zscaler.zpacloud.zpa_policy_access_rule module – Create a Policy Access Rule

Note

This module is part of the zscaler.zpacloud collection (version 1.4.2).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.zpacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.zpacloud.zpa_policy_access_rule.

New in zscaler.zpacloud 1.0.0

Synopsis

  • This module creates, updates, or deletes a Policy Access Rule in the ZPA Cloud.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

action

string

The action the rule applies when its conditions match. Values are case-insensitive.

Choices:

  • "ALLOW"

  • "DENY"

  • "REQUIRE_APPROVAL"

  • "allow"

  • "deny"

  • "require_approval"

app_connector_group_ids

list / elements=string

List of App Connector Group IDs.

app_server_group_ids

list / elements=string

List of Server Group IDs.

client_id

string

The ZPA API client ID generated from the ZPA console.

client_secret

string

The ZPA API client secret generated from the ZPA console.

cloud

string

The ZPA cloud provisioned for your organization.

Choices:

  • "PRODUCTION"

  • "BETA"

  • "QA"

  • "QA2"

  • "GOV"

  • "GOVUS"

  • "PREVIEW"

  • "ZPATWO"

conditions

list / elements=dictionary

The list of conditions evaluated for this rule. Each condition carries its own operator and a list of operands.

operands

list / elements=dictionary

The criteria evaluated within this condition.

idp_id

string

The unique identifier of the IdP.

lhs

string

The left-hand side of the criterion: the key for the object type (for example "id" for APP, APP_GROUP and MACHINE_GRP, or the network/posture identifier for TRUSTED_NETWORK and POSTURE, as in the example below).

object_type

string

The type of object the criterion matches on.

Choices:

  • "APP"

  • "APP_GROUP"

  • "LOCATION"

  • "IDP"

  • "SAML"

  • "SCIM"

  • "SCIM_GROUP"

  • "CLIENT_TYPE"

  • "POSTURE"

  • "TRUSTED_NETWORK"

  • "BRANCH_CONNECTOR_GROUP"

  • "EDGE_CONNECTOR_GROUP"

  • "MACHINE_GRP"

  • "COUNTRY_CODE"

  • "PLATFORM"

rhs

string

The right-hand side of the criterion: the value matched for the given object type (an object ID, or "true"/"false" for TRUSTED_NETWORK, POSTURE and COUNTRY_CODE, as in the example below).

operator

string

The logical operator joining the operands within this condition.

Choices:

  • "AND"

  • "OR"

custom_msg

string

A custom message shown to the user.

customer_id

string

The ZPA tenant ID, found under Administration > Company in the ZPA console.

description

string

The description of the access rule.

id

string

The unique identifier of the policy rule.

name

string / required

The name of the policy rule.

operator

string

The logical operator joining the rule's conditions.

Choices:

  • "AND"

  • "OR"

policy_type

string

The value for differentiating policy types.

provider

dictionary

A dict object containing authentication details.

client_id

string

The ZPA API client ID generated from the ZPA console.

client_secret

string

The ZPA API client secret generated from the ZPA console.

cloud

string

The ZPA cloud provisioned for your organization.

Choices:

  • "PRODUCTION"

  • "BETA"

  • "QA"

  • "QA2"

  • "GOV"

  • "GOVUS"

  • "PREVIEW"

  • "ZPATWO"

customer_id

string

The ZPA tenant ID, found under Administration > Company in the ZPA console.

rule_order

string

The policy evaluation order number of the rule.

state

string

Whether the rule should exist ("present") or be removed ("absent").

Choices:

  • "present" ← (default)

  • "absent"

Notes

Note

  • Check mode is supported.

Examples

- name: Gather ID for Trusted Network Corp-Trusted-Networks
  zscaler.zpacloud.zpa_trusted_networks_facts:
    provider: "{{ zpa_cloud }}"
    name: Corp-Trusted-Networks
  register: network_id

- name: Gather ID for Posture Profiles CrowdStrike_ZPA_ZTA_40
  zscaler.zpacloud.zpa_posture_profile_facts:
    provider: "{{ zpa_cloud }}"
    name: CrowdStrike_ZPA_ZTA_40
  register: posture1

- name: Gather ID for Machine Group Example MGR01
  zscaler.zpacloud.zpa_machine_group_facts:
    provider: "{{ zpa_cloud }}"
    name: Example MGR01
  register: machine_groups

- name: Gather ID for Segment Group Example100
  zscaler.zpacloud.zpa_segment_group_facts:
    provider: "{{ zpa_cloud }}"
    name: "Example100"
  register: segment_group

- name: Gather ID for App Segment app01
  zscaler.zpacloud.zpa_application_segment_facts:
    provider: "{{ zpa_cloud }}"
    name: "app01"
  register: app01

- name: Create/update/delete a policy rule
  zscaler.zpacloud.zpa_policy_access_rule:
    provider: "{{ zpa_cloud }}"
    name: "Ansible_Access_Policy_Rule"
    description: "Ansible_Access_Policy_Rule"
    action: "ALLOW"
    rule_order: 1
    app_connector_group_ids:
      - "216196257331368721"
      - "216196257331368838"
    app_server_group_ids:
      - "216196257331368722"
      - "216196257331368839"
    operator: "AND"
    conditions:
      - operator: "AND"
        negated: false
        operands:
          - object_type: "TRUSTED_NETWORK"
            lhs: "{{ network_id.data[0].network_id }}"
            rhs: "true"
      - operator: "OR"
        negated: false
        operands:
          - object_type: "POSTURE"
            lhs: "{{ posture1.data[0].posture_udid }}"
            rhs: "true"
      - operator: "AND"
        negated: false
        operands:
          - object_type: "COUNTRY_CODE"
            lhs: "CA"
            rhs: "true"
      - operator: "AND"
        negated: false
        operands:
          - object_type: "MACHINE_GRP"
            lhs: "id"
            rhs: "{{ machine_groups.data[0].id }}"
      - operator: "AND"
        negated: false
        operands:
          - object_type: "APP_GROUP"
            lhs: "id"
            rhs: "{{ segment_group.data[0].id }}"
          - object_type: "APP"
            lhs: "id"
            rhs: "{{ app01.data[0].id }}"
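
The script below does not talk to ZPA; it is a pre-flight lint for zpa_policy_access_rule task arguments, added here as an example and not part of the zscaler.zpacloud collection. It encodes the operand shapes used in the playbook above (TRUSTED_NETWORK, POSTURE and COUNTRY_CODE carry the identifier or country code in lhs and "true"/"false" in rhs; APP, APP_GROUP and MACHINE_GRP use lhs "id" and the object ID in rhs) plus two policy-as-code checks a reviewer would want before the play touches the tenant: an ALLOW rule must carry at least one device-trust operand, and a provider dictionary must not embed a literal client_secret. The sample tasks, the function names and the placeholder IDs are constructed for the example; treating object types not shown in the playbook above as free-form (only a non-empty lhs and rhs is required) is an assumption.

```python
"""Pre-flight lint for zscaler.zpacloud.zpa_policy_access_rule task arguments.

Added example, not part of the zscaler.zpacloud collection. Feed it the parsed
task list of a playbook (e.g. the result of yaml.safe_load) before running it.
"""
import re

MODULE = "zscaler.zpacloud.zpa_policy_access_rule"
VALID_ACTIONS = {"ALLOW", "DENY", "REQUIRE_APPROVAL"}
VALID_OPERATORS = {"AND", "OR"}
VALID_OBJECT_TYPES = {
    "APP", "APP_GROUP", "LOCATION", "IDP", "SAML", "SCIM", "SCIM_GROUP",
    "CLIENT_TYPE", "POSTURE", "TRUSTED_NETWORK", "BRANCH_CONNECTOR_GROUP",
    "EDGE_CONNECTOR_GROUP", "MACHINE_GRP", "COUNTRY_CODE", "PLATFORM",
}
# Operand shapes taken from the module's documented example. Assumption: every
# other object type is only checked for a non-empty lhs and rhs.
FLAG_TYPES = {"TRUSTED_NETWORK", "POSTURE", "COUNTRY_CODE"}  # rhs is "true"/"false"
ID_TYPES = {"APP", "APP_GROUP", "MACHINE_GRP"}               # lhs is "id", rhs the object ID
DEVICE_TRUST_TYPES = {"TRUSTED_NETWORK", "POSTURE", "MACHINE_GRP"}
JINJA = re.compile(r"^\s*\{\{.*\}\}\s*$")


def is_templated(value):
    """True when the value is a Jinja2 expression rather than a literal."""
    return isinstance(value, str) and JINJA.match(value) is not None


def lint_operand(op, path):
    """Check one operand dict; returns a list of findings (empty = clean)."""
    otype = op.get("object_type")
    lhs, rhs = str(op.get("lhs", "")), str(op.get("rhs", ""))
    if otype not in VALID_OBJECT_TYPES:
        return [f"{path}: unknown object_type {otype!r}"]
    findings = []
    if not lhs or not rhs:
        findings.append(f"{path}: lhs and rhs are both required")
    if otype in FLAG_TYPES and rhs not in ("true", "false"):
        findings.append(f"{path}: {otype} expects rhs 'true' or 'false', got {rhs!r}")
    if otype in ID_TYPES and lhs != "id":
        findings.append(f"{path}: {otype} expects lhs 'id', got {lhs!r}")
    return findings


def lint_rule(args):
    """Lint one task's module arguments; returns a list of human-readable findings."""
    findings = []
    action = str(args.get("action", "")).upper()
    if action not in VALID_ACTIONS:
        findings.append(f"action: invalid value {args.get('action')!r}")
    if str(args.get("operator", "AND")).upper() not in VALID_OPERATORS:
        findings.append(f"operator: invalid value {args.get('operator')!r}")
    # Credentials: a literal client_secret in the task ends up in version control.
    provider = args.get("provider")
    secret = provider.get("client_secret") if isinstance(provider, dict) else args.get("client_secret")
    if secret is not None and not is_templated(secret):
        findings.append("client_secret: literal secret in the playbook; use a vaulted variable")
    seen = set()
    for i, cond in enumerate(args.get("conditions") or []):
        if str(cond.get("operator", "AND")).upper() not in VALID_OPERATORS:
            findings.append(f"conditions[{i}].operator: invalid value {cond.get('operator')!r}")
        for j, op in enumerate(cond.get("operands") or []):
            findings.extend(lint_operand(op, f"conditions[{i}].operands[{j}]"))
            seen.add(op.get("object_type"))
    # Zero-trust check: an ALLOW that never looks at the device is just a network ACL.
    if action == "ALLOW" and not (seen & DEVICE_TRUST_TYPES):
        findings.append("action ALLOW without a TRUSTED_NETWORK, POSTURE or MACHINE_GRP operand")
    return findings


def lint_playbook(tasks):
    """Map each zpa_policy_access_rule task name to its findings (empty list = clean)."""
    return {t.get("name", "<unnamed>"): lint_rule(t[MODULE]) for t in tasks if MODULE in t}


# Constructed sample tasks; IDs, names and the secret are placeholders, not real tenant data.
SAMPLE_TASKS = [
    {"name": "Allow app01 from trusted, healthy devices", MODULE: {
        "provider": "{{ zpa_cloud }}", "name": "Ansible_Access_Policy_Rule",
        "action": "ALLOW", "rule_order": 1, "operator": "AND",
        "conditions": [
            {"operator": "AND", "operands": [
                {"object_type": "TRUSTED_NETWORK", "lhs": "{{ network_id.data[0].network_id }}", "rhs": "true"}]},
            {"operator": "OR", "operands": [
                {"object_type": "POSTURE", "lhs": "{{ posture1.data[0].posture_udid }}", "rhs": "true"}]},
            {"operator": "AND", "operands": [
                {"object_type": "APP", "lhs": "id", "rhs": "{{ app01.data[0].id }}"}]},
        ]}},
    {"name": "Allow app01 from Canada", MODULE: {
        "provider": {"client_id": "abc123", "client_secret": "literal-secret-do-not-commit", "customer_id": "1"},
        "name": "Bad_Rule", "action": "allow",
        "conditions": [
            {"operator": "AND", "operands": [
                {"object_type": "COUNTRY_CODE", "lhs": "CA", "rhs": "true"},
                {"object_type": "APP", "lhs": "name", "rhs": "app01"}]},
        ]}},
]

if __name__ == "__main__":
    for name, findings in lint_playbook(SAMPLE_TASKS).items():
        print(name, "->", findings or "clean")
```

The first sample task mirrors the playbook above and comes back clean; the second is flagged three times: the provider dict carries a literal secret, the APP operand uses lhs "name" instead of "id", and the ALLOW is gated only on a country code. Wire lint_playbook into a pre-commit hook or CI job so a rule that widens access never reaches the tenant unreviewed.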

Authors

  • William Guilherme (@willguibr)