`end_ip` - (Optional) In case of address allocator, offset is derived based on network prefix. (`String`). - -`exclude` - (Optional) If exclude is true, IP addresses are not assigned from this range. (`Bool`).(Deprecated) - -`start_ip` - (Optional) 2001::1 with prefix length of 64, start offset is 5 (`String`). - - - -### Dhcp Networks Pools - - List of non overlapping ip address ranges.. - -`end_ip` - (Optional) 10.1.1.200 with prefix length of 24, end offset is 0.0.0.200 (`String`). - -`exclude` - (Optional) If exclude is true, IP addresses are not assigned from this range. (`Bool`).(Deprecated) - -`start_ip` - (Optional) 10.1.1.5 with prefix length of 24, start offset is 0.0.0.5 (`String`). - - - -### Dhcp Server Dhcp Networks - - List of networks from which DHCP Server can allocate IPv4 Addresses. - - - -###### One of the arguments from this list "same_as_dgw, dns_address" must be set - -`dns_address` - (Optional) Enter a IPv4 address from the network prefix to be used as the DNS server. (`String`). - - -`same_as_dgw` - (Optional) DNS server address is same as default gateway address (`Bool`). 
- - - - -###### One of the arguments from this list "first_address, last_address, dgw_address" must be set - -`dgw_address` - (Optional) Enter a IPv4 address from the network prefix to be used as the default gateway. (`String`). - - -`first_address` - (Optional) First usable address from the network prefix is chosen as default gateway (`Bool`). - - -`last_address` - (Optional) Last usable address from the network prefix is chosen as default gateway (`Bool`). - - - - -###### One of the arguments from this list "network_prefix, network_prefix_allocator" must be set - -`network_prefix` - (Optional) Set the network prefix for the site. ex: 10.1.1.0/24 (`String`). - - -`network_prefix_allocator` - (Optional) Prefix length from address allocator scheme is used to calculate offsets. See [ref](#ref) below for details.(Deprecated) - - -`pool_settings` - (Required) Controls how DHCP pools are handled (`String`). - -`pools` - (Optional) List of non overlapping ip address ranges.. See [Dhcp Networks Pools ](#dhcp-networks-pools) below for details. - - - -### Dns Choice Configured List - - Configured address outside network range - external dns server. - -`dns_list` - (Required) List of IPV6 Addresses acting as Dns servers (`String`). - - - -### Dns Choice Local Dns - - Choose the address from the network prefix range as dns server. - - - -###### One of the arguments from this list "configured_address, first_address, last_address" must be set - -`configured_address` - (Optional) Configured address from the network prefix is chosen as dns server (`String`). - - -`first_address` - (Optional) First usable address from the network prefix is chosen as dns server (`Bool`). - - -`last_address` - (Optional) Last usable address from the network prefix is chosen as dns server (`Bool`). - - - - -### Dns Choice Same As Dgw - - DNS server address is same as default gateway address. - - - -### Forward Proxy Choice Active Forward Proxy Policies - - Enable Forward Proxy for this site. 
Traffic will be processed in the order that Forward Proxy Policies are added.. - -`forward_proxy_policies` - (Required) Ordered List of Forward Proxy Policies active. See [ref](#ref) below for details. - - - -### Gateway Choice First Address - - First usable address from the network prefix is chosen as default gateway. - - - -### Gateway Choice Last Address - - Last usable address from the network prefix is chosen as default gateway. - - - -### Interface Choice Bond Interface - - x-displayName: "Bond Interface". - -`devices` - (Required) Ethernet devices that will make up this bond (`String`). - - - -###### One of the arguments from this list "lacp, active_backup" must be set - -`active_backup` - (Optional) Configure active/backup based bond device (`Bool`). - - -`lacp` - (Optional) Configure LACP (802.3ad) based bond device. See [Lacp Choice Lacp ](#lacp-choice-lacp) below for details. - - -`link_polling_interval` - (Required) Link polling interval in milliseconds (`Int`). - -`link_up_delay` - (Required) Milliseconds wait before link is declared up (`Int`). - -`name` - (Required) Name for the Bond. Ex 'bond0' (`String`). - - - -### Interface Choice Ethernet Interface - - x-displayName: "Ethernet Interface". - -`device` - (Required) Once configured, this interface will be part of this sites dataplane and can participate in the networking services configured on this site. (`String`). - -`mac` - (Optional) x-example: "01:10:20:0a:bb:1c" (`String`). - - - -### Interface Choice Vlan Interface - - x-displayName: "VLAN Interface". - -`device` - (Required) Select a parent interface from the dropdown. (`String`). - -`vlan_id` - (Optional) Configure the VLAN tag for this interface. (`Int`). - - - -### Interface List Network Option - - Global VRFs are configured via Networking > Segments. A site can have multple Network Segments (global VRFs).. 
- - - - -###### One of the arguments from this list "site_local_inside_network, segment_network, site_local_network" can be set - -`segment_network` - (Optional) x-displayName: "Segment (Global VRF)". See [ref](#ref) below for details. - - -`site_local_inside_network` - (Optional) x-displayName: "Site Local Inside (Local VRF)" (`Bool`). - - -`site_local_network` - (Optional) x-displayName: "Site Local Outside (Local VRF)" (`Bool`). - - - - -### Interfaces Addressing Choice Automatic From End - - Assign automatically from end of the first network in the DHCP Network list. - - - -### Interfaces Addressing Choice Automatic From Start - - Assign automatically from start of the first network in the DHCP Network list. - - - -### Interfaces Addressing Choice Interface Ip Map - - Statically configure a IPv4 address for every node. - -`interface_ip_map` - (Optional) Specify static IPv4 addresses per site:node. (`String`). - - - -### Interfaces Addressing Choice Interface Ip Map - - Configured address for every node. - -`interface_ip_map` - (Optional) Map of Site:Node to IPV6 address. (`String`). - - - -### Ipv6 Address Choice Ipv6 Auto Config - - Interface IPv6 address will be configured via Auto Configuration.. - - - -###### One of the arguments from this list "host, router" must be set - -`host` - (Optional) auto configuration routers. This is similar to a DHCP Client. (`Bool`). - - -`router` - (Optional) System behaves like auto config Router and provides auto config parameters. This is similar to a DHCP Server.. See [Autoconfig Choice Router ](#autoconfig-choice-router) below for details. - - - - -### Ipv6 Address Choice No Ipv6 Address - - Interface does not have an IPv6 Address.. - - - -### Ipv6 Address Choice Static Ipv6 Address - - Interface IPv6 address is configured statically.. 
- - - -###### One of the arguments from this list "node_static_ip, cluster_static_ip, fleet_static_ip" must be set - -`cluster_static_ip` - (Optional) Static IP configuration for a specific node. See [Network Prefix Choice Cluster Static Ip ](#network-prefix-choice-cluster-static-ip) below for details. - - -`fleet_static_ip` - (Optional) Static IP configuration for the fleet. See [Network Prefix Choice Fleet Static Ip ](#network-prefix-choice-fleet-static-ip) below for details.(Deprecated) - - -`node_static_ip` - (Optional) Static IP configuration for the Node. See [Network Prefix Choice Node Static Ip ](#network-prefix-choice-node-static-ip) below for details. - - - - -### Kubernetes Upgrade Drain Enable Choice Disable Upgrade Drain - - x-displayName: "Disable Node by Node Upgrade". - - - -### Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain - - x-displayName: "Enable Node by Node Upgrade". - - - -###### One of the arguments from this list "drain_max_unavailable_node_count, drain_max_unavailable_node_percentage" must be set - -`drain_max_unavailable_node_count` - (Optional) x-example: "1" (`Int`). - - -`drain_max_unavailable_node_percentage` - (Optional) Max number of worker nodes to be upgraded in parallel by percentage. Note: 1% would mean batch size of 1 worker node. (`Int`).(Deprecated) - - -`drain_node_timeout` - (Required) (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is recommended to use the default value). (`Int`). - - - -###### One of the arguments from this list "disable_vega_upgrade_mode, enable_vega_upgrade_mode" must be set - -`disable_vega_upgrade_mode` - (Optional) Disable Vega Upgrade Mode (`Bool`).(Deprecated) - - -`enable_vega_upgrade_mode` - (Optional) When enabled, vega will inform RE to stop traffic to the specific node. (`Bool`).(Deprecated) - - - - -### Lacp Choice Active Backup - - Configure active/backup based bond device. 
- - - -### Lacp Choice Lacp - - Configure LACP (802.3ad) based bond device. - -`rate` - (Optional) Interval in seconds to transmit LACP packets (`Int`). - - - -### Local Dns Choice First Address - - First usable address from the network prefix is chosen as dns server. - - - -### Local Dns Choice Last Address - - Last usable address from the network prefix is chosen as dns server. - - - -### Monitoring Choice Monitor - - x-displayName: "Enabled". - - - -### Monitoring Choice Monitor Disabled - - x-displayName: "Disabled". - - - -### Network Choice Site Local Inside Network - - x-displayName: "Site Local Inside (Local VRF)". - - - -### Network Choice Site Local Network - - x-displayName: "Site Local Outside (Local VRF)". - - - -### Network Policy Choice Active Enhanced Firewall Policies - - Enable Network Firewall for this site. Traffic will be processed in the order that Network Firewall Policies are added.. - -`enhanced_firewall_policies` - (Required) Ordered List of Enhanced Firewall Policies active. See [ref](#ref) below for details. - - - -### Network Prefix Choice Cluster Static Ip - - Static IP configuration for a specific node. - -`interface_ip_map` - (Optional) Map of Node to Static ip configuration value, Key:Node, Value:IP Address. See [Cluster Static Ip Interface Ip Map ](#cluster-static-ip-interface-ip-map) below for details. - - - -### Network Prefix Choice Fleet Static Ip - - Static IP configuration for the fleet. - -`default_gw` - (Optional) IP address offset of the default gateway, prefix len is used to calculate offset (`String`). - -`dns_server` - (Optional) IP address offset of the DNS server, prefix len is used to calculate offset (`String`). - -`network_prefix_allocator` - (Optional) Static IP configuration for the fleet. See [ref](#ref) below for details. - - - -### Network Prefix Choice Node Static Ip - - Static IP configuration for the Node. - -`default_gw` - (Optional) IP address of the default gateway. (`String`). 
- -`dns_server` - (Optional) IP address of the DNS server (`String`).(Deprecated) - -`ip_address` - (Required) IP address of the interface and prefix length (`String`). - - - -### Next Hop Choice Default Gateway - - Traffic matching the ip prefixes is sent to the default gateway. - - - -### Node List Interface List - - Manage interfaces belonging to this node. - - - -###### One of the arguments from this list "dhcp_server, no_ipv4_address, dhcp_client, static_ip" must be set - -`dhcp_client` - (Optional) Interface gets it's IP address from an external DHCP server. (`Bool`). - - -`dhcp_server` - (Optional) DHCP Server is configured for this interface, Interface IP is derived from DHCP server configuration.. See [Address Choice Dhcp Server ](#address-choice-dhcp-server) below for details. - - -`no_ipv4_address` - (Optional) Interface does not have an IPv4 Address. (`Bool`). - - -`static_ip` - (Optional) Interface IP address is configured statically.. See [Address Choice Static Ip ](#address-choice-static-ip) below for details. - - -`description` - (Optional) Description for this Interface (`String`). - - - -###### One of the arguments from this list "ethernet_interface, vlan_interface, bond_interface" must be set - -`bond_interface` - (Optional) x-displayName: "Bond Interface". See [Interface Choice Bond Interface ](#interface-choice-bond-interface) below for details. - - -`ethernet_interface` - (Optional) x-displayName: "Ethernet Interface". See [Interface Choice Ethernet Interface ](#interface-choice-ethernet-interface) below for details. - - -`vlan_interface` - (Optional) x-displayName: "VLAN Interface". See [Interface Choice Vlan Interface ](#interface-choice-vlan-interface) below for details. - - - - - -###### One of the arguments from this list "no_ipv6_address, static_ipv6_address, ipv6_auto_config" can be set - -`ipv6_auto_config` - (Optional) Interface IPv6 address will be configured via Auto Configuration.. 
See [Ipv6 Address Choice Ipv6 Auto Config ](#ipv6-address-choice-ipv6-auto-config) below for details. - - -`no_ipv6_address` - (Optional) Interface does not have an IPv6 Address. (`Bool`). - - -`static_ipv6_address` - (Optional) Interface IPv6 address is configured statically.. See [Ipv6 Address Choice Static Ipv6 Address ](#ipv6-address-choice-static-ipv6-address) below for details. - - -`is_management` - (Optional) To be used internally to set an interface as management interface (`Bool`).(Deprecated) - -`is_primary` - (Optional) Use for Primary Interface (`Bool`).(Deprecated) - -`labels` - (Optional) Add Labels for this Interface, these labels can be used in firewall policy (`String`). - - - - -###### One of the arguments from this list "monitor_disabled, monitor" can be set - -`monitor` - (Optional) x-displayName: "Enabled". See [Monitoring Choice Monitor ](#monitoring-choice-monitor) below for details. - - -`monitor_disabled` - (Optional) x-displayName: "Disabled" (`Bool`). - - -`mtu` - (Optional) When configured, mtu must be between 512 and 16384 (`Int`). - -`name` - (Optional) Name of this Interface (`String`). - -`network_option` - (Required) Global VRFs are configured via Networking > Segments. A site can have multple Network Segments (global VRFs).. See [Interface List Network Option ](#interface-list-network-option) below for details. - -`priority` - (Optional) Greater the value, higher the priority (`Int`). - - - - -###### One of the arguments from this list "site_to_site_connectivity_interface_disabled, site_to_site_connectivity_interface_enabled" can be set - -`site_to_site_connectivity_interface_disabled` - (Optional) Do not use this interface for site to site connectivity. (`Bool`). - - -`site_to_site_connectivity_interface_enabled` - (Optional) Use this this interface for site to site connectivity. (`Bool`). - - - - -### Not Managed Node List - - Once a node is created and registers with the site, it will be shown in this section.. 
- -`hostname` - (Optional) Hostname for this Node (`String`). - -`interface_list` - (Optional) Manage interfaces belonging to this node. See [Node List Interface List ](#node-list-interface-list) below for details. - -`public_ip` - (Optional) Public IP for this Node (`String`). - -`type` - (Optional) Type for this Node, can be Control or Worker (`String`). - - - -### Offline Survivability Mode Choice Enable Offline Survivability Mode - - x-displayName: "Enabled". - - - -### Offline Survivability Mode Choice No Offline Survivability Mode - - x-displayName: "Disabled". - - - -### Operating System Version Choice Default Os Version - - Will assign latest available OS version. - - - -### Orchestration Choice Not Managed - - or by using automation tools such as Terraform.. - -`node_list` - (Optional) Once a node is created and registers with the site, it will be shown in this section.. See [Not Managed Node List ](#not-managed-node-list) below for details. - - - -### Perf Mode Choice Jumbo - - x-displayName: "Enabled". - - - -### Perf Mode Choice No Jumbo - - x-displayName: "Disabled". - - - -### Perf Mode Choice Perf Mode L3 Enhanced - - Site optimized for L3 traffic processing. - - - -###### One of the arguments from this list "no_jumbo, jumbo" must be set - -`jumbo` - (Optional) x-displayName: "Enabled" (`Bool`). - - -`no_jumbo` - (Optional) x-displayName: "Disabled" (`Bool`). - - - - -### Perf Mode Choice Perf Mode L7 Enhanced - - Site optimized for L7 traffic processing. - - - -### Provider Choice Aws - - x-displayName: "AWS". - - - - -###### One of the arguments from this list "not_managed" can be set - -`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. - - - - -### Provider Choice Azure - - x-displayName: "Azure". 
- - - - -###### One of the arguments from this list "not_managed" can be set - -`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. - - - - -### Provider Choice Baremetal - - x-displayName: "Baremetal". - - - - -###### One of the arguments from this list "not_managed" can be set - -`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. - - - - -### Provider Choice Gcp - - x-displayName: "GCP". - - - - -###### One of the arguments from this list "not_managed" can be set - -`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. - - - - -### Provider Choice Kvm - - x-displayName: "KVM". - - - - -###### One of the arguments from this list "not_managed" can be set - -`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. - - - - -### Provider Choice Oci - - x-displayName: "OCI". - - - - -###### One of the arguments from this list "not_managed" can be set - -`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. - - - - -### Provider Choice Rseries - - x-displayName: "F5 rSeries". - - - - -###### One of the arguments from this list "not_managed" can be set - -`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. - - - - -### Provider Choice Vmware - - x-displayName: "VMWare". 
- - - - -###### One of the arguments from this list "not_managed" can be set - -`not_managed` - (Optional) or by using automation tools such as Terraform.. See [Orchestration Choice Not Managed ](#orchestration-choice-not-managed) below for details. - - - - -### Re Selection Choice Geo Proximity - - Select REs in closest proximity to the site based on the public IP address of the control nodes of the site.. - - - -### Re Selection Choice Specific Re - - Select specific REs. This is useful when a site needs to deterministically connect to a set of REs. A site will always be connected to 2 REs.. - -`backup_re` - (Optional) Select backup RE for this site. (`String`).(Deprecated) - -`primary_re` - (Optional) Select primary RE for this site. (`String`). - - - -### Ref - - -Reference to another volterra object is shown like below - -name - (Required) then name will hold the referred object's(e.g. route's) name. (String). - -namespace - (Optional) then namespace will hold the referred object's(e.g. route's) namespace. (String). - -tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). - - - -### Router Dns Config - - Dns information that needs to added in the RouterAdvetisement. - - - -###### One of the arguments from this list "local_dns, configured_list" must be set - -`configured_list` - (Optional) Configured address outside network range - external dns server. See [Dns Choice Configured List ](#dns-choice-configured-list) below for details. - - -`local_dns` - (Optional) Choose the address from the network prefix range as dns server. See [Dns Choice Local Dns ](#dns-choice-local-dns) below for details. - - - - -### S2s Connectivity Slo Choice Site Mesh Group On Slo - - Use a Site Mesh Group to connect to other sites.. 
- - - -###### One of the arguments from this list "no_site_mesh_group, site_mesh_group" must be set - -`no_site_mesh_group` - (Optional) This site is not a member of Site Mesh group (`Bool`).(Deprecated) - - -`site_mesh_group` - (Optional) This site is member of Site Mesh Group via network. See [ref](#ref) below for details.(Deprecated) - - - - -###### One of the arguments from this list "sm_connection_public_ip, sm_connection_pvt_ip" must be set - -`sm_connection_public_ip` - (Optional) tunnels to other sites which are part of the site mesh group. (`Bool`). - - -`sm_connection_pvt_ip` - (Optional) If multiple interfaces on a control node belong to the Site Local Outside (SLO) Local VRF, the interface which has 'Use for Site to Site Connectivity' set will be used. (`Bool`). - - - - -### Site Mesh Group Choice No Site Mesh Group - - This site is not a member of Site Mesh group. - - - -### Site Mesh Group Ip Choice Sm Connection Public Ip - - tunnels to other sites which are part of the site mesh group.. - - - -### Site Mesh Group Ip Choice Sm Connection Pvt Ip - - If multiple interfaces on a control node belong to the Site Local Outside (SLO) Local VRF, the interface which has 'Use for Site to Site Connectivity' set will be used.. - - - -### Site To Site Connectivity Interface Choice Site To Site Connectivity Interface Disabled - - Do not use this interface for site to site connectivity.. - - - -### Site To Site Connectivity Interface Choice Site To Site Connectivity Interface Enabled - - Use this this interface for site to site connectivity.. - - - -### Sli Choice Default Sli Config - - x-displayName: "Default Configuration". - - - -### Sli Choice Sli Config - - Configure properties such as static routes, DNS and common VIP for Load Balancing on the Site Local Inside (SLI) local VRF.. - -`labels` - (Optional) Add Labels for this network, these labels can be used in firewall policy (`String`). 
- -`nameserver` - (Optional) Optional DNS V4 server IP to be used for name resolution (`String`). - -`nameserver_v6` - (Optional) Optional DNS V6 server IP to be used for name resolution (`String`). - - - -###### One of the arguments from this list "no_static_routes, static_routes" must be set - -`no_static_routes` - (Optional) Static IPv4 Routes disabled for this site local network (VRF). (`Bool`). - - -`static_routes` - (Optional) Manage IPv4 static routes for this site local network (VRF).. See [Static Route Choice Static Routes ](#static-route-choice-static-routes) below for details. - - - - -###### One of the arguments from this list "no_v6_static_routes, static_v6_routes" must be set - -`no_v6_static_routes` - (Optional) Static IPv6 Routes disabled for this site local network (VRF). (`Bool`). - - -`static_v6_routes` - (Optional) Manage IPv6 static routes for this site local network (VRF).. See [Static V6 Route Choice Static V6 Routes ](#static-v6-route-choice-static-v6-routes) below for details. - - -`vip` - (Optional) Optional common virtual V4 IP across all nodes to be used as automatic VIP. (`String`). - -`vip_v6` - (Optional) Optional common virtual V6 IP across all nodes to be used as automatic VIP. (`String`). - - - -### Slo Choice Default Config - - x-displayName: "Default Configuration". - - - -### Slo Choice Slo Config - - Configure properties such as static routes, DNS and common VIP for Load Balancing on the Site Local Outside (SLO) local VRF.. - -`labels` - (Optional) Add Labels for this network, these labels can be used in firewall policy (`String`). - -`nameserver` - (Optional) Optional DNS V4 server IP to be used for name resolution (`String`). - -`nameserver_v6` - (Optional) Optional DNS V6 server IP to be used for name resolution (`String`). 
- - - -###### One of the arguments from this list "no_static_routes, static_routes" must be set +###### One of the arguments from this list "no_static_routes, static_routes" must be set `no_static_routes` - (Optional) Static IPv4 Routes disabled for this site local network (VRF). (`Bool`). - `static_routes` - (Optional) Manage IPv4 static routes for this site local network (VRF).. See [Static Route Choice Static Routes ](#static-route-choice-static-routes) below for details. - - - ###### One of the arguments from this list "no_v6_static_routes, static_v6_routes" must be set `no_v6_static_routes` - (Optional) Static IPv6 Routes disabled for this site local network (VRF). (`Bool`). - `static_v6_routes` - (Optional) Manage IPv6 static routes for this site local network (VRF).. See [Static V6 Route Choice Static V6 Routes ](#static-v6-route-choice-static-v6-routes) below for details. - `vip` - (Optional) Optional common virtual V4 IP across all nodes to be used as automatic VIP. (`String`). `vip_v6` - (Optional) Optional common virtual V6 IP across all nodes to be used as automatic VIP. (`String`). +### Software Settings Os - -### Software Settings Os - - Select the Operating System version for the site. By default, latest available Operating System version will be used.. - - +Select the Operating System version for the site. By default, latest available Operating System version will be used.. ###### One of the arguments from this list "default_os_version, operating_system_version" must be set `default_os_version` - (Optional) Will assign latest available OS version (`Bool`). - `operating_system_version` - (Optional) Specify a OS version to be used e.g. 9.2024.6. (`String`). +### Software Settings Sw +Refer to release notes to find required released SW versions.. - -### Software Settings Sw - - Refer to release notes to find required released SW versions.. 
- - - -###### One of the arguments from this list "volterra_software_version, default_sw_version" must be set +###### One of the arguments from this list "default_sw_version, volterra_software_version" must be set `default_sw_version` - (Optional) Will assign latest available F5XC Software Version (`Bool`). - `volterra_software_version` - (Optional) Specify a F5XC Software Version to be used e.g. crt-20210329-1002. (`String`). +### Stateful Dhcp Networks - - -### Stateful Dhcp Networks - - List of networks from which DHCP server can allocate ip addresses. - - +List of networks from which DHCP server can allocate ip addresses. ###### One of the arguments from this list "network_prefix, network_prefix_allocator" must be set `network_prefix` - (Optional) Network Prefix to be used for IPV6 address auto configuration (`String`). - `network_prefix_allocator` - (Optional) Prefix length from address allocator scheme is used to calculate offsets. See [ref](#ref) below for details.(Deprecated) - `pool_settings` - (Required) Controls how DHCPV6 pools are handled (`String`). `pools` - (Optional) List of non overlapping ip address ranges.. See [Dhcp Networks Pools ](#dhcp-networks-pools) below for details. +### Static Route Choice No Static Routes +Static IPv4 Routes disabled for this site local network (VRF).. -### Static Route Choice No Static Routes - - Static IPv4 Routes disabled for this site local network (VRF).. +### Static Route Choice Static Routes - - -### Static Route Choice Static Routes - - Manage IPv4 static routes for this site local network (VRF).. +Manage IPv4 static routes for this site local network (VRF).. `static_routes` - (Required) x-required. See [Static Routes Static Routes ](#static-routes-static-routes) below for details. +### Static Routes Static Routes - -### Static Routes Static Routes - - x-required. +x-required. 
`attrs` - (Optional) List of attributes that control forwarding, dynamic routing and control plane (host) reachability (`List of Strings`). `ip_prefixes` - (Required) List of route prefixes that have common next hop and attributes (`String`). - - -###### One of the arguments from this list "ip_address, interface, default_gateway" must be set +###### One of the arguments from this list "default_gateway, interface, ip_address" must be set `default_gateway` - (Optional) Traffic matching the ip prefixes is sent to the default gateway (`Bool`). - `interface` - (Optional) Traffic matching the ip prefixes is sent to this interface. See [ref](#ref) below for details. - `ip_address` - (Optional) Traffic matching the ip prefixes is sent to this IP Address (`String`). +### Static V6 Route Choice No V6 Static Routes +Static IPv6 Routes disabled for this site local network (VRF).. +### Static V6 Route Choice Static V6 Routes -### Static V6 Route Choice No V6 Static Routes - - Static IPv6 Routes disabled for this site local network (VRF).. - - - -### Static V6 Route Choice Static V6 Routes - - Manage IPv6 static routes for this site local network (VRF).. +Manage IPv6 static routes for this site local network (VRF).. `static_routes` - (Required) List of IPv6 static routes. See [Static V6 Routes Static Routes ](#static-v6-routes-static-routes) below for details. +### Static V6 Routes Static Routes - -### Static V6 Routes Static Routes - - List of IPv6 static routes. +List of IPv6 static routes. `attrs` - (Optional) List of attributes that control forwarding, dynamic routing and control plane (host) reachability (`List of Strings`). `ip_prefixes` - (Required) List of IPv6 route prefixes that have common next hop and attributes (`String`). 
- - -###### One of the arguments from this list "ip_address, interface, default_gateway" must be set +###### One of the arguments from this list "default_gateway, interface, ip_address" must be set `default_gateway` - (Optional) Traffic matching the ip prefixes is sent to the default gateway (`Bool`). - `interface` - (Optional) Traffic matching the ip prefixes is sent to this interface. See [ref](#ref) below for details. - `ip_address` - (Optional) Traffic matching the ip prefixes is sent to this IP Address (`String`). +### Upgrade Settings Kubernetes Upgrade Drain +Specify how worker nodes within a site will be upgraded.. - -### Upgrade Settings Kubernetes Upgrade Drain - - Specify how worker nodes within a site will be upgraded.. - - - -###### One of the arguments from this list "enable_upgrade_drain, disable_upgrade_drain" must be set +###### One of the arguments from this list "disable_upgrade_drain, enable_upgrade_drain" must be set `disable_upgrade_drain` - (Optional) x-displayName: "Disable Node by Node Upgrade" (`Bool`). - `enable_upgrade_drain` - (Optional) x-displayName: "Enable Node by Node Upgrade". See [Kubernetes Upgrade Drain Enable Choice Enable Upgrade Drain ](#kubernetes-upgrade-drain-enable-choice-enable-upgrade-drain) below for details. +### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode +Disable Vega Upgrade Mode. +### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode -### Vega Upgrade Mode Toggle Choice Disable Vega Upgrade Mode - - Disable Vega Upgrade Mode. - - - -### Vega Upgrade Mode Toggle Choice Enable Vega Upgrade Mode - - When enabled, vega will inform RE to stop traffic to the specific node.. - - - -### Volterra Sw Version Choice Default Sw Version - - Will assign latest available F5XC Software Version. - +When enabled, vega will inform RE to stop traffic to the specific node.. +### Volterra Sw Version Choice Default Sw Version -## Attribute Reference +Will assign latest available F5XC Software Version. 
-* `id` - This is the id of the configured securemesh_site_v2. +Attribute Reference +------------------- +- `id` - This is the id of the configured securemesh_site_v2. diff --git a/docs/resources/volterra_sensitive_data_policy.md b/docs/resources/volterra_sensitive_data_policy.md index 34bf03f49..fc79108e3 100644 --- a/docs/resources/volterra_sensitive_data_policy.md +++ b/docs/resources/volterra_sensitive_data_policy.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: sensitive_data_policy" -description: "The sensitive_data_policy allows CRUD of Sensitive Data Policy resource on Volterra SaaS" +description: "The sensitive_data_policy allows CRUD of Sensitive Data Policy resource on Volterra SaaS" + --- -# Resource volterra_sensitive_data_policy -The Sensitive Data Policy allows CRUD of Sensitive Data Policy resource on Volterra SaaS +Resource volterra_sensitive_data_policy +======================================= -~> **Note:** Please refer to [Sensitive Data Policy API docs](https://docs.cloud.f5.com/docs-v2/api/sensitive-data-policy) to learn more +The Sensitive Data Policy allows CRUD of Sensitive Data Policy resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Sensitive Data Policy API docs](https://docs.cloud.f5.com/docs-v2/api/sensitive-data-policy) to learn more + +Example Usage +------------- ```hcl resource "volterra_sensitive_data_policy" "example" { 
@@ -30,52 +23,38 @@ resource "volterra_sensitive_data_policy" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -`compliances` - (Optional) Select relevant compliance frameworks, such as GDPR, HIPAA, or PCI-DSS, to ensure monitoring under your sensitive data discovery. (`List of Strings`).(Deprecated) - +`compliances` - (Optional) Select relevant compliance frameworks, such as GDPR, HIPAA, or PCI-DSS, to ensure monitoring under your sensitive data discovery. (`List of Strings`). `custom_data_types` - (Optional) Select your custom data types to be monitored in the API discovery. See [Custom Data Types ](#custom-data-types) below for details. - - - `disabled_predefined_data_types` - (Optional) Select which pre-configured data types to disable, disabled data types will not be shown as sensitive in the API discovery (`List of String`). +### Custom Data Types - -### Custom Data Types - - Select your custom data types to be monitored in the API discovery. +Select your custom data types to be monitored in the API discovery. `custom_data_type_ref` - (Optional) List of custom data types to monitor. See [ref](#ref) below for details. - - -### Ref - +### Ref Reference to another volterra object is shown like below 
@@ -85,9 +64,7 @@ namespace - (Optional) then namespace will hold the referred object's(e.g. route tenant - (Optional) then tenant will hold the referred object's(e.g. route's) tenant. (String). +Attribute Reference +------------------- - -## Attribute Reference - -* `id` - This is the id of the configured sensitive_data_policy. - +- `id` - This is the id of the configured sensitive_data_policy. diff --git a/docs/resources/volterra_service_policy.md b/docs/resources/volterra_service_policy.md index d529c0565..066a21bc3 100644 --- a/docs/resources/volterra_service_policy.md +++ b/docs/resources/volterra_service_policy.md @@ -1,9 +1,9 @@ --- page_title: "Volterra: service_policy" - description: "The service_policy allows CRUD of Service Policy resource on Volterra SaaS" ------------------------------------------------------------------------------------------ + +--- Resource volterra_service_policy ================================ @@ -656,7 +656,6 @@ App Firewall action to be enforced if the input request matches the rule.. App Firewall will run in monitoring mode without blocking the request. - ### Waf Skip Processing Skip all App Firewall processing for this request. @@ -681,13 +680,13 @@ Specifies how Malicious User Mitigation is handled `skip_processing` - (Optional) Do not perform enforcement for this request (`Bool`). -### Client Choice Ip Threat Category List +### Client Choice Ip Threat Category List IP threat categories to choose from. `ip_threat_categories` - (Required) The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions (`List of Strings`). -### Content Rewrite Action +### Content Rewrite Action Rewrite HTML response action to insert HTML content such as Javascript script tags into the HTML document. 
@@ -715,7 +714,7 @@ Shape Protected Endpoint Action that include application traffic type and mitiga `web_scraping` - (Required) Web scraping protection enabled for protected endpoint (`Bool`). -### Shape Protected Endpoint Action Mitigation +### Shape Protected Endpoint Action Mitigation Mitigation action for protected endpoint. @@ -729,15 +728,15 @@ Mitigation action for protected endpoint. `redirect` - (Optional) Redirect bot request to a custom URI.. See [Action Type Redirect ](#action-type-redirect) below for details. -### Shape Protected Endpoint Action Transaction Result - +### Shape Protected Endpoint Action Transaction Result + Success/failure Criteria for transaction result. - + `failure_conditions` - (Optional) Failure Conditions. See [Transaction Result Failure Conditions ](#transaction-result-failure-conditions) below for details. - + `success_conditions` - (Optional) Success Conditions. See [Transaction Result Success Conditions ](#transaction-result-success-conditions) below for details. -### Transaction Result Failure Conditions +### Transaction Result Failure Conditions Failure Conditions. @@ -747,7 +746,7 @@ Failure Conditions. `status` - (Required) HTTP Status code (`String`). -### Transaction Result Success Conditions +### Transaction Result Success Conditions Success Conditions. @@ -757,7 +756,7 @@ Success Conditions. `status` - (Required) HTTP Status code (`String`). -### Action Type Block +### Action Type Block Block bot request and send response with custom content.. @@ -767,7 +766,7 @@ Block bot request and send response with custom content.. `status` - (Optional) HTTP Status code to respond with (`String`). -### Action Type Flag +### Action Type Flag Flag the request while not taking any invasive actions.. 
@@ -777,7 +776,7 @@ Flag the request while not taking any invasive actions.. `no_headers` - (Optional) No mitigation headers. (`Bool`). -### Send Headers Choice Append Headers +### Send Headers Choice Append Headers Append mitigation headers.. @@ -785,13 +784,13 @@ Append mitigation headers.. `inference_header_name` - (Required) A case-insensitive HTTP header name. (`String`). -### Action Type Redirect +### Action Type Redirect Redirect bot request to a custom URI.. `uri` - (Required) URI location for redirect may be relative or absolute. (`String`). -### Waf Advanced Configuration App Firewall Detection Control +### Waf Advanced Configuration App Firewall Detection Control Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria.. @@ -803,7 +802,7 @@ Define the list of Signature IDs, Violations, Attack Types and Bot Names that sh `exclude_violation_contexts` - (Optional) Violations to be excluded for the defined match criteria. See [App Firewall Detection Control Exclude Violation Contexts ](#app-firewall-detection-control-exclude-violation-contexts) below for details. -### App Firewall Detection Control Exclude Attack Type Contexts +### App Firewall Detection Control Exclude Attack Type Contexts Attack Types to be excluded for the defined match criteria. @@ -813,13 +812,13 @@ Attack Types to be excluded for the defined match criteria. `exclude_attack_type` - (Required) x-required (`String`). -### App Firewall Detection Control Exclude Bot Name Contexts +### App Firewall Detection Control Exclude Bot Name Contexts Bot Names to be excluded for the defined match criteria. `bot_name` - (Required) x-example: "Hydra" (`String`). -### App Firewall Detection Control Exclude Signature Contexts +### App Firewall Detection Control Exclude Signature Contexts Signature IDs to be excluded for the defined match criteria. 
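Review bot: in the Exclude Attack Type Contexts and Exclude Bot Name Contexts sections touched by this hunk, the argument descriptions are leftover annotation text rather than documentation: `exclude_attack_type` reads "(Required) x-required" and `bot_name` reads "(Required) x-example: "Hydra"". Both arguments exclude detections from triggering on the defined match criteria, so an operator needs to know which values are accepted and what exactly stops being detected before using them. Since the headings are being rewritten anyway, replace these two descriptions with a real sentence each and move "Hydra" into an example.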
@@ -829,7 +828,7 @@ Signature IDs to be excluded for the defined match criteria. `signature_id` - (Required) 0 implies that all signatures will be excluded for the specified context. (`Int`). -### App Firewall Detection Control Exclude Violation Contexts +### App Firewall Detection Control Exclude Violation Contexts Violations to be excluded for the defined match criteria. @@ -839,9 +838,9 @@ Violations to be excluded for the defined match criteria. `exclude_violation` - (Required) x-required (`String`). -### Jwt Claims +### Jwt Claims -List of predicates for various JWT claims that need to match. +List of predicates for various JWT claims that need to match. `invert_matcher` - (Optional) Invert the match result. (`Bool`). @@ -855,7 +854,7 @@ List of predicates for various JWT claims that need to match. `name` - (Required) JWT claim name. (`String`). -### Match Item +### Match Item Criteria for matching the values for the JWT Claim. The match is successful if any of the values in the input satisfies the criteria in the matcher. @@ -865,7 +864,7 @@ Criteria for matching the values for the JWT Claim. The match is successful if a `transformers` - (Optional) An ordered list of transformers (starting from index 0) to be applied to the path before matching. (`List of Strings`). -### Request Constraints +### Request Constraints Place limits on request based on the request attributes. The request matches if any of the attribute sizes exceed the corresponding maximum value.. @@ -955,7 +954,7 @@ Match the specified user identity. The format is prefixed by the type. `regex_values` - (Optional) A list of regular expressions to match the input against. (`String`). -### Segment Policy +### Segment Policy Skip the configuration or set option as Any to ignore corresponding segment match. diff --git a/docs/resources/volterra_service_policy_rule.md b/docs/resources/volterra_service_policy_rule.md index 45679e1bb..6bf72ad8b 100644 --- a/docs/resources/volterra_service_policy_rule.md 
+++ b/docs/resources/volterra_service_policy_rule.md @@ -1,26 +1,19 @@ - - - - - - - - - - - - --- + page_title: "Volterra: service_policy_rule" -description: "The service_policy_rule allows CRUD of Service Policy Rule resource on Volterra SaaS" +description: "The service_policy_rule allows CRUD of Service Policy Rule resource on Volterra SaaS" + --- -# Resource volterra_service_policy_rule -The Service Policy Rule allows CRUD of Service Policy Rule resource on Volterra SaaS +Resource volterra_service_policy_rule +===================================== -~> **Note:** Please refer to [Service Policy Rule API docs](https://docs.cloud.f5.com/docs-v2/api/service-policy-rule) to learn more +The Service Policy Rule allows CRUD of Service Policy Rule resource on Volterra SaaS -## Example Usage +~> **Note:** Please refer to [Service Policy Rule API docs](https://docs.cloud.f5.com/docs-v2/api/service-policy-rule) to learn more + +Example Usage +------------- ```hcl resource "volterra_service_policy_rule" "example" { 
@@ -30,22 +23,28 @@ resource "volterra_service_policy_rule" "example" { // One of the arguments from this list "any_asn asn_list asn_matcher" must be set - any_asn = true + asn_matcher { + asn_sets { + name = "test1" + namespace = "staging" + tenant = "acmecorp" + } + } challenge_action = ["challenge_action"] - // One of the arguments from this list "client_name_matcher any_client client_name ip_threat_category_list client_selector" must be set + // One of the arguments from this list "any_client client_name client_name_matcher client_selector ip_threat_category_list" must be set - any_client = true + client_name_matcher { + exact_values = ["['new york', 'london', 'sydney', 'tokyo', 'cairo']"] - // One of the arguments from this list "any_ip ip_prefix_list ip_matcher" must be set + regex_values = ["['^new .*$', 'san f.*', '.* del .*']"] + } - ip_prefix_list { - invert_match = true + // One of the arguments from this list "any_ip ip_matcher ip_prefix_list" must be set - ip_prefixes = ["192.168.20.0/24"] - } + any_ip = true waf_action { - // One of the arguments from this list "jwt_claims_validation none waf_skip_processing waf_in_monitoring_mode app_firewall_detection_control data_guard_control jwt_validation" must be set + // One of the arguments from this list "app_firewall_detection_control data_guard_control jwt_claims_validation jwt_validation none waf_in_monitoring_mode waf_skip_processing" must be set none = true } 
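Review bot: the new `client_name_matcher` block passes a single string that contains a quoted list, `exact_values = ["['new york', 'london', 'sydney', 'tokyo', 'cairo']"]`, and `regex_values` has the same shape. As written each is a one-element list whose only value is the literal text starting with `['`, so someone who copies the example gets a matcher that matches none of the intended names, and the `regex_values` string is read as one bracket expression rather than three patterns. Write every value as its own element, for example `exact_values = ["new york", "london", "sydney"]`. The same hunk also replaces the `ip_prefix_list` example with `any_ip = true`; a short comment in the example that this matches every source address would help readers who paste it into a policy rule.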
@@ -53,907 +52,298 @@ resource "volterra_service_policy_rule" "example" { ``` -## Argument Reference +Argument Reference +------------------ ### Metadata Argument Reference -`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). +`annotations` - (Optional) queryable and should be preserved when modifying objects. (`String`). `description` - (Optional) Human readable description for the object (`String`). - `disable` - (Optional) A value of true will administratively disable the object (`Bool`). - `labels` - (Optional) by selector expression (`String`). - `name` - (Required) The value of name has to follow DNS-1035 format. (`String`). - `namespace` - (Optional) Must be a DNS_LABEL format. For a namespace object itself, namespace value will be "" (`String`). - - ### Spec Argument Reference -`action` - (Required) Action to be enforced if the input request matches the rule. (`String`). - +`action` - (Required) Action to be enforced if the input request matches the rule. (`String`). `api_group_matcher` - (Optional) The predicate evaluates to true if any of the actual API group names for the request is equal to any of the values in the api group matcher.. See [Api Group Matcher ](#api-group-matcher) below for details. - - - - `arg_matchers` - (Optional) Note that all specified arg matcher predicates must evaluate to true.. See [Arg Matchers ](#arg-matchers) below for details. - - - - - - - - - - - - - - - - - - - - - - - - - +###### One of the arguments from this list "any_asn, asn_list, asn_matcher" must be set `any_asn` - (Optional) Any origin ASN. (`Bool`). - `asn_list` - (Optional) The predicate evaluates to true if the origin ASN is present in the ASN list.. See [Asn Choice Asn List ](#asn-choice-asn-list) below for details. - - - - `asn_matcher` - (Optional) The predicate evaluates to true if the origin ASN is present in one of the BGP ASN Set objects.. 
See [Asn Choice Asn Matcher ](#asn-choice-asn-matcher) below for details. - - - - - - `body_matcher` - (Optional) The actual request body value is extracted from the request API as a string.. See [Body Matcher ](#body-matcher) below for details. - - - - - `bot_action` - (Optional) Bot action to be enforced if the input request matches the rule.. See [Bot Action ](#bot-action) below for details. - - - - - - - - - - - - - `challenge_action` - (Required) Select challenge action, enable javascript/captcha challenge or disable challenge (`String`).(Deprecated) - - +###### One of the arguments from this list "any_client, client_name, client_name_matcher, client_selector, ip_threat_category_list" must be set `any_client` - (Optional) Any Client (`Bool`). - `client_name` - (Optional) The predicate evaluates to true if any of the actual names is the same as the expected client name. (`String`). - `client_name_matcher` - (Optional) The predicate evaluates to true if any of the client's actual names match any of the exact values or regular expressions in the client name matcher.. See [Client Choice Client Name Matcher ](#client-choice-client-name-matcher) below for details. - - - - - `client_selector` - (Optional) The predicate evaluates to true if the expressions in the label selector are true for the client labels.. See [Client Choice Client Selector ](#client-choice-client-selector) below for details. - - - - `ip_threat_category_list` - (Optional) IP threat categories to choose from. See [Client Choice Ip Threat Category List ](#client-choice-ip-threat-category-list) below for details. - - - - - - `client_role` - (Optional) The predicate evaluates to true if any of the client's roles match the value(s) specified in client role.. See [Client Role ](#client-role) below for details.(Deprecated) - - - -`content_rewrite_action` - (Optional) Rewrite HTML response action to insert HTML content such as Javascript script tags into the HTML document. 
See [Content Rewrite Action ](#content-rewrite-action) below for details.(Deprecated) - - - - - - +`content_rewrite_action` - (Optional) Rewrite HTML response action to insert HTML content such as Javascript