zscaler.zpacloud.zpa_application_segment module – Create an application segment in the ZPA Cloud.

Note

This module is part of the zscaler.zpacloud collection (version 2.0.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.zpacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.zpacloud.zpa_application_segment.

New in zscaler.zpacloud 1.0.0

Synopsis

  • This module will create/update/delete an application segment

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

adp_enabled

boolean

Indicates if Active Directory Inspection is enabled or not for the application.

Choices:

  • false

  • true

bypass_on_reauth

boolean

Indicates whether application access during reauthentication bypasses ZPA (Enabled) or not (Disabled).

This feature is only applicable for Zscaler Client Connector-specific applications.

Choices:

  • false

  • true

bypass_type

string

Indicates whether users can bypass ZPA to access applications.

Choices:

  • "ALWAYS"

  • "NEVER" ← (default)

  • "ON_NET"

client_id

string

The client ID for OAuth2 authentication.

Required for OneAPI client authentication when use_legacy_client=false.

client_secret

string

The client secret for OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

cloud

string

The ZPA cloud provisioned for your organization.

Used for OneAPI client authentication when use_legacy_client=false.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

description

string

The description of the application resource.

domain_names

list / elements=string

The list of domains and IPs. The maximum limit for domains or IPs is 2,000 applications per application segment

The maximum limit for domains or IPs for the whole customer is 6,000 applications.

double_encrypt

boolean

Whether Double Encryption is enabled or disabled for the application..

Choices:

  • false

  • true

enabled

boolean

Whether this application resource is enabled or not.

Choices:

  • false

  • true

fqdn_dns_check

boolean

If set to true, performs a DNS check to find an A or AAAA record for this application.

Choices:

  • false

  • true

health_check_type

string

health check type.

Default: "DEFAULT"

health_reporting

string

Whether health reporting for the app is Continuous or On Access. Supported values are NONE, ON_ACCESS, CONTINUOUS

Choices:

  • "NONE" ← (default)

  • "ON_ACCESS"

  • "CONTINUOUS"

icmp_access_type

boolean

Indicates the ICMP access type.

Choices:

  • false

  • true

id

string

The unique identifier of the application resource.

inspect_traffic_with_zia

boolean

Indicates if Inspect Traffic with ZIA is enabled for the application

When enabled, this leverages a single posture for securing internet/SaaS and private applications

and applies Data Loss Prevention policies to the application segment you are creating

Choices:

  • false

  • true

ip_anchored

boolean

Whether Source IP Anchoring for use with ZIA is enabled or disabled for the application.

Choices:

  • false

  • true

is_cname_enabled

boolean

Indicates if the Zscaler Client Connector (formerly Zscaler App or Z App) receives CNAME DNS records from the connectors.

Choices:

  • false

  • true

is_incomplete_dr_config

boolean

Indicates whether or not the disaster recovery configuration is incomplete

Choices:

  • false

  • true

match_style

string

Indicates if Multimatch is enabled for the application segment.

If enabled (INCLUSIVE), the request allows traffic to match multiple applications.

If disabled (EXCLUSIVE), the request allows traffic to match a single application.

A domain can only be INCLUSIVE or EXCLUSIVE, and any application segment can only contain inclusive or exclusive domains.

A domain can only be INCLUSIVE or EXCLUSIVE, and any application segment can only contain inclusive or exclusive domains

Choices:

  • "EXCLUSIVE" ← (default)

  • "INCLUSIVE"

microtenant_id

string

The unique identifier of the Microtenant for the ZPA tenant

name

string / required

The name of the application resource.

passive_health_enabled

boolean

Indicates if passive health checks are enabled on the application..

Choices:

  • false

  • true ← (default)

private_key

string

The private key for JWT-based OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

provider

dictionary

A dict containing authentication credentials.

client_id

string

The client ID for OAuth2 authentication.

Required for OneAPI client authentication when use_legacy_client=false.

client_secret

string

The client secret for OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

cloud

string

The ZPA cloud provisioned for your organization.

Used for OneAPI client authentication when use_legacy_client=false.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

private_key

string

The private key for JWT-based OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.

When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.

Choices:

  • false ← (default)

  • true

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

Required for OneAPI client authentication when use_legacy_client=false.

zpa_client_id

string

The ZPA API client ID generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_client_secret

string

The ZPA API client secret generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_cloud

string

The ZPA cloud provisioned for your organization.

Required for legacy client authentication when use_legacy_client=true.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

zpa_customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for legacy client authentication when use_legacy_client=true.

segment_group_id

string

ID of the segment group.

select_connector_close_to_app

boolean

Whether the App Connector is closest to the application (True) or closest to the user (False).

Choices:

  • false

  • true

server_group_ids

list / elements=string

ID of the server group.

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

  • "absent"

tcp_keep_alive

boolean

Indicates whether TCP communication sockets are enabled or disabled.

Choices:

  • false

  • true

tcp_port_range

list / elements=dictionary

List of tcp port range pairs, e.g. [22, 22] for port 22-22, [80, 100] for 80-100.

from

string

List of valid TCP ports. The application segment API supports multiple TCP and UDP port ranges.

to

string

List of valid TCP ports. The application segment API supports multiple TCP and UDP port ranges.

tcp_port_ranges

list / elements=string

The list of TCP port ranges used to access the application

tcp_protocols

list / elements=string

Indicates the AD Protection protocols to be inspected on the specified TCP port ranges

Choices:

  • "KERBEROS"

  • "LDAP"

  • "SMB"

udp_port_range

list / elements=dictionary

List of udp port range pairs, e.g. [‘35000’, ‘35000’] for port 35000.

from

string

List of valid UDP ports. The application segment API supports multiple TCP and UDP port ranges.

to

string

List of valid UDP ports. The application segment API supports multiple TCP and UDP port ranges.

udp_port_ranges

list / elements=string

The list of UDP port ranges used to access the application

udp_protocols

list / elements=string

Indicates the AD Protection protocols to be inspected on the specified UDP port ranges.

Choices:

  • "KERBEROS"

  • "LDAP"

  • "SMB"

use_in_dr_mode

boolean

Whether or not the application resource is designated for disaster recovery

Choices:

  • false

  • true

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.

When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.

Choices:

  • false ← (default)

  • true

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

Required for OneAPI client authentication when use_legacy_client=false.

weighted_load_balancing

boolean

Indicates if the application load balancing configuration for application segments is enabled (true) or disabled (false)

Choices:

  • false

  • true

zpa_client_id

string

The ZPA API client ID generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_client_secret

string

The ZPA API client secret generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_cloud

string

The ZPA cloud provisioned for your organization.

Required for legacy client authentication when use_legacy_client=true.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

zpa_customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for legacy client authentication when use_legacy_client=true.

Notes

Note

  • Check mode is supported.

Examples

- name: Create/Update/Delete an application segment.
  zscaler.zpacloud.zpa_application_segment:
    provider: "{{ zpa_cloud }}"
    name: Example Application Segment
    description: Example Application Segment
    enabled: true
    health_reporting: ON_ACCESS
    bypass_type: NEVER
    is_cname_enabled: true
    tcp_port_range:
      - from: "80"
        to: "80"
    domain_names:
      - crm.example.com
    segment_group_id: "216196257331291896"
    server_group_ids:
      - "216196257331291969"

Authors

  • William Guilherme (@willguibr)