zscaler.zpacloud.zpa_policy_access_isolation_rule module – Manage ZPA Access Isolation Policy Rules

Note

This module is part of the zscaler.zpacloud collection (version 2.0.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.zpacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.zpacloud.zpa_policy_access_isolation_rule.

New in zscaler.zpacloud 1.0.0

Synopsis

  • Create, update, or delete a ZPA Access Isolation Policy Rule.

  • These rules define whether application traffic should be isolated or bypassed, based on client identity, platform, or posture.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

action

string

The action to apply when the rule conditions match.

Choices:

  • "ISOLATE"

  • "isolate"

  • "BYPASS_ISOLATE"

  • "bypass_isolate"

client_id

string

The client ID for OAuth2 authentication.

Required for OneAPI client authentication when use_legacy_client=false.

client_secret

string

The client secret for OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

cloud

string

The ZPA cloud provisioned for your organization.

Used for OneAPI client authentication when use_legacy_client=false.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

conditions

list / elements=dictionary

Defines the match conditions under which the rule is applied.

operands

list / elements=dictionary

List of operand objects used to evaluate the condition.

idp_id

string

The ID of the identity provider, applicable if object_type is IDP.

lhs

string

Left-hand-side operand used for key comparison.

object_type

string

The type of object to match in the condition.

Choices:

  • "APP"

  • "APP_GROUP"

  • "CLIENT_TYPE"

  • "EDGE_CONNECTOR_GROUP"

  • "PLATFORM"

  • "IDP"

  • "SAML"

  • "SCIM"

  • "SCIM_GROUP"

rhs

string

Right-hand-side operand used for value comparison.

operator

string

Logical operator used to combine multiple operands.

Choices:

  • "AND"

  • "OR"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

description

string

A description of the isolation policy rule.

id

string

The unique identifier of the isolation rule.

microtenant_id

string

The unique identifier of the microtenant associated with the rule.

name

string / required

The name of the isolation policy rule.

private_key

string

The private key for JWT-based OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

provider

dictionary

A dict containing authentication credentials.

client_id

string

The client ID for OAuth2 authentication.

Required for OneAPI client authentication when use_legacy_client=false.

client_secret

string

The client secret for OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

cloud

string

The ZPA cloud provisioned for your organization.

Used for OneAPI client authentication when use_legacy_client=false.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

private_key

string

The private key for JWT-based OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.

When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.

Choices:

  • false ← (default)

  • true

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

Required for OneAPI client authentication when use_legacy_client=false.

zpa_client_id

string

The ZPA API client ID generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_client_secret

string

The ZPA API client secret generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_cloud

string

The ZPA cloud provisioned for your organization.

Required for legacy client authentication when use_legacy_client=true.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

zpa_customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for legacy client authentication when use_legacy_client=true.

rule_order

string

The evaluation order of the rule within the policy set.

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

  • "absent"

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.

When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.

Choices:

  • false ← (default)

  • true

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

Required for OneAPI client authentication when use_legacy_client=false.

zpa_client_id

string

The ZPA API client ID generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_client_secret

string

The ZPA API client secret generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_cloud

string

The ZPA cloud provisioned for your organization.

Required for legacy client authentication when use_legacy_client=true.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

zpa_customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for legacy client authentication when use_legacy_client=true.

zpn_isolation_profile_id

string

The isolation profile ID associated with the rule.

Notes

Note

  • Check mode is supported.

Examples

- name: Gather information about all CBI Profile
  zscaler.zpacloud.zpa_isolation_profile_info:
    name: BD_SA_Profile1
  register: profile

- name: Create an Access Policy Isolation Rule V1
  zscaler.zpacloud.zpa_policy_access_isolation_rule:
    name: "Ansible_Policy_Isolation_Rule_v1"
    description: "Ansible_Policy_Isolation_Rule_v1"
    action: "ISOLATE"
    rule_order: "1"
    zpn_isolation_profile_id: "{{ profile.profiles[0].id }}"
    conditions:
      - operator: "AND"
        operands:
          - object_type: "APP"
            lhs: "id"
            rhs: "72058304855090129"
          - object_type: "APP_GROUP"
            lhs: "id"
            rhs: "72058304855114308"
      - operator: "AND"
        operands:
          - object_type: "PLATFORM"
            lhs: ios
            rhs: "true"
          - object_type: "PLATFORM"
            lhs: linux
            rhs: "true"
          - object_type: "PLATFORM"
            lhs: windows
            rhs: "true"
      - operator: "OR"
        operands:
          - object_type: "SCIM_GROUP"
            lhs: "72058304855015574"
            rhs: "490880"
            idp_id: "72058304855015574"
          - object_type: "SCIM_GROUP"
            lhs: "72058304855015574"
            rhs: "490877"
            idp_id: "72058304855015574"
      - operator: "AND"
        operands:
          - object_type: "SCIM"
            lhs: "72058304855015576"
            rhs: "Smith"
            idp_id: "72058304855015574"
      - operator: "AND"
        operands:
          - object_type: "SAML"
            lhs: "72058304855021553"
            rhs: "jdoe@acme.com"
            idp_id: "72058304855015574"
      - operator: "AND"
        operands:
          - object_type: "CLIENT_TYPE"
            lhs: "id"
            rhs: "zpn_client_type_exporter"

Authors

  • William Guilherme (@willguibr)