Zscaler Private Access v1.0.3 published on Wednesday, Jan 21, 2026 by Zscaler
Zscaler Private Access v1.0.3 published on Wednesday, Jan 21, 2026 by Zscaler
The zpa_policy_inspection_rule_v2 resource creates and manages policy access inspection rule in the Zscaler Private Access cloud using a new v2 API endpoint.
⚠️ NOTE: This resource is recommended if your configuration requires the association of more than 1000 resource criteria per rule.
⚠️ WARNING:: The attribute <span pulumi-lang-nodejs="ruleOrder" pulumi-lang-dotnet="RuleOrder" pulumi-lang-go="ruleOrder" pulumi-lang-python="rule_order" pulumi-lang-yaml="ruleOrder" pulumi-lang-java="ruleOrder">rule_order</span> is now deprecated in favor of the new resource <span pulumi-lang-nodejs="policyAccessRuleReorder" pulumi-lang-dotnet="PolicyAccessRuleReorder" pulumi-lang-go="policyAccessRuleReorder" pulumi-lang-python="policy_access_rule_reorder" pulumi-lang-yaml="policyAccessRuleReorder" pulumi-lang-java="policyAccessRuleReorder">policy_access_rule_reorder</span>
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as zpa from "@bdzscaler/pulumi-zpa";
const _this = zpa.getInspectionPredefinedControls({
name: "Failed to parse request body",
version: "OWASP_CRS/3.3.0",
});
const defaultPredefinedControls = zpa.getInspectionAllPredefinedControls({
version: "OWASP_CRS/3.3.0",
groupName: "preprocessors",
});
const thisInspectionProfile = new zpa.InspectionProfile("this", {
predefinedControls: [{
id: _this.then(_this => _this.id),
action: "BLOCK",
}],
name: "Example",
description: "Example",
paranoiaLevel: "1",
});
// Retrieve Identity Provider ID
const thisGetIdPController = zpa.getIdPController({
name: "Idp_Name",
});
// Retrieve SAML Attribute ID
const emailUserSso = zpa.getSAMLAttribute({
name: "Email_Users",
idpName: "Idp_Name",
});
// Retrieve SAML Attribute ID
const groupUser = zpa.getSAMLAttribute({
name: "GroupName_Users",
idpName: "Idp_Name",
});
// Retrieve SCIM Group ID
const a000 = zpa.getSCIMGroups({
name: "A000",
idpName: "Idp_Name",
});
// Retrieve SCIM Group ID
const b000 = zpa.getSCIMGroups({
name: "B000",
idpName: "Idp_Name",
});
// Create Policy Access Isolation Rule V2
const thisPolicyAccessInspectionRuleV2 = new zpa.PolicyAccessInspectionRuleV2("this", {
name: "Example",
description: "Example",
action: "INSPECT",
zpnInspectionProfileId: thisInspectionProfile.id,
conditions: [
{
operator: "OR",
operands: [{
objectType: "CLIENT_TYPE",
values: ["zpn_client_type_exporter"],
}],
},
{
operator: "OR",
operands: [
{
objectType: "SAML",
entryValues: [
{
rhs: "user1@acme.com",
lhs: emailUserSso.then(emailUserSso => emailUserSso.id),
},
{
rhs: "A000",
lhs: groupUser.then(groupUser => groupUser.id),
},
],
},
{
objectType: "SCIM_GROUP",
entryValues: [
{
rhs: a000.then(a000 => a000.id),
lhs: thisGetIdPController.then(thisGetIdPController => thisGetIdPController.id),
},
{
rhs: b000.then(b000 => b000.id),
lhs: thisGetIdPController.then(thisGetIdPController => thisGetIdPController.id),
},
],
},
],
},
],
});
import pulumi
import pulumi_zpa as zpa
import zscaler_pulumi_zpa as zpa
this = zpa.get_inspection_predefined_controls(name="Failed to parse request body",
version="OWASP_CRS/3.3.0")
default_predefined_controls = zpa.get_inspection_all_predefined_controls(version="OWASP_CRS/3.3.0",
group_name="preprocessors")
this_inspection_profile = zpa.InspectionProfile("this",
predefined_controls=[{
"id": this.id,
"action": "BLOCK",
}],
name="Example",
description="Example",
paranoia_level="1")
# Retrieve Identity Provider ID
this_get_id_p_controller = zpa.get_id_p_controller(name="Idp_Name")
# Retrieve SAML Attribute ID
email_user_sso = zpa.get_saml_attribute(name="Email_Users",
idp_name="Idp_Name")
# Retrieve SAML Attribute ID
group_user = zpa.get_saml_attribute(name="GroupName_Users",
idp_name="Idp_Name")
# Retrieve SCIM Group ID
a000 = zpa.get_scim_groups(name="A000",
idp_name="Idp_Name")
# Retrieve SCIM Group ID
b000 = zpa.get_scim_groups(name="B000",
idp_name="Idp_Name")
# Create Policy Access Isolation Rule V2
this_policy_access_inspection_rule_v2 = zpa.PolicyAccessInspectionRuleV2("this",
name="Example",
description="Example",
action="INSPECT",
zpn_inspection_profile_id=this_inspection_profile.id,
conditions=[
{
"operator": "OR",
"operands": [{
"object_type": "CLIENT_TYPE",
"values": ["zpn_client_type_exporter"],
}],
},
{
"operator": "OR",
"operands": [
{
"object_type": "SAML",
"entry_values": [
{
"rhs": "user1@acme.com",
"lhs": email_user_sso.id,
},
{
"rhs": "A000",
"lhs": group_user.id,
},
],
},
{
"object_type": "SCIM_GROUP",
"entry_values": [
{
"rhs": a000.id,
"lhs": this_get_id_p_controller.id,
},
{
"rhs": b000.id,
"lhs": this_get_id_p_controller.id,
},
],
},
],
},
])
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/zscaler/pulumi-zpa/sdk/go/zpa"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := zpa.GetInspectionPredefinedControls(ctx, &zpa.GetInspectionPredefinedControlsArgs{
Name: pulumi.StringRef("Failed to parse request body"),
Version: pulumi.StringRef("OWASP_CRS/3.3.0"),
}, nil)
if err != nil {
return err
}
_, err = zpa.GetInspectionAllPredefinedControls(ctx, &zpa.GetInspectionAllPredefinedControlsArgs{
Version: pulumi.StringRef("OWASP_CRS/3.3.0"),
GroupName: pulumi.StringRef("preprocessors"),
}, nil)
if err != nil {
return err
}
thisInspectionProfile, err := zpa.NewInspectionProfile(ctx, "this", &zpa.InspectionProfileArgs{
PredefinedControls: zpa.InspectionProfilePredefinedControlArray{
&zpa.InspectionProfilePredefinedControlArgs{
Id: pulumi.String(this.Id),
Action: pulumi.String("BLOCK"),
},
},
Name: pulumi.String("Example"),
Description: pulumi.String("Example"),
ParanoiaLevel: pulumi.String("1"),
})
if err != nil {
return err
}
// Retrieve Identity Provider ID
thisGetIdPController, err := zpa.GetIdPController(ctx, &zpa.GetIdPControllerArgs{
Name: pulumi.StringRef("Idp_Name"),
}, nil)
if err != nil {
return err
}
// Retrieve SAML Attribute ID
emailUserSso, err := zpa.GetSAMLAttribute(ctx, &zpa.GetSAMLAttributeArgs{
Name: pulumi.StringRef("Email_Users"),
IdpName: pulumi.StringRef("Idp_Name"),
}, nil)
if err != nil {
return err
}
// Retrieve SAML Attribute ID
groupUser, err := zpa.GetSAMLAttribute(ctx, &zpa.GetSAMLAttributeArgs{
Name: pulumi.StringRef("GroupName_Users"),
IdpName: pulumi.StringRef("Idp_Name"),
}, nil)
if err != nil {
return err
}
// Retrieve SCIM Group ID
a000, err := zpa.GetSCIMGroups(ctx, &zpa.GetSCIMGroupsArgs{
Name: pulumi.StringRef("A000"),
IdpName: pulumi.StringRef("Idp_Name"),
}, nil)
if err != nil {
return err
}
// Retrieve SCIM Group ID
b000, err := zpa.GetSCIMGroups(ctx, &zpa.GetSCIMGroupsArgs{
Name: pulumi.StringRef("B000"),
IdpName: pulumi.StringRef("Idp_Name"),
}, nil)
if err != nil {
return err
}
// Create Policy Access Isolation Rule V2
_, err = zpa.NewPolicyAccessInspectionRuleV2(ctx, "this", &zpa.PolicyAccessInspectionRuleV2Args{
Name: pulumi.String("Example"),
Description: pulumi.String("Example"),
Action: pulumi.String("INSPECT"),
ZpnInspectionProfileId: thisInspectionProfile.ID(),
Conditions: zpa.PolicyAccessInspectionRuleV2ConditionArray{
&zpa.PolicyAccessInspectionRuleV2ConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyAccessInspectionRuleV2ConditionOperandArray{
&zpa.PolicyAccessInspectionRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("CLIENT_TYPE"),
Values: pulumi.StringArray{
pulumi.String("zpn_client_type_exporter"),
},
},
},
},
&zpa.PolicyAccessInspectionRuleV2ConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyAccessInspectionRuleV2ConditionOperandArray{
&zpa.PolicyAccessInspectionRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("SAML"),
EntryValues: zpa.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArray{
&zpa.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs{
Rhs: pulumi.String("user1@acme.com"),
Lhs: pulumi.String(emailUserSso.Id),
},
&zpa.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs{
Rhs: pulumi.String("A000"),
Lhs: pulumi.String(groupUser.Id),
},
},
},
&zpa.PolicyAccessInspectionRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("SCIM_GROUP"),
EntryValues: zpa.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArray{
&zpa.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs{
Rhs: pulumi.String(a000.Id),
Lhs: pulumi.String(thisGetIdPController.Id),
},
&zpa.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs{
Rhs: pulumi.String(b000.Id),
Lhs: pulumi.String(thisGetIdPController.Id),
},
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Zpa = Pulumi.Zpa;
using Zpa = zscaler.PulumiPackage.Zpa;
return await Deployment.RunAsync(() =>
{
var @this = Zpa.GetInspectionPredefinedControls.Invoke(new()
{
Name = "Failed to parse request body",
Version = "OWASP_CRS/3.3.0",
});
var defaultPredefinedControls = Zpa.GetInspectionAllPredefinedControls.Invoke(new()
{
Version = "OWASP_CRS/3.3.0",
GroupName = "preprocessors",
});
var thisInspectionProfile = new Zpa.InspectionProfile("this", new()
{
PredefinedControls = new[]
{
new Zpa.Inputs.InspectionProfilePredefinedControlArgs
{
Id = @this.Apply(@this => @this.Apply(getInspectionPredefinedControlsResult => getInspectionPredefinedControlsResult.Id)),
Action = "BLOCK",
},
},
Name = "Example",
Description = "Example",
ParanoiaLevel = "1",
});
// Retrieve Identity Provider ID
var thisGetIdPController = Zpa.GetIdPController.Invoke(new()
{
Name = "Idp_Name",
});
// Retrieve SAML Attribute ID
var emailUserSso = Zpa.GetSAMLAttribute.Invoke(new()
{
Name = "Email_Users",
IdpName = "Idp_Name",
});
// Retrieve SAML Attribute ID
var groupUser = Zpa.GetSAMLAttribute.Invoke(new()
{
Name = "GroupName_Users",
IdpName = "Idp_Name",
});
// Retrieve SCIM Group ID
var a000 = Zpa.GetSCIMGroups.Invoke(new()
{
Name = "A000",
IdpName = "Idp_Name",
});
// Retrieve SCIM Group ID
var b000 = Zpa.GetSCIMGroups.Invoke(new()
{
Name = "B000",
IdpName = "Idp_Name",
});
// Create Policy Access Isolation Rule V2
var thisPolicyAccessInspectionRuleV2 = new Zpa.PolicyAccessInspectionRuleV2("this", new()
{
Name = "Example",
Description = "Example",
Action = "INSPECT",
ZpnInspectionProfileId = thisInspectionProfile.Id,
Conditions = new[]
{
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionOperandArgs
{
ObjectType = "CLIENT_TYPE",
Values = new[]
{
"zpn_client_type_exporter",
},
},
},
},
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionOperandArgs
{
ObjectType = "SAML",
EntryValues = new[]
{
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs
{
Rhs = "user1@acme.com",
Lhs = emailUserSso.Apply(getSAMLAttributeResult => getSAMLAttributeResult.Id),
},
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs
{
Rhs = "A000",
Lhs = groupUser.Apply(getSAMLAttributeResult => getSAMLAttributeResult.Id),
},
},
},
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionOperandArgs
{
ObjectType = "SCIM_GROUP",
EntryValues = new[]
{
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs
{
Rhs = a000.Apply(getSCIMGroupsResult => getSCIMGroupsResult.Id),
Lhs = thisGetIdPController.Apply(getIdPControllerResult => getIdPControllerResult.Id),
},
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs
{
Rhs = b000.Apply(getSCIMGroupsResult => getSCIMGroupsResult.Id),
Lhs = thisGetIdPController.Apply(getIdPControllerResult => getIdPControllerResult.Id),
},
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.zpa.ZpaFunctions;
import com.pulumi.zpa.inputs.GetInspectionPredefinedControlsArgs;
import com.pulumi.zpa.inputs.GetInspectionAllPredefinedControlsArgs;
import com.pulumi.zpa.InspectionProfile;
import com.pulumi.zpa.InspectionProfileArgs;
import com.pulumi.zpa.inputs.InspectionProfilePredefinedControlArgs;
import com.pulumi.zpa.inputs.GetIdPControllerArgs;
import com.pulumi.zpa.inputs.GetSAMLAttributeArgs;
import com.pulumi.zpa.inputs.GetSCIMGroupsArgs;
import com.pulumi.zpa.PolicyAccessInspectionRuleV2;
import com.pulumi.zpa.PolicyAccessInspectionRuleV2Args;
import com.pulumi.zpa.inputs.PolicyAccessInspectionRuleV2ConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var this = ZpaFunctions.getInspectionPredefinedControls(GetInspectionPredefinedControlsArgs.builder()
.name("Failed to parse request body")
.version("OWASP_CRS/3.3.0")
.build());
final var defaultPredefinedControls = ZpaFunctions.getInspectionAllPredefinedControls(GetInspectionAllPredefinedControlsArgs.builder()
.version("OWASP_CRS/3.3.0")
.groupName("preprocessors")
.build());
var thisInspectionProfile = new InspectionProfile("thisInspectionProfile", InspectionProfileArgs.builder()
.predefinedControls(InspectionProfilePredefinedControlArgs.builder()
.id(this_.id())
.action("BLOCK")
.build())
.name("Example")
.description("Example")
.paranoiaLevel("1")
.build());
// Retrieve Identity Provider ID
final var thisGetIdPController = ZpaFunctions.getIdPController(GetIdPControllerArgs.builder()
.name("Idp_Name")
.build());
// Retrieve SAML Attribute ID
final var emailUserSso = ZpaFunctions.getSAMLAttribute(GetSAMLAttributeArgs.builder()
.name("Email_Users")
.idpName("Idp_Name")
.build());
// Retrieve SAML Attribute ID
final var groupUser = ZpaFunctions.getSAMLAttribute(GetSAMLAttributeArgs.builder()
.name("GroupName_Users")
.idpName("Idp_Name")
.build());
// Retrieve SCIM Group ID
final var a000 = ZpaFunctions.getSCIMGroups(GetSCIMGroupsArgs.builder()
.name("A000")
.idpName("Idp_Name")
.build());
// Retrieve SCIM Group ID
final var b000 = ZpaFunctions.getSCIMGroups(GetSCIMGroupsArgs.builder()
.name("B000")
.idpName("Idp_Name")
.build());
// Create Policy Access Isolation Rule V2
var thisPolicyAccessInspectionRuleV2 = new PolicyAccessInspectionRuleV2("thisPolicyAccessInspectionRuleV2", PolicyAccessInspectionRuleV2Args.builder()
.name("Example")
.description("Example")
.action("INSPECT")
.zpnInspectionProfileId(thisInspectionProfile.id())
.conditions(
PolicyAccessInspectionRuleV2ConditionArgs.builder()
.operator("OR")
.operands(PolicyAccessInspectionRuleV2ConditionOperandArgs.builder()
.objectType("CLIENT_TYPE")
.values("zpn_client_type_exporter")
.build())
.build(),
PolicyAccessInspectionRuleV2ConditionArgs.builder()
.operator("OR")
.operands(
PolicyAccessInspectionRuleV2ConditionOperandArgs.builder()
.objectType("SAML")
.entryValues(
PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs.builder()
.rhs("user1@acme.com")
.lhs(emailUserSso.id())
.build(),
PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs.builder()
.rhs("A000")
.lhs(groupUser.id())
.build())
.build(),
PolicyAccessInspectionRuleV2ConditionOperandArgs.builder()
.objectType("SCIM_GROUP")
.entryValues(
PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs.builder()
.rhs(a000.id())
.lhs(thisGetIdPController.id())
.build(),
PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs.builder()
.rhs(b000.id())
.lhs(thisGetIdPController.id())
.build())
.build())
.build())
.build());
}
}
resources:
thisInspectionProfile:
type: zpa:InspectionProfile
name: this
properties:
predefinedControls:
- id: ${this.id}
action: BLOCK
name: Example
description: Example
paranoiaLevel: '1'
# Create Policy Access Isolation Rule V2
thisPolicyAccessInspectionRuleV2:
type: zpa:PolicyAccessInspectionRuleV2
name: this
properties:
name: Example
description: Example
action: INSPECT
zpnInspectionProfileId: ${thisInspectionProfile.id}
conditions:
- operator: OR
operands:
- objectType: CLIENT_TYPE
values:
- zpn_client_type_exporter
- operator: OR
operands:
- objectType: SAML
entryValues:
- rhs: user1@acme.com
lhs: ${emailUserSso.id}
- rhs: A000
lhs: ${groupUser.id}
- objectType: SCIM_GROUP
entryValues:
- rhs: ${a000.id}
lhs: ${thisGetIdPController.id}
- rhs: ${b000.id}
lhs: ${thisGetIdPController.id}
variables:
this:
fn::invoke:
function: zpa:getInspectionPredefinedControls
arguments:
name: Failed to parse request body
version: OWASP_CRS/3.3.0
defaultPredefinedControls:
fn::invoke:
function: zpa:getInspectionAllPredefinedControls
arguments:
version: OWASP_CRS/3.3.0
groupName: preprocessors
# Retrieve Identity Provider ID
thisGetIdPController:
fn::invoke:
function: zpa:getIdPController
arguments:
name: Idp_Name
# Retrieve SAML Attribute ID
emailUserSso:
fn::invoke:
function: zpa:getSAMLAttribute
arguments:
name: Email_Users
idpName: Idp_Name
# Retrieve SAML Attribute ID
groupUser:
fn::invoke:
function: zpa:getSAMLAttribute
arguments:
name: GroupName_Users
idpName: Idp_Name
# Retrieve SCIM Group ID
a000:
fn::invoke:
function: zpa:getSCIMGroups
arguments:
name: A000
idpName: Idp_Name
# Retrieve SCIM Group ID
b000:
fn::invoke:
function: zpa:getSCIMGroups
arguments:
name: B000
idpName: Idp_Name
LHS and RHS Values
| Object Type | LHS | RHS | VALUES |
|---|---|---|---|
| APP | <span pulumi-lang-nodejs="applicationSegmentId" pulumi-lang-dotnet="ApplicationSegmentId" pulumi-lang-go="applicationSegmentId" pulumi-lang-python="application_segment_id" pulumi-lang-yaml="applicationSegmentId" pulumi-lang-java="applicationSegmentId">application_segment_id</span> | ||
| APP_GROUP | <span pulumi-lang-nodejs="segmentGroupId" pulumi-lang-dotnet="SegmentGroupId" pulumi-lang-go="segmentGroupId" pulumi-lang-python="segment_group_id" pulumi-lang-yaml="segmentGroupId" pulumi-lang-java="segmentGroupId">segment_group_id</span> | ||
| CLIENT_TYPE | <span pulumi-lang-nodejs="zpnClientTypeZappl" pulumi-lang-dotnet="ZpnClientTypeZappl" pulumi-lang-go="zpnClientTypeZappl" pulumi-lang-python="zpn_client_type_zappl" pulumi-lang-yaml="zpnClientTypeZappl" pulumi-lang-java="zpnClientTypeZappl">zpn_client_type_zappl</span>, <span pulumi-lang-nodejs="zpnClientTypeExporter" pulumi-lang-dotnet="ZpnClientTypeExporter" pulumi-lang-go="zpnClientTypeExporter" pulumi-lang-python="zpn_client_type_exporter" pulumi-lang-yaml="zpnClientTypeExporter" pulumi-lang-java="zpnClientTypeExporter">zpn_client_type_exporter</span>, <span pulumi-lang-nodejs="zpnClientTypeBrowserIsolation" pulumi-lang-dotnet="ZpnClientTypeBrowserIsolation" pulumi-lang-go="zpnClientTypeBrowserIsolation" pulumi-lang-python="zpn_client_type_browser_isolation" pulumi-lang-yaml="zpnClientTypeBrowserIsolation" pulumi-lang-java="zpnClientTypeBrowserIsolation">zpn_client_type_browser_isolation</span>, <span pulumi-lang-nodejs="zpnClientTypeIpAnchoring" pulumi-lang-dotnet="ZpnClientTypeIpAnchoring" pulumi-lang-go="zpnClientTypeIpAnchoring" pulumi-lang-python="zpn_client_type_ip_anchoring" pulumi-lang-yaml="zpnClientTypeIpAnchoring" pulumi-lang-java="zpnClientTypeIpAnchoring">zpn_client_type_ip_anchoring</span>, <span pulumi-lang-nodejs="zpnClientTypeEdgeConnector" pulumi-lang-dotnet="ZpnClientTypeEdgeConnector" pulumi-lang-go="zpnClientTypeEdgeConnector" pulumi-lang-python="zpn_client_type_edge_connector" pulumi-lang-yaml="zpnClientTypeEdgeConnector" pulumi-lang-java="zpnClientTypeEdgeConnector">zpn_client_type_edge_connector</span>, <span pulumi-lang-nodejs="zpnClientTypeBranchConnector" pulumi-lang-dotnet="ZpnClientTypeBranchConnector" pulumi-lang-go="zpnClientTypeBranchConnector" pulumi-lang-python="zpn_client_type_branch_connector" pulumi-lang-yaml="zpnClientTypeBranchConnector" pulumi-lang-java="zpnClientTypeBranchConnector">zpn_client_type_branch_connector</span>, <span pulumi-lang-nodejs="zpnClientTypeZappPartner" pulumi-lang-dotnet="ZpnClientTypeZappPartner" pulumi-lang-go="zpnClientTypeZappPartner" pulumi-lang-python="zpn_client_type_zapp_partner" pulumi-lang-yaml="zpnClientTypeZappPartner" pulumi-lang-java="zpnClientTypeZappPartner">zpn_client_type_zapp_partner</span>, <span pulumi-lang-nodejs="zpnClientTypeZapp" pulumi-lang-dotnet="ZpnClientTypeZapp" pulumi-lang-go="zpnClientTypeZapp" pulumi-lang-python="zpn_client_type_zapp" pulumi-lang-yaml="zpnClientTypeZapp" pulumi-lang-java="zpnClientTypeZapp">zpn_client_type_zapp</span> | ||
| EDGE_CONNECTOR_GROUP | <edge_connector_id> | ||
| MACHINE_GRP | <span pulumi-lang-nodejs="machineGroupId" pulumi-lang-dotnet="MachineGroupId" pulumi-lang-go="machineGroupId" pulumi-lang-python="machine_group_id" pulumi-lang-yaml="machineGroupId" pulumi-lang-java="machineGroupId">machine_group_id</span> | ||
| SAML | <span pulumi-lang-nodejs="samlAttributeId" pulumi-lang-dotnet="SamlAttributeId" pulumi-lang-go="samlAttributeId" pulumi-lang-python="saml_attribute_id" pulumi-lang-yaml="samlAttributeId" pulumi-lang-java="samlAttributeId">saml_attribute_id</span> | <span pulumi-lang-nodejs="attributeValueToMatch" pulumi-lang-dotnet="AttributeValueToMatch" pulumi-lang-go="attributeValueToMatch" pulumi-lang-python="attribute_value_to_match" pulumi-lang-yaml="attributeValueToMatch" pulumi-lang-java="attributeValueToMatch">attribute_value_to_match</span> | |
| SCIM | <span pulumi-lang-nodejs="scimAttributeId" pulumi-lang-dotnet="ScimAttributeId" pulumi-lang-go="scimAttributeId" pulumi-lang-python="scim_attribute_id" pulumi-lang-yaml="scimAttributeId" pulumi-lang-java="scimAttributeId">scim_attribute_id</span> | <span pulumi-lang-nodejs="attributeValueToMatch" pulumi-lang-dotnet="AttributeValueToMatch" pulumi-lang-go="attributeValueToMatch" pulumi-lang-python="attribute_value_to_match" pulumi-lang-yaml="attributeValueToMatch" pulumi-lang-java="attributeValueToMatch">attribute_value_to_match</span> | |
| SCIM_GROUP | <span pulumi-lang-nodejs="scimGroupAttributeId" pulumi-lang-dotnet="ScimGroupAttributeId" pulumi-lang-go="scimGroupAttributeId" pulumi-lang-python="scim_group_attribute_id" pulumi-lang-yaml="scimGroupAttributeId" pulumi-lang-java="scimGroupAttributeId">scim_group_attribute_id</span> | <span pulumi-lang-nodejs="attributeValueToMatch" pulumi-lang-dotnet="AttributeValueToMatch" pulumi-lang-go="attributeValueToMatch" pulumi-lang-python="attribute_value_to_match" pulumi-lang-yaml="attributeValueToMatch" pulumi-lang-java="attributeValueToMatch">attribute_value_to_match</span> | |
| PLATFORM | <span pulumi-lang-nodejs="mac" pulumi-lang-dotnet="Mac" pulumi-lang-go="mac" pulumi-lang-python="mac" pulumi-lang-yaml="mac" pulumi-lang-java="mac">mac</span>, <span pulumi-lang-nodejs="ios" pulumi-lang-dotnet="Ios" pulumi-lang-go="ios" pulumi-lang-python="ios" pulumi-lang-yaml="ios" pulumi-lang-java="ios">ios</span>, <span pulumi-lang-nodejs="windows" pulumi-lang-dotnet="Windows" pulumi-lang-go="windows" pulumi-lang-python="windows" pulumi-lang-yaml="windows" pulumi-lang-java="windows">windows</span>, <span pulumi-lang-nodejs="android" pulumi-lang-dotnet="Android" pulumi-lang-go="android" pulumi-lang-python="android" pulumi-lang-yaml="android" pulumi-lang-java="android">android</span>, <span pulumi-lang-nodejs="linux" pulumi-lang-dotnet="Linux" pulumi-lang-go="linux" pulumi-lang-python="linux" pulumi-lang-yaml="linux" pulumi-lang-java="linux">linux</span> | "true" / "false" | |
| POSTURE | <span pulumi-lang-nodejs="postureUdid" pulumi-lang-dotnet="PostureUdid" pulumi-lang-go="postureUdid" pulumi-lang-python="posture_udid" pulumi-lang-yaml="postureUdid" pulumi-lang-java="postureUdid">posture_udid</span> | "true" / "false" |
Create PolicyAccessInspectionRuleV2 Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new PolicyAccessInspectionRuleV2(name: string, args?: PolicyAccessInspectionRuleV2Args, opts?: CustomResourceOptions);@overload
def PolicyAccessInspectionRuleV2(resource_name: str,
args: Optional[PolicyAccessInspectionRuleV2Args] = None,
opts: Optional[ResourceOptions] = None)
@overload
def PolicyAccessInspectionRuleV2(resource_name: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
conditions: Optional[Sequence[PolicyAccessInspectionRuleV2ConditionArgs]] = None,
description: Optional[str] = None,
microtenant_id: Optional[str] = None,
name: Optional[str] = None,
zpn_inspection_profile_id: Optional[str] = None)func NewPolicyAccessInspectionRuleV2(ctx *Context, name string, args *PolicyAccessInspectionRuleV2Args, opts ...ResourceOption) (*PolicyAccessInspectionRuleV2, error)public PolicyAccessInspectionRuleV2(string name, PolicyAccessInspectionRuleV2Args? args = null, CustomResourceOptions? opts = null)
public PolicyAccessInspectionRuleV2(String name, PolicyAccessInspectionRuleV2Args args)
public PolicyAccessInspectionRuleV2(String name, PolicyAccessInspectionRuleV2Args args, CustomResourceOptions options)
type: zpa:PolicyAccessInspectionRuleV2
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PolicyAccessInspectionRuleV2Args
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PolicyAccessInspectionRuleV2Args
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PolicyAccessInspectionRuleV2Args
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PolicyAccessInspectionRuleV2Args
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PolicyAccessInspectionRuleV2Args
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var policyAccessInspectionRuleV2Resource = new Zpa.PolicyAccessInspectionRuleV2("policyAccessInspectionRuleV2Resource", new()
{
Action = "string",
Conditions = new[]
{
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionArgs
{
Id = "string",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionOperandArgs
{
EntryValues = new[]
{
new Zpa.Inputs.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs
{
Lhs = "string",
Rhs = "string",
},
},
ObjectType = "string",
Values = new[]
{
"string",
},
},
},
Operator = "string",
},
},
Description = "string",
MicrotenantId = "string",
Name = "string",
ZpnInspectionProfileId = "string",
});
example, err := zpa.NewPolicyAccessInspectionRuleV2(ctx, "policyAccessInspectionRuleV2Resource", &zpa.PolicyAccessInspectionRuleV2Args{
Action: pulumi.String("string"),
Conditions: zpa.PolicyAccessInspectionRuleV2ConditionArray{
&zpa.PolicyAccessInspectionRuleV2ConditionArgs{
Id: pulumi.String("string"),
Operands: zpa.PolicyAccessInspectionRuleV2ConditionOperandArray{
&zpa.PolicyAccessInspectionRuleV2ConditionOperandArgs{
EntryValues: zpa.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArray{
&zpa.PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("string"),
Rhs: pulumi.String("string"),
},
},
ObjectType: pulumi.String("string"),
Values: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Operator: pulumi.String("string"),
},
},
Description: pulumi.String("string"),
MicrotenantId: pulumi.String("string"),
Name: pulumi.String("string"),
ZpnInspectionProfileId: pulumi.String("string"),
})
var policyAccessInspectionRuleV2Resource = new PolicyAccessInspectionRuleV2("policyAccessInspectionRuleV2Resource", PolicyAccessInspectionRuleV2Args.builder()
.action("string")
.conditions(PolicyAccessInspectionRuleV2ConditionArgs.builder()
.id("string")
.operands(PolicyAccessInspectionRuleV2ConditionOperandArgs.builder()
.entryValues(PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("string")
.rhs("string")
.build())
.objectType("string")
.values("string")
.build())
.operator("string")
.build())
.description("string")
.microtenantId("string")
.name("string")
.zpnInspectionProfileId("string")
.build());
policy_access_inspection_rule_v2_resource = zpa.PolicyAccessInspectionRuleV2("policyAccessInspectionRuleV2Resource",
action="string",
conditions=[{
"id": "string",
"operands": [{
"entry_values": [{
"lhs": "string",
"rhs": "string",
}],
"object_type": "string",
"values": ["string"],
}],
"operator": "string",
}],
description="string",
microtenant_id="string",
name="string",
zpn_inspection_profile_id="string")
const policyAccessInspectionRuleV2Resource = new zpa.PolicyAccessInspectionRuleV2("policyAccessInspectionRuleV2Resource", {
action: "string",
conditions: [{
id: "string",
operands: [{
entryValues: [{
lhs: "string",
rhs: "string",
}],
objectType: "string",
values: ["string"],
}],
operator: "string",
}],
description: "string",
microtenantId: "string",
name: "string",
zpnInspectionProfileId: "string",
});
type: zpa:PolicyAccessInspectionRuleV2
properties:
action: string
conditions:
- id: string
operands:
- entryValues:
- lhs: string
rhs: string
objectType: string
values:
- string
operator: string
description: string
microtenantId: string
name: string
zpnInspectionProfileId: string
PolicyAccessInspectionRuleV2 Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The PolicyAccessInspectionRuleV2 resource accepts the following input properties:
- Action string
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - Conditions
List<zscaler.
Pulumi Package. Zpa. Inputs. Policy Access Inspection Rule V2Condition> - This is for proviidng the set of conditions for the policy.
- Description string
- This is the description of the access policy rule.
- Microtenant
Id string - Name string
- (String) This is the name of the policy rule.
- Zpn
Inspection stringProfile Id - An inspection profile is required if the
actionis set toINSPECT
- Action string
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - Conditions
[]Policy
Access Inspection Rule V2Condition Args - This is for proviidng the set of conditions for the policy.
- Description string
- This is the description of the access policy rule.
- Microtenant
Id string - Name string
- (String) This is the name of the policy rule.
- Zpn
Inspection stringProfile Id - An inspection profile is required if the
actionis set toINSPECT
- action String
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - conditions
List<Policy
Access Inspection Rule V2Condition> - This is for proviidng the set of conditions for the policy.
- description String
- This is the description of the access policy rule.
- microtenant
Id String - name String
- (String) This is the name of the policy rule.
- zpn
Inspection StringProfile Id - An inspection profile is required if the
actionis set toINSPECT
- action string
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - conditions
Policy
Access Inspection Rule V2Condition[] - This is for proviidng the set of conditions for the policy.
- description string
- This is the description of the access policy rule.
- microtenant
Id string - name string
- (String) This is the name of the policy rule.
- zpn
Inspection stringProfile Id - An inspection profile is required if the
actionis set toINSPECT
- action str
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - conditions
Sequence[Policy
Access Inspection Rule V2Condition Args] - This is for proviidng the set of conditions for the policy.
- description str
- This is the description of the access policy rule.
- microtenant_
id str - name str
- (String) This is the name of the policy rule.
- zpn_
inspection_ strprofile_ id - An inspection profile is required if the
actionis set toINSPECT
- action String
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - conditions List<Property Map>
- This is for proviidng the set of conditions for the policy.
- description String
- This is the description of the access policy rule.
- microtenant
Id String - name String
- (String) This is the name of the policy rule.
- zpn
Inspection StringProfile Id - An inspection profile is required if the
actionis set toINSPECT
Outputs
All input properties are implicitly available as output properties. Additionally, the PolicyAccessInspectionRuleV2 resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Set stringId
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Set stringId
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Set StringId
- id string
- The provider-assigned unique ID for this managed resource.
- policy
Set stringId
- id str
- The provider-assigned unique ID for this managed resource.
- policy_
set_ strid
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Set StringId
Look up Existing PolicyAccessInspectionRuleV2 Resource
Get an existing PolicyAccessInspectionRuleV2 resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PolicyAccessInspectionRuleV2State, opts?: CustomResourceOptions): PolicyAccessInspectionRuleV2@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
conditions: Optional[Sequence[PolicyAccessInspectionRuleV2ConditionArgs]] = None,
description: Optional[str] = None,
microtenant_id: Optional[str] = None,
name: Optional[str] = None,
policy_set_id: Optional[str] = None,
zpn_inspection_profile_id: Optional[str] = None) -> PolicyAccessInspectionRuleV2func GetPolicyAccessInspectionRuleV2(ctx *Context, name string, id IDInput, state *PolicyAccessInspectionRuleV2State, opts ...ResourceOption) (*PolicyAccessInspectionRuleV2, error)public static PolicyAccessInspectionRuleV2 Get(string name, Input<string> id, PolicyAccessInspectionRuleV2State? state, CustomResourceOptions? opts = null)public static PolicyAccessInspectionRuleV2 get(String name, Output<String> id, PolicyAccessInspectionRuleV2State state, CustomResourceOptions options)resources: _: type: zpa:PolicyAccessInspectionRuleV2 get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Action string
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - Conditions
List<zscaler.
Pulumi Package. Zpa. Inputs. Policy Access Inspection Rule V2Condition> - This is for proviidng the set of conditions for the policy.
- Description string
- This is the description of the access policy rule.
- Microtenant
Id string - Name string
- (String) This is the name of the policy rule.
- Policy
Set stringId - Zpn
Inspection stringProfile Id - An inspection profile is required if the
actionis set toINSPECT
- Action string
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - Conditions
[]Policy
Access Inspection Rule V2Condition Args - This is for proviidng the set of conditions for the policy.
- Description string
- This is the description of the access policy rule.
- Microtenant
Id string - Name string
- (String) This is the name of the policy rule.
- Policy
Set stringId - Zpn
Inspection stringProfile Id - An inspection profile is required if the
actionis set toINSPECT
- action String
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - conditions
List<Policy
Access Inspection Rule V2Condition> - This is for proviidng the set of conditions for the policy.
- description String
- This is the description of the access policy rule.
- microtenant
Id String - name String
- (String) This is the name of the policy rule.
- policy
Set StringId - zpn
Inspection StringProfile Id - An inspection profile is required if the
actionis set toINSPECT
- action string
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - conditions
Policy
Access Inspection Rule V2Condition[] - This is for proviidng the set of conditions for the policy.
- description string
- This is the description of the access policy rule.
- microtenant
Id string - name string
- (String) This is the name of the policy rule.
- policy
Set stringId - zpn
Inspection stringProfile Id - An inspection profile is required if the
actionis set toINSPECT
- action str
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - conditions
Sequence[Policy
Access Inspection Rule V2Condition Args] - This is for proviidng the set of conditions for the policy.
- description str
- This is the description of the access policy rule.
- microtenant_
id str - name str
- (String) This is the name of the policy rule.
- policy_
set_ strid - zpn_
inspection_ strprofile_ id - An inspection profile is required if the
actionis set toINSPECT
- action String
- This is for providing the rule action. Supported values:
INSPECTandBYPASS_INSPECT. - conditions List<Property Map>
- This is for proviidng the set of conditions for the policy.
- description String
- This is the description of the access policy rule.
- microtenant
Id String - name String
- (String) This is the name of the policy rule.
- policy
Set StringId - zpn
Inspection StringProfile Id - An inspection profile is required if the
actionis set toINSPECT
Supporting Types
PolicyAccessInspectionRuleV2Condition, PolicyAccessInspectionRuleV2ConditionArgs
- Id string
- Operands
List<zscaler.
Pulumi Package. Zpa. Inputs. Policy Access Inspection Rule V2Condition Operand> - This signifies the various policy criteria.
- Operator string
- Id string
- Operands
[]Policy
Access Inspection Rule V2Condition Operand - This signifies the various policy criteria.
- Operator string
- id String
- operands
List<Policy
Access Inspection Rule V2Condition Operand> - This signifies the various policy criteria.
- operator String
- id string
- operands
Policy
Access Inspection Rule V2Condition Operand[] - This signifies the various policy criteria.
- operator string
- id str
- operands
Sequence[Policy
Access Inspection Rule V2Condition Operand] - This signifies the various policy criteria.
- operator str
- id String
- operands List<Property Map>
- This signifies the various policy criteria.
- operator String
PolicyAccessInspectionRuleV2ConditionOperand, PolicyAccessInspectionRuleV2ConditionOperandArgs
- Entry
Values List<zscaler.Pulumi Package. Zpa. Inputs. Policy Access Inspection Rule V2Condition Operand Entry Value> - Object
Type string - This is for specifying the policy critiera.
- Values List<string>
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- Entry
Values []PolicyAccess Inspection Rule V2Condition Operand Entry Value - Object
Type string - This is for specifying the policy critiera.
- Values []string
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry
Values List<PolicyAccess Inspection Rule V2Condition Operand Entry Value> - object
Type String - This is for specifying the policy critiera.
- values List<String>
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry
Values PolicyAccess Inspection Rule V2Condition Operand Entry Value[] - object
Type string - This is for specifying the policy critiera.
- values string[]
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry_
values Sequence[PolicyAccess Inspection Rule V2Condition Operand Entry Value] - object_
type str - This is for specifying the policy critiera.
- values Sequence[str]
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry
Values List<Property Map> - object
Type String - This is for specifying the policy critiera.
- values List<String>
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
PolicyAccessInspectionRuleV2ConditionOperandEntryValue, PolicyAccessInspectionRuleV2ConditionOperandEntryValueArgs
Import
Zscaler offers a dedicated tool called Zscaler-Terraformer to allow the automated import of ZPA configurations into Terraform-compliant HashiCorp Configuration Language.
Visit
Policy access inspection rule can be imported by using <RULE ID> as the import ID.
For example:
$ pulumi import zpa:index/policyAccessInspectionRuleV2:PolicyAccessInspectionRuleV2 example <rule_id>
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- zpa zscaler/pulumi-zpa
- License
- MIT
- Notes
- This Pulumi package is based on the
zpaTerraform Provider.
Zscaler Private Access v1.0.3 published on Wednesday, Jan 21, 2026 by Zscaler
