» nsxt_lb_client_ssl_profile
Provides a resource to configure lb client ssl profile on NSX-T manager
» Example Usage
resource "nsxt_lb_client_ssl_profile" "lb_client_ssl_profile" {
description = "lb_client_ssl_profile provisioned by Terraform"
display_name = "lb_client_ssl_profile"
protocols = ["TLS_V1_2"]
ciphers = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]
prefer_server_ciphers = true
session_cache_enabled = true
session_cache_timeout = 200
tag {
scope = "color"
tag = "red"
}
}
» Argument Reference
The following arguments are supported:
-
description
- (Optional) Description of this resource. -
display_name
- (Optional) The display name of this resource. Defaults to ID if not set. -
tag
- (Optional) A list of scope + tag pairs to associate with this lb client ssl profile. -
prefer_server_ciphers
- (Optional) During SSL handshake as part of the SSL client Hello client sends an ordered list of ciphers that it can support (or prefers) and typically server selects the first one from the top of that list it can also support. For Perfect Forward Secrecy(PFS), server could override the client's preference. Defaults to false. -
ciphers
- (Optional) supported SSL cipher list to client side. The supported ciphers can contain: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384. -
prefer_server_ciphers
- (Optional) During SSL handshake as part of the SSL client Hello client sends an ordered list of ciphers that it can support (or prefers) and typically server selects the first one from the top of that list it can also support. For Perfect Forward Secrecy(PFS), server could override the client's preference. Defaults to false. -
protocols
- (Optional) SSL versions TLS_V1_1 and TLS_V1_2 are supported and enabled by default. SSL_V2, SSL_V3, and TLS_V1 are supported, but disabled by default. -
session_cache_enabled
- (Optional) SSL session caching allows SSL client and server to reuse previously negotiated security parameters avoiding the expensive public key operation during handshake. Defaults to true. -
session_cache_timeout
- (Optional) Session cache timeout specifies how long the SSL session parameters are held on to and can be reused. Default value is 300.
» Attributes Reference
In addition to arguments listed above, the following attributes are exported:
-
id
- ID of the lb client ssl profile. -
revision
- Indicates current revision number of the object as seen by NSX-T API server. This attribute can be useful for debugging. -
is_secure
- This flag is set to true when all the ciphers and protocols are secure. It is set to false when one of the ciphers or protocols is insecure.
» Importing
An existing lb client ssl profile can be imported into this resource, via the following command:
terraform import nsxt_lb_client_ssl_profile.lb_client_ssl_profile UUID
The above would import the lb client ssl profile named lb_client_ssl_profile
with the nsx id UUID