npm - @robinmordasiewicz/f5xc-terraform-mcp - Versions diffs - 2.3.0 → 2.4.4 - Mend

@robinmordasiewicz/f5xc-terraform-mcp 2.3.0 → 2.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (574) hide show

package/dist/docs/resources/virtual_host.md ADDED Viewed

@@ -0,0 +1,934 @@
+---
+page_title: "f5xc_virtual_host Resource - terraform-provider-f5xc"
+subcategory: "Load Balancing"
+description: |-
+  [Namespace: required] Manages virtual host in a given namespace. in F5 Distributed Cloud.
+---
+# f5xc_virtual_host (Resource)
+[Namespace: required] Manages virtual host in a given namespace. in F5 Distributed Cloud.
+~> **Note** Please refer to [Virtual Host API docs](https://docs.cloud.f5.com/docs-v2/api/virtual-host) to learn more.
+## Example Usage
+```terraform
+# Virtual Host Resource Example
+# [Namespace: required] Manages virtual host in a given namespace. in F5 Distributed Cloud.
+# Basic Virtual Host configuration
+resource "f5xc_virtual_host" "example" {
+  name      = "example-virtual-host"
+  namespace = "staging"
+  labels = {
+    environment = "production"
+    managed_by  = "terraform"
+  }
+  annotations = {
+    "owner" = "platform-team"
+  }
+  # Resource-specific configuration
+  # Advertise Policies. Advertise Policy allows you to define...
+  advertise_policies {
+    # Configure advertise_policies settings
+  }
+  # [OneOf: authentication, no_authentication; Default: no_au...
+  authentication {
+    # Configure authentication settings
+  }
+  # Reference to Authentication Object. Reference to Authenti...
+  auth_config {
+    # Configure auth_config settings
+  }
+}
+```
+<!-- schema generated by tfplugindocs -->
+## Argument Reference
+### Metadata Argument Reference
+<a id="name"></a>&#x2022; [`name`](#name) - Required String<br>Name of the Virtual Host. Must be unique within the namespace
+<a id="namespace"></a>&#x2022; [`namespace`](#namespace) - Required String<br>Namespace where the Virtual Host will be created
+<a id="annotations"></a>&#x2022; [`annotations`](#annotations) - Optional Map<br>Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
+<a id="description"></a>&#x2022; [`description`](#description) - Optional String<br>Human readable description for the object
+<a id="disable"></a>&#x2022; [`disable`](#disable) - Optional Bool<br>A value of true will administratively disable the object
+<a id="labels"></a>&#x2022; [`labels`](#labels) - Optional Map<br>Labels is a user defined key value map that can be attached to resources for organization and filtering
+### Spec Argument Reference
+<a id="add-location"></a>&#x2022; [`add_location`](#add-location) - Optional Bool<br>Add Location. Appends header x-volterra-location = `<RE-site-name>` in responses. This configuration is ignored on CE sites
+<a id="advertise-policies"></a>&#x2022; [`advertise_policies`](#advertise-policies) - Optional Block<br>Advertise Policies. Advertise Policy allows you to define networks or sites where you want a VIP for this virtual host to be advertised. Each Policy rule can have different parameters, like TLS configuration, ports, optionally IP address to be used for VIP. If advertise policy is not specified then no VIP is assigned for this virtual host<br>See [Advertise Policies](#advertise-policies) below for details.
+-> **One of the following:**
+&#x2022; <a id="append-server-name"></a>[`append_server_name`](#append-server-name) - Optional String<br>Append Server Name if absent. Specifies the value to be used for Server header if it is not already present. If Server Header is already present it is not overwritten. It is just passed
+<br><br>&#x2022; <a id="default-header"></a>[`default_header`](#default-header) - Optional Block<br>Enable this option
+<br><br>&#x2022; <a id="pass-through"></a>[`pass_through`](#pass-through) - Optional Block<br>Enable this option
+-> **One of the following:**
+&#x2022; <a id="authentication"></a>[`authentication`](#authentication) - Optional Block<br>Authentication Details. Authentication related information. This allows to configure the URL to redirect after the authentication Authentication Object Reference, configuration of cookie params etc<br>See [Authentication](#authentication) below for details.
+<a id="buffer-policy"></a>&#x2022; [`buffer_policy`](#buffer-policy) - Optional Block<br>Buffer Configuration. Some upstream applications are not capable of handling streamed data. This config enables buffering the entire request before sending to upstream application. We can specify the maximum buffer size and buffer interval with this config. Buffering can be enabled and disabled at VirtualHost and Route levels Route level buffer configuration takes precedence<br>See [Buffer Policy](#buffer-policy) below for details.
+-> **One of the following:**
+&#x2022; <a id="captcha-challenge"></a>[`captcha_challenge`](#captcha-challenge) - Optional Block<br>Captcha Challenge Parameters. Enables loadbalancer to perform captcha challenge Captcha challenge will be based on Google Recaptcha. With this feature enabled, only clients that pass the captcha challenge will be allowed to complete the HTTP request. When loadbalancer is configured to do Captcha Challenge, it will redirect the browser to an HTML page on every new HTTP request. This HTML page will have captcha challenge embedded in it. Client will be allowed to make the request only if the captcha challenge is successful. Loadbalancer will tag response header with a cookie to avoid Captcha challenge for subsequent requests. CAPTCHA is mainly used as a security check to ensure only human users can pass through. Generally, computers or bots are not capable of solving a captcha. You can enable either Javascript challenge or Captcha challenge on a virtual host<br>See [Captcha Challenge](#captcha-challenge) below for details.
+<br><br>&#x2022; <a id="js-challenge"></a>[`js_challenge`](#js-challenge) - Optional Block<br>Javascript Challenge Parameters. Enables loadbalancer to perform client browser compatibility test by redirecting to a page with Javascript. With this feature enabled, only clients that are capable of executing Javascript(mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do Javascript Challenge, it will redirect the browser to an HTML page on every new HTTP request. This HTML page will have Javascript embedded in it. Loadbalancer chooses a set of random numbers for every new client and sends these numbers along with an encrypted answer with the request such that it embed these numbers as input in the Javascript. Javascript will run on the requestor browser and perform a complex Math operation. Script will submit the answer to loadbalancer. Loadbalancer will validate the answer by comparing the calculated answer with the decrypted answer (which was encrypted when it was sent back as reply) and allow the request to the upstream server only if the answer is correct. Loadbalancer will tag response header with a cookie to avoid Javascript challenge for subsequent requests. Javascript challenge serves following purposes \* Validate that the request is coming via a browser that is capable for running Javascript \* Force the browser to run a complex operation, f(X), that requires it to spend a large number of CPU cycles. This is to slow down a potential DOS attacker by making it difficult to launch a large request flood without having to spend even larger CPU cost at their end. You can enable either Javascript challenge or Captcha challenge on a virtual host<br>See [Js Challenge](#js-challenge) below for details.
+<a id="coalescing-options"></a>&#x2022; [`coalescing_options`](#coalescing-options) - Optional Block<br>TLS Coalescing Options. TLS connection coalescing configuration (not compatible with mTLS)<br>See [Coalescing Options](#coalescing-options) below for details.
+<a id="compression-params"></a>&#x2022; [`compression_params`](#compression-params) - Optional Block<br>Compression Parameters. Enables loadbalancer to compress dispatched data from an upstream service upon client request. The content is compressed and then sent to the client with the appropriate headers if either response and request allow. Only GZIP compression is supported. By default compression will be skipped when: A request does NOT contain accept-encoding header. A request includes accept-encoding header, but it does not contain “gzip” or “*”. A request includes accept-encoding with “gzip” or “*” with the weight “q=0”. Note that the “gzip” will have a higher weight then “*”. For example, if accept-encoding is “gzip;q=0,*;q=1”, the filter will not compress. But if the header is set to “*;q=0,gzip;q=1”, the filter will compress. A request whose accept-encoding header includes “identity”. A response contains a content-encoding header. A response contains a cache-control header whose value includes “no-transform”. A response contains a transfer-encoding header whose value includes “gzip”. A response does not contain a content-type value that matches one of the selected mime-types, which default to application/javascript, application/JSON, application/xhtml+XML, image/svg+XML, text/CSS, text/HTML, text/plain, text/XML. Neither content-length nor transfer-encoding headers are present in the response. Response size is smaller than 30 bytes (only applicable when transfer-encoding is not chunked). When compression is applied: The content-length is removed from response headers. Response headers contain “transfer-encoding: chunked” and do not contain “content-encoding” header. The “vary: accept-encoding” header is inserted on every response. GZIP Compression Level: A value which is optimal balance between speed of compression and amount of compression is chosen<br>See [Compression Params](#compression-params) below for details.
+<a id="connection-idle-timeout"></a>&#x2022; [`connection_idle_timeout`](#connection-idle-timeout) - Optional Number  Defaults to `2`  Specified in milliseconds<br>Connection Idle Timeout. The idle timeout for downstream connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive.  The minutes
+<a id="cors-policy"></a>&#x2022; [`cors_policy`](#cors-policy) - Optional Block<br>CORS Policy. Cross-Origin Resource Sharing requests configuration specified at Virtual-host or Route level. Route level configuration takes precedence. An example of an Cross origin HTTP request GET /resources/public-data/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre Accept: text/HTML,application/xhtml+XML,application/XML;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: keep-alive Referrer: `HTTP://foo.example/examples/access-control/simpleXSInvocation.HTML` Origin: `HTTP://foo.example` HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 00:23:53 GMT Server: Apache/2.0.61 Access-Control-Allow-Origin: \* Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: application/XML An example for cross origin HTTP OPTIONS request with Access-Control-Request-* header OPTIONS /resources/post-here/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre Accept: text/HTML,application/xhtml+XML,application/XML;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: keep-alive Origin: `HTTP://foo.example` Access-Control-Request-Method: POST Access-Control-Request-Headers: X-PINGOTHER, Content-Type HTTP/1.1 204 No Content Date: Mon, 01 Dec 2008 01:15:39 GMT Server: Apache/2.0.61 (Unix) Access-Control-Allow-Origin: `HTTP://foo.example` Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-PINGOTHER, Content-Type Access-Control-Max-Age: 86400 Vary: Accept-Encoding, Origin Keep-Alive: timeout=2, max=100 Connection: Keep-Alive<br>See [CORS Policy](#cors-policy) below for details.
+<a id="csrf-policy"></a>&#x2022; [`csrf_policy`](#csrf-policy) - Optional Block<br>CSRF Policy. To mitigate CSRF attack , the policy checks where a request is coming from to determine if the request's origin is the same as its detination.The policy relies on two pieces of information used in determining if a request originated from the same host. 1. The origin that caused the user agent to issue the request (source origin). 2. The origin that the request is going to (target origin). When the policy evaluating a request, it ensures both pieces of information are present and compare their values. If the source origin is missing or origins do not match the request is rejected. The exception to this being if the source-origin has been added to they policy as valid. Because CSRF attacks specifically target state-changing requests, the policy only acts on the HTTP requests that have state-changing method (PUT,POST, etc.)<br>See [CSRF Policy](#csrf-policy) below for details.
+<a id="custom-errors"></a>&#x2022; [`custom_errors`](#custom-errors) - Optional Block<br>Custom Error Responses. Map of integer error codes as keys and string values that can be used to provide custom HTTP pages for each error code. Key of the map can be either response code class or HTTP Error code. Response code classes for key is configured as follows 3 -- for 3xx response code class 4 -- for 4xx response code class 5 -- for 5xx response code class Value is the uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. 'Access Denied' or it can be HTML paragraph or a body string encoded as base64 string E.g. '`<p>` Access Denied `</p>`'. Base64 encoded string for this HTML is 'PHA+IEFjY2VzcyBEZW5pZWQgPC9wPg==' Specific response code takes preference when both response code and response code class matches for a request. The configured custom errors are only applicable for loadbalancer generated errors. Errors returned from upstream server is propagated as is. F5XC provides default error pages for the errors generated by the loadbalancer. Content of these pages are not editable. User has an option to disable the use of default F5XC error pages
+-> **One of the following:**
+&#x2022; <a id="default-loadbalancer"></a>[`default_loadbalancer`](#default-loadbalancer) - Optional Block<br>Enable this option
+<a id="disable-default-error-pages"></a>&#x2022; [`disable_default_error_pages`](#disable-default-error-pages) - Optional Bool<br>Disable default error pages. An option to specify whether to disable using default F5XC error pages
+<a id="disable-dns-resolve"></a>&#x2022; [`disable_dns_resolve`](#disable-dns-resolve) - Optional Bool<br>Disable DNS resolution. Disable DNS resolution for domains specified in the virtual host When the virtual host is configured as Dynamive Resolve Proxy (DRP), disable DNS resolution for domains configured. This configuration is suitable for HTTP CONNECT proxy
+-> **One of the following:**
+&#x2022; <a id="disable-path-normalize"></a>[`disable_path_normalize`](#disable-path-normalize) - Optional Block<br>Enable this option
+<a id="domains"></a>&#x2022; [`domains`](#domains) - Optional List<br>Domains. A list of Domains (host/authority header) that will be matched to this Virtual Host. Wildcard hosts are supported in the suffix or prefix form Supported Domains and search order: 1. Exact Domain names: `www.foo.com.` 2. Domains starting with a Wildcard: \*.foo.com. Not supported Domains: - Just a Wildcard: \* - A Wildcard and TLD with no root Domain: \*.com. - A Wildcard not matching a whole DNS label. e.g. \*.foo.com and \*.bar.foo.com are valid Wildcards however \*bar.foo.com, \*-bar.foo.com, and bar*.foo.com are all invalid. Additional notes: A Wildcard will not match empty string. e.g. \*.foo.com will match bar.foo.com and baz-bar.foo.com but not .foo.com. The longest Wildcards match first. Only a single virtual host in the entire route configuration can match on \*. Also a Domain must be unique across all virtual hosts within an advertise policy. Domains are also used for SNI matching if the virtual host proxy type is TCP_PROXY_WITH_SNI/HTTPS_PROXY Domains also indicate the list of names for which DNS resolution will be automatically resolved to IP addresses by the system
+<a id="dynamic-reverse-proxy"></a>&#x2022; [`dynamic_reverse_proxy`](#dynamic-reverse-proxy) - Optional Block<br>Dynamic Reverse Proxy Type. In this mode of proxy, virtual host will resolve the destination endpoint dynamically. The dynamic resolution is done using a predefined field in the request. This predefined field depends on the ProxyType configured on the Virtual Host. For HTTP traffic, i.e. with ProxyType as HTTP_PROXY or HTTPS_PROXY, virtual host will use the 'HOST' HTTP header from the request and perform DNS resolution to select destination endpoint. For TCP traffic with SNI, (If the ProxyType is TCP_PROXY_WITH_SNI), virtual host will perform DNS resolution using the SNI. The DNS resolution is performed in the virtual network specified in outside_network_type or outside_network In both modes of operation(either using Host header or SNI), the DNS resolution could return multiple addresses. First IPv4 address from such returned list is used as endpoint for the request. The DNS response is cached for 60s by default<br>See [Dynamic Reverse Proxy](#dynamic-reverse-proxy) below for details.
+<a id="enable-path-normalize"></a>&#x2022; [`enable_path_normalize`](#enable-path-normalize) - Optional Block<br>Enable this option
+<a id="http-protocol-options"></a>&#x2022; [`http_protocol_options`](#http-protocol-options) - Optional Block<br>HTTP Protocol Configuration Options. HTTP protocol configuration options for downstream connections<br>See [HTTP Protocol Options](#http-protocol-options) below for details.
+<a id="idle-timeout"></a>&#x2022; [`idle_timeout`](#idle-timeout) - Optional Number<br>Idle timeout (in milliseconds). Idle timeout is the amount of time that the loadbalancer will allow a stream to exist with no upstream or downstream activity. Idle timeout and Proxy Type: HTTP_PROXY, HTTPS_PROXY: Idle timer is started when the first byte is received on the connection. Each time an encode/decode event for headers or data is processed for the stream, the timer will be reset. If the timeout fires, the stream is terminated with a 504 (Gateway Timeout) error code if no upstream response header has been received, otherwise a stream reset occurs. The default idle timeout is 30 seconds TCP PROXY, TCP_PROXY_WITH_SNI, SMA_PROXY: The idle timeout is defined as the period in which there are no bytes sent or received on either the upstream or downstream connection. The default idle timeout is 1 hour. UDP PROXY: The idle timeout for sessions. Idle timeout is defined as the period in which there are no datagrams sent or received on the session. The default if not specified is 1 minute
+<a id="max-request-header-size"></a>&#x2022; [`max_request_header_size`](#max-request-header-size) - Optional Number<br>Maximum Request Header Size (KiB). The maximum request header size in KiB for incoming connections. If un-configured, the default max request headers allowed is 60 KiB. Requests that exceed this limit will receive a 431 response. The max configurable limit is 96 KiB, based on current implementation constraints. Note: a. This configuration parameter is applicable only for HTTP_PROXY and HTTPS_PROXY b. When multiple HTTP_PROXY virtual hosts share the same advertise policy, the effective 'maximum request header size' for such virtual hosts is the highest value configured on any of the virtual hosts
+<a id="no-authentication"></a>&#x2022; [`no_authentication`](#no-authentication) - Optional Block<br>Enable this option
+<a id="no-challenge"></a>&#x2022; [`no_challenge`](#no-challenge) - Optional Block<br>Enable this option
+<a id="non-default-loadbalancer"></a>&#x2022; [`non_default_loadbalancer`](#non-default-loadbalancer) - Optional Block<br>Enable this option
+<a id="proxy"></a>&#x2022; [`proxy`](#proxy) - Optional String  Defaults to `HTTP_PROXY`<br>Possible values are `UDP_PROXY`, `SMA_PROXY`, `DNS_PROXY`, `ZTNA_PROXY`, `UZTNA_PROXY`<br>[Enum: UDP_PROXY|SMA_PROXY|DNS_PROXY|ZTNA_PROXY|UZTNA_PROXY] Type of Proxy. ProxyType tells the type of proxy to install for the virtual host. Only the following combination of VirtualHosts within same AdvertisePolicy is permitted (None of them should have '*' in domains when used with other VirtualHosts in same AdvertisePolicy) 1. Multiple TCP_PROXY_WITH_SNI and multiple HTTPS_PROXY 2. Multiple HTTP_PROXY 3. Multiple HTTPS_PROXY 4. Multiple TCP_PROXY_WITH_SNI HTTPS_PROXY without TLS parameters is not permitted HTTP_PROXY/HTTPS_PROXY/TCP_PROXY_WITH_SNI/SMA_PROXY with empty domains is not permitted TCP_PROXY_WITH_SNI/SMA_PROXY should not have '*' in domains - HTTP_PROXY: HTTP_PROXY Install HTTP proxy. HTTP Proxy is the default proxy installed. - TCP_PROXY: TCP_PROXY Install TCP proxy - TCP_PROXY_WITH_SNI: TCP_PROXY_WITH_SNI Install TCP proxy with SNI Routing - TLS_TCP_PROXY: TCP_PROXY Install TCP proxy - TLS_TCP_PROXY_WITH_SNI: TCP_PROXY_WITH_SNI Install TCP proxy with SNI Routing - HTTPS_PROXY: HTTPS_PROXY Install HTTPS proxy - UDP_PROXY: UDP_PROXY Install UDP proxy - SMA_PROXY: SMA_PROXY Install Secret Management Access proxy - DNS_PROXY: DNS_PROXY Install DNS proxy - ZTNA_PROXY: ZTNA_PROXY Install ZTNA proxy.This is going to be deprecated with UZTNA_PROXY. - UZTNA_PROXY: UZTNA_PROXY Install UZTNA proxy
+<a id="rate-limiter-allowed-prefixes"></a>&#x2022; [`rate_limiter_allowed_prefixes`](#rate-limiter-allowed-prefixes) - Optional Block<br>Rate Limiter Allowed Prefixes. References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting<br>See [Rate Limiter Allowed Prefixes](#rate-limiter-allowed-prefixes) below for details.
+<a id="request-cookies-to-add"></a>&#x2022; [`request_cookies_to_add`](#request-cookies-to-add) - Optional Block<br>Add Cookies in Cookie Header. Cookies are key-value pairs to be added to HTTP request being routed towards upstream. Cookies specified at this level are applied after cookies from matched Route are applied<br>See [Request Cookies To Add](#request-cookies-to-add) below for details.
+<a id="request-cookies-to-remove"></a>&#x2022; [`request_cookies_to_remove`](#request-cookies-to-remove) - Optional List<br>Remove Cookies from Cookie Header. List of keys of Cookies to be removed from the HTTP request being sent towards upstream
+<a id="request-headers-to-add"></a>&#x2022; [`request_headers_to_add`](#request-headers-to-add) - Optional Block<br>Add Request Headers. Headers are key-value pairs to be added to HTTP request being routed towards upstream. Headers specified at this level are applied after headers from matched Route are applied<br>See [Request Headers To Add](#request-headers-to-add) below for details.
+<a id="request-headers-to-remove"></a>&#x2022; [`request_headers_to_remove`](#request-headers-to-remove) - Optional List<br>Remove Request Headers. List of keys of Headers to be removed from the HTTP request being sent towards upstream
+<a id="response-cookies-to-add"></a>&#x2022; [`response_cookies_to_add`](#response-cookies-to-add) - Optional Block<br>Add Set-Cookie Headers. Cookies are name-value pairs along with optional attribute parameters to be added to HTTP response being sent towards downstream. Cookies specified at this level are applied after cookies from matched Route are applied<br>See [Response Cookies To Add](#response-cookies-to-add) below for details.
+<a id="response-cookies-to-remove"></a>&#x2022; [`response_cookies_to_remove`](#response-cookies-to-remove) - Optional List<br>Remove Cookies from Set-Cookie Headers. List of name of Cookies to be removed from the HTTP response being sent towards downstream. Entire set-cookie header will be removed
+<a id="response-headers-to-add"></a>&#x2022; [`response_headers_to_add`](#response-headers-to-add) - Optional Block<br>Add Response Headers. Headers are key-value pairs to be added to HTTP response being sent towards downstream. Headers specified at this level are applied after headers from matched Route are applied
+<a id="response-headers-to-remove"></a>&#x2022; [`response_headers_to_remove`](#response-headers-to-remove) - Optional List<br>Remove Response Headers. List of keys of Headers to be removed from the HTTP response being sent towards downstream
+<a id="retry-policy"></a>&#x2022; [`retry_policy`](#retry-policy) - Optional Block<br>Retry Policy. Retry policy configuration for route destination
+<a id="routes"></a>&#x2022; [`routes`](#routes) - Optional Block<br>Routes. The list of routes that will be matched, in order, for incoming requests. The first route that matches will be used. Currently route object is redundant in case of TCP proxy but required. For TCP_PROXY/TCP_PROXY_WITH_SNI/SMA_PROXY VirtualHosts, the route object only specifies the cluster/weighted-cluster as route destination without any match condition. In other words, match condition in route object is ignored for TCP_PROXY/TCP_PROXY_WITH_SNI/SMA_PROXY VirtualHosts. Routes used for TCP_PROXY/TCP_PROXY_WITH_SNI/SMA_PROXY VirtualHosts cannot have DirectResponse or Redirect as actions
+<a id="sensitive-data-policy"></a>&#x2022; [`sensitive_data_policy`](#sensitive-data-policy) - Optional Block<br>Sensitive Data Discovery. References to sensitive_data_policy objects
+<a id="server-name"></a>&#x2022; [`server_name`](#server-name) - Optional String<br>Server Name. Specifies the value to be used for Server header inserted in responses. This will overwrite existing values if any for Server Header
+<a id="slow-ddos-mitigation"></a>&#x2022; [`slow_ddos_mitigation`](#slow-ddos-mitigation) - Optional Block<br>Slow DDOS Mitigation. 'Slow and low' attacks tie up server resources, leaving none available for servicing requests from actual users
+<a id="timeouts"></a>&#x2022; [`timeouts`](#timeouts) - Optional Block
+-> **One of the following:**
+&#x2022; <a id="tls-cert-params"></a>[`tls_cert_params`](#tls-cert-params) - Optional Block<br>Certificate Parameters. Certificate Parameters for authentication, TLS ciphers, and trust store
+<br><br>&#x2022; <a id="tls-parameters"></a>[`tls_parameters`](#tls-parameters) - Optional Block<br>Downstream TLS Parameters. TLS configuration for downstream connections
+<a id="user-identification"></a>&#x2022; [`user_identification`](#user-identification) - Optional Block<br>User Identification Policy. A reference to user_identification object. The rules in the user_identification object are evaluated to determine the user identifier to be rate limited
+<a id="waf-type"></a>&#x2022; [`waf_type`](#waf-type) - Optional Block<br>WAF Instance. WAF instance will be pointing to an app_firewall object
+### Attributes Reference
+In addition to all arguments above, the following attributes are exported:
+<a id="id"></a>&#x2022; [`id`](#id) - Optional String<br>Unique identifier for the resource
+---
+#### Advertise Policies
+An [`advertise_policies`](#advertise-policies) block supports the following:
+<a id="advertise-policies-kind"></a>&#x2022; [`kind`](#advertise-policies-kind) - Optional String<br>Kind. When a configuration object(e.g. virtual_host) refers to another(e.g route) then kind will hold the referred object's kind (e.g. 'route')
+<a id="advertise-policies-name"></a>&#x2022; [`name`](#advertise-policies-name) - Optional String<br>Name. When a configuration object(e.g. virtual_host) refers to another(e.g route) then name will hold the referred object's(e.g. route's) name
+<a id="advertise-policies-namespace"></a>&#x2022; [`namespace`](#advertise-policies-namespace) - Optional String<br>Namespace. When a configuration object(e.g. virtual_host) refers to another(e.g route) then namespace will hold the referred object's(e.g. route's) namespace
+<a id="advertise-policies-tenant"></a>&#x2022; [`tenant`](#advertise-policies-tenant) - Optional String<br>Tenant. When a configuration object(e.g. virtual_host) refers to another(e.g route) then tenant will hold the referred object's(e.g. route's) tenant
+<a id="advertise-policies-uid"></a>&#x2022; [`uid`](#advertise-policies-uid) - Optional String<br>UID. When a configuration object(e.g. virtual_host) refers to another(e.g route) then uid will hold the referred object's(e.g. route's) uid
+#### Authentication
+An [`authentication`](#authentication) block supports the following:
+<a id="authentication-auth-config"></a>&#x2022; [`auth_config`](#authentication-auth-config) - Optional Block<br>Reference to Authentication Object. Reference to Authentication Config Object<br>See [Auth Config](#authentication-auth-config) below.
+<a id="authentication-cookie-params"></a>&#x2022; [`cookie_params`](#authentication-cookie-params) - Optional Block<br>Cookie Parameters. Specifies different cookie related config parameters for authentication<br>See [Cookie Params](#authentication-cookie-params) below.
+<a id="authentication-redirect-dynamic"></a>&#x2022; [`redirect_dynamic`](#authentication-redirect-dynamic) - Optional Block<br>Enable this option
+<a id="authentication-redirect-url"></a>&#x2022; [`redirect_url`](#authentication-redirect-url) - Optional String<br>Configure Redirect URL. user can provide a URL for e.g `HTTPS://abc.xyz.com` where user gets redirected. This URL configured here must match with the redirect URL configured with the OIDC provider
+<a id="authentication-use-auth-object-config"></a>&#x2022; [`use_auth_object_config`](#authentication-use-auth-object-config) - Optional Block<br>Enable this option
+#### Authentication Auth Config
+An [`auth_config`](#authentication-auth-config) block (within [`authentication`](#authentication)) supports the following:
+<a id="authentication-auth-config-kind"></a>&#x2022; [`kind`](#authentication-auth-config-kind) - Optional String<br>Kind. When a configuration object(e.g. virtual_host) refers to another(e.g route) then kind will hold the referred object's kind (e.g. 'route')
+<a id="authentication-auth-config-name"></a>&#x2022; [`name`](#authentication-auth-config-name) - Optional String<br>Name. When a configuration object(e.g. virtual_host) refers to another(e.g route) then name will hold the referred object's(e.g. route's) name
+<a id="authentication-auth-config-namespace"></a>&#x2022; [`namespace`](#authentication-auth-config-namespace) - Optional String<br>Namespace. When a configuration object(e.g. virtual_host) refers to another(e.g route) then namespace will hold the referred object's(e.g. route's) namespace
+<a id="authentication-auth-config-tenant"></a>&#x2022; [`tenant`](#authentication-auth-config-tenant) - Optional String<br>Tenant. When a configuration object(e.g. virtual_host) refers to another(e.g route) then tenant will hold the referred object's(e.g. route's) tenant
+<a id="authentication-auth-config-uid"></a>&#x2022; [`uid`](#authentication-auth-config-uid) - Optional String<br>UID. When a configuration object(e.g. virtual_host) refers to another(e.g route) then uid will hold the referred object's(e.g. route's) uid
+#### Authentication Cookie Params
+A [`cookie_params`](#authentication-cookie-params) block (within [`authentication`](#authentication)) supports the following:
+<a id="authentication-cookie-params-auth-hmac"></a>&#x2022; [`auth_hmac`](#authentication-cookie-params-auth-hmac) - Optional Block<br>HMAC Key Pair. HMAC primary and secondary keys to be used for hashing the Cookie. Each key also have an associated expiry timestamp, beyond which key is invalid<br>See [Auth HMAC](#authentication-cookie-params-auth-hmac) below.
+<a id="authentication-cookie-params-cookie-expiry"></a>&#x2022; [`cookie_expiry`](#authentication-cookie-params-cookie-expiry) - Optional Number<br>Cookie Expiry duration. specifies in seconds max duration of the allocated cookie. This maps to “Max-Age” attribute in the session cookie. This will act as an expiry duration on the client side after which client will not be setting the cookie as part of the request. Default cookie expiry is 3600 seconds
+<a id="authentication-cookie-params-cookie-refresh-interval"></a>&#x2022; [`cookie_refresh_interval`](#authentication-cookie-params-cookie-refresh-interval) - Optional Number<br>Cookie Refresh Interval. Specifies in seconds refresh interval for session cookie. This is used to keep the active user active and reduce RE-login. When an incoming cookie's session expiry is still valid, and time to expire falls behind this interval, RE-issue a cookie with new expiry and with the same original session expiry. Default refresh interval is 3000 seconds
+<a id="authentication-cookie-params-kms-key-hmac"></a>&#x2022; [`kms_key_hmac`](#authentication-cookie-params-kms-key-hmac) - Optional Block<br>KMS Key Reference. Reference to KMS Key Object
+<a id="authentication-cookie-params-session-expiry"></a>&#x2022; [`session_expiry`](#authentication-cookie-params-session-expiry) - Optional Number<br>Session Expiry duration. specifies in seconds max lifetime of an authenticated session after which the user will be forced to login again. Default session expiry is 86400 seconds(24 hours)
+#### Authentication Cookie Params Auth HMAC
+An [`auth_hmac`](#authentication-cookie-params-auth-hmac) block (within [`authentication.cookie_params`](#authentication-cookie-params)) supports the following:
+<a id="authentication-cookie-params-auth-hmac-prim-key"></a>&#x2022; [`prim_key`](#authentication-cookie-params-auth-hmac-prim-key) - Optional Block<br>Secret. SecretType is used in an object to indicate a sensitive/confidential field<br>See [Prim Key](#authentication-cookie-params-auth-hmac-prim-key) below.
+<a id="authentication-cookie-params-auth-hmac-prim-key-expiry"></a>&#x2022; [`prim_key_expiry`](#authentication-cookie-params-auth-hmac-prim-key-expiry) - Optional String<br>HMAC Primary Key Expiry. Primary HMAC Key Expiry time
+<a id="authentication-cookie-params-auth-hmac-sec-key"></a>&#x2022; [`sec_key`](#authentication-cookie-params-auth-hmac-sec-key) - Optional Block<br>Secret. SecretType is used in an object to indicate a sensitive/confidential field<br>See [Sec Key](#authentication-cookie-params-auth-hmac-sec-key) below.
+<a id="authentication-cookie-params-auth-hmac-sec-key-expiry"></a>&#x2022; [`sec_key_expiry`](#authentication-cookie-params-auth-hmac-sec-key-expiry) - Optional String<br>HMAC Secondary Key Expiry. Secondary HMAC Key Expiry time
+#### Authentication Cookie Params Auth HMAC Prim Key
+A [`prim_key`](#authentication-cookie-params-auth-hmac-prim-key) block (within [`authentication.cookie_params.auth_hmac`](#authentication-cookie-params-auth-hmac)) supports the following:
+<a id="authentication-cookie-params-auth-hmac-prim-key-blindfold-secret-info"></a>&#x2022; [`blindfold_secret_info`](#authentication-cookie-params-auth-hmac-prim-key-blindfold-secret-info) - Optional Block<br>Blindfold Secret. BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management<br>See [Blindfold Secret Info](#authentication-cookie-params-auth-hmac-prim-key-blindfold-secret-info) below.
+<a id="authentication-cookie-params-auth-hmac-prim-key-clear-secret-info"></a>&#x2022; [`clear_secret_info`](#authentication-cookie-params-auth-hmac-prim-key-clear-secret-info) - Optional Block<br>In-Clear Secret. ClearSecretInfoType specifies information about the Secret that is not encrypted<br>See [Clear Secret Info](#authentication-cookie-params-auth-hmac-prim-key-clear-secret-info) below.
+#### Authentication Cookie Params Auth HMAC Prim Key Blindfold Secret Info
+A [`blindfold_secret_info`](#authentication-cookie-params-auth-hmac-prim-key-blindfold-secret-info) block (within [`authentication.cookie_params.auth_hmac.prim_key`](#authentication-cookie-params-auth-hmac-prim-key)) supports the following:
+<a id="authentication-cookie-params-auth-hmac-prim-key-blindfold-secret-info-decryption-provider"></a>&#x2022; [`decryption_provider`](#authentication-cookie-params-auth-hmac-prim-key-blindfold-secret-info-decryption-provider) - Optional String<br>Decryption Provider. Name of the Secret Management Access object that contains information about the backend Secret Management service
+<a id="authentication-cookie-params-auth-hmac-prim-key-blindfold-secret-info-location"></a>&#x2022; [`location`](#authentication-cookie-params-auth-hmac-prim-key-blindfold-secret-info-location) - Optional String<br>Location. Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location
+<a id="authentication-cookie-params-auth-hmac-prim-key-blindfold-secret-info-store-provider"></a>&#x2022; [`store_provider`](#authentication-cookie-params-auth-hmac-prim-key-blindfold-secret-info-store-provider) - Optional String<br>Store Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+#### Authentication Cookie Params Auth HMAC Prim Key Clear Secret Info
+A [`clear_secret_info`](#authentication-cookie-params-auth-hmac-prim-key-clear-secret-info) block (within [`authentication.cookie_params.auth_hmac.prim_key`](#authentication-cookie-params-auth-hmac-prim-key)) supports the following:
+<a id="authentication-cookie-params-auth-hmac-prim-key-clear-secret-info-provider-ref"></a>&#x2022; [`provider_ref`](#authentication-cookie-params-auth-hmac-prim-key-clear-secret-info-provider-ref) - Optional String<br>Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+<a id="authentication-cookie-params-auth-hmac-prim-key-clear-secret-info-url"></a>&#x2022; [`url`](#authentication-cookie-params-auth-hmac-prim-key-clear-secret-info-url) - Optional String<br>URL. URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will get Secret bytes after Base64 decoding
+#### Authentication Cookie Params Auth HMAC Sec Key
+A [`sec_key`](#authentication-cookie-params-auth-hmac-sec-key) block (within [`authentication.cookie_params.auth_hmac`](#authentication-cookie-params-auth-hmac)) supports the following:
+<a id="authentication-cookie-params-auth-hmac-sec-key-blindfold-secret-info"></a>&#x2022; [`blindfold_secret_info`](#authentication-cookie-params-auth-hmac-sec-key-blindfold-secret-info) - Optional Block<br>Blindfold Secret. BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management<br>See [Blindfold Secret Info](#authentication-cookie-params-auth-hmac-sec-key-blindfold-secret-info) below.
+<a id="authentication-cookie-params-auth-hmac-sec-key-clear-secret-info"></a>&#x2022; [`clear_secret_info`](#authentication-cookie-params-auth-hmac-sec-key-clear-secret-info) - Optional Block<br>In-Clear Secret. ClearSecretInfoType specifies information about the Secret that is not encrypted<br>See [Clear Secret Info](#authentication-cookie-params-auth-hmac-sec-key-clear-secret-info) below.
+#### Authentication Cookie Params Auth HMAC Sec Key Blindfold Secret Info
+A [`blindfold_secret_info`](#authentication-cookie-params-auth-hmac-sec-key-blindfold-secret-info) block (within [`authentication.cookie_params.auth_hmac.sec_key`](#authentication-cookie-params-auth-hmac-sec-key)) supports the following:
+<a id="authentication-cookie-params-auth-hmac-sec-key-blindfold-secret-info-decryption-provider"></a>&#x2022; [`decryption_provider`](#authentication-cookie-params-auth-hmac-sec-key-blindfold-secret-info-decryption-provider) - Optional String<br>Decryption Provider. Name of the Secret Management Access object that contains information about the backend Secret Management service
+<a id="authentication-cookie-params-auth-hmac-sec-key-blindfold-secret-info-location"></a>&#x2022; [`location`](#authentication-cookie-params-auth-hmac-sec-key-blindfold-secret-info-location) - Optional String<br>Location. Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location
+<a id="authentication-cookie-params-auth-hmac-sec-key-blindfold-secret-info-store-provider"></a>&#x2022; [`store_provider`](#authentication-cookie-params-auth-hmac-sec-key-blindfold-secret-info-store-provider) - Optional String<br>Store Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+#### Authentication Cookie Params Auth HMAC Sec Key Clear Secret Info
+A [`clear_secret_info`](#authentication-cookie-params-auth-hmac-sec-key-clear-secret-info) block (within [`authentication.cookie_params.auth_hmac.sec_key`](#authentication-cookie-params-auth-hmac-sec-key)) supports the following:
+<a id="authentication-cookie-params-auth-hmac-sec-key-clear-secret-info-provider-ref"></a>&#x2022; [`provider_ref`](#authentication-cookie-params-auth-hmac-sec-key-clear-secret-info-provider-ref) - Optional String<br>Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+<a id="authentication-cookie-params-auth-hmac-sec-key-clear-secret-info-url"></a>&#x2022; [`url`](#authentication-cookie-params-auth-hmac-sec-key-clear-secret-info-url) - Optional String<br>URL. URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will get Secret bytes after Base64 decoding
+#### Buffer Policy
+A [`buffer_policy`](#buffer-policy) block supports the following:
+<a id="buffer-policy-disabled"></a>&#x2022; [`disabled`](#buffer-policy-disabled) - Optional Bool<br>Disable. Disable buffering for a particular route. This is useful when virtual-host has buffering, but we need to disable it on a specific route. The value of this field is ignored for virtual-host
+<a id="buffer-policy-max-request-bytes"></a>&#x2022; [`max_request_bytes`](#buffer-policy-max-request-bytes) - Optional Number<br>Max Request Bytes. The maximum request size that the filter will buffer before the connection manager will stop buffering and return a RequestEntityTooLarge (413) response
+#### Captcha Challenge
+A [`captcha_challenge`](#captcha-challenge) block supports the following:
+<a id="captcha-challenge-cookie-expiry"></a>&#x2022; [`cookie_expiry`](#captcha-challenge-cookie-expiry) - Optional Number<br>Cookie Expiration Period. Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
+<a id="captcha-challenge-custom-page"></a>&#x2022; [`custom_page`](#captcha-challenge-custom-page) - Optional String<br>Custom message for Captcha Challenge. Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. 'Please Wait.' or it can be HTML paragraph or a body string encoded as base64 string E.g. '`<p>` Please Wait `</p>`'. Base64 encoded string for this HTML is 'PHA+IFBsZWFzZSBXYWl0IDwvcD4='
+#### Coalescing Options
+A [`coalescing_options`](#coalescing-options) block supports the following:
+<a id="coalescing-options-default-coalescing"></a>&#x2022; [`default_coalescing`](#coalescing-options-default-coalescing) - Optional Block<br>Enable this option
+<a id="coalescing-options-strict-coalescing"></a>&#x2022; [`strict_coalescing`](#coalescing-options-strict-coalescing) - Optional Block<br>Enable this option
+#### Compression Params
+A [`compression_params`](#compression-params) block supports the following:
+<a id="compression-params-content-length"></a>&#x2022; [`content_length`](#compression-params-content-length) - Optional Number  Defaults to `30`<br>Content Length. Minimum response length, in bytes, which will trigger compression. The
+<a id="compression-params-content-type"></a>&#x2022; [`content_type`](#compression-params-content-type) - Optional List<br>Content Type. Set of strings that allows specifying which mime-types yield compression When this field is not defined, compression will be applied to the following mime-types: 'application/javascript' 'application/JSON', 'application/xhtml+XML' 'image/svg+XML' 'text/CSS' 'text/HTML' 'text/plain' 'text/XML'
+<a id="compression-params-disable-on-etag-header"></a>&#x2022; [`disable_on_etag_header`](#compression-params-disable-on-etag-header) - Optional Bool<br>Disable On Etag Header. If true, disables compression when the response contains an etag header. When it is false, weak etags will be preserved and the ones that require strong validation will be removed
+<a id="compression-params-remove-accept-encoding-header"></a>&#x2022; [`remove_accept_encoding_header`](#compression-params-remove-accept-encoding-header) - Optional Bool<br>Remove Accept-Encoding Header. If true, removes accept-encoding from the request headers before dispatching it to the upstream so that responses do not get compressed before reaching the filter
+#### CORS Policy
+A [`cors_policy`](#cors-policy) block supports the following:
+<a id="cors-policy-allow-credentials"></a>&#x2022; [`allow_credentials`](#cors-policy-allow-credentials) - Optional Bool<br>Allow Credentials. Specifies whether the resource allows credentials
+<a id="cors-policy-allow-headers"></a>&#x2022; [`allow_headers`](#cors-policy-allow-headers) - Optional String<br>Allow Headers. Specifies the content for the access-control-allow-headers header
+<a id="cors-policy-allow-methods"></a>&#x2022; [`allow_methods`](#cors-policy-allow-methods) - Optional String<br>Allow Methods. Specifies the content for the access-control-allow-methods header
+<a id="cors-policy-allow-origin"></a>&#x2022; [`allow_origin`](#cors-policy-allow-origin) - Optional List<br>Allow Origin. Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match
+<a id="cors-policy-allow-origin-regex"></a>&#x2022; [`allow_origin_regex`](#cors-policy-allow-origin-regex) - Optional List<br>Allow Origin Regex. Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex match
+<a id="cors-policy-disabled"></a>&#x2022; [`disabled`](#cors-policy-disabled) - Optional Bool<br>Disabled. Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host
+<a id="cors-policy-expose-headers"></a>&#x2022; [`expose_headers`](#cors-policy-expose-headers) - Optional String<br>Expose Headers. Specifies the content for the access-control-expose-headers header
+<a id="cors-policy-maximum-age"></a>&#x2022; [`maximum_age`](#cors-policy-maximum-age) - Optional Number<br>Maximum Age. Specifies the content for the access-control-max-age header in seconds. This indicates the maximum number of seconds the results can be cached A value of -1 will disable caching. Maximum permitted value is 86400 seconds (24 hours)
+#### CSRF Policy
+A [`csrf_policy`](#csrf-policy) block supports the following:
+<a id="csrf-policy-all-load-balancer-domains"></a>&#x2022; [`all_load_balancer_domains`](#csrf-policy-all-load-balancer-domains) - Optional Block<br>Enable this option
+<a id="csrf-policy-custom-domain-list"></a>&#x2022; [`custom_domain_list`](#csrf-policy-custom-domain-list) - Optional Block<br>Domain name list. List of domain names used for Host header matching<br>See [Custom Domain List](#csrf-policy-custom-domain-list) below.
+<a id="csrf-policy-disabled"></a>&#x2022; [`disabled`](#csrf-policy-disabled) - Optional Block<br>Enable this option
+#### CSRF Policy Custom Domain List
+A [`custom_domain_list`](#csrf-policy-custom-domain-list) block (within [`csrf_policy`](#csrf-policy)) supports the following:
+<a id="csrf-policy-custom-domain-list-domains"></a>&#x2022; [`domains`](#csrf-policy-custom-domain-list-domains) - Optional List<br>Domain names. A list of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form
+#### Dynamic Reverse Proxy
+A [`dynamic_reverse_proxy`](#dynamic-reverse-proxy) block supports the following:
+<a id="dynamic-reverse-proxy-connection-timeout"></a>&#x2022; [`connection_timeout`](#dynamic-reverse-proxy-connection-timeout) - Optional Number  Defaults to `2000`  Specified in milliseconds<br>Connection Timeout. The timeout for new network connections to upstream server.  The (2 seconds)
+<a id="dynamic-reverse-proxy-resolution-network"></a>&#x2022; [`resolution_network`](#dynamic-reverse-proxy-resolution-network) - Optional Block<br>Resolution Network. Reference to virtual network where the endpoint is resolved. Reference is valid only when the network type is VIRTUAL_NETWORK_PER_SITE or VIRTUAL_NETWORK_GLOBAL. It is ignored for all other network types<br>See [Resolution Network](#dynamic-reverse-proxy-resolution-network) below.
+<a id="dynamic-reverse-proxy-resolution-network-type"></a>&#x2022; [`resolution_network_type`](#dynamic-reverse-proxy-resolution-network-type) - Optional String  Defaults to `VIRTUAL_NETWORK_SITE_LOCAL`<br>Possible values are `VIRTUAL_NETWORK_SITE_LOCAL`, `VIRTUAL_NETWORK_SITE_LOCAL_INSIDE`, `VIRTUAL_NETWORK_PER_SITE`, `VIRTUAL_NETWORK_PUBLIC`, `VIRTUAL_NETWORK_GLOBAL`, `VIRTUAL_NETWORK_SITE_SERVICE`, `VIRTUAL_NETWORK_VER_INTERNAL`, `VIRTUAL_NETWORK_SITE_LOCAL_INSIDE_OUTSIDE`, `VIRTUAL_NETWORK_IP_AUTO`, `VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK`, `VIRTUAL_NETWORK_SRV6_NETWORK`, `VIRTUAL_NETWORK_IP_FABRIC`, `VIRTUAL_NETWORK_SEGMENT`<br>[Enum: VIRTUAL_NETWORK_SITE_LOCAL|VIRTUAL_NETWORK_SITE_LOCAL_INSIDE|VIRTUAL_NETWORK_PER_SITE|VIRTUAL_NETWORK_PUBLIC|VIRTUAL_NETWORK_GLOBAL|VIRTUAL_NETWORK_SITE_SERVICE|VIRTUAL_NETWORK_VER_INTERNAL|VIRTUAL_NETWORK_SITE_LOCAL_INSIDE_OUTSIDE|VIRTUAL_NETWORK_IP_AUTO|VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK|VIRTUAL_NETWORK_SRV6_NETWORK|VIRTUAL_NETWORK_IP_FABRIC|VIRTUAL_NETWORK_SEGMENT] Virtual Network Type. Different types of virtual networks understood by the system Virtual-network of type VIRTUAL_NETWORK_SITE_LOCAL provides connectivity to public (outside) network. This is an insecure network and is connected to public internet via NAT Gateways/firwalls Virtual-network of this type is local to every site. Two virtual networks of this type on different sites are neither related nor connected. Constraints: There can be atmost one virtual network of this type in a given site. This network type is supported on CE sites. This network is created automatically and present on all sites Virtual-network of type VIRTUAL_NETWORK_SITE_LOCAL_INSIDE is a private network inside site. It is a secure network and is not connected to public network. Virtual-network of this type is local to every site. Two virtual networks of this type on different sites are neither related nor connected. Constraints: There can be atmost one virtual network of this type in a given site. This network type is supported on CE sites. This network is created during provisioning of site User defined per-site virtual network. Scope of this virtual network is limited to the site. This is not yet supported Virtual-network of type VIRTUAL_NETWORK_PUBLIC directly conects to the public internet. Virtual-network of this type is local to every site. Two virtual networks of this type on different sites are neither related nor connected. Constraints: There can be atmost one virtual network of this type in a given site. This network type is supported on RE sites only It is an internally created by the system. They must not be created by user Virtual Neworks with global scope across different sites in F5XC domain. An example global virtual-network called 'AIN Network' is created for every tenant. for volterra fabric Constraints: It is currently only supported as internally created by the system. vK8s service network for a given tenant. Used to advertise a virtual host only to vk8s pods for that tenant Constraints: It is an internally created by the system. Must not be created by user VER internal network for the site. It can only be used for virtual hosts with SMA_PROXY type proxy Constraints: It is an internally created by the system. Must not be created by user Virtual-network of type VIRTUAL_NETWORK_SITE_LOCAL_INSIDE_OUTSIDE represents both VIRTUAL_NETWORK_SITE_LOCAL and VIRTUAL_NETWORK_SITE_LOCAL_INSIDE Constraints: This network type is only meaningful in an advertise policy When virtual-network of type VIRTUAL_NETWORK_IP_AUTO is selected for an endpoint, VER will try to determine the network based on the provided IP address Constraints: This network type is only meaningful in an endpoint VoltADN Private Network is used on volterra RE(s) to connect to customer private networks This network is created by opening a support ticket This network is per site srv6 network VER IP Fabric network for the site. This Virtual network type is used for exposing virtual host on IP Fabric network on the VER site or for endpoint in IP Fabric network Constraints: It is an internally created by the system. Must not be created by user Network internally created for a segment Constraints: It is an internally created by the system. Must not be created by user
+<a id="dynamic-reverse-proxy-resolve-endpoint-dynamically"></a>&#x2022; [`resolve_endpoint_dynamically`](#dynamic-reverse-proxy-resolve-endpoint-dynamically) - Optional Bool<br>Dynamic Endpoint Resolution. x-example : true In this mode of proxy, virtual host will resolve the destination endpoint dynamically. The dynamic resolution is done using a predefined field in the request. This predefined field depends on the ProxyType configured on the Virtual Host. For HTTP traffic, i.e. with ProxyType as HTTP_PROXY or HTTPS_PROXY, virtual host will use the 'HOST' HTTP header from the request and perform DNS resolution to select destination endpoint. For TCP traffic with SNI, (If the ProxyType is TCP_PROXY_WITH_SNI), virtual host will perform DNS resolution using the SNI. The DNS resolution is performed in the virtual network specified in outside_network_type or outside_network In both modes of operation(either using Host header or SNI), the DNS resolution could return multiple addresses. First IPv4 address from such returned list is used as endpoint for the request. The DNS response is cached for 60s by default
+#### Dynamic Reverse Proxy Resolution Network
+A [`resolution_network`](#dynamic-reverse-proxy-resolution-network) block (within [`dynamic_reverse_proxy`](#dynamic-reverse-proxy)) supports the following:
+<a id="dynamic-reverse-proxy-resolution-network-kind"></a>&#x2022; [`kind`](#dynamic-reverse-proxy-resolution-network-kind) - Optional String<br>Kind. When a configuration object(e.g. virtual_host) refers to another(e.g route) then kind will hold the referred object's kind (e.g. 'route')
+<a id="dynamic-reverse-proxy-resolution-network-name"></a>&#x2022; [`name`](#dynamic-reverse-proxy-resolution-network-name) - Optional String<br>Name. When a configuration object(e.g. virtual_host) refers to another(e.g route) then name will hold the referred object's(e.g. route's) name
+<a id="dynamic-reverse-proxy-resolution-network-namespace"></a>&#x2022; [`namespace`](#dynamic-reverse-proxy-resolution-network-namespace) - Optional String<br>Namespace. When a configuration object(e.g. virtual_host) refers to another(e.g route) then namespace will hold the referred object's(e.g. route's) namespace
+<a id="dynamic-reverse-proxy-resolution-network-tenant"></a>&#x2022; [`tenant`](#dynamic-reverse-proxy-resolution-network-tenant) - Optional String<br>Tenant. When a configuration object(e.g. virtual_host) refers to another(e.g route) then tenant will hold the referred object's(e.g. route's) tenant
+<a id="dynamic-reverse-proxy-resolution-network-uid"></a>&#x2022; [`uid`](#dynamic-reverse-proxy-resolution-network-uid) - Optional String<br>UID. When a configuration object(e.g. virtual_host) refers to another(e.g route) then uid will hold the referred object's(e.g. route's) uid
+#### HTTP Protocol Options
+A [`http_protocol_options`](#http-protocol-options) block supports the following:
+<a id="http-protocol-options-http-protocol-enable-v1-only"></a>&#x2022; [`http_protocol_enable_v1_only`](#http-protocol-options-http-protocol-enable-v1-only) - Optional Block<br>HTTP/1.1 Protocol Options. HTTP/1.1 Protocol options for downstream connections<br>See [HTTP Protocol Enable V1 Only](#http-protocol-options-http-protocol-enable-v1-only) below.
+<a id="http-protocol-options-http-protocol-enable-v1-v2"></a>&#x2022; [`http_protocol_enable_v1_v2`](#http-protocol-options-http-protocol-enable-v1-v2) - Optional Block<br>Enable this option
+<a id="http-protocol-options-http-protocol-enable-v2-only"></a>&#x2022; [`http_protocol_enable_v2_only`](#http-protocol-options-http-protocol-enable-v2-only) - Optional Block<br>Enable this option
+#### HTTP Protocol Options HTTP Protocol Enable V1 Only
+A [`http_protocol_enable_v1_only`](#http-protocol-options-http-protocol-enable-v1-only) block (within [`http_protocol_options`](#http-protocol-options)) supports the following:
+<a id="http-protocol-options-http-protocol-enable-v1-only-header-transformation"></a>&#x2022; [`header_transformation`](#http-protocol-options-http-protocol-enable-v1-only-header-transformation) - Optional Block<br>Header Transformation. Header Transformation options for HTTP/1.1 request/response headers<br>See [Header Transformation](#http-protocol-options-http-protocol-enable-v1-only-header-transformation) below.
+#### HTTP Protocol Options HTTP Protocol Enable V1 Only Header Transformation
+A [`header_transformation`](#http-protocol-options-http-protocol-enable-v1-only-header-transformation) block (within [`http_protocol_options.http_protocol_enable_v1_only`](#http-protocol-options-http-protocol-enable-v1-only)) supports the following:
+<a id="http-protocol-options-http-protocol-enable-v1-only-header-transformation-default-header-transformation"></a>&#x2022; [`default_header_transformation`](#http-protocol-options-http-protocol-enable-v1-only-header-transformation-default-header-transformation) - Optional Block<br>Enable this option
+<a id="http-protocol-options-http-protocol-enable-v1-only-header-transformation-legacy-header-transformation"></a>&#x2022; [`legacy_header_transformation`](#http-protocol-options-http-protocol-enable-v1-only-header-transformation-legacy-header-transformation) - Optional Block<br>Enable this option
+<a id="http-protocol-options-http-protocol-enable-v1-only-header-transformation-preserve-case-header-transformation"></a>&#x2022; [`preserve_case_header_transformation`](#http-protocol-options-http-protocol-enable-v1-only-header-transformation-preserve-case-header-transformation) - Optional Block<br>Enable this option
+<a id="http-protocol-options-http-protocol-enable-v1-only-header-transformation-proper-case-header-transformation"></a>&#x2022; [`proper_case_header_transformation`](#http-protocol-options-http-protocol-enable-v1-only-header-transformation-proper-case-header-transformation) - Optional Block<br>Enable this option
+#### Js Challenge
+A [`js_challenge`](#js-challenge) block supports the following:
+<a id="js-challenge-cookie-expiry"></a>&#x2022; [`cookie_expiry`](#js-challenge-cookie-expiry) - Optional Number<br>Cookie Expiration Period. Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
+<a id="js-challenge-custom-page"></a>&#x2022; [`custom_page`](#js-challenge-custom-page) - Optional String<br>Custom Message for Javascript Challenge. Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. 'Please Wait.' or it can be HTML paragraph or a body string encoded as base64 string E.g. '`<p>` Please Wait `</p>`'. Base64 encoded string for this HTML is 'PHA+IFBsZWFzZSBXYWl0IDwvcD4='
+<a id="js-challenge-js-script-delay"></a>&#x2022; [`js_script_delay`](#js-challenge-js-script-delay) - Optional Number<br>Javascript Delay. Delay introduced by Javascript, in milliseconds
+#### Rate Limiter Allowed Prefixes
+A [`rate_limiter_allowed_prefixes`](#rate-limiter-allowed-prefixes) block supports the following:
+<a id="rate-limiter-allowed-prefixes-kind"></a>&#x2022; [`kind`](#rate-limiter-allowed-prefixes-kind) - Optional String<br>Kind. When a configuration object(e.g. virtual_host) refers to another(e.g route) then kind will hold the referred object's kind (e.g. 'route')
+<a id="rate-limiter-allowed-prefixes-name"></a>&#x2022; [`name`](#rate-limiter-allowed-prefixes-name) - Optional String<br>Name. When a configuration object(e.g. virtual_host) refers to another(e.g route) then name will hold the referred object's(e.g. route's) name
+<a id="rate-limiter-allowed-prefixes-namespace"></a>&#x2022; [`namespace`](#rate-limiter-allowed-prefixes-namespace) - Optional String<br>Namespace. When a configuration object(e.g. virtual_host) refers to another(e.g route) then namespace will hold the referred object's(e.g. route's) namespace
+<a id="rate-limiter-allowed-prefixes-tenant"></a>&#x2022; [`tenant`](#rate-limiter-allowed-prefixes-tenant) - Optional String<br>Tenant. When a configuration object(e.g. virtual_host) refers to another(e.g route) then tenant will hold the referred object's(e.g. route's) tenant
+<a id="rate-limiter-allowed-prefixes-uid"></a>&#x2022; [`uid`](#rate-limiter-allowed-prefixes-uid) - Optional String<br>UID. When a configuration object(e.g. virtual_host) refers to another(e.g route) then uid will hold the referred object's(e.g. route's) uid
+#### Request Cookies To Add
+A [`request_cookies_to_add`](#request-cookies-to-add) block supports the following:
+<a id="request-cookies-to-add-name"></a>&#x2022; [`name`](#request-cookies-to-add-name) - Optional String<br>Name. Name of the cookie in Cookie header
+<a id="request-cookies-to-add-overwrite"></a>&#x2022; [`overwrite`](#request-cookies-to-add-overwrite) - Optional Bool  Defaults to `do`<br>Overwrite. Should the value be overwritten? If true, the value is overwritten to existing values. not overwrite
+<a id="request-cookies-to-add-secret-value"></a>&#x2022; [`secret_value`](#request-cookies-to-add-secret-value) - Optional Block<br>Secret. SecretType is used in an object to indicate a sensitive/confidential field<br>See [Secret Value](#request-cookies-to-add-secret-value) below.
+<a id="request-cookies-to-add-value"></a>&#x2022; [`value`](#request-cookies-to-add-value) - Optional String<br>Value. Value of the Cookie header
+#### Request Cookies To Add Secret Value
+A [`secret_value`](#request-cookies-to-add-secret-value) block (within [`request_cookies_to_add`](#request-cookies-to-add)) supports the following:
+<a id="request-cookies-to-add-secret-value-blindfold-secret-info"></a>&#x2022; [`blindfold_secret_info`](#request-cookies-to-add-secret-value-blindfold-secret-info) - Optional Block<br>Blindfold Secret. BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management<br>See [Blindfold Secret Info](#request-cookies-to-add-secret-value-blindfold-secret-info) below.
+<a id="request-cookies-to-add-secret-value-clear-secret-info"></a>&#x2022; [`clear_secret_info`](#request-cookies-to-add-secret-value-clear-secret-info) - Optional Block<br>In-Clear Secret. ClearSecretInfoType specifies information about the Secret that is not encrypted<br>See [Clear Secret Info](#request-cookies-to-add-secret-value-clear-secret-info) below.
+#### Request Cookies To Add Secret Value Blindfold Secret Info
+A [`blindfold_secret_info`](#request-cookies-to-add-secret-value-blindfold-secret-info) block (within [`request_cookies_to_add.secret_value`](#request-cookies-to-add-secret-value)) supports the following:
+<a id="request-cookies-to-add-secret-value-blindfold-secret-info-decryption-provider"></a>&#x2022; [`decryption_provider`](#request-cookies-to-add-secret-value-blindfold-secret-info-decryption-provider) - Optional String<br>Decryption Provider. Name of the Secret Management Access object that contains information about the backend Secret Management service
+<a id="request-cookies-to-add-secret-value-blindfold-secret-info-location"></a>&#x2022; [`location`](#request-cookies-to-add-secret-value-blindfold-secret-info-location) - Optional String<br>Location. Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location
+<a id="request-cookies-to-add-secret-value-blindfold-secret-info-store-provider"></a>&#x2022; [`store_provider`](#request-cookies-to-add-secret-value-blindfold-secret-info-store-provider) - Optional String<br>Store Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+#### Request Cookies To Add Secret Value Clear Secret Info
+A [`clear_secret_info`](#request-cookies-to-add-secret-value-clear-secret-info) block (within [`request_cookies_to_add.secret_value`](#request-cookies-to-add-secret-value)) supports the following:
+<a id="request-cookies-to-add-secret-value-clear-secret-info-provider-ref"></a>&#x2022; [`provider_ref`](#request-cookies-to-add-secret-value-clear-secret-info-provider-ref) - Optional String<br>Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+<a id="request-cookies-to-add-secret-value-clear-secret-info-url"></a>&#x2022; [`url`](#request-cookies-to-add-secret-value-clear-secret-info-url) - Optional String<br>URL. URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will get Secret bytes after Base64 decoding
+#### Request Headers To Add
+A [`request_headers_to_add`](#request-headers-to-add) block supports the following:
+<a id="request-headers-to-add-append"></a>&#x2022; [`append`](#request-headers-to-add-append) - Optional Bool  Defaults to `do`<br>Append. Should the value be appended? If true, the value is appended to existing values. not append
+<a id="request-headers-to-add-name"></a>&#x2022; [`name`](#request-headers-to-add-name) - Optional String<br>Name. Name of the HTTP header
+<a id="request-headers-to-add-secret-value"></a>&#x2022; [`secret_value`](#request-headers-to-add-secret-value) - Optional Block<br>Secret. SecretType is used in an object to indicate a sensitive/confidential field<br>See [Secret Value](#request-headers-to-add-secret-value) below.
+<a id="request-headers-to-add-value"></a>&#x2022; [`value`](#request-headers-to-add-value) - Optional String<br>Value. Value of the HTTP header
+#### Request Headers To Add Secret Value
+A [`secret_value`](#request-headers-to-add-secret-value) block (within [`request_headers_to_add`](#request-headers-to-add)) supports the following:
+<a id="request-headers-to-add-secret-value-blindfold-secret-info"></a>&#x2022; [`blindfold_secret_info`](#request-headers-to-add-secret-value-blindfold-secret-info) - Optional Block<br>Blindfold Secret. BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management<br>See [Blindfold Secret Info](#request-headers-to-add-secret-value-blindfold-secret-info) below.
+<a id="request-headers-to-add-secret-value-clear-secret-info"></a>&#x2022; [`clear_secret_info`](#request-headers-to-add-secret-value-clear-secret-info) - Optional Block<br>In-Clear Secret. ClearSecretInfoType specifies information about the Secret that is not encrypted<br>See [Clear Secret Info](#request-headers-to-add-secret-value-clear-secret-info) below.
+#### Request Headers To Add Secret Value Blindfold Secret Info
+A [`blindfold_secret_info`](#request-headers-to-add-secret-value-blindfold-secret-info) block (within [`request_headers_to_add.secret_value`](#request-headers-to-add-secret-value)) supports the following:
+<a id="request-headers-to-add-secret-value-blindfold-secret-info-decryption-provider"></a>&#x2022; [`decryption_provider`](#request-headers-to-add-secret-value-blindfold-secret-info-decryption-provider) - Optional String<br>Decryption Provider. Name of the Secret Management Access object that contains information about the backend Secret Management service
+<a id="request-headers-to-add-secret-value-blindfold-secret-info-location"></a>&#x2022; [`location`](#request-headers-to-add-secret-value-blindfold-secret-info-location) - Optional String<br>Location. Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location
+<a id="request-headers-to-add-secret-value-blindfold-secret-info-store-provider"></a>&#x2022; [`store_provider`](#request-headers-to-add-secret-value-blindfold-secret-info-store-provider) - Optional String<br>Store Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+#### Request Headers To Add Secret Value Clear Secret Info
+A [`clear_secret_info`](#request-headers-to-add-secret-value-clear-secret-info) block (within [`request_headers_to_add.secret_value`](#request-headers-to-add-secret-value)) supports the following:
+<a id="request-headers-to-add-secret-value-clear-secret-info-provider-ref"></a>&#x2022; [`provider_ref`](#request-headers-to-add-secret-value-clear-secret-info-provider-ref) - Optional String<br>Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+<a id="request-headers-to-add-secret-value-clear-secret-info-url"></a>&#x2022; [`url`](#request-headers-to-add-secret-value-clear-secret-info-url) - Optional String<br>URL. URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will get Secret bytes after Base64 decoding
+#### Response Cookies To Add
+A [`response_cookies_to_add`](#response-cookies-to-add) block supports the following:
+<a id="response-cookies-to-add-add-domain"></a>&#x2022; [`add_domain`](#response-cookies-to-add-add-domain) - Optional String<br>Add Domain. Add domain attribute
+<a id="response-cookies-to-add-add-expiry"></a>&#x2022; [`add_expiry`](#response-cookies-to-add-add-expiry) - Optional String<br>Add expiry. Add expiry attribute
+<a id="response-cookies-to-add-add-httponly"></a>&#x2022; [`add_httponly`](#response-cookies-to-add-add-httponly) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-add-partitioned"></a>&#x2022; [`add_partitioned`](#response-cookies-to-add-add-partitioned) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-add-path"></a>&#x2022; [`add_path`](#response-cookies-to-add-add-path) - Optional String<br>Add path. Add path attribute
+<a id="response-cookies-to-add-add-secure"></a>&#x2022; [`add_secure`](#response-cookies-to-add-add-secure) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-ignore-domain"></a>&#x2022; [`ignore_domain`](#response-cookies-to-add-ignore-domain) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-ignore-expiry"></a>&#x2022; [`ignore_expiry`](#response-cookies-to-add-ignore-expiry) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-ignore-httponly"></a>&#x2022; [`ignore_httponly`](#response-cookies-to-add-ignore-httponly) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-ignore-max-age"></a>&#x2022; [`ignore_max_age`](#response-cookies-to-add-ignore-max-age) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-ignore-partitioned"></a>&#x2022; [`ignore_partitioned`](#response-cookies-to-add-ignore-partitioned) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-ignore-path"></a>&#x2022; [`ignore_path`](#response-cookies-to-add-ignore-path) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-ignore-samesite"></a>&#x2022; [`ignore_samesite`](#response-cookies-to-add-ignore-samesite) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-ignore-secure"></a>&#x2022; [`ignore_secure`](#response-cookies-to-add-ignore-secure) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-ignore-value"></a>&#x2022; [`ignore_value`](#response-cookies-to-add-ignore-value) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-max-age-value"></a>&#x2022; [`max_age_value`](#response-cookies-to-add-max-age-value) - Optional Number<br>Add Max Age. Add max age attribute
+<a id="response-cookies-to-add-name"></a>&#x2022; [`name`](#response-cookies-to-add-name) - Optional String<br>Name. Name of the cookie in Cookie header
+<a id="response-cookies-to-add-overwrite"></a>&#x2022; [`overwrite`](#response-cookies-to-add-overwrite) - Optional Bool  Defaults to `do`<br>Overwrite. Should the value be overwritten? If true, the value is overwritten to existing values. not overwrite
+<a id="response-cookies-to-add-samesite-lax"></a>&#x2022; [`samesite_lax`](#response-cookies-to-add-samesite-lax) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-samesite-none"></a>&#x2022; [`samesite_none`](#response-cookies-to-add-samesite-none) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-samesite-strict"></a>&#x2022; [`samesite_strict`](#response-cookies-to-add-samesite-strict) - Optional Block<br>Enable this option
+<a id="response-cookies-to-add-secret-value"></a>&#x2022; [`secret_value`](#response-cookies-to-add-secret-value) - Optional Block<br>Secret. SecretType is used in an object to indicate a sensitive/confidential field<br>See [Secret Value](#response-cookies-to-add-secret-value) below.
+<a id="response-cookies-to-add-value"></a>&#x2022; [`value`](#response-cookies-to-add-value) - Optional String<br>Value. Value of the Cookie header
+#### Response Cookies To Add Secret Value
+A [`secret_value`](#response-cookies-to-add-secret-value) block (within [`response_cookies_to_add`](#response-cookies-to-add)) supports the following:
+<a id="response-cookies-to-add-secret-value-blindfold-secret-info"></a>&#x2022; [`blindfold_secret_info`](#response-cookies-to-add-secret-value-blindfold-secret-info) - Optional Block<br>Blindfold Secret. BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management<br>See [Blindfold Secret Info](#response-cookies-to-add-secret-value-blindfold-secret-info) below.
+<a id="response-cookies-to-add-secret-value-clear-secret-info"></a>&#x2022; [`clear_secret_info`](#response-cookies-to-add-secret-value-clear-secret-info) - Optional Block<br>In-Clear Secret. ClearSecretInfoType specifies information about the Secret that is not encrypted<br>See [Clear Secret Info](#response-cookies-to-add-secret-value-clear-secret-info) below.
+#### Response Cookies To Add Secret Value Blindfold Secret Info
+A [`blindfold_secret_info`](#response-cookies-to-add-secret-value-blindfold-secret-info) block (within [`response_cookies_to_add.secret_value`](#response-cookies-to-add-secret-value)) supports the following:
+<a id="response-cookies-to-add-secret-value-blindfold-secret-info-decryption-provider"></a>&#x2022; [`decryption_provider`](#response-cookies-to-add-secret-value-blindfold-secret-info-decryption-provider) - Optional String<br>Decryption Provider. Name of the Secret Management Access object that contains information about the backend Secret Management service
+<a id="response-cookies-to-add-secret-value-blindfold-secret-info-location"></a>&#x2022; [`location`](#response-cookies-to-add-secret-value-blindfold-secret-info-location) - Optional String<br>Location. Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location
+<a id="response-cookies-to-add-secret-value-blindfold-secret-info-store-provider"></a>&#x2022; [`store_provider`](#response-cookies-to-add-secret-value-blindfold-secret-info-store-provider) - Optional String<br>Store Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+#### Response Cookies To Add Secret Value Clear Secret Info
+A [`clear_secret_info`](#response-cookies-to-add-secret-value-clear-secret-info) block (within [`response_cookies_to_add.secret_value`](#response-cookies-to-add-secret-value)) supports the following:
+<a id="response-cookies-to-add-secret-value-clear-secret-info-provider-ref"></a>&#x2022; [`provider_ref`](#response-cookies-to-add-secret-value-clear-secret-info-provider-ref) - Optional String<br>Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+<a id="response-cookies-to-add-secret-value-clear-secret-info-url"></a>&#x2022; [`url`](#response-cookies-to-add-secret-value-clear-secret-info-url) - Optional String<br>URL. URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will get Secret bytes after Base64 decoding
+#### Response Headers To Add
+A [`response_headers_to_add`](#response-headers-to-add) block supports the following:
+<a id="response-headers-to-add-append"></a>&#x2022; [`append`](#response-headers-to-add-append) - Optional Bool  Defaults to `do`<br>Append. Should the value be appended? If true, the value is appended to existing values. not append
+<a id="response-headers-to-add-name"></a>&#x2022; [`name`](#response-headers-to-add-name) - Optional String<br>Name. Name of the HTTP header
+<a id="response-headers-to-add-secret-value"></a>&#x2022; [`secret_value`](#response-headers-to-add-secret-value) - Optional Block<br>Secret. SecretType is used in an object to indicate a sensitive/confidential field<br>See [Secret Value](#response-headers-to-add-secret-value) below.
+<a id="response-headers-to-add-value"></a>&#x2022; [`value`](#response-headers-to-add-value) - Optional String<br>Value. Value of the HTTP header
+#### Response Headers To Add Secret Value
+A [`secret_value`](#response-headers-to-add-secret-value) block (within [`response_headers_to_add`](#response-headers-to-add)) supports the following:
+<a id="response-headers-to-add-secret-value-blindfold-secret-info"></a>&#x2022; [`blindfold_secret_info`](#response-headers-to-add-secret-value-blindfold-secret-info) - Optional Block<br>Blindfold Secret. BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management<br>See [Blindfold Secret Info](#response-headers-to-add-secret-value-blindfold-secret-info) below.
+<a id="response-headers-to-add-secret-value-clear-secret-info"></a>&#x2022; [`clear_secret_info`](#response-headers-to-add-secret-value-clear-secret-info) - Optional Block<br>In-Clear Secret. ClearSecretInfoType specifies information about the Secret that is not encrypted<br>See [Clear Secret Info](#response-headers-to-add-secret-value-clear-secret-info) below.
+#### Response Headers To Add Secret Value Blindfold Secret Info
+A [`blindfold_secret_info`](#response-headers-to-add-secret-value-blindfold-secret-info) block (within [`response_headers_to_add.secret_value`](#response-headers-to-add-secret-value)) supports the following:
+<a id="response-headers-to-add-secret-value-blindfold-secret-info-decryption-provider"></a>&#x2022; [`decryption_provider`](#response-headers-to-add-secret-value-blindfold-secret-info-decryption-provider) - Optional String<br>Decryption Provider. Name of the Secret Management Access object that contains information about the backend Secret Management service
+<a id="response-headers-to-add-secret-value-blindfold-secret-info-location"></a>&#x2022; [`location`](#response-headers-to-add-secret-value-blindfold-secret-info-location) - Optional String<br>Location. Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location
+<a id="response-headers-to-add-secret-value-blindfold-secret-info-store-provider"></a>&#x2022; [`store_provider`](#response-headers-to-add-secret-value-blindfold-secret-info-store-provider) - Optional String<br>Store Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+#### Response Headers To Add Secret Value Clear Secret Info
+A [`clear_secret_info`](#response-headers-to-add-secret-value-clear-secret-info) block (within [`response_headers_to_add.secret_value`](#response-headers-to-add-secret-value)) supports the following:
+<a id="response-headers-to-add-secret-value-clear-secret-info-provider-ref"></a>&#x2022; [`provider_ref`](#response-headers-to-add-secret-value-clear-secret-info-provider-ref) - Optional String<br>Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+<a id="response-headers-to-add-secret-value-clear-secret-info-url"></a>&#x2022; [`url`](#response-headers-to-add-secret-value-clear-secret-info-url) - Optional String<br>URL. URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will get Secret bytes after Base64 decoding
+#### Retry Policy
+A [`retry_policy`](#retry-policy) block supports the following:
+<a id="retry-policy-back-off"></a>&#x2022; [`back_off`](#retry-policy-back-off) - Optional Block<br>Retry BackOff Interval. Specifies parameters that control retry back off<br>See [Back Off](#retry-policy-back-off) below.
+<a id="retry-policy-num-retries"></a>&#x2022; [`num_retries`](#retry-policy-num-retries) - Optional Number  Defaults to `1`<br>Number of Retries. Specifies the allowed number of retries. Retries can be done any number of times. An exponential back-off algorithm is used between each retry
+<a id="retry-policy-per-try-timeout"></a>&#x2022; [`per_try_timeout`](#retry-policy-per-try-timeout) - Optional Number<br>Per Try Timeout. Specifies a non-zero timeout per retry attempt. In milliseconds
+<a id="retry-policy-retriable-status-codes"></a>&#x2022; [`retriable_status_codes`](#retry-policy-retriable-status-codes) - Optional List<br>Status Code to Retry. HTTP status codes that should trigger a retry in addition to those specified by retry_on
+<a id="retry-policy-retry-condition"></a>&#x2022; [`retry_condition`](#retry-policy-retry-condition) - Optional List<br>Retry Condition. Specifies the conditions under which retry takes place. Retries can be on different types of condition depending on application requirements. For example, network failure, all 5xx response codes, idempotent 4xx response codes, etc The possible values are '5xx' : Retry will be done if the upstream server responds with any 5xx response code, or does not respond at all (disconnect/reset/read timeout). 'gateway-error' : Retry will be done only if the upstream server responds with 502, 503 or 504 responses (Included in 5xx) 'connect-failure' : Retry will be done if the request fails because of a connection failure to the upstream server (connect timeout, etc.). (Included in 5xx) 'refused-stream' : Retry is done if the upstream server resets the stream with a REFUSED_STREAM error code (Included in 5xx) 'retriable-4xx' : Retry is done if the upstream server responds with a retriable 4xx response code. The only response code in this category is HTTP CONFLICT (409) 'retriable-status-codes' : Retry is done if the upstream server responds with any response code matching one defined in retriable_status_codes field 'reset' : Retry is done if the upstream server does not respond at all (disconnect/reset/read timeout.)
+#### Retry Policy Back Off
+A [`back_off`](#retry-policy-back-off) block (within [`retry_policy`](#retry-policy)) supports the following:
+<a id="retry-policy-back-off-base-interval"></a>&#x2022; [`base_interval`](#retry-policy-back-off-base-interval) - Optional Number<br>Base Retry Interval. Specifies the base interval between retries in milliseconds
+<a id="retry-policy-back-off-max-interval"></a>&#x2022; [`max_interval`](#retry-policy-back-off-max-interval) - Optional Number  Defaults to `10`<br>Maximum Retry Interval. Specifies the maximum interval between retries in milliseconds. This parameter is optional, but must be greater than or equal to the base_interval if set. The times the base_interval
+#### Routes
+A [`routes`](#routes) block supports the following:
+<a id="routes-kind"></a>&#x2022; [`kind`](#routes-kind) - Optional String<br>Kind. When a configuration object(e.g. virtual_host) refers to another(e.g route) then kind will hold the referred object's kind (e.g. 'route')
+<a id="routes-name"></a>&#x2022; [`name`](#routes-name) - Optional String<br>Name. When a configuration object(e.g. virtual_host) refers to another(e.g route) then name will hold the referred object's(e.g. route's) name
+<a id="routes-namespace"></a>&#x2022; [`namespace`](#routes-namespace) - Optional String<br>Namespace. When a configuration object(e.g. virtual_host) refers to another(e.g route) then namespace will hold the referred object's(e.g. route's) namespace
+<a id="routes-tenant"></a>&#x2022; [`tenant`](#routes-tenant) - Optional String<br>Tenant. When a configuration object(e.g. virtual_host) refers to another(e.g route) then tenant will hold the referred object's(e.g. route's) tenant
+<a id="routes-uid"></a>&#x2022; [`uid`](#routes-uid) - Optional String<br>UID. When a configuration object(e.g. virtual_host) refers to another(e.g route) then uid will hold the referred object's(e.g. route's) uid
+#### Sensitive Data Policy
+A [`sensitive_data_policy`](#sensitive-data-policy) block supports the following:
+<a id="sensitive-data-policy-kind"></a>&#x2022; [`kind`](#sensitive-data-policy-kind) - Optional String<br>Kind. When a configuration object(e.g. virtual_host) refers to another(e.g route) then kind will hold the referred object's kind (e.g. 'route')
+<a id="sensitive-data-policy-name"></a>&#x2022; [`name`](#sensitive-data-policy-name) - Optional String<br>Name. When a configuration object(e.g. virtual_host) refers to another(e.g route) then name will hold the referred object's(e.g. route's) name
+<a id="sensitive-data-policy-namespace"></a>&#x2022; [`namespace`](#sensitive-data-policy-namespace) - Optional String<br>Namespace. When a configuration object(e.g. virtual_host) refers to another(e.g route) then namespace will hold the referred object's(e.g. route's) namespace
+<a id="sensitive-data-policy-tenant"></a>&#x2022; [`tenant`](#sensitive-data-policy-tenant) - Optional String<br>Tenant. When a configuration object(e.g. virtual_host) refers to another(e.g route) then tenant will hold the referred object's(e.g. route's) tenant
+<a id="sensitive-data-policy-uid"></a>&#x2022; [`uid`](#sensitive-data-policy-uid) - Optional String<br>UID. When a configuration object(e.g. virtual_host) refers to another(e.g route) then uid will hold the referred object's(e.g. route's) uid
+#### Slow DDOS Mitigation
+A [`slow_ddos_mitigation`](#slow-ddos-mitigation) block supports the following:
+<a id="slow-ddos-mitigation-disable-request-timeout"></a>&#x2022; [`disable_request_timeout`](#slow-ddos-mitigation-disable-request-timeout) - Optional Block<br>Enable this option
+<a id="slow-ddos-mitigation-request-headers-timeout"></a>&#x2022; [`request_headers_timeout`](#slow-ddos-mitigation-request-headers-timeout) - Optional Number  Defaults to `10000`<br>Request Headers Timeout. The amount of time the client has to send only the headers on the request stream before the stream is cancelled. The milliseconds. This setting provides protection against Slowloris attacks
+<a id="slow-ddos-mitigation-request-timeout"></a>&#x2022; [`request_timeout`](#slow-ddos-mitigation-request-timeout) - Optional Number<br>Custom Timeout
+#### Timeouts
+A [`timeouts`](#timeouts) block supports the following:
+<a id="timeouts-create"></a>&#x2022; [`create`](#timeouts-create) - Optional String (Defaults to `10 minutes`)<br>Used when creating the resource
+<a id="timeouts-delete"></a>&#x2022; [`delete`](#timeouts-delete) - Optional String (Defaults to `10 minutes`)<br>Used when deleting the resource
+<a id="timeouts-read"></a>&#x2022; [`read`](#timeouts-read) - Optional String (Defaults to `5 minutes`)<br>Used when retrieving the resource
+<a id="timeouts-update"></a>&#x2022; [`update`](#timeouts-update) - Optional String (Defaults to `10 minutes`)<br>Used when updating the resource
+#### TLS Cert Params
+A [`tls_cert_params`](#tls-cert-params) block supports the following:
+<a id="tls-cert-params-certificates"></a>&#x2022; [`certificates`](#tls-cert-params-certificates) - Optional Block<br>Certificates. Set of certificates<br>See [Certificates](#tls-cert-params-certificates) below.
+<a id="tls-cert-params-cipher-suites"></a>&#x2022; [`cipher_suites`](#tls-cert-params-cipher-suites) - Optional List<br>Cipher Suites. The following list specifies the supported cipher suite TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 If not specified, the default list: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 will be used
+<a id="tls-cert-params-client-certificate-optional"></a>&#x2022; [`client_certificate_optional`](#tls-cert-params-client-certificate-optional) - Optional Block<br>Enable this option
+<a id="tls-cert-params-client-certificate-required"></a>&#x2022; [`client_certificate_required`](#tls-cert-params-client-certificate-required) - Optional Block<br>Enable this option
+<a id="tls-cert-params-maximum-protocol-version"></a>&#x2022; [`maximum_protocol_version`](#tls-cert-params-maximum-protocol-version) - Optional String  Defaults to `TLS_AUTO`<br>Possible values are `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, `TLSv1_3`<br>[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TLS Protocol. TlsProtocol is enumeration of supported TLS versions F5 Distributed Cloud will choose the optimal TLS version
+<a id="tls-cert-params-minimum-protocol-version"></a>&#x2022; [`minimum_protocol_version`](#tls-cert-params-minimum-protocol-version) - Optional String  Defaults to `TLS_AUTO`<br>Possible values are `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, `TLSv1_3`<br>[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TLS Protocol. TlsProtocol is enumeration of supported TLS versions F5 Distributed Cloud will choose the optimal TLS version
+<a id="tls-cert-params-no-client-certificate"></a>&#x2022; [`no_client_certificate`](#tls-cert-params-no-client-certificate) - Optional Block<br>Enable this option
+<a id="tls-cert-params-validation-params"></a>&#x2022; [`validation_params`](#tls-cert-params-validation-params) - Optional Block<br>TLS Certificate Validation Parameters. This includes URL for a trust store, whether SAN verification is required and list of Subject Alt Names for verification<br>See [Validation Params](#tls-cert-params-validation-params) below.
+<a id="tls-cert-params-xfcc-header-elements"></a>&#x2022; [`xfcc_header_elements`](#tls-cert-params-xfcc-header-elements) - Optional List  Defaults to `XFCC_NONE`<br>Possible values are `XFCC_NONE`, `XFCC_CERT`, `XFCC_CHAIN`, `XFCC_SUBJECT`, `XFCC_URI`, `XFCC_DNS`<br>[Enum: XFCC_NONE|XFCC_CERT|XFCC_CHAIN|XFCC_SUBJECT|XFCC_URI|XFCC_DNS] XFCC Header. X-Forwarded-Client-Cert header elements to be set in an mTLS enabled connections. If none are defined, the header will not be added
+#### TLS Cert Params Certificates
+A [`certificates`](#tls-cert-params-certificates) block (within [`tls_cert_params`](#tls-cert-params)) supports the following:
+<a id="tls-cert-params-certificates-kind"></a>&#x2022; [`kind`](#tls-cert-params-certificates-kind) - Optional String<br>Kind. When a configuration object(e.g. virtual_host) refers to another(e.g route) then kind will hold the referred object's kind (e.g. 'route')
+<a id="tls-cert-params-certificates-name"></a>&#x2022; [`name`](#tls-cert-params-certificates-name) - Optional String<br>Name. When a configuration object(e.g. virtual_host) refers to another(e.g route) then name will hold the referred object's(e.g. route's) name
+<a id="tls-cert-params-certificates-namespace"></a>&#x2022; [`namespace`](#tls-cert-params-certificates-namespace) - Optional String<br>Namespace. When a configuration object(e.g. virtual_host) refers to another(e.g route) then namespace will hold the referred object's(e.g. route's) namespace
+<a id="tls-cert-params-certificates-tenant"></a>&#x2022; [`tenant`](#tls-cert-params-certificates-tenant) - Optional String<br>Tenant. When a configuration object(e.g. virtual_host) refers to another(e.g route) then tenant will hold the referred object's(e.g. route's) tenant
+<a id="tls-cert-params-certificates-uid"></a>&#x2022; [`uid`](#tls-cert-params-certificates-uid) - Optional String<br>UID. When a configuration object(e.g. virtual_host) refers to another(e.g route) then uid will hold the referred object's(e.g. route's) uid
+#### TLS Cert Params Validation Params
+A [`validation_params`](#tls-cert-params-validation-params) block (within [`tls_cert_params`](#tls-cert-params)) supports the following:
+<a id="tls-cert-params-validation-params-skip-hostname-verification"></a>&#x2022; [`skip_hostname_verification`](#tls-cert-params-validation-params-skip-hostname-verification) - Optional Bool<br>Skip verification of hostname. When True, skip verification of hostname i.e. CN/Subject Alt Name of certificate is not matched to the connecting hostname
+<a id="tls-cert-params-validation-params-trusted-ca"></a>&#x2022; [`trusted_ca`](#tls-cert-params-validation-params-trusted-ca) - Optional Block<br>Root CA Certificate Reference. Reference to Root CA Certificate<br>See [Trusted CA](#tls-cert-params-validation-params-trusted-ca) below.
+<a id="tls-cert-params-validation-params-trusted-ca-url"></a>&#x2022; [`trusted_ca_url`](#tls-cert-params-validation-params-trusted-ca-url) - Optional String<br>Inline Root CA Certificate (legacy). Inline Root CA Certificate
+<a id="tls-cert-params-validation-params-verify-subject-alt-names"></a>&#x2022; [`verify_subject_alt_names`](#tls-cert-params-validation-params-verify-subject-alt-names) - Optional List<br>List of SANs for matching. List of acceptable Subject Alt Names/CN in the peer's certificate. When skip_hostname_verification is false and verify_subject_alt_names is empty, the hostname of the peer will be used for matching against SAN/CN of peer's certificate
+#### TLS Cert Params Validation Params Trusted CA
+A [`trusted_ca`](#tls-cert-params-validation-params-trusted-ca) block (within [`tls_cert_params.validation_params`](#tls-cert-params-validation-params)) supports the following:
+<a id="tls-cert-params-validation-params-trusted-ca-trusted-ca-list"></a>&#x2022; [`trusted_ca_list`](#tls-cert-params-validation-params-trusted-ca-trusted-ca-list) - Optional Block<br>Root CA Certificate Reference. Reference to Root CA Certificate<br>See [Trusted CA List](#tls-cert-params-validation-params-trusted-ca-trusted-ca-list) below.
+#### TLS Cert Params Validation Params Trusted CA Trusted CA List
+A [`trusted_ca_list`](#tls-cert-params-validation-params-trusted-ca-trusted-ca-list) block (within [`tls_cert_params.validation_params.trusted_ca`](#tls-cert-params-validation-params-trusted-ca)) supports the following:
+<a id="tls-cert-params-validation-params-trusted-ca-trusted-ca-list-kind"></a>&#x2022; [`kind`](#tls-cert-params-validation-params-trusted-ca-trusted-ca-list-kind) - Optional String<br>Kind. When a configuration object(e.g. virtual_host) refers to another(e.g route) then kind will hold the referred object's kind (e.g. 'route')
+<a id="tls-cert-params-validation-params-trusted-ca-trusted-ca-list-name"></a>&#x2022; [`name`](#tls-cert-params-validation-params-trusted-ca-trusted-ca-list-name) - Optional String<br>Name. When a configuration object(e.g. virtual_host) refers to another(e.g route) then name will hold the referred object's(e.g. route's) name
+<a id="tls-cert-params-validation-params-trusted-ca-trusted-ca-list-namespace"></a>&#x2022; [`namespace`](#tls-cert-params-validation-params-trusted-ca-trusted-ca-list-namespace) - Optional String<br>Namespace. When a configuration object(e.g. virtual_host) refers to another(e.g route) then namespace will hold the referred object's(e.g. route's) namespace
+<a id="tls-cert-params-validation-params-trusted-ca-trusted-ca-list-tenant"></a>&#x2022; [`tenant`](#tls-cert-params-validation-params-trusted-ca-trusted-ca-list-tenant) - Optional String<br>Tenant. When a configuration object(e.g. virtual_host) refers to another(e.g route) then tenant will hold the referred object's(e.g. route's) tenant
+<a id="tls-cert-params-validation-params-trusted-ca-trusted-ca-list-uid"></a>&#x2022; [`uid`](#tls-cert-params-validation-params-trusted-ca-trusted-ca-list-uid) - Optional String<br>UID. When a configuration object(e.g. virtual_host) refers to another(e.g route) then uid will hold the referred object's(e.g. route's) uid
+#### TLS Parameters
+A [`tls_parameters`](#tls-parameters) block supports the following:
+<a id="tls-parameters-client-certificate-optional"></a>&#x2022; [`client_certificate_optional`](#tls-parameters-client-certificate-optional) - Optional Block<br>Enable this option
+<a id="tls-parameters-client-certificate-required"></a>&#x2022; [`client_certificate_required`](#tls-parameters-client-certificate-required) - Optional Block<br>Enable this option
+<a id="tls-parameters-common-params"></a>&#x2022; [`common_params`](#tls-parameters-common-params) - Optional Block<br>TLS Parameters. Information of different aspects for TLS authentication related to ciphers, certificates and trust store<br>See [Common Params](#tls-parameters-common-params) below.
+<a id="tls-parameters-no-client-certificate"></a>&#x2022; [`no_client_certificate`](#tls-parameters-no-client-certificate) - Optional Block<br>Enable this option
+<a id="tls-parameters-xfcc-header-elements"></a>&#x2022; [`xfcc_header_elements`](#tls-parameters-xfcc-header-elements) - Optional List  Defaults to `XFCC_NONE`<br>Possible values are `XFCC_NONE`, `XFCC_CERT`, `XFCC_CHAIN`, `XFCC_SUBJECT`, `XFCC_URI`, `XFCC_DNS`<br>[Enum: XFCC_NONE|XFCC_CERT|XFCC_CHAIN|XFCC_SUBJECT|XFCC_URI|XFCC_DNS] XFCC Header. X-Forwarded-Client-Cert header elements to be set in an mTLS enabled connections. If none are defined, the header will not be added
+#### TLS Parameters Common Params
+A [`common_params`](#tls-parameters-common-params) block (within [`tls_parameters`](#tls-parameters)) supports the following:
+<a id="tls-parameters-common-params-cipher-suites"></a>&#x2022; [`cipher_suites`](#tls-parameters-common-params-cipher-suites) - Optional List<br>Cipher Suites. The following list specifies the supported cipher suite TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 If not specified, the default list: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 will be used
+<a id="tls-parameters-common-params-maximum-protocol-version"></a>&#x2022; [`maximum_protocol_version`](#tls-parameters-common-params-maximum-protocol-version) - Optional String  Defaults to `TLS_AUTO`<br>Possible values are `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, `TLSv1_3`<br>[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TLS Protocol. TlsProtocol is enumeration of supported TLS versions F5 Distributed Cloud will choose the optimal TLS version
+<a id="tls-parameters-common-params-minimum-protocol-version"></a>&#x2022; [`minimum_protocol_version`](#tls-parameters-common-params-minimum-protocol-version) - Optional String  Defaults to `TLS_AUTO`<br>Possible values are `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, `TLSv1_3`<br>[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TLS Protocol. TlsProtocol is enumeration of supported TLS versions F5 Distributed Cloud will choose the optimal TLS version
+<a id="tls-parameters-common-params-tls-certificates"></a>&#x2022; [`tls_certificates`](#tls-parameters-common-params-tls-certificates) - Optional Block<br>TLS Certificates. Set of TLS certificates<br>See [TLS Certificates](#tls-parameters-common-params-tls-certificates) below.
+<a id="tls-parameters-common-params-validation-params"></a>&#x2022; [`validation_params`](#tls-parameters-common-params-validation-params) - Optional Block<br>TLS Certificate Validation Parameters. This includes URL for a trust store, whether SAN verification is required and list of Subject Alt Names for verification<br>See [Validation Params](#tls-parameters-common-params-validation-params) below.
+#### TLS Parameters Common Params TLS Certificates
+A [`tls_certificates`](#tls-parameters-common-params-tls-certificates) block (within [`tls_parameters.common_params`](#tls-parameters-common-params)) supports the following:
+<a id="tls-parameters-common-params-tls-certificates-certificate-url"></a>&#x2022; [`certificate_url`](#tls-parameters-common-params-tls-certificates-certificate-url) - Optional String<br>Certificate. TLS certificate. Certificate or certificate chain in PEM format including the PEM headers
+<a id="tls-parameters-common-params-tls-certificates-custom-hash-algorithms"></a>&#x2022; [`custom_hash_algorithms`](#tls-parameters-common-params-tls-certificates-custom-hash-algorithms) - Optional Block<br>Hash Algorithms. Specifies the hash algorithms to be used<br>See [Custom Hash Algorithms](#tls-parameters-common-params-tls-certificates-custom-hash-algorithms) below.
+<a id="tls-parameters-common-params-tls-certificates-description-spec"></a>&#x2022; [`description_spec`](#tls-parameters-common-params-tls-certificates-description-spec) - Optional String<br>Description. Description for the certificate
+<a id="tls-parameters-common-params-tls-certificates-disable-ocsp-stapling"></a>&#x2022; [`disable_ocsp_stapling`](#tls-parameters-common-params-tls-certificates-disable-ocsp-stapling) - Optional Block<br>Enable this option
+<a id="tls-parameters-common-params-tls-certificates-private-key"></a>&#x2022; [`private_key`](#tls-parameters-common-params-tls-certificates-private-key) - Optional Block<br>Secret. SecretType is used in an object to indicate a sensitive/confidential field<br>See [Private Key](#tls-parameters-common-params-tls-certificates-private-key) below.
+<a id="tls-parameters-common-params-tls-certificates-use-system-defaults"></a>&#x2022; [`use_system_defaults`](#tls-parameters-common-params-tls-certificates-use-system-defaults) - Optional Block<br>Enable this option
+#### TLS Parameters Common Params TLS Certificates Custom Hash Algorithms
+A [`custom_hash_algorithms`](#tls-parameters-common-params-tls-certificates-custom-hash-algorithms) block (within [`tls_parameters.common_params.tls_certificates`](#tls-parameters-common-params-tls-certificates)) supports the following:
+<a id="tls-parameters-common-params-tls-certificates-custom-hash-algorithms-hash-algorithms"></a>&#x2022; [`hash_algorithms`](#tls-parameters-common-params-tls-certificates-custom-hash-algorithms-hash-algorithms) - Optional List  Defaults to `INVALID_HASH_ALGORITHM`<br>Possible values are `INVALID_HASH_ALGORITHM`, `SHA256`, `SHA1`<br>[Enum: INVALID_HASH_ALGORITHM|SHA256|SHA1] Hash Algorithms. Ordered list of hash algorithms to be used
+#### TLS Parameters Common Params TLS Certificates Private Key
+A [`private_key`](#tls-parameters-common-params-tls-certificates-private-key) block (within [`tls_parameters.common_params.tls_certificates`](#tls-parameters-common-params-tls-certificates)) supports the following:
+<a id="tls-parameters-common-params-tls-certificates-private-key-blindfold-secret-info"></a>&#x2022; [`blindfold_secret_info`](#tls-parameters-common-params-tls-certificates-private-key-blindfold-secret-info) - Optional Block<br>Blindfold Secret. BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management<br>See [Blindfold Secret Info](#tls-parameters-common-params-tls-certificates-private-key-blindfold-secret-info) below.
+<a id="tls-parameters-common-params-tls-certificates-private-key-clear-secret-info"></a>&#x2022; [`clear_secret_info`](#tls-parameters-common-params-tls-certificates-private-key-clear-secret-info) - Optional Block<br>In-Clear Secret. ClearSecretInfoType specifies information about the Secret that is not encrypted<br>See [Clear Secret Info](#tls-parameters-common-params-tls-certificates-private-key-clear-secret-info) below.
+#### TLS Parameters Common Params TLS Certificates Private Key Blindfold Secret Info
+A [`blindfold_secret_info`](#tls-parameters-common-params-tls-certificates-private-key-blindfold-secret-info) block (within [`tls_parameters.common_params.tls_certificates.private_key`](#tls-parameters-common-params-tls-certificates-private-key)) supports the following:
+<a id="tls-parameters-common-params-tls-certificates-private-key-blindfold-secret-info-decryption-provider"></a>&#x2022; [`decryption_provider`](#tls-parameters-common-params-tls-certificates-private-key-blindfold-secret-info-decryption-provider) - Optional String<br>Decryption Provider. Name of the Secret Management Access object that contains information about the backend Secret Management service
+<a id="tls-parameters-common-params-tls-certificates-private-key-blindfold-secret-info-location"></a>&#x2022; [`location`](#tls-parameters-common-params-tls-certificates-private-key-blindfold-secret-info-location) - Optional String<br>Location. Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location
+<a id="tls-parameters-common-params-tls-certificates-private-key-blindfold-secret-info-store-provider"></a>&#x2022; [`store_provider`](#tls-parameters-common-params-tls-certificates-private-key-blindfold-secret-info-store-provider) - Optional String<br>Store Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+#### TLS Parameters Common Params TLS Certificates Private Key Clear Secret Info
+A [`clear_secret_info`](#tls-parameters-common-params-tls-certificates-private-key-clear-secret-info) block (within [`tls_parameters.common_params.tls_certificates.private_key`](#tls-parameters-common-params-tls-certificates-private-key)) supports the following:
+<a id="tls-parameters-common-params-tls-certificates-private-key-clear-secret-info-provider-ref"></a>&#x2022; [`provider_ref`](#tls-parameters-common-params-tls-certificates-private-key-clear-secret-info-provider-ref) - Optional String<br>Provider. Name of the Secret Management Access object that contains information about the store to get encrypted bytes This field needs to be provided only if the URL scheme is not string:///
+<a id="tls-parameters-common-params-tls-certificates-private-key-clear-secret-info-url"></a>&#x2022; [`url`](#tls-parameters-common-params-tls-certificates-private-key-clear-secret-info-url) - Optional String<br>URL. URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will get Secret bytes after Base64 decoding
+#### TLS Parameters Common Params Validation Params
+A [`validation_params`](#tls-parameters-common-params-validation-params) block (within [`tls_parameters.common_params`](#tls-parameters-common-params)) supports the following:
+<a id="tls-parameters-common-params-validation-params-skip-hostname-verification"></a>&#x2022; [`skip_hostname_verification`](#tls-parameters-common-params-validation-params-skip-hostname-verification) - Optional Bool<br>Skip verification of hostname. When True, skip verification of hostname i.e. CN/Subject Alt Name of certificate is not matched to the connecting hostname
+<a id="tls-parameters-common-params-validation-params-trusted-ca"></a>&#x2022; [`trusted_ca`](#tls-parameters-common-params-validation-params-trusted-ca) - Optional Block<br>Root CA Certificate Reference. Reference to Root CA Certificate<br>See [Trusted CA](#tls-parameters-common-params-validation-params-trusted-ca) below.
+<a id="tls-parameters-common-params-validation-params-trusted-ca-url"></a>&#x2022; [`trusted_ca_url`](#tls-parameters-common-params-validation-params-trusted-ca-url) - Optional String<br>Inline Root CA Certificate (legacy). Inline Root CA Certificate
+<a id="tls-parameters-common-params-validation-params-verify-subject-alt-names"></a>&#x2022; [`verify_subject_alt_names`](#tls-parameters-common-params-validation-params-verify-subject-alt-names) - Optional List<br>List of SANs for matching. List of acceptable Subject Alt Names/CN in the peer's certificate. When skip_hostname_verification is false and verify_subject_alt_names is empty, the hostname of the peer will be used for matching against SAN/CN of peer's certificate
+#### TLS Parameters Common Params Validation Params Trusted CA
+A [`trusted_ca`](#tls-parameters-common-params-validation-params-trusted-ca) block (within [`tls_parameters.common_params.validation_params`](#tls-parameters-common-params-validation-params)) supports the following:
+<a id="tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list"></a>&#x2022; [`trusted_ca_list`](#tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list) - Optional Block<br>Root CA Certificate Reference. Reference to Root CA Certificate<br>See [Trusted CA List](#tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list) below.
+#### TLS Parameters Common Params Validation Params Trusted CA Trusted CA List
+A [`trusted_ca_list`](#tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list) block (within [`tls_parameters.common_params.validation_params.trusted_ca`](#tls-parameters-common-params-validation-params-trusted-ca)) supports the following:
+<a id="tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list-kind"></a>&#x2022; [`kind`](#tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list-kind) - Optional String<br>Kind. When a configuration object(e.g. virtual_host) refers to another(e.g route) then kind will hold the referred object's kind (e.g. 'route')
+<a id="tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list-name"></a>&#x2022; [`name`](#tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list-name) - Optional String<br>Name. When a configuration object(e.g. virtual_host) refers to another(e.g route) then name will hold the referred object's(e.g. route's) name
+<a id="tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list-namespace"></a>&#x2022; [`namespace`](#tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list-namespace) - Optional String<br>Namespace. When a configuration object(e.g. virtual_host) refers to another(e.g route) then namespace will hold the referred object's(e.g. route's) namespace
+<a id="tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list-tenant"></a>&#x2022; [`tenant`](#tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list-tenant) - Optional String<br>Tenant. When a configuration object(e.g. virtual_host) refers to another(e.g route) then tenant will hold the referred object's(e.g. route's) tenant
+<a id="tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list-uid"></a>&#x2022; [`uid`](#tls-parameters-common-params-validation-params-trusted-ca-trusted-ca-list-uid) - Optional String<br>UID. When a configuration object(e.g. virtual_host) refers to another(e.g route) then uid will hold the referred object's(e.g. route's) uid
+#### User Identification
+An [`user_identification`](#user-identification) block supports the following:
+<a id="user-identification-kind"></a>&#x2022; [`kind`](#user-identification-kind) - Optional String<br>Kind. When a configuration object(e.g. virtual_host) refers to another(e.g route) then kind will hold the referred object's kind (e.g. 'route')
+<a id="user-identification-name"></a>&#x2022; [`name`](#user-identification-name) - Optional String<br>Name. When a configuration object(e.g. virtual_host) refers to another(e.g route) then name will hold the referred object's(e.g. route's) name
+<a id="user-identification-namespace"></a>&#x2022; [`namespace`](#user-identification-namespace) - Optional String<br>Namespace. When a configuration object(e.g. virtual_host) refers to another(e.g route) then namespace will hold the referred object's(e.g. route's) namespace
+<a id="user-identification-tenant"></a>&#x2022; [`tenant`](#user-identification-tenant) - Optional String<br>Tenant. When a configuration object(e.g. virtual_host) refers to another(e.g route) then tenant will hold the referred object's(e.g. route's) tenant
+<a id="user-identification-uid"></a>&#x2022; [`uid`](#user-identification-uid) - Optional String<br>UID. When a configuration object(e.g. virtual_host) refers to another(e.g route) then uid will hold the referred object's(e.g. route's) uid
+#### WAF Type
+A [`waf_type`](#waf-type) block supports the following:
+<a id="waf-type-app-firewall"></a>&#x2022; [`app_firewall`](#waf-type-app-firewall) - Optional Block<br>App Firewall Reference. A list of references to the app_firewall configuration objects<br>See [App Firewall](#waf-type-app-firewall) below.
+<a id="waf-type-disable-waf"></a>&#x2022; [`disable_waf`](#waf-type-disable-waf) - Optional Block<br>Enable this option
+<a id="waf-type-inherit-waf"></a>&#x2022; [`inherit_waf`](#waf-type-inherit-waf) - Optional Block<br>Enable this option
+#### WAF Type App Firewall
+An [`app_firewall`](#waf-type-app-firewall) block (within [`waf_type`](#waf-type)) supports the following:
+<a id="waf-type-app-firewall-app-firewall"></a>&#x2022; [`app_firewall`](#waf-type-app-firewall-app-firewall) - Optional Block<br>Application Firewall. References to an Application Firewall configuration object<br>See [App Firewall](#waf-type-app-firewall-app-firewall) below.
+#### WAF Type App Firewall App Firewall
+An [`app_firewall`](#waf-type-app-firewall-app-firewall) block (within [`waf_type.app_firewall`](#waf-type-app-firewall)) supports the following:
+<a id="waf-type-app-firewall-app-firewall-kind"></a>&#x2022; [`kind`](#waf-type-app-firewall-app-firewall-kind) - Optional String<br>Kind. When a configuration object(e.g. virtual_host) refers to another(e.g route) then kind will hold the referred object's kind (e.g. 'route')
+<a id="waf-type-app-firewall-app-firewall-name"></a>&#x2022; [`name`](#waf-type-app-firewall-app-firewall-name) - Optional String<br>Name. When a configuration object(e.g. virtual_host) refers to another(e.g route) then name will hold the referred object's(e.g. route's) name
+<a id="waf-type-app-firewall-app-firewall-namespace"></a>&#x2022; [`namespace`](#waf-type-app-firewall-app-firewall-namespace) - Optional String<br>Namespace. When a configuration object(e.g. virtual_host) refers to another(e.g route) then namespace will hold the referred object's(e.g. route's) namespace
+<a id="waf-type-app-firewall-app-firewall-tenant"></a>&#x2022; [`tenant`](#waf-type-app-firewall-app-firewall-tenant) - Optional String<br>Tenant. When a configuration object(e.g. virtual_host) refers to another(e.g route) then tenant will hold the referred object's(e.g. route's) tenant
+<a id="waf-type-app-firewall-app-firewall-uid"></a>&#x2022; [`uid`](#waf-type-app-firewall-app-firewall-uid) - Optional String<br>UID. When a configuration object(e.g. virtual_host) refers to another(e.g route) then uid will hold the referred object's(e.g. route's) uid
+## Import
+Import is supported using the following syntax:
+```shell
+# Import using namespace/name format
+terraform import f5xc_virtual_host.example system/example
+```