zscaler.ziacloud.zia_cloud_app_control_rules module – Adds a new Cloud App Control rule.

Note

This module is part of the zscaler.ziacloud collection (version 1.3.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.ziacloud. You need further requirements to be able to use this module; see Requirements for details.

To use it in a playbook, specify: zscaler.ziacloud.zia_cloud_app_control_rules.

New in zscaler.ziacloud 1.0.0

Synopsis

  • Adds a new Cloud App Control rule.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

actions

list / elements=string

Actions allowed for the specified type.

api_key

string

A string that contains the obfuscated API key.

applications

list / elements=string

List of cloud applications for which the rule will be applied.

cascading_enabled

boolean

Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.

The URL Filtering policy does not apply if the transaction is blocked by the Cloud App Control policy.

Choices:

  • false

  • true

cbi_profile

dictionary

The cloud browser isolation profile to which the ISOLATE action is applied in the Cloud App Control Policy rules.

This parameter is required for the ISOLATE action and is not applicable to other actions.

    id

    string / required

    The universally unique identifier (UUID) for the browser isolation profile.

    name

    string / required

    Name of the browser isolation profile.

    url

    string / required

    The browser isolation profile URL.

cloud

string

The Zscaler cloud name provisioned for your organization.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

cloud_app_instances

list / elements=integer

Name-ID pair of cloud application instances for which the rule will be applied.

cloud_app_risk_profile

list / elements=integer

Name-ID pair of the cloud application risk profile for which the rule will be applied.

departments

list / elements=integer

Name-ID pairs of departments for which the rule will be applied.

description

string

Additional information about the rule

device_groups

list / elements=integer

Name-ID pairs of device groups for which the rule must be applied.

This field is applicable for devices that are managed using Zscaler Client Connector.

If no value is set, this field is ignored during the policy evaluation.

device_trust_levels

list / elements=string

List of device trust levels for which the rule must be applied.

This field is applicable for devices that are managed using Zscaler Client Connector.

The trust levels are assigned to the devices based on your posture configurations.

If no value is set, this field is ignored during the policy evaluation.

Choices:

  • "ANY"

  • "UNKNOWN_DEVICETRUSTLEVEL"

  • "LOW_TRUST"

  • "MEDIUM_TRUST"

  • "HIGH_TRUST"

devices

list / elements=integer

Name-ID pairs of devices for which the rule must be applied.

Specifies devices that are managed using Zscaler Client Connector.

If no value is set, this field is ignored during the policy evaluation.

enabled

boolean

Determines whether the Cloud App Control rule is enabled or disabled

Choices:

  • false

  • true

enforce_time_validity

boolean

Enforce a set validity time period for the Cloud App Control rule.

Choices:

  • false

  • true

groups

list / elements=integer

Name-ID pairs of groups for which the rule must be applied.

id

integer

Unique identifier for the Cloud App Control policy rule

labels

list / elements=integer

The Cloud App Control rule label. Rule labels allow you to logically group your organization policy rules.

Policy rules that are not associated with a rule label are grouped under the Untagged label.

location_groups

list / elements=integer

Name-ID pairs of the location groups to which the rule must be applied.

locations

list / elements=integer

Name-ID pairs of locations for which the rule must be applied.

name

string / required

Name of the Cloud App Control policy rule

order

integer

Rule order number of the Cloud App Control policy rule

password

string

A string that contains the password for the API admin.

provider

dictionary

A dict object containing connection details. This is optional; credentials can also be provided directly at the top level.

    api_key

    string

    A string that contains the obfuscated API key.

    cloud

    string

    The Zscaler cloud name provisioned for your organization.

    Choices:

      • "zscloud"

      • "zscaler"

      • "zscalerone"

      • "zscalertwo"

      • "zscalerthree"

      • "zscalerbeta"

      • "zscalergov"

      • "zscalerten"

    password

    string

    A string that contains the password for the API admin.

    sandbox_token

    string

    A string that contains the Sandbox API Key.

    username

    string

    A string that contains the email ID of the API admin.

rank

integer

Admin rank of the admin who creates this rule

Default: 7

rule_type

string / required

The rule type selected from the available options.

Choices:

  • "SOCIAL_NETWORKING"

  • "STREAMING_MEDIA"

  • "WEBMAIL"

  • "INSTANT_MESSAGING"

  • "BUSINESS_PRODUCTIVITY"

  • "ENTERPRISE_COLLABORATION"

  • "SALES_AND_MARKETING"

  • "SYSTEM_AND_DEVELOPMENT"

  • "CONSUMER"

  • "HOSTING_PROVIDER"

  • "IT_SERVICES"

  • "FILE_SHARE"

  • "DNS_OVER_HTTPS"

  • "HUMAN_RESOURCES"

  • "LEGAL"

  • "HEALTH_CARE"

  • "FINANCE"

  • "CUSTOM_CAPP"

  • "AI_ML"

sandbox_token

string

A string that contains the Sandbox API Key.

size_quota

integer

Action must be set to CAUTION

Size quota in MB beyond which the Cloud App Control rule is applied.

The allowed range is between 10 MB and 100000 MB

If not set, no quota is enforced. If a policy rule action is set to BLOCK, this field is not applicable.

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

  • "absent"

tenancy_profile_ids

list / elements=integer

Name-ID pair of the Tenant Profile for which the rule will be applied.

time_quota

integer

Action must be set to CAUTION

Time quota in minutes, after which the Cloud App Control rule is applied.

The allowed range is between 15 minutes and 600 minutes.

If not set, no quota is enforced. If a policy rule action is set to BLOCK, this field is not applicable.

time_windows

list / elements=integer

Name-ID pairs of the time intervals during which the rule must be enforced.

user_agent_types

list / elements=string

Any number of user agents to which the rule applies.

Choices:

  • "OPERA"

  • "FIREFOX"

  • "MSIE"

  • "MSEDGE"

  • "CHROME"

  • "SAFARI"

  • "OTHER"

  • "MSCHREDGE"

user_risk_score_levels

list / elements=string

Indicates the user risk level selected for the DLP rule violation.

Choices:

  • "LOW"

  • "MEDIUM"

  • "HIGH"

  • "CRITICAL"

username

string

A string that contains the email ID of the API admin.

users

list / elements=integer

Name-ID pairs of users for which the rule must be applied.

validity_end_time

string

If enforce_time_validity is set to true, the Cloud App Control rule will cease to be valid on this end date and time.

Example ( 12/21/2023 12:00 AM )

validity_start_time

string

If enforce_time_validity is set to true, the Cloud App Control rule will be valid starting on this date and time.

Example ( 11/20/2023 11:59 PM )

Notice that validity_start_time cannot be in the past

validity_time_zone_id

string

If enforce_time_validity is set to true, the Cloud App Control rule date and time is valid based on this time zone ID.

Notes

Note

  • Check mode is supported.

Examples

- name: Create/Update/Delete a Cloud App Control Rule.
  zscaler.ziacloud.zia_cloud_app_control_rules:
    provider: '{{ provider }}'
    name: "Example_WebMail_Rule"
    description: "Example_WebMail_Rule"
    # rule_type is a required parameter; WEBMAIL matches the actions and applications below
    rule_type: "WEBMAIL"
    enabled: true
    order: 1
    actions:
      - ALLOW_WEBMAIL_VIEW
      - ALLOW_WEBMAIL_ATTACHMENT_SEND
      - ALLOW_WEBMAIL_SEND
    applications:
      - "GOOGLE_WEBMAIL"
      - "YAHOO_WEBMAIL"
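
A pre-flight check for the constraints stated in the parameter table (required fields, quota ranges, the CAUTION and ISOLATE dependencies, the validity date format), added here as an example and not part of the zscaler.ziacloud collection. It assumes action names carry their kind as a prefix, as ALLOW_WEBMAIL_VIEW does; lint_rule, has_action and SAMPLE are hypothetical names, and the sample rule is constructed.

```python
from datetime import datetime

RULE_TYPES = set("""SOCIAL_NETWORKING STREAMING_MEDIA WEBMAIL INSTANT_MESSAGING
BUSINESS_PRODUCTIVITY ENTERPRISE_COLLABORATION SALES_AND_MARKETING
SYSTEM_AND_DEVELOPMENT CONSUMER HOSTING_PROVIDER IT_SERVICES FILE_SHARE
DNS_OVER_HTTPS HUMAN_RESOURCES LEGAL HEALTH_CARE FINANCE CUSTOM_CAPP AI_ML""".split())
TIME_FMT = "%m/%d/%Y %I:%M %p"  # the format of the page's "12/21/2023 12:00 AM"


def has_action(rule, kind):
    # Assumption: the action kind is the name's prefix (ALLOW_..., CAUTION_..., ISOLATE_...).
    return any(a == kind or a.startswith(kind + "_") for a in rule.get("actions", []))


def lint_rule(rule, now=None):
    """Return the documented constraints that a rule definition violates."""
    now = now or datetime.now()
    errs = []
    for key in ("name", "rule_type"):
        if not rule.get(key):
            errs.append(f"{key} is required")
    if rule.get("rule_type") and rule["rule_type"] not in RULE_TYPES:
        errs.append("rule_type is not a documented choice")
    for key, lo, hi in (("size_quota", 10, 100000), ("time_quota", 15, 600)):
        if rule.get(key) is not None:
            if not lo <= rule[key] <= hi:
                errs.append(f"{key} outside {lo}-{hi}")
            if not has_action(rule, "CAUTION"):
                errs.append(f"{key} needs a CAUTION action")
    if has_action(rule, "ISOLATE") != bool(rule.get("cbi_profile")):
        errs.append("cbi_profile is required for ISOLATE and only for ISOLATE")
    if rule.get("enforce_time_validity"):
        try:
            start = datetime.strptime(rule["validity_start_time"], TIME_FMT)
            datetime.strptime(rule["validity_end_time"], TIME_FMT)
        except (KeyError, ValueError):
            errs.append("validity_start_time/validity_end_time missing or malformed")
        else:
            # Naive comparison; validity_time_zone_id is not taken into account here.
            if start < now:
                errs.append("validity_start_time is in the past")
    return errs


# Constructed sample: a quota on an ALLOW-only rule and a start time that has passed.
SAMPLE = {"name": "Example_WebMail_Rule", "rule_type": "WEBMAIL",
          "actions": ["ALLOW_WEBMAIL_VIEW"], "time_quota": 5,
          "enforce_time_validity": True,
          "validity_start_time": "11/20/2023 11:59 PM",
          "validity_end_time": "12/21/2023 12:00 AM"}

if __name__ == "__main__":
    print("\n".join(lint_rule(SAMPLE, now=datetime(2024, 1, 1))))
```

Running this over rule definitions in CI, together with the module's check mode, catches a misconfigured policy rule before it reaches the tenant.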

Authors

  • William Guilherme (@willguibr)