zscaler.zpacloud.zpa_policy_access_forwarding_rule module – Create a Policy Forwarding Rule.

Note

This module is part of the zscaler.zpacloud collection (version 2.0.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.zpacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.zpacloud.zpa_policy_access_forwarding_rule.

New in zscaler.zpacloud 1.0.0

Synopsis

  • This module creates, updates or deletes a specific Policy Forwarding Rule.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

action

string

The action of the forwarding rule. INTERCEPT forwards matching traffic to ZPA, INTERCEPT_ACCESSIBLE forwards only traffic for applications the user is entitled to access, and BYPASS sends matching traffic outside ZPA entirely, so bypass rules should be scoped as tightly as the conditions allow. Values are accepted in upper or lower case.

Choices:

  • "INTERCEPT"

  • "INTERCEPT_ACCESSIBLE"

  • "BYPASS"

  • "bypass"

  • "intercept"

  • "intercept_accessible"

client_id

string

The client ID for OAuth2 authentication.

Required for OneAPI client authentication when use_legacy_client=false.

client_secret

string

The client secret for OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

cloud

string

The ZPA cloud provisioned for your organization.

Used for OneAPI client authentication when use_legacy_client=false.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

conditions

list / elements=dictionary

Specifies the set of conditions for the policy rule

operands

list / elements=dictionary

The operands of the condition set

idp_id

string

The unique identifier of the IdP

lhs

string

The key for the object type

object_type

string

The object type of the operand

Choices:

  • "APP"

  • "APP_GROUP"

  • "SAML"

  • "IDP"

  • "SCIM"

  • "SCIM_GROUP"

  • "CLIENT_TYPE"

  • "TRUSTED_NETWORK"

  • "MACHINE_GRP"

  • "POSTURE"

  • "PLATFORM"

  • "BRANCH_CONNECTOR_GROUP"

  • "EDGE_CONNECTOR_GROUP"

rhs

string

The value for the given object type. Its value depends upon the key

operator

string / required

The operator of the condition set

Choices:

  • "AND"

  • "OR"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

description

string

The description of the forwarding rule

id

string

The unique identifier of the policy set

microtenant_id

string

The unique identifier of the Microtenant for the ZPA tenant

name

string / required

The name of the forwarding rule

operator

string

Denotes the operation type: the logical operator (AND or OR) applied between the condition sets listed under conditions. The operator inside each condition applies between that condition's operands.

Choices:

  • "AND"

  • "OR"

private_key

string

The private key for JWT-based OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

provider

dictionary

A dict containing authentication credentials.

client_id

string

The client ID for OAuth2 authentication.

Required for OneAPI client authentication when use_legacy_client=false.

client_secret

string

The client secret for OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

cloud

string

The ZPA cloud provisioned for your organization.

Used for OneAPI client authentication when use_legacy_client=false.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

private_key

string

The private key for JWT-based OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.

When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.

Choices:

  • false ← (default)

  • true

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

Required for OneAPI client authentication when use_legacy_client=false.

zpa_client_id

string

The ZPA API client ID generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_client_secret

string

The ZPA API client secret generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_cloud

string

The ZPA cloud provisioned for your organization.

Required for legacy client authentication when use_legacy_client=true.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

zpa_customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for legacy client authentication when use_legacy_client=true.

rule_order

string

The policy evaluation order number of the rule.

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

  • "absent"

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.

When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.

Choices:

  • false ← (default)

  • true

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

Required for OneAPI client authentication when use_legacy_client=false.

zpa_client_id

string

The ZPA API client ID generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_client_secret

string

The ZPA API client secret generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_cloud

string

The ZPA cloud provisioned for your organization.

Required for legacy client authentication when use_legacy_client=true.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

zpa_customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for legacy client authentication when use_legacy_client=true.
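The following playbook is an added example, not part of the collection's documentation. It shows the two credential sets that use_legacy_client selects between, reads them from environment variables (the ZSCALER_* and ZPA_* variable names are assumed here) so nothing secret is committed with the playbook, and fails early if any of them is unset, because lookup('env') returns an empty string for a missing variable and the module would otherwise fail later with a less specific authentication error.

```yaml
# Added example, not from the zscaler.zpacloud collection. The provider dict is
# built once from environment variables so credentials stay out of the playbook
# and out of source control. The ZSCALER_*/ZPA_* variable names are assumed.
- name: Manage a ZPA forwarding rule with credentials supplied at run time
  hosts: localhost
  gather_facts: false
  vars:
    # OneAPI (OAuth2) authentication. use_legacy_client defaults to false, so
    # client_id/client_secret/vanity_domain/customer_id are the keys read.
    zpa_oneapi:
      client_id: "{{ lookup('env', 'ZSCALER_CLIENT_ID') }}"
      client_secret: "{{ lookup('env', 'ZSCALER_CLIENT_SECRET') }}"
      vanity_domain: "{{ lookup('env', 'ZSCALER_VANITY_DOMAIN') }}"
      customer_id: "{{ lookup('env', 'ZPA_CUSTOMER_ID') }}"
      cloud: "PRODUCTION"
    # Legacy ZPA API client. Only the zpa_* keys are read when
    # use_legacy_client is true.
    zpa_legacy:
      use_legacy_client: true
      zpa_client_id: "{{ lookup('env', 'ZPA_CLIENT_ID') }}"
      zpa_client_secret: "{{ lookup('env', 'ZPA_CLIENT_SECRET') }}"
      zpa_customer_id: "{{ lookup('env', 'ZPA_CUSTOMER_ID') }}"
      zpa_cloud: "PRODUCTION"
    # Flip to true to authenticate with the legacy client instead.
    use_legacy: false
    zpa_provider: "{{ zpa_legacy if use_legacy else zpa_oneapi }}"
  tasks:
    - name: Fail early if the selected credential set has empty values
      ansible.builtin.assert:
        that:
          - zpa_provider | dict2items | map(attribute='value')
            | select('eq', '') | list | length == 0
        fail_msg: "One or more ZPA credential environment variables are unset"

    - name: Ensure the Client Connector bypass rule is present
      zscaler.zpacloud.zpa_policy_access_forwarding_rule:
        provider: "{{ zpa_provider }}"
        name: "Bypass - Client Connector example"
        description: "Managed by Ansible"
        action: "BYPASS"
        rule_order: 1
        operator: "AND"
        conditions:
          - operator: "OR"
            operands:
              - object_type: "CLIENT_TYPE"
                lhs: "id"
                rhs: "zpn_client_type_zapp"
      # Keeps the provider secrets out of -v output and shared CI logs; it also
      # hides the task result, so drop it while debugging a failing call.
      no_log: true
```

Switching use_legacy to true swaps in the zpa_* keys without touching the task; either way the secrets exist only in the environment of the control node for the duration of the run.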

Notes

Note

  • Check mode is supported.

Examples

- name: Policy Forwarding Rule - Example
  zscaler.zpacloud.zpa_policy_access_forwarding_rule:
    provider: "{{ zpa_cloud }}"
    name: "Policy Forwarding Rule - Example"
    description: "Policy Forwarding Rule - Example"
    action: "BYPASS"
    rule_order: 1
    operator: "AND"
    conditions:
      - operator: "OR"
        operands:
          - name: "app_segment"
            object_type: "APP"
            lhs: "id"
            rhs: "216196257331292105"
      - operator: "OR"
        operands:
          - name: "segment_group"
            object_type: "APP_GROUP"
            lhs: "id"
            rhs: "216196257331292103"
      - operator: "OR"
        operands:
          - name: "zpn_client_type_exporter"
            object_type: "CLIENT_TYPE"
            lhs: "id"
            rhs: "zpn_client_type_exporter"
          - name: "zpn_client_type_browser_isolation"
            object_type: "CLIENT_TYPE"
            lhs: "id"
            rhs: "zpn_client_type_browser_isolation"
          - name: "zpn_client_type_zapp"
            object_type: "CLIENT_TYPE"
            lhs: "id"
            rhs: "zpn_client_type_zapp"
      - operator: "OR"
        operands:
          - name: "CrowdStrike_ZPA_ZTA_80"
            object_type: "POSTURE"
            lhs: "{{ postures.data[0].posture_udid }}"
            rhs: "false"
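A second added example, again not from the collection: because the module supports check mode, the declared rule can be dry-run against the tenant and the play failed when the live rule has drifted from what is in source control, which matters most for BYPASS rules since they take traffic out of ZPA. The same task with state: absent removes the rule when it is decommissioned. The application segment ID is a constructed placeholder, operands use only the documented keys (object_type, lhs, rhs), and zpa_cloud is the provider dictionary used in the example above.

```yaml
# Added example, not from the zscaler.zpacloud collection. Check mode is
# supported by this module, so a dry run reports changed=true whenever the live
# rule differs from the declared one without modifying anything.
- name: Detect drift in a ZPA bypass rule, and remove it on request
  hosts: localhost
  gather_facts: false
  vars:
    rule_name: "Policy Forwarding Rule - Example"
    # Constructed placeholder; replace with the real application segment ID.
    app_segment_id: "216196257331292105"
    # Set to true on the command line (-e decommission_rule=true) to delete.
    decommission_rule: false
  tasks:
    - name: Dry-run the declared rule against the tenant (no changes are made)
      zscaler.zpacloud.zpa_policy_access_forwarding_rule:
        provider: "{{ zpa_cloud }}"
        name: "{{ rule_name }}"
        description: "Managed by Ansible; bypass only for the named segment"
        action: "BYPASS"
        rule_order: 1
        operator: "AND"
        conditions:
          - operator: "OR"
            operands:
              - object_type: "APP"
                lhs: "id"
                rhs: "{{ app_segment_id }}"
          - operator: "OR"
            operands:
              - object_type: "CLIENT_TYPE"
                lhs: "id"
                rhs: "zpn_client_type_zapp"
      check_mode: true
      diff: true
      register: bypass_rule

    - name: Fail when the live rule differs from the declared one
      ansible.builtin.assert:
        that:
          - not bypass_rule.changed
        fail_msg: >-
          Forwarding rule '{{ rule_name }}' has drifted from source control;
          review the diff above before re-applying it.
        success_msg: "Forwarding rule '{{ rule_name }}' matches the declaration"

    - name: Remove the rule when decommissioning
      zscaler.zpacloud.zpa_policy_access_forwarding_rule:
        provider: "{{ zpa_cloud }}"
        name: "{{ rule_name }}"
        state: absent
      when: decommission_rule | bool
```

The drift check only covers the rule named in the task: a bypass rule someone created by hand under a different name is not seen here, so pair this with a periodic review of the full forwarding policy in the tenant.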

Authors

  • William Guilherme (@willguibr)