zscaler.zpacloud.zpa_policy_access_app_protection_rule module – Create a Policy App Protection Rule in the ZPA Cloud.

Note

This module is part of the zscaler.zpacloud collection (version 1.4.2).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.zpacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.zpacloud.zpa_policy_access_app_protection_rule.

New in zscaler.zpacloud 1.0.0

Synopsis

  • This module creates, updates, or deletes a Policy Isolation Rule in the ZPA Cloud.

Requirements

The requirements below are needed on the host that executes this module.

Parameters

Parameter

Comments

action

string

The action the rule applies to matching traffic.

Choices:

  • "INSPECT"

  • "BYPASS_INSPECT"

  • "inspect"

  • "bypass_inspect"

client_id

string

The ZPA API client ID generated from the ZPA console.

client_secret

string

The ZPA API client secret generated from the ZPA console.

cloud

string

The ZPA cloud provisioned for your organization.

Choices:

  • "PRODUCTION"

  • "BETA"

  • "QA"

  • "QA2"

  • "GOV"

  • "GOVUS"

  • "PREVIEW"

  • "ZPATWO"

conditions

list / elements=dictionary

The set of conditions that make up the policy.

operands

list / elements=dictionary

The various policy criteria. Array of attributes (e.g., objectType, lhs, rhs, name).

idp_id

string

The ID information for the Identity Provider (IdP).

lhs

string

The key for the object type (for example, id for a string ID).

object_type

string

  • Specifies the policy criteria. Supported values: APP, APP_GROUP, SAML, IDP, CLIENT_TYPE, POSTURE, TRUSTED_NETWORK, MACHINE_GRP, SCIM, SCIM_GROUP.

  • The POSTURE and TRUSTED_NETWORK values are only supported for the CLIENT_TYPE.

rhs

string

  • The value for the given object type. Its value depends on the key:

  • For APP, APP_GROUP, and IDP, the supported value is the entity ID.

  • For CLIENT_TYPE, the supported values are zpn_client_type_zapp (for Zscaler Client Connector) and zpn_client_type_exporter (for Clientless).

  • For POSTURE, the supported values are true (verified) and false (verification failed).

  • For TRUSTED_NETWORK, the supported value is true.

operator

string

The operation type. Supported values: AND, OR.

Choices:

  • "AND"

  • "OR"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

description

string

This is the description of the access policy.

id

string

The unique identifier of the policy rule.

name

string / required

The name of the isolation rule.

operator

string

Denotes the operation type.

These are the operands used between criteria.

Choices:

  • "AND"

  • "OR"

policy_type

string

Indicates the policy type. The following value is supported: client_forwarding.

provider

dictionary

A dict object containing authentication details.

client_id

string

The ZPA API client ID generated from the ZPA console.

client_secret

string

The ZPA API client secret generated from the ZPA console.

cloud

string

The ZPA cloud provisioned for your organization.

Choices:

  • "PRODUCTION"

  • "BETA"

  • "QA"

  • "QA2"

  • "GOV"

  • "GOVUS"

  • "PREVIEW"

  • "ZPATWO"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

rule_order

string

The policy evaluation order number of the rule.

state

string

The desired state of the rule.

Choices:

  • "present" ← (default)

  • "absent"

zpn_inspection_profile_id

string

The isolation profile ID associated with the rule.

Notes

Note

  • Check mode is supported.

Examples

- name: "Policy App Protection Rule - Example"
  zscaler.zpacloud.zpa_policy_access_app_protection_rule:
    provider: "{{ zpa_cloud }}"
    name: "Policy App Protection Rule - Example"
    description: "Policy App Protection Rule"
    rule_order: 1
    action: "INSPECT"
    operator: "AND"
    zpn_inspection_profile_id: "216196257331286656"
    conditions:
      - operator: "OR"
        operands:
          - object_type: "APP"
            lhs: "id"
            rhs: "216196257331292105"
          - object_type: "APP_GROUP"
            lhs: "id"
            rhs: "216196257331292103"
      - operator: "OR"
        operands:
          - object_type: "CLIENT_TYPE"
            lhs: "id"
            rhs: "zpn_client_type_zapp"
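The operand constraints documented under conditions above (supported object types, and the rhs values allowed for CLIENT_TYPE, POSTURE and TRUSTED_NETWORK) are easy to get wrong in a large policy-as-code repository. The following added example, which is not code from the zscaler.zpacloud collection, lints a rule dictionary against those documented constraints before a playbook applies it; it assumes the value sets on this page are complete for this module version.

```python
# Added example, not code from the zscaler.zpacloud collection: lint a rule
# definition against the operand constraints documented above before a
# playbook applies it. Assumes the documented value sets are complete for
# this module version; anything outside them is reported.
OBJECT_TYPES = {"APP", "APP_GROUP", "SAML", "IDP", "CLIENT_TYPE", "POSTURE",
                "TRUSTED_NETWORK", "MACHINE_GRP", "SCIM", "SCIM_GROUP"}
ENTITY_ID_TYPES = {"APP", "APP_GROUP", "IDP"}  # rhs carries the object's entity id
CLIENT_TYPES = {"zpn_client_type_zapp", "zpn_client_type_exporter"}
ACTIONS, OPERATORS = {"INSPECT", "BYPASS_INSPECT"}, {"AND", "OR"}

def lint_operand(path, op):
    """Yield problem strings for one operand dict (object_type/lhs/rhs)."""
    otype, rhs = op.get("object_type"), str(op.get("rhs", ""))
    if otype not in OBJECT_TYPES:
        yield f"{path}: unsupported object_type {otype!r}"
    elif otype in ENTITY_ID_TYPES and (op.get("lhs") != "id" or not rhs.isdigit()):
        yield f"{path}: {otype} needs lhs 'id' and a numeric entity id in rhs"
    elif otype == "CLIENT_TYPE" and rhs not in CLIENT_TYPES:
        yield f"{path}: CLIENT_TYPE rhs must be one of {sorted(CLIENT_TYPES)}"
    elif otype == "POSTURE" and rhs not in {"true", "false"}:
        yield f"{path}: POSTURE rhs must be 'true' (verified) or 'false'"
    elif otype == "TRUSTED_NETWORK" and rhs != "true":
        yield f"{path}: TRUSTED_NETWORK rhs must be 'true'"

def lint_rule(rule):
    """Return a list of problems; empty means the rule matches the documented constraints."""
    problems = []
    if str(rule.get("action", "")).upper() not in ACTIONS:  # lowercase spellings are accepted
        problems.append(f"action {rule.get('action')!r} must be INSPECT or BYPASS_INSPECT")
    if rule.get("operator") not in OPERATORS:
        problems.append(f"operator {rule.get('operator')!r} must be AND or OR")
    for i, cond in enumerate(rule.get("conditions", [])):
        if cond.get("operator") not in OPERATORS:
            problems.append(f"conditions[{i}]: operator must be AND or OR")
        for j, op in enumerate(cond.get("operands", [])):
            problems.extend(lint_operand(f"conditions[{i}].operands[{j}]", op))
    return problems

# Constructed sample: the page's APP/CLIENT_TYPE operands plus one POSTURE
# operand whose rhs is not the documented 'true'/'false'.
SAMPLE_RULE = {
    "action": "inspect", "operator": "AND",
    "conditions": [
        {"operator": "OR", "operands": [
            {"object_type": "APP", "lhs": "id", "rhs": "216196257331292105"},
            {"object_type": "CLIENT_TYPE", "lhs": "id", "rhs": "zpn_client_type_zapp"},
            {"object_type": "POSTURE", "lhs": "id", "rhs": "yes"}]}],
}
```

Running lint_rule over every rule file before the play runs turns a rejected API call into a readable pre-flight error that names the offending operand.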

Authors

  • William Guilherme (@willguibr)