zscaler.zpacloud.zpa_policy_access_app_protection_rule_v2 module – Manage ZPA Access App Protection Rules (v2)

Note

This module is part of the zscaler.zpacloud collection (version 2.0.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.zpacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.zpacloud.zpa_policy_access_app_protection_rule_v2.

New in zscaler.zpacloud 2.0.0

Synopsis

  • Create, update, or delete a ZPA Access App Protection Rule using the v2 policy engine.

  • These rules enforce inspection or bypass logic on selected traffic based on identity, posture, or other conditions.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

action

string

The action to apply when the rule conditions match.

Choices:

  • "INSPECT"

  • "inspect"

  • "BYPASS_INSPECT"

  • "bypass_inspect"

client_id

string

The client ID for OAuth2 authentication.

Required for OneAPI client authentication when use_legacy_client=false.

client_secret

string

The client secret for OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

cloud

string

The ZPA cloud provisioned for your organization.

Used for OneAPI client authentication when use_legacy_client=false.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

conditions

list / elements=dictionary

Defines the match conditions under which the rule is applied.

operands

list / elements=dictionary

List of operand objects used to evaluate the condition.

entry_values

dictionary

Dictionary of LHS and RHS entries for advanced operands.

lhs

string

Left-hand-side value used in operand evaluation.

rhs

string

Right-hand-side value used in operand evaluation.

object_type

string

The type of object to evaluate.

Choices:

  • "APP"

  • "APP_GROUP"

  • "CLIENT_TYPE"

  • "EDGE_CONNECTOR_GROUP"

  • "IDP"

  • "POSTURE"

  • "SAML"

  • "SCIM"

  • "SCIM_GROUP"

  • "TRUSTED_NETWORK"

  • "PLATFORM"

  • "MACHINE_GRP"

values

list / elements=string

A list of string values to compare for the operand.

operator

string

Logical operator used to combine multiple operands.

Choices:

  • "AND"

  • "OR"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

description

string

A description of the app protection rule.

id

string

The unique identifier of the policy rule.

microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

name

string / required

The name of the app protection rule.

private_key

string

The private key for JWT-based OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

provider

dictionary

A dict containing authentication credentials.

client_id

string

The client ID for OAuth2 authentication.

Required for OneAPI client authentication when use_legacy_client=false.

client_secret

string

The client secret for OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

cloud

string

The ZPA cloud provisioned for your organization.

Used for OneAPI client authentication when use_legacy_client=false.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

private_key

string

The private key for JWT-based OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.

When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.

Choices:

  • false ← (default)

  • true

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

Required for OneAPI client authentication when use_legacy_client=false.

zpa_client_id

string

The ZPA API client ID generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_client_secret

string

The ZPA API client secret generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_cloud

string

The ZPA cloud provisioned for your organization.

Required for legacy client authentication when use_legacy_client=true.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

zpa_customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for legacy client authentication when use_legacy_client=true.

rule_order

string

The evaluation order of the rule within the policy set.

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

  • "absent"

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.

When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.

Choices:

  • false ← (default)

  • true

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

Required for OneAPI client authentication when use_legacy_client=false.

zpa_client_id

string

The ZPA API client ID generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_client_secret

string

The ZPA API client secret generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_cloud

string

The ZPA cloud provisioned for your organization.

Required for legacy client authentication when use_legacy_client=true.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

zpa_customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for legacy client authentication when use_legacy_client=true.

zpn_inspection_profile_id

string

The ID of the inspection profile to associate with the rule.

Notes

Note

  • Check mode is supported.

Examples

- name: "Policy App Protection Rule - Example"
  zscaler.zpacloud.zpa_policy_access_app_protection_rule_v2:
    provider: "{{ zpa_cloud }}"
    name: "Ansible_App_Protection_Rule_V2"
    description: "Ansible_App_Protection_Rule_V2"
    rule_order: "1"
    action: "INSPECT"
    zpn_inspection_profile_id: "{{ profile.profiles[0].id }}"
    conditions:
      - operator: "OR"
        operands:
          - object_type: "APP"
            values:
              - "72058304855116918"
          - object_type: "APP_GROUP"
            values:
              - "72058304855114308"
      - operator: "AND"
        operands:
          - object_type: "SCIM_GROUP"
            entry_values:
              lhs: "72058304855015574"
              rhs: "490880"
      - operator: "AND"
        operands:
          - object_type: "SCIM_GROUP"
            entry_values:
              lhs: "72058304855015574"
              rhs: "490877"
      - operator: "AND"
        operands:
          - object_type: "SCIM"
            entry_values:
              lhs: "72058304855015576"
              rhs: "Smith"
      - operator: "OR"
        operands:
          - object_type: "SAML"
            entry_values:
              lhs: "72058304855021553"
              rhs: "janedoe@acme.com"
      - operator: "OR"
        operands:
          - object_type: "SAML"
            entry_values:
              lhs: "72058304855021553"
              rhs: "jdoe@acme.com"
      - operands:
          - object_type: "PLATFORM"
            entry_values:
              lhs: "linux"
              rhs: "true"
          - object_type: "PLATFORM"
            entry_values:
              lhs: "ios"
              rhs: "true"
          - object_type: "PLATFORM"
            entry_values:
              lhs: "windows"
              rhs: "true"
      - operands:
          - object_type: "CLIENT_TYPE"
            values:
              - zpn_client_type_browser_isolation
              - zpn_client_type_zapp_partner
              - zpn_client_type_exporter
              - zpn_client_type_zapp

Authors

  • William Guilherme (@willguibr)