zscaler.zpacloud.zpa_policy_credential_access_rule module – Manage ZPA Privileged Credential Access Rules
Note
This module is part of the zscaler.zpacloud collection (version 2.0.0).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install zscaler.zpacloud.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: zscaler.zpacloud.zpa_policy_credential_access_rule.
New in zscaler.zpacloud 2.0.0
Synopsis
Create, update, or delete a ZPA Privileged Credential Access Policy Rule.
These rules define how credentials are injected or managed for console and identity-based access using specific conditions.
Requirements
The below requirements are needed on the host that executes this module.
Zscaler SDK Python (https://pypi.org/project/zscaler-sdk-python/)
Parameters
Parameter |
Comments |
|---|---|
The action to apply when the rule matches. Default: |
|
The client ID for OAuth2 authentication. Required for OneAPI client authentication when use_legacy_client=false. |
|
The client secret for OAuth2 authentication. Used for OneAPI client authentication when use_legacy_client=false and not using private_key. |
|
The ZPA cloud provisioned for your organization. Used for OneAPI client authentication when use_legacy_client=false. Choices:
|
|
Defines the match conditions under which the rule is applied. |
|
List of operand objects used to evaluate the condition. |
|
A dictionary of left-hand side (lhs) and right-hand side (rhs) values used for complex operand matching. |
|
Left-hand-side value used in the operand. |
|
Right-hand-side value used in the operand. |
|
The type of object to match in the condition. Choices:
|
|
A list of values for the given object type. |
|
Logical operator used to combine multiple operands. Choices:
|
|
Specifies the individual credential object to use. |
|
The ID of the credential. |
|
Specifies the credential pool object to use. |
|
The ID of the credential pool. |
|
The ZPA tenant ID found in the Administration Company menu in the ZPA console. Used for OneAPI client authentication when use_legacy_client=false. |
|
A description of the credential policy rule. |
|
The unique identifier of the credential policy rule. |
|
The identifier of the microtenant associated with the rule. |
|
The name of the privileged credential rule. |
|
The policy type that determines the rule context. |
|
The private key for JWT-based OAuth2 authentication. Used for OneAPI client authentication when use_legacy_client=false and not using client_secret. |
|
A dict containing authentication credentials. |
|
The client ID for OAuth2 authentication. Required for OneAPI client authentication when use_legacy_client=false. |
|
The client secret for OAuth2 authentication. Used for OneAPI client authentication when use_legacy_client=false and not using private_key. |
|
The ZPA cloud provisioned for your organization. Used for OneAPI client authentication when use_legacy_client=false. Choices:
|
|
The ZPA tenant ID found in the Administration Company menu in the ZPA console. Used for OneAPI client authentication when use_legacy_client=false. |
|
The ZPA Microtenant ID found in the Administration Company menu in the ZPA console. Used for OneAPI client authentication when use_legacy_client=false. |
|
The private key for JWT-based OAuth2 authentication. Used for OneAPI client authentication when use_legacy_client=false and not using client_secret. |
|
Whether to use the legacy Zscaler API client. When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication. When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication. Choices:
|
|
The vanity domain provisioned by Zscaler for OAuth2 flows. Required for OneAPI client authentication when use_legacy_client=false. |
|
The ZPA API client ID generated from the ZPA console. Required for legacy client authentication when use_legacy_client=true. |
|
The ZPA API client secret generated from the ZPA console. Required for legacy client authentication when use_legacy_client=true. |
|
The ZPA cloud provisioned for your organization. Required for legacy client authentication when use_legacy_client=true. Choices:
|
|
The ZPA tenant ID found in the Administration Company menu in the ZPA console. Required for legacy client authentication when use_legacy_client=true. |
|
The ZPA Microtenant ID found in the Administration Company menu in the ZPA console. Used for legacy client authentication when use_legacy_client=true. |
|
The evaluation order of the rule within the policy set. |
|
Specifies the desired state of the resource. Choices:
|
|
Whether to use the legacy Zscaler API client. When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication. When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication. Choices:
|
|
The vanity domain provisioned by Zscaler for OAuth2 flows. Required for OneAPI client authentication when use_legacy_client=false. |
|
The ZPA API client ID generated from the ZPA console. Required for legacy client authentication when use_legacy_client=true. |
|
The ZPA API client secret generated from the ZPA console. Required for legacy client authentication when use_legacy_client=true. |
|
The ZPA cloud provisioned for your organization. Required for legacy client authentication when use_legacy_client=true. Choices:
|
|
The ZPA tenant ID found in the Administration Company menu in the ZPA console. Required for legacy client authentication when use_legacy_client=true. |
|
The ZPA Microtenant ID found in the Administration Company menu in the ZPA console. Used for legacy client authentication when use_legacy_client=true. |
Notes
Note
Check mode is supported.
Examples
- name: Ansible_Creddential_Access_Rule
zscaler.zpacloud.zpa_policy_credential_access_rule:
name: "Ansible_Creddential_Access_Rule"
description: "Access Credential Rule Ansible"
rule_order: "1"
credential:
id: "6014"
conditions:
- operator: "AND"
operands:
- object_type: "CONSOLE"
values:
- "72058304855117245"
- "72058304855117244"
- operator: "AND"
operands:
- object_type: "SCIM_GROUP"
entry_values:
lhs: "72058304855015574"
rhs: "490880"
- operator: "AND"
operands:
- object_type: "SCIM_GROUP"
entry_values:
lhs: "72058304855015574"
rhs: "490877"
- operator: "AND"
operands:
- object_type: "SCIM"
entry_values:
lhs: "72058304855015576"
rhs: "Smith"
- operator: "OR"
operands:
- object_type: "SAML"
entry_values:
lhs: "72058304855021553"
rhs: "jdoe@acme.com"
- operator: "OR"
operands:
- object_type: "SAML"
entry_values:
lhs: "72058304855021553"
rhs: "janedoe@acme.com"