zscaler.zpacloud.zpa_policy_access_isolation_rule_v2 module – Manage ZPA Access Isolation Rules (v2)

Note

This module is part of the zscaler.zpacloud collection (version 2.0.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.zpacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.zpacloud.zpa_policy_access_isolation_rule_v2.

New in zscaler.zpacloud 2.0.0

Synopsis

  • Create, update, or delete a ZPA Access Isolation Policy Rule using the v2 policy engine.

  • These rules apply browser isolation or bypass actions to applications based on identity, platform, or client conditions.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

action

string

The action to take when the rule matches.

Choices:

  • "ISOLATE"

  • "isolate"

  • "BYPASS_ISOLATE"

  • "bypass_isolate"

client_id

string

The client ID for OAuth2 authentication.

Required for OneAPI client authentication when use_legacy_client=false.

client_secret

string

The client secret for OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

cloud

string

The ZPA cloud provisioned for your organization.

Used for OneAPI client authentication when use_legacy_client=false.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

conditions

list / elements=dictionary

Defines the match conditions under which the rule is applied.

operands

list / elements=dictionary

List of operand objects used to evaluate the condition.

entry_values

dictionary

A dictionary of left-hand side (lhs) and right-hand side (rhs) values used for advanced condition matching.

lhs

string

Left-hand-side value used in operand evaluation.

rhs

string

Right-hand-side value used in operand evaluation.

object_type

string

The type of object to match.

Choices:

  • "APP"

  • "APP_GROUP"

  • "CLIENT_TYPE"

  • "EDGE_CONNECTOR_GROUP"

  • "PLATFORM"

  • "IDP"

  • "SAML"

  • "SCIM"

  • "SCIM_GROUP"

values

list / elements=string

A list of string values to match for the operand.

operator

string

Logical operator used to combine multiple operands.

Choices:

  • "AND"

  • "OR"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

description

string

A description of the isolation rule.

id

string

The unique identifier of the isolation policy rule.

microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

name

string / required

The name of the isolation rule.

private_key

string

The private key for JWT-based OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

provider

dictionary

A dict containing authentication credentials.

client_id

string

The client ID for OAuth2 authentication.

Required for OneAPI client authentication when use_legacy_client=false.

client_secret

string

The client secret for OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

cloud

string

The ZPA cloud provisioned for your organization.

Used for OneAPI client authentication when use_legacy_client=false.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for OneAPI client authentication when use_legacy_client=false.

private_key

string

The private key for JWT-based OAuth2 authentication.

Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.

When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.

Choices:

  • false ← (default)

  • true

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

Required for OneAPI client authentication when use_legacy_client=false.

zpa_client_id

string

The ZPA API client ID generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_client_secret

string

The ZPA API client secret generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_cloud

string

The ZPA cloud provisioned for your organization.

Required for legacy client authentication when use_legacy_client=true.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

zpa_customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for legacy client authentication when use_legacy_client=true.

rule_order

string

The evaluation order of the rule within the policy set.

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

  • "absent"

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.

When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.

Choices:

  • false ← (default)

  • true

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

Required for OneAPI client authentication when use_legacy_client=false.

zpa_client_id

string

The ZPA API client ID generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_client_secret

string

The ZPA API client secret generated from the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_cloud

string

The ZPA cloud provisioned for your organization.

Required for legacy client authentication when use_legacy_client=true.

Choices:

  • "BETA"

  • "GOV"

  • "GOVUS"

  • "PRODUCTION"

  • "QA"

  • "QA2"

  • "PREVIEW"

  • "beta"

  • "production"

zpa_customer_id

string

The ZPA tenant ID found in the Administration Company menu in the ZPA console.

Required for legacy client authentication when use_legacy_client=true.

zpa_microtenant_id

string

The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.

Used for legacy client authentication when use_legacy_client=true.

zpn_isolation_profile_id

string

The ID of the browser isolation profile associated with the rule.

Notes

Note

  • Check mode is supported.

Examples

- name: "Policy Isolation Rule - Example"
  zscaler.zpacloud.zpa_policy_access_isolation_rule:
    provider: "{{ zpa_cloud }}"
    name: "Ansible_Policy_Isolation_Rule_v2"
    description: "Ansible_Policy_Isolation_Rule_v2"
    action: "ISOLATE"
    rule_order: "1"
    zpn_isolation_profile_id: "{{ profile.data[0].id }}"
    conditions:
      - operator: "OR"
        operands:
          - object_type: "APP"
            values:
              - "72058304855116918"
          - object_type: "APP_GROUP"
            values:
              - "72058304855114308"
      - operator: "AND"
        operands:
          - object_type: "SCIM_GROUP"
            entry_values:
              lhs: "72058304855015574"
              rhs: "490880"
      - operator: "AND"
        operands:
          - object_type: "SCIM_GROUP"
            entry_values:
              lhs: "72058304855015574"
              rhs: "490877"
      - operator: "AND"
        operands:
          - object_type: "SCIM"
            entry_values:
              lhs: "72058304855015576"
              rhs: "Smith"
      - operator: "OR"
        operands:
          - object_type: "SAML"
            entry_values:
              lhs: "72058304855021553"
              rhs: "jdoe@acme.com"
      - operator: "OR"
        operands:
          - object_type: "SAML"
            entry_values:
              lhs: "72058304855021553"
              rhs: "janedoe@acme.com"
      - operands:
          - object_type: "PLATFORM"
            entry_values:
              lhs: "linux"
              rhs: "true"
          - object_type: "PLATFORM"
            entry_values:
              lhs: "ios"
              rhs: "true"
          - object_type: "PLATFORM"
            entry_values:
              lhs: "windows"
              rhs: "true"
      - operands:
          - object_type: "CLIENT_TYPE"
            values:
              - "zpn_client_type_exporter"

Authors

  • William Guilherme (@willguibr)