Viewing docs for pulumi-resource-zia v1.3.8
published on Friday, Mar 13, 2026 by Zscaler
published on Friday, Mar 13, 2026 by Zscaler
Viewing docs for pulumi-resource-zia v1.3.8
published on Friday, Mar 13, 2026 by Zscaler
published on Friday, Mar 13, 2026 by Zscaler
The zia_url_filtering_rules resource manages URL filtering rules in the Zscaler Internet Access (ZIA) cloud service. URL filtering rules define the actions to take when users access URLs that match specific categories, protocols, locations, departments, groups, or users.
For more information, see the ZIA URL Filtering documentation.
Example Usage
Basic URL Filtering Rule
Example coming soon!
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
zia "github.com/zscaler/pulumi-zia/sdk/go/pulumi-zia"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := zia.NewURLFilteringRule(ctx, "example", &zia.URLFilteringRuleArgs{
Name: pulumi.String("Example URL Filtering Rule"),
Description: pulumi.StringRef("Allow access to business URLs"),
Order: pulumi.Int(1),
State: pulumi.StringRef("ENABLED"),
Action: pulumi.StringRef("ALLOW"),
Protocols: pulumi.ToStringArray([]string{"ANY_RULE"}),
UrlCategories: pulumi.ToStringArray([]string{"ANY"}),
})
return err
})
}
Example coming soon!
import * as zia from "@bdzscaler/pulumi-zia";
const example = new zia.URLFilteringRule("example", {
name: "Example URL Filtering Rule",
description: "Allow access to business URLs",
order: 1,
state: "ENABLED",
action: "ALLOW",
protocols: ["ANY_RULE"],
urlCategories: ["ANY"],
});
import zscaler_pulumi_zia as zia
example = zia.URLFilteringRule("example",
name="Example URL Filtering Rule",
description="Allow access to business URLs",
order=1,
state="ENABLED",
action="ALLOW",
protocols=["ANY_RULE"],
url_categories=["ANY"],
)
resources:
example:
type: zia:URLFilteringRule
properties:
name: Example URL Filtering Rule
description: Allow access to business URLs
order: 1
state: ENABLED
action: ALLOW
protocols:
- ANY_RULE
urlCategories:
- ANY
Create URLFilteringRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new URLFilteringRule(name: string, args: URLFilteringRuleArgs, opts?: CustomResourceOptions);@overload
def URLFilteringRule(resource_name: str,
args: URLFilteringRuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def URLFilteringRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
name: Optional[str] = None,
order: Optional[int] = None,
override_groups: Optional[Sequence[int]] = None,
override_users: Optional[Sequence[int]] = None,
ciparule: Optional[bool] = None,
departments: Optional[Sequence[int]] = None,
description: Optional[str] = None,
device_groups: Optional[Sequence[int]] = None,
device_trust_levels: Optional[Sequence[str]] = None,
devices: Optional[Sequence[int]] = None,
end_user_notification_url: Optional[str] = None,
enforce_time_validity: Optional[bool] = None,
groups: Optional[Sequence[int]] = None,
labels: Optional[Sequence[int]] = None,
location_groups: Optional[Sequence[int]] = None,
locations: Optional[Sequence[int]] = None,
browser_eun_template_id: Optional[int] = None,
block_override: Optional[bool] = None,
cbi_profile: Optional[CBIProfileInputArgs] = None,
action: Optional[str] = None,
protocols: Optional[Sequence[str]] = None,
rank: Optional[int] = None,
request_methods: Optional[Sequence[str]] = None,
size_quota: Optional[int] = None,
source_countries: Optional[Sequence[str]] = None,
source_ip_groups: Optional[Sequence[int]] = None,
state: Optional[str] = None,
time_quota: Optional[int] = None,
time_windows: Optional[Sequence[int]] = None,
url_categories: Optional[Sequence[str]] = None,
user_agent_types: Optional[Sequence[str]] = None,
user_risk_score_levels: Optional[Sequence[str]] = None,
users: Optional[Sequence[int]] = None,
validity_end_time: Optional[str] = None,
validity_start_time: Optional[str] = None,
validity_time_zone_id: Optional[str] = None,
workload_groups: Optional[Sequence[WorkloadGroupInputArgs]] = None)func NewURLFilteringRule(ctx *Context, name string, args URLFilteringRuleArgs, opts ...ResourceOption) (*URLFilteringRule, error)public URLFilteringRule(string name, URLFilteringRuleArgs args, CustomResourceOptions? opts = null)
public URLFilteringRule(String name, URLFilteringRuleArgs args)
public URLFilteringRule(String name, URLFilteringRuleArgs args, CustomResourceOptions options)
type: zia:URLFilteringRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args URLFilteringRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args URLFilteringRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args URLFilteringRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args URLFilteringRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args URLFilteringRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var urlfilteringRuleResource = new Zia.URLFilteringRule("urlfilteringRuleResource", new()
{
Name = "string",
Order = 0,
OverrideGroups = new[]
{
0,
},
OverrideUsers = new[]
{
0,
},
Ciparule = false,
Departments = new[]
{
0,
},
Description = "string",
DeviceGroups = new[]
{
0,
},
DeviceTrustLevels = new[]
{
"string",
},
Devices = new[]
{
0,
},
EndUserNotificationUrl = "string",
EnforceTimeValidity = false,
Groups = new[]
{
0,
},
Labels = new[]
{
0,
},
LocationGroups = new[]
{
0,
},
Locations = new[]
{
0,
},
BrowserEunTemplateId = 0,
BlockOverride = false,
CbiProfile = new Zia.Inputs.CBIProfileInputArgs
{
Name = "string",
ProfileSeq = 0,
ResourceId = "string",
Url = "string",
},
Action = "string",
Protocols = new[]
{
"string",
},
Rank = 0,
RequestMethods = new[]
{
"string",
},
SizeQuota = 0,
SourceCountries = new[]
{
"string",
},
SourceIpGroups = new[]
{
0,
},
State = "string",
TimeQuota = 0,
TimeWindows = new[]
{
0,
},
UrlCategories = new[]
{
"string",
},
UserAgentTypes = new[]
{
"string",
},
UserRiskScoreLevels = new[]
{
"string",
},
Users = new[]
{
0,
},
ValidityEndTime = "string",
ValidityStartTime = "string",
ValidityTimeZoneId = "string",
WorkloadGroups = new[]
{
new Zia.Inputs.WorkloadGroupInputArgs
{
ResourceId = 0,
Name = "string",
},
},
});
example, err := zia.NewURLFilteringRule(ctx, "urlfilteringRuleResource", &zia.URLFilteringRuleArgs{
Name: pulumi.String("string"),
Order: pulumi.Int(0),
OverrideGroups: pulumi.IntArray{
pulumi.Int(0),
},
OverrideUsers: pulumi.IntArray{
pulumi.Int(0),
},
Ciparule: pulumi.Bool(false),
Departments: pulumi.IntArray{
pulumi.Int(0),
},
Description: pulumi.String("string"),
DeviceGroups: pulumi.IntArray{
pulumi.Int(0),
},
DeviceTrustLevels: pulumi.StringArray{
pulumi.String("string"),
},
Devices: pulumi.IntArray{
pulumi.Int(0),
},
EndUserNotificationUrl: pulumi.String("string"),
EnforceTimeValidity: pulumi.Bool(false),
Groups: pulumi.IntArray{
pulumi.Int(0),
},
Labels: pulumi.IntArray{
pulumi.Int(0),
},
LocationGroups: pulumi.IntArray{
pulumi.Int(0),
},
Locations: pulumi.IntArray{
pulumi.Int(0),
},
BrowserEunTemplateId: pulumi.Int(0),
BlockOverride: pulumi.Bool(false),
CbiProfile: &pulumizia.CBIProfileInputArgs{
Name: pulumi.String("string"),
ProfileSeq: pulumi.Int(0),
ResourceId: pulumi.String("string"),
Url: pulumi.String("string"),
},
Action: pulumi.String("string"),
Protocols: pulumi.StringArray{
pulumi.String("string"),
},
Rank: pulumi.Int(0),
RequestMethods: pulumi.StringArray{
pulumi.String("string"),
},
SizeQuota: pulumi.Int(0),
SourceCountries: pulumi.StringArray{
pulumi.String("string"),
},
SourceIpGroups: pulumi.IntArray{
pulumi.Int(0),
},
State: pulumi.String("string"),
TimeQuota: pulumi.Int(0),
TimeWindows: pulumi.IntArray{
pulumi.Int(0),
},
UrlCategories: pulumi.StringArray{
pulumi.String("string"),
},
UserAgentTypes: pulumi.StringArray{
pulumi.String("string"),
},
UserRiskScoreLevels: pulumi.StringArray{
pulumi.String("string"),
},
Users: pulumi.IntArray{
pulumi.Int(0),
},
ValidityEndTime: pulumi.String("string"),
ValidityStartTime: pulumi.String("string"),
ValidityTimeZoneId: pulumi.String("string"),
WorkloadGroups: pulumizia.WorkloadGroupInputTypeArray{
&pulumizia.WorkloadGroupInputTypeArgs{
ResourceId: pulumi.Int(0),
Name: pulumi.String("string"),
},
},
})
var urlfilteringRuleResource = new URLFilteringRule("urlfilteringRuleResource", URLFilteringRuleArgs.builder()
.name("string")
.order(0)
.overrideGroups(0)
.overrideUsers(0)
.ciparule(false)
.departments(0)
.description("string")
.deviceGroups(0)
.deviceTrustLevels("string")
.devices(0)
.endUserNotificationUrl("string")
.enforceTimeValidity(false)
.groups(0)
.labels(0)
.locationGroups(0)
.locations(0)
.browserEunTemplateId(0)
.blockOverride(false)
.cbiProfile(CBIProfileInputArgs.builder()
.name("string")
.profileSeq(0)
.resourceId("string")
.url("string")
.build())
.action("string")
.protocols("string")
.rank(0)
.requestMethods("string")
.sizeQuota(0)
.sourceCountries("string")
.sourceIpGroups(0)
.state("string")
.timeQuota(0)
.timeWindows(0)
.urlCategories("string")
.userAgentTypes("string")
.userRiskScoreLevels("string")
.users(0)
.validityEndTime("string")
.validityStartTime("string")
.validityTimeZoneId("string")
.workloadGroups(WorkloadGroupInputArgs.builder()
.resourceId(0)
.name("string")
.build())
.build());
urlfiltering_rule_resource = zia.URLFilteringRule("urlfilteringRuleResource",
name="string",
order=0,
override_groups=[0],
override_users=[0],
ciparule=False,
departments=[0],
description="string",
device_groups=[0],
device_trust_levels=["string"],
devices=[0],
end_user_notification_url="string",
enforce_time_validity=False,
groups=[0],
labels=[0],
location_groups=[0],
locations=[0],
browser_eun_template_id=0,
block_override=False,
cbi_profile={
"name": "string",
"profile_seq": 0,
"resource_id": "string",
"url": "string",
},
action="string",
protocols=["string"],
rank=0,
request_methods=["string"],
size_quota=0,
source_countries=["string"],
source_ip_groups=[0],
state="string",
time_quota=0,
time_windows=[0],
url_categories=["string"],
user_agent_types=["string"],
user_risk_score_levels=["string"],
users=[0],
validity_end_time="string",
validity_start_time="string",
validity_time_zone_id="string",
workload_groups=[{
"resource_id": 0,
"name": "string",
}])
const urlfilteringRuleResource = new zia.URLFilteringRule("urlfilteringRuleResource", {
name: "string",
order: 0,
overrideGroups: [0],
overrideUsers: [0],
ciparule: false,
departments: [0],
description: "string",
deviceGroups: [0],
deviceTrustLevels: ["string"],
devices: [0],
endUserNotificationUrl: "string",
enforceTimeValidity: false,
groups: [0],
labels: [0],
locationGroups: [0],
locations: [0],
browserEunTemplateId: 0,
blockOverride: false,
cbiProfile: {
name: "string",
profileSeq: 0,
resourceId: "string",
url: "string",
},
action: "string",
protocols: ["string"],
rank: 0,
requestMethods: ["string"],
sizeQuota: 0,
sourceCountries: ["string"],
sourceIpGroups: [0],
state: "string",
timeQuota: 0,
timeWindows: [0],
urlCategories: ["string"],
userAgentTypes: ["string"],
userRiskScoreLevels: ["string"],
users: [0],
validityEndTime: "string",
validityStartTime: "string",
validityTimeZoneId: "string",
workloadGroups: [{
resourceId: 0,
name: "string",
}],
});
type: zia:URLFilteringRule
properties:
action: string
blockOverride: false
browserEunTemplateId: 0
cbiProfile:
name: string
profileSeq: 0
resourceId: string
url: string
ciparule: false
departments:
- 0
description: string
deviceGroups:
- 0
deviceTrustLevels:
- string
devices:
- 0
endUserNotificationUrl: string
enforceTimeValidity: false
groups:
- 0
labels:
- 0
locationGroups:
- 0
locations:
- 0
name: string
order: 0
overrideGroups:
- 0
overrideUsers:
- 0
protocols:
- string
rank: 0
requestMethods:
- string
sizeQuota: 0
sourceCountries:
- string
sourceIpGroups:
- 0
state: string
timeQuota: 0
timeWindows:
- 0
urlCategories:
- string
userAgentTypes:
- string
userRiskScoreLevels:
- string
users:
- 0
validityEndTime: string
validityStartTime: string
validityTimeZoneId: string
workloadGroups:
- name: string
resourceId: 0
URLFilteringRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The URLFilteringRule resource accepts the following input properties:
- Name string
- The name of the URL filtering rule. Must be unique.
- Order int
- The order of execution of the rule with respect to other URL filtering rules.
- Action string
- Action taken when traffic matches rule criteria. Valid values:
BLOCK,CAUTION,ALLOW,ISOLATE. - Block
Override bool - When set to true, a 'BLOCK' action can be overridden. Can only be set when action is 'BLOCK'.
- Browser
Eun intTemplate Id - Browser End User Notification template ID. Only applicable when action is 'BLOCK' or 'CAUTION'.
- Cbi
Profile zscaler.Pulumi Package. Zia. Inputs. CBIProfile Input - The Cloud Browser Isolation (CBI) profile. Required when action is 'ISOLATE'.
- Ciparule bool
- If set to true, the CIPA Compliance rule is enabled.
- Departments List<int>
- IDs of departments for which the rule must be applied.
- Description string
- Additional information about the URL filtering rule. Maximum 10240 characters.
- Device
Groups List<int> - IDs of device groups for which the rule must be applied. Applicable for devices managed using Zscaler Client Connector.
- Device
Trust List<string>Levels - Device trust levels for the rule. Valid values:
ANY,UNKNOWN_DEVICETRUSTLEVEL,LOW_TRUST,MEDIUM_TRUST,HIGH_TRUST. - Devices List<int>
- IDs of devices for which the rule must be applied.
- End
User stringNotification Url - URL of end user notification page to be displayed when the rule is matched. Not applicable if either 'overrideUsers' or 'overrideGroups' is specified.
- Enforce
Time boolValidity - Enforce a set validity time period for the URL filtering rule.
- Groups List<int>
- IDs of groups for which the rule must be applied.
- Labels List<int>
- IDs of labels associated with the URL filtering rule.
- Location
Groups List<int> - IDs of location groups to which the rule must be applied.
- Locations List<int>
- IDs of locations for which the rule must be applied.
- Override
Groups List<int> - IDs of groups for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- Override
Users List<int> - IDs of users for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- Protocols List<string>
- Protocols to which the rule applies. Valid values:
SMRULEF_ZPA_BROKERS_RULE,ANY_RULE,TCP_RULE,UDP_RULE,DOHTTPS_RULE,TUNNELSSL_RULE,HTTP_PROXY,FOHTTP_RULE,FTP_RULE,SSL_RULE. - Rank int
- Admin rank of the URL filtering policy rule. Valid values: 0-7. Default: 7.
- Request
Methods List<string> - Request methods to which the rule applies. Valid values:
CONNECT,DELETE,GET,HEAD,OPTIONS,OTHER,POST,PUT,TRACE. - Size
Quota int - Size quota in MB beyond which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 10-100000. Not applicable when action is 'BLOCK'.
- Source
Countries List<string> - Source countries (ISO 3166-1 alpha-2 codes) for the rule.
- Source
Ip List<int>Groups - IDs of source IP address groups.
- State string
- Rule state. Valid values:
ENABLED,DISABLED. - Time
Quota int - Time quota in minutes, after which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 15-600. Not applicable when action is 'BLOCK'.
- Time
Windows List<int> - IDs of time intervals during which the rule must be enforced.
- Url
Categories List<string> - List of URL categories to which the rule applies. See the URL Categories API for available categories.
- User
Agent List<string>Types - User agent types the rule applies to. Valid values:
CHROME,FIREFOX,MSIE,MSEDGE,MSCHREDGE,OPERA,SAFARI,OTHER. - User
Risk List<string>Score Levels - User risk score levels for the rule. Valid values:
LOW,MEDIUM,HIGH,CRITICAL. - Users List<int>
- IDs of users for which the rule must be applied.
- Validity
End stringTime - If enforceTimeValidity is set to true, the URL filtering rule ceases to be valid on this end date and time (RFC 1123 format).
- Validity
Start stringTime - If enforceTimeValidity is set to true, the URL filtering rule is valid starting on this date and time (RFC 1123 format).
- Validity
Time stringZone Id - If enforceTimeValidity is set to true, the URL filtering rule date and time is valid based on this time zone ID. Use IANA format (e.g. 'America/Los_Angeles'). See https://nodatime.org/TimeZones for the complete list.
- Workload
Groups List<zscaler.Pulumi Package. Zia. Inputs. Workload Group Input> - List of preconfigured workload groups to which the policy must be applied.
- Name string
- The name of the URL filtering rule. Must be unique.
- Order int
- The order of execution of the rule with respect to other URL filtering rules.
- Action string
- Action taken when traffic matches rule criteria. Valid values:
BLOCK,CAUTION,ALLOW,ISOLATE. - Block
Override bool - When set to true, a 'BLOCK' action can be overridden. Can only be set when action is 'BLOCK'.
- Browser
Eun intTemplate Id - Browser End User Notification template ID. Only applicable when action is 'BLOCK' or 'CAUTION'.
- Cbi
Profile CBIProfileInput Args - The Cloud Browser Isolation (CBI) profile. Required when action is 'ISOLATE'.
- Ciparule bool
- If set to true, the CIPA Compliance rule is enabled.
- Departments []int
- IDs of departments for which the rule must be applied.
- Description string
- Additional information about the URL filtering rule. Maximum 10240 characters.
- Device
Groups []int - IDs of device groups for which the rule must be applied. Applicable for devices managed using Zscaler Client Connector.
- Device
Trust []stringLevels - Device trust levels for the rule. Valid values:
ANY,UNKNOWN_DEVICETRUSTLEVEL,LOW_TRUST,MEDIUM_TRUST,HIGH_TRUST. - Devices []int
- IDs of devices for which the rule must be applied.
- End
User stringNotification Url - URL of end user notification page to be displayed when the rule is matched. Not applicable if either 'overrideUsers' or 'overrideGroups' is specified.
- Enforce
Time boolValidity - Enforce a set validity time period for the URL filtering rule.
- Groups []int
- IDs of groups for which the rule must be applied.
- Labels []int
- IDs of labels associated with the URL filtering rule.
- Location
Groups []int - IDs of location groups to which the rule must be applied.
- Locations []int
- IDs of locations for which the rule must be applied.
- Override
Groups []int - IDs of groups for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- Override
Users []int - IDs of users for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- Protocols []string
- Protocols to which the rule applies. Valid values:
SMRULEF_ZPA_BROKERS_RULE,ANY_RULE,TCP_RULE,UDP_RULE,DOHTTPS_RULE,TUNNELSSL_RULE,HTTP_PROXY,FOHTTP_RULE,FTP_RULE,SSL_RULE. - Rank int
- Admin rank of the URL filtering policy rule. Valid values: 0-7. Default: 7.
- Request
Methods []string - Request methods to which the rule applies. Valid values:
CONNECT,DELETE,GET,HEAD,OPTIONS,OTHER,POST,PUT,TRACE. - Size
Quota int - Size quota in MB beyond which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 10-100000. Not applicable when action is 'BLOCK'.
- Source
Countries []string - Source countries (ISO 3166-1 alpha-2 codes) for the rule.
- Source
Ip []intGroups - IDs of source IP address groups.
- State string
- Rule state. Valid values:
ENABLED,DISABLED. - Time
Quota int - Time quota in minutes, after which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 15-600. Not applicable when action is 'BLOCK'.
- Time
Windows []int - IDs of time intervals during which the rule must be enforced.
- Url
Categories []string - List of URL categories to which the rule applies. See the URL Categories API for available categories.
- User
Agent []stringTypes - User agent types the rule applies to. Valid values:
CHROME,FIREFOX,MSIE,MSEDGE,MSCHREDGE,OPERA,SAFARI,OTHER. - User
Risk []stringScore Levels - User risk score levels for the rule. Valid values:
LOW,MEDIUM,HIGH,CRITICAL. - Users []int
- IDs of users for which the rule must be applied.
- Validity
End stringTime - If enforceTimeValidity is set to true, the URL filtering rule ceases to be valid on this end date and time (RFC 1123 format).
- Validity
Start stringTime - If enforceTimeValidity is set to true, the URL filtering rule is valid starting on this date and time (RFC 1123 format).
- Validity
Time stringZone Id - If enforceTimeValidity is set to true, the URL filtering rule date and time is valid based on this time zone ID. Use IANA format (e.g. 'America/Los_Angeles'). See https://nodatime.org/TimeZones for the complete list.
- Workload
Groups []WorkloadGroup Input Type Args - List of preconfigured workload groups to which the policy must be applied.
- name String
- The name of the URL filtering rule. Must be unique.
- order Integer
- The order of execution of the rule with respect to other URL filtering rules.
- action String
- Action taken when traffic matches rule criteria. Valid values:
BLOCK,CAUTION,ALLOW,ISOLATE. - block
Override Boolean - When set to true, a 'BLOCK' action can be overridden. Can only be set when action is 'BLOCK'.
- browser
Eun IntegerTemplate Id - Browser End User Notification template ID. Only applicable when action is 'BLOCK' or 'CAUTION'.
- cbi
Profile CBIProfileInput - The Cloud Browser Isolation (CBI) profile. Required when action is 'ISOLATE'.
- ciparule Boolean
- If set to true, the CIPA Compliance rule is enabled.
- departments List<Integer>
- IDs of departments for which the rule must be applied.
- description String
- Additional information about the URL filtering rule. Maximum 10240 characters.
- device
Groups List<Integer> - IDs of device groups for which the rule must be applied. Applicable for devices managed using Zscaler Client Connector.
- device
Trust List<String>Levels - Device trust levels for the rule. Valid values:
ANY,UNKNOWN_DEVICETRUSTLEVEL,LOW_TRUST,MEDIUM_TRUST,HIGH_TRUST. - devices List<Integer>
- IDs of devices for which the rule must be applied.
- end
User StringNotification Url - URL of end user notification page to be displayed when the rule is matched. Not applicable if either 'overrideUsers' or 'overrideGroups' is specified.
- enforce
Time BooleanValidity - Enforce a set validity time period for the URL filtering rule.
- groups List<Integer>
- IDs of groups for which the rule must be applied.
- labels List<Integer>
- IDs of labels associated with the URL filtering rule.
- location
Groups List<Integer> - IDs of location groups to which the rule must be applied.
- locations List<Integer>
- IDs of locations for which the rule must be applied.
- override
Groups List<Integer> - IDs of groups for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- override
Users List<Integer> - IDs of users for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- protocols List<String>
- Protocols to which the rule applies. Valid values:
SMRULEF_ZPA_BROKERS_RULE,ANY_RULE,TCP_RULE,UDP_RULE,DOHTTPS_RULE,TUNNELSSL_RULE,HTTP_PROXY,FOHTTP_RULE,FTP_RULE,SSL_RULE. - rank Integer
- Admin rank of the URL filtering policy rule. Valid values: 0-7. Default: 7.
- request
Methods List<String> - Request methods to which the rule applies. Valid values:
CONNECT,DELETE,GET,HEAD,OPTIONS,OTHER,POST,PUT,TRACE. - size
Quota Integer - Size quota in MB beyond which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 10-100000. Not applicable when action is 'BLOCK'.
- source
Countries List<String> - Source countries (ISO 3166-1 alpha-2 codes) for the rule.
- source
Ip List<Integer>Groups - IDs of source IP address groups.
- state String
- Rule state. Valid values:
ENABLED,DISABLED. - time
Quota Integer - Time quota in minutes, after which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 15-600. Not applicable when action is 'BLOCK'.
- time
Windows List<Integer> - IDs of time intervals during which the rule must be enforced.
- url
Categories List<String> - List of URL categories to which the rule applies. See the URL Categories API for available categories.
- user
Agent List<String>Types - User agent types the rule applies to. Valid values:
CHROME,FIREFOX,MSIE,MSEDGE,MSCHREDGE,OPERA,SAFARI,OTHER. - user
Risk List<String>Score Levels - User risk score levels for the rule. Valid values:
LOW,MEDIUM,HIGH,CRITICAL. - users List<Integer>
- IDs of users for which the rule must be applied.
- validity
End StringTime - If enforceTimeValidity is set to true, the URL filtering rule ceases to be valid on this end date and time (RFC 1123 format).
- validity
Start StringTime - If enforceTimeValidity is set to true, the URL filtering rule is valid starting on this date and time (RFC 1123 format).
- validity
Time StringZone Id - If enforceTimeValidity is set to true, the URL filtering rule date and time is valid based on this time zone ID. Use IANA format (e.g. 'America/Los_Angeles'). See https://nodatime.org/TimeZones for the complete list.
- workload
Groups List<WorkloadGroup Input> - List of preconfigured workload groups to which the policy must be applied.
- name string
- The name of the URL filtering rule. Must be unique.
- order number
- The order of execution of the rule with respect to other URL filtering rules.
- action string
- Action taken when traffic matches rule criteria. Valid values:
BLOCK,CAUTION,ALLOW,ISOLATE. - block
Override boolean - When set to true, a 'BLOCK' action can be overridden. Can only be set when action is 'BLOCK'.
- browser
Eun numberTemplate Id - Browser End User Notification template ID. Only applicable when action is 'BLOCK' or 'CAUTION'.
- cbi
Profile CBIProfileInput - The Cloud Browser Isolation (CBI) profile. Required when action is 'ISOLATE'.
- ciparule boolean
- If set to true, the CIPA Compliance rule is enabled.
- departments number[]
- IDs of departments for which the rule must be applied.
- description string
- Additional information about the URL filtering rule. Maximum 10240 characters.
- device
Groups number[] - IDs of device groups for which the rule must be applied. Applicable for devices managed using Zscaler Client Connector.
- device
Trust string[]Levels - Device trust levels for the rule. Valid values:
ANY,UNKNOWN_DEVICETRUSTLEVEL,LOW_TRUST,MEDIUM_TRUST,HIGH_TRUST. - devices number[]
- IDs of devices for which the rule must be applied.
- end
User stringNotification Url - URL of end user notification page to be displayed when the rule is matched. Not applicable if either 'overrideUsers' or 'overrideGroups' is specified.
- enforce
Time booleanValidity - Enforce a set validity time period for the URL filtering rule.
- groups number[]
- IDs of groups for which the rule must be applied.
- labels number[]
- IDs of labels associated with the URL filtering rule.
- location
Groups number[] - IDs of location groups to which the rule must be applied.
- locations number[]
- IDs of locations for which the rule must be applied.
- override
Groups number[] - IDs of groups for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- override
Users number[] - IDs of users for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- protocols string[]
- Protocols to which the rule applies. Valid values:
SMRULEF_ZPA_BROKERS_RULE,ANY_RULE,TCP_RULE,UDP_RULE,DOHTTPS_RULE,TUNNELSSL_RULE,HTTP_PROXY,FOHTTP_RULE,FTP_RULE,SSL_RULE. - rank number
- Admin rank of the URL filtering policy rule. Valid values: 0-7. Default: 7.
- request
Methods string[] - Request methods to which the rule applies. Valid values:
CONNECT,DELETE,GET,HEAD,OPTIONS,OTHER,POST,PUT,TRACE. - size
Quota number - Size quota in MB beyond which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 10-100000. Not applicable when action is 'BLOCK'.
- source
Countries string[] - Source countries (ISO 3166-1 alpha-2 codes) for the rule.
- source
Ip number[]Groups - IDs of source IP address groups.
- state string
- Rule state. Valid values:
ENABLED,DISABLED. - time
Quota number - Time quota in minutes, after which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 15-600. Not applicable when action is 'BLOCK'.
- time
Windows number[] - IDs of time intervals during which the rule must be enforced.
- url
Categories string[] - List of URL categories to which the rule applies. See the URL Categories API for available categories.
- user
Agent string[]Types - User agent types the rule applies to. Valid values:
CHROME,FIREFOX,MSIE,MSEDGE,MSCHREDGE,OPERA,SAFARI,OTHER. - user
Risk string[]Score Levels - User risk score levels for the rule. Valid values:
LOW,MEDIUM,HIGH,CRITICAL. - users number[]
- IDs of users for which the rule must be applied.
- validity
End stringTime - If enforceTimeValidity is set to true, the URL filtering rule ceases to be valid on this end date and time (RFC 1123 format).
- validity
Start stringTime - If enforceTimeValidity is set to true, the URL filtering rule is valid starting on this date and time (RFC 1123 format).
- validity
Time stringZone Id - If enforceTimeValidity is set to true, the URL filtering rule date and time is valid based on this time zone ID. Use IANA format (e.g. 'America/Los_Angeles'). See https://nodatime.org/TimeZones for the complete list.
- workload
Groups WorkloadGroup Input[] - List of preconfigured workload groups to which the policy must be applied.
- name str
- The name of the URL filtering rule. Must be unique.
- order int
- The order of execution of the rule with respect to other URL filtering rules.
- action str
- Action taken when traffic matches rule criteria. Valid values:
BLOCK,CAUTION,ALLOW,ISOLATE. - block_
override bool - When set to true, a 'BLOCK' action can be overridden. Can only be set when action is 'BLOCK'.
- browser_
eun_ inttemplate_ id - Browser End User Notification template ID. Only applicable when action is 'BLOCK' or 'CAUTION'.
- cbi_
profile CBIProfileInput Args - The Cloud Browser Isolation (CBI) profile. Required when action is 'ISOLATE'.
- ciparule bool
- If set to true, the CIPA Compliance rule is enabled.
- departments Sequence[int]
- IDs of departments for which the rule must be applied.
- description str
- Additional information about the URL filtering rule. Maximum 10240 characters.
- device_
groups Sequence[int] - IDs of device groups for which the rule must be applied. Applicable for devices managed using Zscaler Client Connector.
- device_
trust_ Sequence[str]levels - Device trust levels for the rule. Valid values:
ANY,UNKNOWN_DEVICETRUSTLEVEL,LOW_TRUST,MEDIUM_TRUST,HIGH_TRUST. - devices Sequence[int]
- IDs of devices for which the rule must be applied.
- end_
user_ strnotification_ url - URL of end user notification page to be displayed when the rule is matched. Not applicable if either 'overrideUsers' or 'overrideGroups' is specified.
- enforce_
time_ boolvalidity - Enforce a set validity time period for the URL filtering rule.
- groups Sequence[int]
- IDs of groups for which the rule must be applied.
- labels Sequence[int]
- IDs of labels associated with the URL filtering rule.
- location_
groups Sequence[int] - IDs of location groups to which the rule must be applied.
- locations Sequence[int]
- IDs of locations for which the rule must be applied.
- override_
groups Sequence[int] - IDs of groups for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- override_
users Sequence[int] - IDs of users for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- protocols Sequence[str]
- Protocols to which the rule applies. Valid values:
SMRULEF_ZPA_BROKERS_RULE,ANY_RULE,TCP_RULE,UDP_RULE,DOHTTPS_RULE,TUNNELSSL_RULE,HTTP_PROXY,FOHTTP_RULE,FTP_RULE,SSL_RULE. - rank int
- Admin rank of the URL filtering policy rule. Valid values: 0-7. Default: 7.
- request_
methods Sequence[str] - Request methods to which the rule applies. Valid values:
CONNECT,DELETE,GET,HEAD,OPTIONS,OTHER,POST,PUT,TRACE. - size_
quota int - Size quota in MB beyond which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 10-100000. Not applicable when action is 'BLOCK'.
- source_
countries Sequence[str] - Source countries (ISO 3166-1 alpha-2 codes) for the rule.
- source_
ip_ Sequence[int]groups - IDs of source IP address groups.
- state str
- Rule state. Valid values:
ENABLED,DISABLED. - time_
quota int - Time quota in minutes, after which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 15-600. Not applicable when action is 'BLOCK'.
- time_
windows Sequence[int] - IDs of time intervals during which the rule must be enforced.
- url_
categories Sequence[str] - List of URL categories to which the rule applies. See the URL Categories API for available categories.
- user_
agent_ Sequence[str]types - User agent types the rule applies to. Valid values:
CHROME,FIREFOX,MSIE,MSEDGE,MSCHREDGE,OPERA,SAFARI,OTHER. - user_
risk_ Sequence[str]score_ levels - User risk score levels for the rule. Valid values:
LOW,MEDIUM,HIGH,CRITICAL. - users Sequence[int]
- IDs of users for which the rule must be applied.
- validity_
end_ strtime - If enforceTimeValidity is set to true, the URL filtering rule ceases to be valid on this end date and time (RFC 1123 format).
- validity_
start_ strtime - If enforceTimeValidity is set to true, the URL filtering rule is valid starting on this date and time (RFC 1123 format).
- validity_
time_ strzone_ id - If enforceTimeValidity is set to true, the URL filtering rule date and time is valid based on this time zone ID. Use IANA format (e.g. 'America/Los_Angeles'). See https://nodatime.org/TimeZones for the complete list.
- workload_
groups Sequence[WorkloadGroup Input Args] - List of preconfigured workload groups to which the policy must be applied.
- name String
- The name of the URL filtering rule. Must be unique.
- order Number
- The order of execution of the rule with respect to other URL filtering rules.
- action String
- Action taken when traffic matches rule criteria. Valid values:
BLOCK,CAUTION,ALLOW,ISOLATE. - block
Override Boolean - When set to true, a 'BLOCK' action can be overridden. Can only be set when action is 'BLOCK'.
- browser
Eun NumberTemplate Id - Browser End User Notification template ID. Only applicable when action is 'BLOCK' or 'CAUTION'.
- cbi
Profile Property Map - The Cloud Browser Isolation (CBI) profile. Required when action is 'ISOLATE'.
- ciparule Boolean
- If set to true, the CIPA Compliance rule is enabled.
- departments List<Number>
- IDs of departments for which the rule must be applied.
- description String
- Additional information about the URL filtering rule. Maximum 10240 characters.
- device
Groups List<Number> - IDs of device groups for which the rule must be applied. Applicable for devices managed using Zscaler Client Connector.
- device
Trust List<String>Levels - Device trust levels for the rule. Valid values:
ANY,UNKNOWN_DEVICETRUSTLEVEL,LOW_TRUST,MEDIUM_TRUST,HIGH_TRUST. - devices List<Number>
- IDs of devices for which the rule must be applied.
- end
User StringNotification Url - URL of end user notification page to be displayed when the rule is matched. Not applicable if either 'overrideUsers' or 'overrideGroups' is specified.
- enforce
Time BooleanValidity - Enforce a set validity time period for the URL filtering rule.
- groups List<Number>
- IDs of groups for which the rule must be applied.
- labels List<Number>
- IDs of labels associated with the URL filtering rule.
- location
Groups List<Number> - IDs of location groups to which the rule must be applied.
- locations List<Number>
- IDs of locations for which the rule must be applied.
- override
Groups List<Number> - IDs of groups for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- override
Users List<Number> - IDs of users for which this rule can be overridden. Only applicable when action is 'BLOCK' and blockOverride is true.
- protocols List<String>
- Protocols to which the rule applies. Valid values:
SMRULEF_ZPA_BROKERS_RULE,ANY_RULE,TCP_RULE,UDP_RULE,DOHTTPS_RULE,TUNNELSSL_RULE,HTTP_PROXY,FOHTTP_RULE,FTP_RULE,SSL_RULE. - rank Number
- Admin rank of the URL filtering policy rule. Valid values: 0-7. Default: 7.
- request
Methods List<String> - Request methods to which the rule applies. Valid values:
CONNECT,DELETE,GET,HEAD,OPTIONS,OTHER,POST,PUT,TRACE. - size
Quota Number - Size quota in MB beyond which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 10-100000. Not applicable when action is 'BLOCK'.
- source
Countries List<String> - Source countries (ISO 3166-1 alpha-2 codes) for the rule.
- source
Ip List<Number>Groups - IDs of source IP address groups.
- state String
- Rule state. Valid values:
ENABLED,DISABLED. - time
Quota Number - Time quota in minutes, after which the URL filtering rule is applied. If not set, no quota is enforced. Valid range: 15-600. Not applicable when action is 'BLOCK'.
- time
Windows List<Number> - IDs of time intervals during which the rule must be enforced.
- url
Categories List<String> - List of URL categories to which the rule applies. See the URL Categories API for available categories.
- user
Agent List<String>Types - User agent types the rule applies to. Valid values:
CHROME,FIREFOX,MSIE,MSEDGE,MSCHREDGE,OPERA,SAFARI,OTHER. - user
Risk List<String>Score Levels - User risk score levels for the rule. Valid values:
LOW,MEDIUM,HIGH,CRITICAL. - users List<Number>
- IDs of users for which the rule must be applied.
- validity
End StringTime - If enforceTimeValidity is set to true, the URL filtering rule ceases to be valid on this end date and time (RFC 1123 format).
- validity
Start StringTime - If enforceTimeValidity is set to true, the URL filtering rule is valid starting on this date and time (RFC 1123 format).
- validity
Time StringZone Id - If enforceTimeValidity is set to true, the URL filtering rule date and time is valid based on this time zone ID. Use IANA format (e.g. 'America/Los_Angeles'). See https://nodatime.org/TimeZones for the complete list.
- workload
Groups List<Property Map> - List of preconfigured workload groups to which the policy must be applied.
Outputs
All input properties are implicitly available as output properties. Additionally, the URLFilteringRule resource produces the following output properties:
Supporting Types
CBIProfileInput, CBIProfileInputArgs
- Name string
- Profile
Seq int - Resource
Id string - Url string
- Name string
- Profile
Seq int - Resource
Id string - Url string
- name String
- profile
Seq Integer - resource
Id String - url String
- name string
- profile
Seq number - resource
Id string - url string
- name str
- profile_
seq int - resource_
id str - url str
- name String
- profile
Seq Number - resource
Id String - url String
WorkloadGroupInput, WorkloadGroupInputArgs
- Resource
Id int - Name string
- Resource
Id int - Name string
- resource
Id Integer - name String
- resource
Id number - name string
- resource_
id int - name str
- resource
Id Number - name String
Import
An existing URL Filtering Rule can be imported using its resource ID, e.g.
$ pulumi import zia:index:URLFilteringRule example 12345
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- zia zscaler/pulumi-zia
- License
Viewing docs for pulumi-resource-zia v1.3.8
published on Friday, Mar 13, 2026 by Zscaler
published on Friday, Mar 13, 2026 by Zscaler
