zscaler.zpacloud.zpa_policy_access_rule_v2 module – Manage ZPA Access Policy Rules (v2)
Note

This module is part of the zscaler.zpacloud collection (version 2.0.0). It is not included in ansible-core.

To check whether it is installed, run: ansible-galaxy collection list

To install it, use: ansible-galaxy collection install zscaler.zpacloud

You need further requirements to be able to use this module; see Requirements for details.

To use it in a playbook, specify: zscaler.zpacloud.zpa_policy_access_rule_v2

New in zscaler.zpacloud 2.0.0
Synopsis
Create, update, or delete a ZPA Access Policy Rule using the v2 policy engine.
These rules determine access control based on identity, client posture, location, risk factors, and other attributes.
Requirements
The requirements below must be met on the host that executes this module.
Zscaler SDK Python (https://pypi.org/project/zscaler-sdk-python/)
Parameters
Parameter | Comments
---|---
action | The access control action to apply when the rule conditions match.
app_connector_group_ids | List of App Connector Group IDs to apply this rule to.
app_server_group_ids | List of App Server Group IDs to apply this rule to.
client_id | The client ID for OAuth2 authentication. Required for OneAPI client authentication when use_legacy_client=false.
client_secret | The client secret for OAuth2 authentication. Used for OneAPI client authentication when use_legacy_client=false and not using private_key.
cloud | The ZPA cloud provisioned for your organization. Used for OneAPI client authentication when use_legacy_client=false.
conditions | Defines the match conditions under which the access rule is applied.
conditions / operands | List of operand objects used to evaluate the condition.
conditions / operands / entry_values | A dictionary of left-hand side (lhs) and right-hand side (rhs) values used for advanced condition matching.
conditions / operands / entry_values / lhs | Left-hand-side value used in operand evaluation.
conditions / operands / entry_values / rhs | Right-hand-side value used in operand evaluation.
conditions / operands / object_type | The type of object to match in the condition.
conditions / operands / values | A list of values to match for the object type.
conditions / operator | Logical operator used to combine multiple operands.
custom_msg | Custom message to display to users when the rule is triggered.
customer_id | The ZPA tenant ID found in the Administration > Company menu in the ZPA console. Used for OneAPI client authentication when use_legacy_client=false.
description | A description of the access policy rule.
id | The unique identifier of the access policy rule.
microtenant_id | The identifier of the microtenant associated with the rule.
name | The name of the access policy rule.
private_key | The private key for JWT-based OAuth2 authentication. Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.
provider | A dict containing authentication credentials.
provider / client_id | The client ID for OAuth2 authentication. Required for OneAPI client authentication when use_legacy_client=false.
provider / client_secret | The client secret for OAuth2 authentication. Used for OneAPI client authentication when use_legacy_client=false and not using private_key.
provider / cloud | The ZPA cloud provisioned for your organization. Used for OneAPI client authentication when use_legacy_client=false.
provider / customer_id | The ZPA tenant ID found in the Administration > Company menu in the ZPA console. Used for OneAPI client authentication when use_legacy_client=false.
provider / microtenant_id | The ZPA Microtenant ID found in the Administration > Company menu in the ZPA console. Used for OneAPI client authentication when use_legacy_client=false.
provider / private_key | The private key for JWT-based OAuth2 authentication. Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.
provider / use_legacy_client | Whether to use the legacy Zscaler API client. When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication. When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.
provider / vanity_domain | The vanity domain provisioned by Zscaler for OAuth2 flows. Required for OneAPI client authentication when use_legacy_client=false.
provider / zpa_client_id | The ZPA API client ID generated from the ZPA console. Required for legacy client authentication when use_legacy_client=true.
provider / zpa_client_secret | The ZPA API client secret generated from the ZPA console. Required for legacy client authentication when use_legacy_client=true.
provider / zpa_cloud | The ZPA cloud provisioned for your organization. Required for legacy client authentication when use_legacy_client=true.
provider / zpa_customer_id | The ZPA tenant ID found in the Administration > Company menu in the ZPA console. Required for legacy client authentication when use_legacy_client=true.
provider / zpa_microtenant_id | The ZPA Microtenant ID found in the Administration > Company menu in the ZPA console. Used for legacy client authentication when use_legacy_client=true.
rule_order | The evaluation order of the rule within the policy set.
state | Specifies the desired state of the resource.
use_legacy_client | Whether to use the legacy Zscaler API client. When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication. When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.
vanity_domain | The vanity domain provisioned by Zscaler for OAuth2 flows. Required for OneAPI client authentication when use_legacy_client=false.
zpa_client_id | The ZPA API client ID generated from the ZPA console. Required for legacy client authentication when use_legacy_client=true.
zpa_client_secret | The ZPA API client secret generated from the ZPA console. Required for legacy client authentication when use_legacy_client=true.
zpa_cloud | The ZPA cloud provisioned for your organization. Required for legacy client authentication when use_legacy_client=true.
zpa_customer_id | The ZPA tenant ID found in the Administration > Company menu in the ZPA console. Required for legacy client authentication when use_legacy_client=true.
zpa_microtenant_id | The ZPA Microtenant ID found in the Administration > Company menu in the ZPA console. Used for legacy client authentication when use_legacy_client=true.
Notes

Check mode is supported.
Examples
```yaml
- name: "Policy Access Rule - Example"
  zscaler.zpacloud.zpa_policy_access_rule_v2:
    provider: "{{ zpa_cloud }}"
    name: "Ansible_Policy_Access_Rule_V2"
    description: "Ansible_Policy_Access_Rule_V2"
    action: "ALLOW"
    rule_order: "1"
    app_connector_group_ids:
      - "72058304855047746"
    app_server_group_ids:
      - "72058304855090128"
      - "72058304855047747"
    conditions:
      - operands:
          - object_type: "CHROME_ENTERPRISE"
            entry_values:
              lhs: "managed"
              rhs: "true"
          - object_type: "CHROME_POSTURE_PROFILE"
            values:
              - "72058304855116487"
      - operator: "OR"
        operands:
          - object_type: "APP"
            values:
              - "72058304855116918"
          - object_type: "APP_GROUP"
            values:
              - "72058304855114308"
      - operator: "AND"
        operands:
          - object_type: "SCIM_GROUP"
            entry_values:
              lhs: "72058304855015574"
              rhs: "490880"
      - operator: "AND"
        operands:
          - object_type: "SCIM_GROUP"
            entry_values:
              lhs: "72058304855015574"
              rhs: "490877"
      - operator: "AND"
        operands:
          - object_type: "SCIM"
            entry_values:
              lhs: "72058304855015576"
              rhs: "Smith"
      - operator: "OR"
        operands:
          - object_type: "SAML"
            entry_values:
              lhs: "72058304855021553"
              rhs: "janedoe@acme.com"
      - operator: "OR"
        operands:
          - object_type: "SAML"
            entry_values:
              lhs: "72058304855021553"
              rhs: "jdoe@acme.com"
      - operands:
          - object_type: "PLATFORM"
            entry_values:
              lhs: "linux"
              rhs: "true"
          - object_type: "PLATFORM"
            entry_values:
              lhs: "ios"
              rhs: "true"
          - object_type: "PLATFORM"
            entry_values:
              lhs: "windows"
              rhs: "true"
      - operands:
          - object_type: "COUNTRY_CODE"
            entry_values:
              lhs: "BR"
              rhs: "true"
          - object_type: "COUNTRY_CODE"
            entry_values:
              lhs: "CA"
              rhs: "true"
      - operands:
          - object_type: "CLIENT_TYPE"
            values:
              - zpn_client_type_browser_isolation
              - zpn_client_type_zapp_partner
              - zpn_client_type_exporter
              - zpn_client_type_zapp
```
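An added pre-flight lint for the conditions block as the module expects it (an optional operator, a list of operands, each with an object_type and either values or entry_values with lhs/rhs); this is example code, not part of the zscaler.zpacloud collection. The object-type groupings and the rule that an ALLOW must be scoped to an application and an identity are review assumptions of this example, and the sample conditions are a constructed subset of the playbook above.

```python
# Added example (not from the zscaler.zpacloud collection): lint a v2 access rule's
# conditions before a playbook pushes it, catching malformed operands and ALLOW rules
# that are broader than a reviewer would expect.
IDENTITY_TYPES = {"SAML", "SCIM", "SCIM_GROUP"}                               # assumed grouping
POSTURE_TYPES = {"CHROME_ENTERPRISE", "CHROME_POSTURE_PROFILE", "PLATFORM"}   # assumed grouping
KNOWN_TYPES = IDENTITY_TYPES | POSTURE_TYPES | {"APP", "APP_GROUP", "COUNTRY_CODE", "CLIENT_TYPE"}


def lint_rule(action, conditions):
    """Return a list of findings; an empty list means the rule passed the checks."""
    findings, seen_types = [], set()
    for i, cond in enumerate(conditions):
        op = cond.get("operator")
        if op is not None and op not in ("AND", "OR"):
            findings.append(f"condition {i}: unknown operator {op!r}")
        operands = cond.get("operands") or []
        if not operands:
            findings.append(f"condition {i}: no operands")
        for j, opnd in enumerate(operands):
            otype = opnd.get("object_type")
            if otype not in KNOWN_TYPES:
                findings.append(f"condition {i} operand {j}: unknown object_type {otype!r}")
            seen_types.add(otype)
            has_vals, has_ev = "values" in opnd, "entry_values" in opnd
            if has_vals == has_ev:  # exactly one of the two forms is expected
                findings.append(f"condition {i} operand {j}: need exactly one of values/entry_values")
            if has_ev and not {"lhs", "rhs"} <= set(opnd["entry_values"]):
                findings.append(f"condition {i} operand {j}: entry_values needs lhs and rhs")
    if action == "ALLOW":  # assumed review policy: an ALLOW must say which apps and which users
        if not seen_types & {"APP", "APP_GROUP"}:
            findings.append("ALLOW rule is not scoped to any APP/APP_GROUP")
        if not seen_types & IDENTITY_TYPES:
            findings.append("ALLOW rule has no identity (SAML/SCIM/SCIM_GROUP) operand")
    return findings


# Constructed sample: a subset of the example rule on this page.
SAMPLE_CONDITIONS = [
    {"operands": [{"object_type": "CHROME_ENTERPRISE", "entry_values": {"lhs": "managed", "rhs": "true"}}]},
    {"operator": "OR", "operands": [{"object_type": "APP", "values": ["72058304855116918"]}]},
    {"operator": "AND", "operands": [{"object_type": "SCIM_GROUP",
                                      "entry_values": {"lhs": "72058304855015574", "rhs": "490880"}}]},
]

if __name__ == "__main__":
    for line in lint_rule("ALLOW", SAMPLE_CONDITIONS) or ["no findings"]:
        print(line)
```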