1. Packages
  2. Zscaler Private Access (ZPA)
  3. API Docs
  4. PolicyAccessRule
Zscaler Private Access v0.0.11 published on Saturday, May 4, 2024 by Zscaler

zpa.PolicyAccessRule

Explore with Pulumi AI

zpa logo
Zscaler Private Access v0.0.11 published on Saturday, May 4, 2024 by Zscaler

    The zpa_policy_access_rule resource creates and manages policy access rule in the Zscaler Private Access cloud.

    ⚠️ WARNING:: The attribute rule_order is now deprecated in favor of the new resource policy_access_rule_reorder

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as zpa from "@bdzscaler/pulumi-zpa";
    import * as zpa from "@pulumi/zpa";
    
    const idpName = zpa.getIdPController({
        name: "IdP_Name",
    });
    const engineering = zpa.getSCIMGroups({
        name: "Engineering",
        idpName: "IdP_Name",
    });
    //Create Policy Access Rule
    const _this = new zpa.PolicyAccessRule("this", {
        description: "Example",
        action: "ALLOW",
        operator: "AND",
        conditions: [
            {
                operator: "OR",
                operands: [{
                    objectType: "APP",
                    lhs: "id",
                    rhs: zpa_application_segment["this"].id,
                }],
            },
            {
                operator: "OR",
                operands: [{
                    objectType: "SCIM_GROUP",
                    lhs: idpName.then(idpName => idpName.id),
                    rhs: engineering.then(engineering => engineering.id),
                }],
            },
        ],
    });
    
    import pulumi
    import pulumi_zpa as zpa
    import zscaler_pulumi_zpa as zpa
    
    idp_name = zpa.get_id_p_controller(name="IdP_Name")
    engineering = zpa.get_scim_groups(name="Engineering",
        idp_name="IdP_Name")
    #Create Policy Access Rule
    this = zpa.PolicyAccessRule("this",
        description="Example",
        action="ALLOW",
        operator="AND",
        conditions=[
            zpa.PolicyAccessRuleConditionArgs(
                operator="OR",
                operands=[zpa.PolicyAccessRuleConditionOperandArgs(
                    object_type="APP",
                    lhs="id",
                    rhs=zpa_application_segment["this"]["id"],
                )],
            ),
            zpa.PolicyAccessRuleConditionArgs(
                operator="OR",
                operands=[zpa.PolicyAccessRuleConditionOperandArgs(
                    object_type="SCIM_GROUP",
                    lhs=idp_name.id,
                    rhs=engineering.id,
                )],
            ),
        ])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/zscaler/pulumi-zpa/sdk/go/zpa"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		idpName, err := zpa.GetIdPController(ctx, &zpa.GetIdPControllerArgs{
    			Name: pulumi.StringRef("IdP_Name"),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		engineering, err := zpa.GetSCIMGroups(ctx, &zpa.GetSCIMGroupsArgs{
    			Name:    pulumi.StringRef("Engineering"),
    			IdpName: pulumi.StringRef("IdP_Name"),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// Create Policy Access Rule
    		_, err = zpa.NewPolicyAccessRule(ctx, "this", &zpa.PolicyAccessRuleArgs{
    			Description: pulumi.String("Example"),
    			Action:      pulumi.String("ALLOW"),
    			Operator:    pulumi.String("AND"),
    			Conditions: zpa.PolicyAccessRuleConditionArray{
    				&zpa.PolicyAccessRuleConditionArgs{
    					Operator: pulumi.String("OR"),
    					Operands: zpa.PolicyAccessRuleConditionOperandArray{
    						&zpa.PolicyAccessRuleConditionOperandArgs{
    							ObjectType: pulumi.String("APP"),
    							Lhs:        pulumi.String("id"),
    							Rhs:        pulumi.Any(zpa_application_segment.This.Id),
    						},
    					},
    				},
    				&zpa.PolicyAccessRuleConditionArgs{
    					Operator: pulumi.String("OR"),
    					Operands: zpa.PolicyAccessRuleConditionOperandArray{
    						&zpa.PolicyAccessRuleConditionOperandArgs{
    							ObjectType: pulumi.String("SCIM_GROUP"),
    							Lhs:        pulumi.String(idpName.Id),
    							Rhs:        pulumi.String(engineering.Id),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Zpa = Pulumi.Zpa;
    using Zpa = Zscaler.Zpa;
    
    return await Deployment.RunAsync(() => 
    {
        var idpName = Zpa.GetIdPController.Invoke(new()
        {
            Name = "IdP_Name",
        });
    
        var engineering = Zpa.GetSCIMGroups.Invoke(new()
        {
            Name = "Engineering",
            IdpName = "IdP_Name",
        });
    
        //Create Policy Access Rule
        var @this = new Zpa.PolicyAccessRule("this", new()
        {
            Description = "Example",
            Action = "ALLOW",
            Operator = "AND",
            Conditions = new[]
            {
                new Zpa.Inputs.PolicyAccessRuleConditionArgs
                {
                    Operator = "OR",
                    Operands = new[]
                    {
                        new Zpa.Inputs.PolicyAccessRuleConditionOperandArgs
                        {
                            ObjectType = "APP",
                            Lhs = "id",
                            Rhs = zpa_application_segment.This.Id,
                        },
                    },
                },
                new Zpa.Inputs.PolicyAccessRuleConditionArgs
                {
                    Operator = "OR",
                    Operands = new[]
                    {
                        new Zpa.Inputs.PolicyAccessRuleConditionOperandArgs
                        {
                            ObjectType = "SCIM_GROUP",
                            Lhs = idpName.Apply(getIdPControllerResult => getIdPControllerResult.Id),
                            Rhs = engineering.Apply(getSCIMGroupsResult => getSCIMGroupsResult.Id),
                        },
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.zpa.ZpaFunctions;
    import com.pulumi.zpa.inputs.GetIdPControllerArgs;
    import com.pulumi.zpa.inputs.GetSCIMGroupsArgs;
    import com.pulumi.zpa.PolicyAccessRule;
    import com.pulumi.zpa.PolicyAccessRuleArgs;
    import com.pulumi.zpa.inputs.PolicyAccessRuleConditionArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var idpName = ZpaFunctions.getIdPController(GetIdPControllerArgs.builder()
                .name("IdP_Name")
                .build());
    
            final var engineering = ZpaFunctions.getSCIMGroups(GetSCIMGroupsArgs.builder()
                .name("Engineering")
                .idpName("IdP_Name")
                .build());
    
            //Create Policy Access Rule
            var this_ = new PolicyAccessRule("this", PolicyAccessRuleArgs.builder()        
                .description("Example")
                .action("ALLOW")
                .operator("AND")
                .conditions(            
                    PolicyAccessRuleConditionArgs.builder()
                        .operator("OR")
                        .operands(PolicyAccessRuleConditionOperandArgs.builder()
                            .objectType("APP")
                            .lhs("id")
                            .rhs(zpa_application_segment.this().id())
                            .build())
                        .build(),
                    PolicyAccessRuleConditionArgs.builder()
                        .operator("OR")
                        .operands(PolicyAccessRuleConditionOperandArgs.builder()
                            .objectType("SCIM_GROUP")
                            .lhs(idpName.applyValue(getIdPControllerResult -> getIdPControllerResult.id()))
                            .rhs(engineering.applyValue(getSCIMGroupsResult -> getSCIMGroupsResult.id()))
                            .build())
                        .build())
                .build());
    
        }
    }
    
    resources:
      #Create Policy Access Rule
      this:
        type: zpa:PolicyAccessRule
        properties:
          description: Example
          action: ALLOW
          operator: AND
          conditions:
            - operator: OR
              operands:
                - objectType: APP
                  lhs: id
                  rhs: ${zpa_application_segment.this.id}
            - operator: OR
              operands:
                - objectType: SCIM_GROUP
                  lhs: ${idpName.id}
                  rhs: ${engineering.id}
    variables:
      idpName:
        fn::invoke:
          Function: zpa:getIdPController
          Arguments:
            name: IdP_Name
      engineering:
        fn::invoke:
          Function: zpa:getSCIMGroups
          Arguments:
            name: Engineering
            idpName: IdP_Name
    

    LHS and RHS Values

    Object TypeLHSRHS
    APP"id"application_segment_id
    APP_GROUP"id"segment_group_id
    CLIENT_TYPE"id"zpn_client_type_zappl, zpn_client_type_exporter, zpn_client_type_browser_isolation, zpn_client_type_ip_anchoring, zpn_client_type_edge_connector, zpn_client_type_branch_connector, zpn_client_type_zapp_partner, zpn_client_type_zapp
    EDGE_CONNECTOR_GROUP"id"<edge_connector_id>
    IDP"id"identity_provider_id
    SAMLsaml_attribute_idattribute_value_to_match
    SCIMscim_attribute_idattribute_value_to_match
    SCIM_GROUPscim_group_attribute_idattribute_value_to_match
    PLATFORMmac, ios, windows, android, linux"true" / "false"
    MACHINE_GRP"id"machine_group_id
    POSTUREposture_udid"true" / "false"
    TRUSTED_NETWORKnetwork_id"true"
    COUNTRY_CODE2 Letter ISO3166 Alpha2"true" / "false"

    Create PolicyAccessRule Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new PolicyAccessRule(name: string, args?: PolicyAccessRuleArgs, opts?: CustomResourceOptions);
    @overload
    def PolicyAccessRule(resource_name: str,
                         args: Optional[PolicyAccessRuleArgs] = None,
                         opts: Optional[ResourceOptions] = None)
    
    @overload
    def PolicyAccessRule(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         action: Optional[str] = None,
                         action_id: Optional[str] = None,
                         app_connector_groups: Optional[Sequence[PolicyAccessRuleAppConnectorGroupArgs]] = None,
                         app_server_groups: Optional[Sequence[PolicyAccessRuleAppServerGroupArgs]] = None,
                         bypass_default_rule: Optional[bool] = None,
                         conditions: Optional[Sequence[PolicyAccessRuleConditionArgs]] = None,
                         custom_msg: Optional[str] = None,
                         default_rule: Optional[bool] = None,
                         description: Optional[str] = None,
                         lss_default_rule: Optional[bool] = None,
                         microtenant_id: Optional[str] = None,
                         name: Optional[str] = None,
                         operator: Optional[str] = None,
                         policy_set_id: Optional[str] = None,
                         policy_type: Optional[str] = None,
                         priority: Optional[str] = None,
                         reauth_default_rule: Optional[bool] = None,
                         reauth_idle_timeout: Optional[str] = None,
                         reauth_timeout: Optional[str] = None,
                         rule_order: Optional[str] = None,
                         zpn_cbi_profile_id: Optional[str] = None,
                         zpn_inspection_profile_id: Optional[str] = None,
                         zpn_isolation_profile_id: Optional[str] = None)
    func NewPolicyAccessRule(ctx *Context, name string, args *PolicyAccessRuleArgs, opts ...ResourceOption) (*PolicyAccessRule, error)
    public PolicyAccessRule(string name, PolicyAccessRuleArgs? args = null, CustomResourceOptions? opts = null)
    public PolicyAccessRule(String name, PolicyAccessRuleArgs args)
    public PolicyAccessRule(String name, PolicyAccessRuleArgs args, CustomResourceOptions options)
    
    type: zpa:PolicyAccessRule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args PolicyAccessRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PolicyAccessRuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PolicyAccessRuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PolicyAccessRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PolicyAccessRuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var policyAccessRuleResource = new Zpa.PolicyAccessRule("policyAccessRuleResource", new()
    {
        Action = "string",
        ActionId = "string",
        AppConnectorGroups = new[]
        {
            new Zpa.Inputs.PolicyAccessRuleAppConnectorGroupArgs
            {
                Ids = new[]
                {
                    "string",
                },
            },
        },
        AppServerGroups = new[]
        {
            new Zpa.Inputs.PolicyAccessRuleAppServerGroupArgs
            {
                Ids = new[]
                {
                    "string",
                },
            },
        },
        BypassDefaultRule = false,
        Conditions = new[]
        {
            new Zpa.Inputs.PolicyAccessRuleConditionArgs
            {
                Operator = "string",
                Id = "string",
                MicrotenantId = "string",
                Operands = new[]
                {
                    new Zpa.Inputs.PolicyAccessRuleConditionOperandArgs
                    {
                        Lhs = "string",
                        ObjectType = "string",
                        Id = "string",
                        IdpId = "string",
                        MicrotenantId = "string",
                        Name = "string",
                        Rhs = "string",
                        RhsLists = new[]
                        {
                            "string",
                        },
                    },
                },
            },
        },
        CustomMsg = "string",
        DefaultRule = false,
        Description = "string",
        LssDefaultRule = false,
        MicrotenantId = "string",
        Name = "string",
        Operator = "string",
        PolicySetId = "string",
        PolicyType = "string",
        Priority = "string",
        ReauthDefaultRule = false,
        ReauthIdleTimeout = "string",
        ReauthTimeout = "string",
        ZpnCbiProfileId = "string",
        ZpnInspectionProfileId = "string",
        ZpnIsolationProfileId = "string",
    });
    
    example, err := zpa.NewPolicyAccessRule(ctx, "policyAccessRuleResource", &zpa.PolicyAccessRuleArgs{
    	Action:   pulumi.String("string"),
    	ActionId: pulumi.String("string"),
    	AppConnectorGroups: zpa.PolicyAccessRuleAppConnectorGroupArray{
    		&zpa.PolicyAccessRuleAppConnectorGroupArgs{
    			Ids: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    	},
    	AppServerGroups: zpa.PolicyAccessRuleAppServerGroupArray{
    		&zpa.PolicyAccessRuleAppServerGroupArgs{
    			Ids: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    	},
    	BypassDefaultRule: pulumi.Bool(false),
    	Conditions: zpa.PolicyAccessRuleConditionArray{
    		&zpa.PolicyAccessRuleConditionArgs{
    			Operator:      pulumi.String("string"),
    			Id:            pulumi.String("string"),
    			MicrotenantId: pulumi.String("string"),
    			Operands: zpa.PolicyAccessRuleConditionOperandArray{
    				&zpa.PolicyAccessRuleConditionOperandArgs{
    					Lhs:           pulumi.String("string"),
    					ObjectType:    pulumi.String("string"),
    					Id:            pulumi.String("string"),
    					IdpId:         pulumi.String("string"),
    					MicrotenantId: pulumi.String("string"),
    					Name:          pulumi.String("string"),
    					Rhs:           pulumi.String("string"),
    					RhsLists: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    				},
    			},
    		},
    	},
    	CustomMsg:              pulumi.String("string"),
    	DefaultRule:            pulumi.Bool(false),
    	Description:            pulumi.String("string"),
    	LssDefaultRule:         pulumi.Bool(false),
    	MicrotenantId:          pulumi.String("string"),
    	Name:                   pulumi.String("string"),
    	Operator:               pulumi.String("string"),
    	PolicySetId:            pulumi.String("string"),
    	PolicyType:             pulumi.String("string"),
    	Priority:               pulumi.String("string"),
    	ReauthDefaultRule:      pulumi.Bool(false),
    	ReauthIdleTimeout:      pulumi.String("string"),
    	ReauthTimeout:          pulumi.String("string"),
    	ZpnCbiProfileId:        pulumi.String("string"),
    	ZpnInspectionProfileId: pulumi.String("string"),
    	ZpnIsolationProfileId:  pulumi.String("string"),
    })
    
    var policyAccessRuleResource = new PolicyAccessRule("policyAccessRuleResource", PolicyAccessRuleArgs.builder()
        .action("string")
        .actionId("string")
        .appConnectorGroups(PolicyAccessRuleAppConnectorGroupArgs.builder()
            .ids("string")
            .build())
        .appServerGroups(PolicyAccessRuleAppServerGroupArgs.builder()
            .ids("string")
            .build())
        .bypassDefaultRule(false)
        .conditions(PolicyAccessRuleConditionArgs.builder()
            .operator("string")
            .id("string")
            .microtenantId("string")
            .operands(PolicyAccessRuleConditionOperandArgs.builder()
                .lhs("string")
                .objectType("string")
                .id("string")
                .idpId("string")
                .microtenantId("string")
                .name("string")
                .rhs("string")
                .rhsLists("string")
                .build())
            .build())
        .customMsg("string")
        .defaultRule(false)
        .description("string")
        .lssDefaultRule(false)
        .microtenantId("string")
        .name("string")
        .operator("string")
        .policySetId("string")
        .policyType("string")
        .priority("string")
        .reauthDefaultRule(false)
        .reauthIdleTimeout("string")
        .reauthTimeout("string")
        .zpnCbiProfileId("string")
        .zpnInspectionProfileId("string")
        .zpnIsolationProfileId("string")
        .build());
    
    policy_access_rule_resource = zpa.PolicyAccessRule("policyAccessRuleResource",
        action="string",
        action_id="string",
        app_connector_groups=[zpa.PolicyAccessRuleAppConnectorGroupArgs(
            ids=["string"],
        )],
        app_server_groups=[zpa.PolicyAccessRuleAppServerGroupArgs(
            ids=["string"],
        )],
        bypass_default_rule=False,
        conditions=[zpa.PolicyAccessRuleConditionArgs(
            operator="string",
            id="string",
            microtenant_id="string",
            operands=[zpa.PolicyAccessRuleConditionOperandArgs(
                lhs="string",
                object_type="string",
                id="string",
                idp_id="string",
                microtenant_id="string",
                name="string",
                rhs="string",
                rhs_lists=["string"],
            )],
        )],
        custom_msg="string",
        default_rule=False,
        description="string",
        lss_default_rule=False,
        microtenant_id="string",
        name="string",
        operator="string",
        policy_set_id="string",
        policy_type="string",
        priority="string",
        reauth_default_rule=False,
        reauth_idle_timeout="string",
        reauth_timeout="string",
        zpn_cbi_profile_id="string",
        zpn_inspection_profile_id="string",
        zpn_isolation_profile_id="string")
    
    const policyAccessRuleResource = new zpa.PolicyAccessRule("policyAccessRuleResource", {
        action: "string",
        actionId: "string",
        appConnectorGroups: [{
            ids: ["string"],
        }],
        appServerGroups: [{
            ids: ["string"],
        }],
        bypassDefaultRule: false,
        conditions: [{
            operator: "string",
            id: "string",
            microtenantId: "string",
            operands: [{
                lhs: "string",
                objectType: "string",
                id: "string",
                idpId: "string",
                microtenantId: "string",
                name: "string",
                rhs: "string",
                rhsLists: ["string"],
            }],
        }],
        customMsg: "string",
        defaultRule: false,
        description: "string",
        lssDefaultRule: false,
        microtenantId: "string",
        name: "string",
        operator: "string",
        policySetId: "string",
        policyType: "string",
        priority: "string",
        reauthDefaultRule: false,
        reauthIdleTimeout: "string",
        reauthTimeout: "string",
        zpnCbiProfileId: "string",
        zpnInspectionProfileId: "string",
        zpnIsolationProfileId: "string",
    });
    
    type: zpa:PolicyAccessRule
    properties:
        action: string
        actionId: string
        appConnectorGroups:
            - ids:
                - string
        appServerGroups:
            - ids:
                - string
        bypassDefaultRule: false
        conditions:
            - id: string
              microtenantId: string
              operands:
                - id: string
                  idpId: string
                  lhs: string
                  microtenantId: string
                  name: string
                  objectType: string
                  rhs: string
                  rhsLists:
                    - string
              operator: string
        customMsg: string
        defaultRule: false
        description: string
        lssDefaultRule: false
        microtenantId: string
        name: string
        operator: string
        policySetId: string
        policyType: string
        priority: string
        reauthDefaultRule: false
        reauthIdleTimeout: string
        reauthTimeout: string
        zpnCbiProfileId: string
        zpnInspectionProfileId: string
        zpnIsolationProfileId: string
    

    PolicyAccessRule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The PolicyAccessRule resource accepts the following input properties:

    Action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    ActionId string
    This field defines the description of the server.
    AppConnectorGroups List<Zscaler.Zpa.Inputs.PolicyAccessRuleAppConnectorGroup>
    List of app-connector IDs.
    AppServerGroups List<Zscaler.Zpa.Inputs.PolicyAccessRuleAppServerGroup>
    List of the server group IDs.
    BypassDefaultRule bool
    Conditions List<Zscaler.Zpa.Inputs.PolicyAccessRuleCondition>
    This is for proviidng the set of conditions for the policy.
    CustomMsg string
    This is for providing a customer message for the user.
    DefaultRule bool
    This is for providing a customer message for the user.
    Description string
    This is the description of the access policy rule.
    LssDefaultRule bool
    MicrotenantId string
    Name string
    This is the name of the policy rule.
    Operator string
    Supported values: AND, OR
    PolicySetId string
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    PolicyType string
    Priority string
    ReauthDefaultRule bool
    ReauthIdleTimeout string
    ReauthTimeout string
    RuleOrder string

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    ZpnCbiProfileId string
    ZpnInspectionProfileId string
    ZpnIsolationProfileId string
    Action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    ActionId string
    This field defines the description of the server.
    AppConnectorGroups []PolicyAccessRuleAppConnectorGroupArgs
    List of app-connector IDs.
    AppServerGroups []PolicyAccessRuleAppServerGroupArgs
    List of the server group IDs.
    BypassDefaultRule bool
    Conditions []PolicyAccessRuleConditionArgs
    This is for proviidng the set of conditions for the policy.
    CustomMsg string
    This is for providing a customer message for the user.
    DefaultRule bool
    This is for providing a customer message for the user.
    Description string
    This is the description of the access policy rule.
    LssDefaultRule bool
    MicrotenantId string
    Name string
    This is the name of the policy rule.
    Operator string
    Supported values: AND, OR
    PolicySetId string
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    PolicyType string
    Priority string
    ReauthDefaultRule bool
    ReauthIdleTimeout string
    ReauthTimeout string
    RuleOrder string

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    ZpnCbiProfileId string
    ZpnInspectionProfileId string
    ZpnIsolationProfileId string
    action String
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    actionId String
    This field defines the description of the server.
    appConnectorGroups List<PolicyAccessRuleAppConnectorGroup>
    List of app-connector IDs.
    appServerGroups List<PolicyAccessRuleAppServerGroup>
    List of the server group IDs.
    bypassDefaultRule Boolean
    conditions List<PolicyAccessRuleCondition>
    This is for proviidng the set of conditions for the policy.
    customMsg String
    This is for providing a customer message for the user.
    defaultRule Boolean
    This is for providing a customer message for the user.
    description String
    This is the description of the access policy rule.
    lssDefaultRule Boolean
    microtenantId String
    name String
    This is the name of the policy rule.
    operator String
    Supported values: AND, OR
    policySetId String
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    policyType String
    priority String
    reauthDefaultRule Boolean
    reauthIdleTimeout String
    reauthTimeout String
    ruleOrder String

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    zpnCbiProfileId String
    zpnInspectionProfileId String
    zpnIsolationProfileId String
    action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    actionId string
    This field defines the description of the server.
    appConnectorGroups PolicyAccessRuleAppConnectorGroup[]
    List of app-connector IDs.
    appServerGroups PolicyAccessRuleAppServerGroup[]
    List of the server group IDs.
    bypassDefaultRule boolean
    conditions PolicyAccessRuleCondition[]
    This is for proviidng the set of conditions for the policy.
    customMsg string
    This is for providing a customer message for the user.
    defaultRule boolean
    This is for providing a customer message for the user.
    description string
    This is the description of the access policy rule.
    lssDefaultRule boolean
    microtenantId string
    name string
    This is the name of the policy rule.
    operator string
    Supported values: AND, OR
    policySetId string
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    policyType string
    priority string
    reauthDefaultRule boolean
    reauthIdleTimeout string
    reauthTimeout string
    ruleOrder string

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    zpnCbiProfileId string
    zpnInspectionProfileId string
    zpnIsolationProfileId string
    action str
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    action_id str
    This field defines the description of the server.
    app_connector_groups Sequence[PolicyAccessRuleAppConnectorGroupArgs]
    List of app-connector IDs.
    app_server_groups Sequence[PolicyAccessRuleAppServerGroupArgs]
    List of the server group IDs.
    bypass_default_rule bool
    conditions Sequence[PolicyAccessRuleConditionArgs]
    This is for proviidng the set of conditions for the policy.
    custom_msg str
    This is for providing a customer message for the user.
    default_rule bool
    This is for providing a customer message for the user.
    description str
    This is the description of the access policy rule.
    lss_default_rule bool
    microtenant_id str
    name str
    This is the name of the policy rule.
    operator str
    Supported values: AND, OR
    policy_set_id str
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    policy_type str
    priority str
    reauth_default_rule bool
    reauth_idle_timeout str
    reauth_timeout str
    rule_order str

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    zpn_cbi_profile_id str
    zpn_inspection_profile_id str
    zpn_isolation_profile_id str
    action String
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    actionId String
    This field defines the description of the server.
    appConnectorGroups List<Property Map>
    List of app-connector IDs.
    appServerGroups List<Property Map>
    List of the server group IDs.
    bypassDefaultRule Boolean
    conditions List<Property Map>
    This is for proviidng the set of conditions for the policy.
    customMsg String
    This is for providing a customer message for the user.
    defaultRule Boolean
    This is for providing a customer message for the user.
    description String
    This is the description of the access policy rule.
    lssDefaultRule Boolean
    microtenantId String
    name String
    This is the name of the policy rule.
    operator String
    Supported values: AND, OR
    policySetId String
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    policyType String
    priority String
    reauthDefaultRule Boolean
    reauthIdleTimeout String
    reauthTimeout String
    ruleOrder String

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    zpnCbiProfileId String
    zpnInspectionProfileId String
    zpnIsolationProfileId String

    Outputs

    All input properties are implicitly available as output properties. Additionally, the PolicyAccessRule resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing PolicyAccessRule Resource

    Get an existing PolicyAccessRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PolicyAccessRuleState, opts?: CustomResourceOptions): PolicyAccessRule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            action: Optional[str] = None,
            action_id: Optional[str] = None,
            app_connector_groups: Optional[Sequence[PolicyAccessRuleAppConnectorGroupArgs]] = None,
            app_server_groups: Optional[Sequence[PolicyAccessRuleAppServerGroupArgs]] = None,
            bypass_default_rule: Optional[bool] = None,
            conditions: Optional[Sequence[PolicyAccessRuleConditionArgs]] = None,
            custom_msg: Optional[str] = None,
            default_rule: Optional[bool] = None,
            description: Optional[str] = None,
            lss_default_rule: Optional[bool] = None,
            microtenant_id: Optional[str] = None,
            name: Optional[str] = None,
            operator: Optional[str] = None,
            policy_set_id: Optional[str] = None,
            policy_type: Optional[str] = None,
            priority: Optional[str] = None,
            reauth_default_rule: Optional[bool] = None,
            reauth_idle_timeout: Optional[str] = None,
            reauth_timeout: Optional[str] = None,
            rule_order: Optional[str] = None,
            zpn_cbi_profile_id: Optional[str] = None,
            zpn_inspection_profile_id: Optional[str] = None,
            zpn_isolation_profile_id: Optional[str] = None) -> PolicyAccessRule
    func GetPolicyAccessRule(ctx *Context, name string, id IDInput, state *PolicyAccessRuleState, opts ...ResourceOption) (*PolicyAccessRule, error)
    public static PolicyAccessRule Get(string name, Input<string> id, PolicyAccessRuleState? state, CustomResourceOptions? opts = null)
    public static PolicyAccessRule get(String name, Output<String> id, PolicyAccessRuleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    ActionId string
    This field defines the description of the server.
    AppConnectorGroups List<Zscaler.Zpa.Inputs.PolicyAccessRuleAppConnectorGroup>
    List of app-connector IDs.
    AppServerGroups List<Zscaler.Zpa.Inputs.PolicyAccessRuleAppServerGroup>
    List of the server group IDs.
    BypassDefaultRule bool
    Conditions List<Zscaler.Zpa.Inputs.PolicyAccessRuleCondition>
    This is for proviidng the set of conditions for the policy.
    CustomMsg string
    This is for providing a customer message for the user.
    DefaultRule bool
    This is for providing a customer message for the user.
    Description string
    This is the description of the access policy rule.
    LssDefaultRule bool
    MicrotenantId string
    Name string
    This is the name of the policy rule.
    Operator string
    Supported values: AND, OR
    PolicySetId string
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    PolicyType string
    Priority string
    ReauthDefaultRule bool
    ReauthIdleTimeout string
    ReauthTimeout string
    RuleOrder string

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    ZpnCbiProfileId string
    ZpnInspectionProfileId string
    ZpnIsolationProfileId string
    Action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    ActionId string
    This field defines the description of the server.
    AppConnectorGroups []PolicyAccessRuleAppConnectorGroupArgs
    List of app-connector IDs.
    AppServerGroups []PolicyAccessRuleAppServerGroupArgs
    List of the server group IDs.
    BypassDefaultRule bool
    Conditions []PolicyAccessRuleConditionArgs
    This is for proviidng the set of conditions for the policy.
    CustomMsg string
    This is for providing a customer message for the user.
    DefaultRule bool
    This is for providing a customer message for the user.
    Description string
    This is the description of the access policy rule.
    LssDefaultRule bool
    MicrotenantId string
    Name string
    This is the name of the policy rule.
    Operator string
    Supported values: AND, OR
    PolicySetId string
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    PolicyType string
    Priority string
    ReauthDefaultRule bool
    ReauthIdleTimeout string
    ReauthTimeout string
    RuleOrder string

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    ZpnCbiProfileId string
    ZpnInspectionProfileId string
    ZpnIsolationProfileId string
    action String
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    actionId String
    This field defines the description of the server.
    appConnectorGroups List<PolicyAccessRuleAppConnectorGroup>
    List of app-connector IDs.
    appServerGroups List<PolicyAccessRuleAppServerGroup>
    List of the server group IDs.
    bypassDefaultRule Boolean
    conditions List<PolicyAccessRuleCondition>
    This is for proviidng the set of conditions for the policy.
    customMsg String
    This is for providing a customer message for the user.
    defaultRule Boolean
    This is for providing a customer message for the user.
    description String
    This is the description of the access policy rule.
    lssDefaultRule Boolean
    microtenantId String
    name String
    This is the name of the policy rule.
    operator String
    Supported values: AND, OR
    policySetId String
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    policyType String
    priority String
    reauthDefaultRule Boolean
    reauthIdleTimeout String
    reauthTimeout String
    ruleOrder String

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    zpnCbiProfileId String
    zpnInspectionProfileId String
    zpnIsolationProfileId String
    action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    actionId string
    This field defines the description of the server.
    appConnectorGroups PolicyAccessRuleAppConnectorGroup[]
    List of app-connector IDs.
    appServerGroups PolicyAccessRuleAppServerGroup[]
    List of the server group IDs.
    bypassDefaultRule boolean
    conditions PolicyAccessRuleCondition[]
    This is for proviidng the set of conditions for the policy.
    customMsg string
    This is for providing a customer message for the user.
    defaultRule boolean
    This is for providing a customer message for the user.
    description string
    This is the description of the access policy rule.
    lssDefaultRule boolean
    microtenantId string
    name string
    This is the name of the policy rule.
    operator string
    Supported values: AND, OR
    policySetId string
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    policyType string
    priority string
    reauthDefaultRule boolean
    reauthIdleTimeout string
    reauthTimeout string
    ruleOrder string

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    zpnCbiProfileId string
    zpnInspectionProfileId string
    zpnIsolationProfileId string
    action str
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    action_id str
    This field defines the description of the server.
    app_connector_groups Sequence[PolicyAccessRuleAppConnectorGroupArgs]
    List of app-connector IDs.
    app_server_groups Sequence[PolicyAccessRuleAppServerGroupArgs]
    List of the server group IDs.
    bypass_default_rule bool
    conditions Sequence[PolicyAccessRuleConditionArgs]
    This is for proviidng the set of conditions for the policy.
    custom_msg str
    This is for providing a customer message for the user.
    default_rule bool
    This is for providing a customer message for the user.
    description str
    This is the description of the access policy rule.
    lss_default_rule bool
    microtenant_id str
    name str
    This is the name of the policy rule.
    operator str
    Supported values: AND, OR
    policy_set_id str
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    policy_type str
    priority str
    reauth_default_rule bool
    reauth_idle_timeout str
    reauth_timeout str
    rule_order str

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    zpn_cbi_profile_id str
    zpn_inspection_profile_id str
    zpn_isolation_profile_id str
    action String
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    actionId String
    This field defines the description of the server.
    appConnectorGroups List<Property Map>
    List of app-connector IDs.
    appServerGroups List<Property Map>
    List of the server group IDs.
    bypassDefaultRule Boolean
    conditions List<Property Map>
    This is for proviidng the set of conditions for the policy.
    customMsg String
    This is for providing a customer message for the user.
    defaultRule Boolean
    This is for providing a customer message for the user.
    description String
    This is the description of the access policy rule.
    lssDefaultRule Boolean
    microtenantId String
    name String
    This is the name of the policy rule.
    operator String
    Supported values: AND, OR
    policySetId String
    • (String) Use zpapolicytype data source to retrieve the necessary policy Set ID policy_set_id

    NOTE As of v3.2.0 the policy_set_id attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.

    policyType String
    priority String
    reauthDefaultRule Boolean
    reauthIdleTimeout String
    reauthTimeout String
    ruleOrder String

    Deprecated: The rule_order field is now deprecated for all zpa access policy resources in favor of the resource zpa.PolicyAccessReorderRule

    zpnCbiProfileId String
    zpnInspectionProfileId String
    zpnIsolationProfileId String

    Supporting Types

    PolicyAccessRuleAppConnectorGroup, PolicyAccessRuleAppConnectorGroupArgs

    Ids List<string>
    Ids []string
    ids List<String>
    ids string[]
    ids Sequence[str]
    ids List<String>

    PolicyAccessRuleAppServerGroup, PolicyAccessRuleAppServerGroupArgs

    Ids List<string>
    Ids []string
    ids List<String>
    ids string[]
    ids Sequence[str]
    ids List<String>

    PolicyAccessRuleCondition, PolicyAccessRuleConditionArgs

    Operator string
    Supported values: AND, OR
    Id string
    MicrotenantId string
    Operands List<Zscaler.Zpa.Inputs.PolicyAccessRuleConditionOperand>
    This signifies the various policy criteria.
    Operator string
    Supported values: AND, OR
    Id string
    MicrotenantId string
    Operands []PolicyAccessRuleConditionOperand
    This signifies the various policy criteria.
    operator String
    Supported values: AND, OR
    id String
    microtenantId String
    operands List<PolicyAccessRuleConditionOperand>
    This signifies the various policy criteria.
    operator string
    Supported values: AND, OR
    id string
    microtenantId string
    operands PolicyAccessRuleConditionOperand[]
    This signifies the various policy criteria.
    operator str
    Supported values: AND, OR
    id str
    microtenant_id str
    operands Sequence[PolicyAccessRuleConditionOperand]
    This signifies the various policy criteria.
    operator String
    Supported values: AND, OR
    id String
    microtenantId String
    operands List<Property Map>
    This signifies the various policy criteria.

    PolicyAccessRuleConditionOperand, PolicyAccessRuleConditionOperandArgs

    Lhs string
    This signifies the key for the object type. String ID example: id
    ObjectType string
    This is for specifying the policy critiera.
    Id string
    IdpId string
    MicrotenantId string
    This denotes the value for the given object type. Its value depends upon the key.
    Name string
    This is the name of the policy rule.
    Rhs string
    This denotes the value for the given object type. Its value depends upon the key.
    RhsLists List<string>
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
    Lhs string
    This signifies the key for the object type. String ID example: id
    ObjectType string
    This is for specifying the policy critiera.
    Id string
    IdpId string
    MicrotenantId string
    This denotes the value for the given object type. Its value depends upon the key.
    Name string
    This is the name of the policy rule.
    Rhs string
    This denotes the value for the given object type. Its value depends upon the key.
    RhsLists []string
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
    lhs String
    This signifies the key for the object type. String ID example: id
    objectType String
    This is for specifying the policy critiera.
    id String
    idpId String
    microtenantId String
    This denotes the value for the given object type. Its value depends upon the key.
    name String
    This is the name of the policy rule.
    rhs String
    This denotes the value for the given object type. Its value depends upon the key.
    rhsLists List<String>
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
    lhs string
    This signifies the key for the object type. String ID example: id
    objectType string
    This is for specifying the policy critiera.
    id string
    idpId string
    microtenantId string
    This denotes the value for the given object type. Its value depends upon the key.
    name string
    This is the name of the policy rule.
    rhs string
    This denotes the value for the given object type. Its value depends upon the key.
    rhsLists string[]
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
    lhs str
    This signifies the key for the object type. String ID example: id
    object_type str
    This is for specifying the policy critiera.
    id str
    idp_id str
    microtenant_id str
    This denotes the value for the given object type. Its value depends upon the key.
    name str
    This is the name of the policy rule.
    rhs str
    This denotes the value for the given object type. Its value depends upon the key.
    rhs_lists Sequence[str]
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
    lhs String
    This signifies the key for the object type. String ID example: id
    objectType String
    This is for specifying the policy critiera.
    id String
    idpId String
    microtenantId String
    This denotes the value for the given object type. Its value depends upon the key.
    name String
    This is the name of the policy rule.
    rhs String
    This denotes the value for the given object type. Its value depends upon the key.
    rhsLists List<String>
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored

    Import

    Zscaler offers a dedicated tool called Zscaler-Terraformer to allow the automated import of ZPA configurations into Terraform-compliant HashiCorp Configuration Language.

    Visit

    Policy access rule can be imported by using <POLICY ACCESS RULE ID> as the import ID.

    For example:

    $ pulumi import zpa:index/policyAccessRule:PolicyAccessRule example <policy_access_rule_id>
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    zpa zscaler/pulumi-zpa
    License
    MIT
    Notes
    This Pulumi package is based on the zpa Terraform Provider.
    zpa logo
    Zscaler Private Access v0.0.11 published on Saturday, May 4, 2024 by Zscaler