Zscaler Private Access v1.0.3 published on Wednesday, Jan 21, 2026 by Zscaler
Zscaler Private Access v1.0.3 published on Wednesday, Jan 21, 2026 by Zscaler
The zpa_policy_access_rule_v2 resource creates and manages policy access rule in the Zscaler Private Access cloud using a new v2 API endpoint.
⚠️ NOTE: This resource is recommended if your configuration requires the association of more than 1000 resource criteria per rule.
⚠️ WARNING:: The attribute <span pulumi-lang-nodejs="ruleOrder" pulumi-lang-dotnet="RuleOrder" pulumi-lang-go="ruleOrder" pulumi-lang-python="rule_order" pulumi-lang-yaml="ruleOrder" pulumi-lang-java="ruleOrder">rule_order</span> is now deprecated in favor of the new resource <span pulumi-lang-nodejs="policyAccessRuleReorder" pulumi-lang-dotnet="PolicyAccessRuleReorder" pulumi-lang-go="policyAccessRuleReorder" pulumi-lang-python="policy_access_rule_reorder" pulumi-lang-yaml="policyAccessRuleReorder" pulumi-lang-java="policyAccessRuleReorder">policy_access_rule_reorder</span>
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as zpa from "@bdzscaler/pulumi-zpa";
// Retrieve Policy Types
// Retrieve Identity Provider ID
const _this = zpa.getIdPController({
name: "Idp_Name",
});
// Retrieve SAML Attribute ID
const emailUserSso = zpa.getSAMLAttribute({
name: "Email_Users",
idpName: "Idp_Name",
});
// Retrieve SAML Attribute ID
const groupUser = zpa.getSAMLAttribute({
name: "GroupName_Users",
idpName: "Idp_Name",
});
// Retrieve SCIM Group ID
const a000 = zpa.getSCIMGroups({
name: "A000",
idpName: "Idp_Name",
});
// Retrieve SCIM Group ID
const b000 = zpa.getSCIMGroups({
name: "B000",
idpName: "Idp_Name",
});
// Create Segment Group
const thisSegmentGroup = new zpa.SegmentGroup("this", {
name: "Example",
description: "Example",
enabled: true,
});
// Create Policy Access Rule V2
const thisPolicyAccessRuleV2 = new zpa.PolicyAccessRuleV2("this", {
name: "Example",
description: "Example",
action: "ALLOW",
conditions: [
{
operator: "OR",
operands: [{
objectType: "APP_GROUP",
values: [thisSegmentGroup.id],
}],
},
{
operator: "OR",
operands: [
{
objectType: "SAML",
entryValues: [
{
rhs: "user1@acme.com",
lhs: emailUserSso.then(emailUserSso => emailUserSso.id),
},
{
rhs: "A000",
lhs: groupUser.then(groupUser => groupUser.id),
},
],
},
{
objectType: "SCIM_GROUP",
entryValues: [
{
rhs: a000.then(a000 => a000.id),
lhs: _this.then(_this => _this.id),
},
{
rhs: b000.then(b000 => b000.id),
lhs: _this.then(_this => _this.id),
},
],
},
],
},
{
operator: "OR",
operands: [{
objectType: "PLATFORM",
entryValues: [
{
rhs: "true",
lhs: "linux",
},
{
rhs: "true",
lhs: "android",
},
],
}],
},
{
operator: "OR",
operands: [{
objectType: "COUNTRY_CODE",
entryValues: [
{
lhs: "CA",
rhs: "true",
},
{
lhs: "US",
rhs: "true",
},
],
}],
},
{
operator: "OR",
operands: [{
objectType: "RISK_FACTOR_TYPE",
entryValues: [
{
lhs: "ZIA",
rhs: "UNKNOWN",
},
{
lhs: "ZIA",
rhs: "LOW",
},
{
lhs: "ZIA",
rhs: "MEDIUM",
},
{
lhs: "ZIA",
rhs: "HIGH",
},
{
lhs: "ZIA",
rhs: "CRITICAL",
},
],
}],
},
{
operator: "OR",
operands: [{
objectType: "CHROME_ENTERPRISE",
entryValues: [
{
lhs: "managed",
rhs: "true",
},
{
lhs: "managed",
rhs: "false",
},
],
}],
},
],
});
import pulumi
import pulumi_zpa as zpa
import zscaler_pulumi_zpa as zpa
# Retrieve Policy Types
# Retrieve Identity Provider ID
this = zpa.get_id_p_controller(name="Idp_Name")
# Retrieve SAML Attribute ID
email_user_sso = zpa.get_saml_attribute(name="Email_Users",
idp_name="Idp_Name")
# Retrieve SAML Attribute ID
group_user = zpa.get_saml_attribute(name="GroupName_Users",
idp_name="Idp_Name")
# Retrieve SCIM Group ID
a000 = zpa.get_scim_groups(name="A000",
idp_name="Idp_Name")
# Retrieve SCIM Group ID
b000 = zpa.get_scim_groups(name="B000",
idp_name="Idp_Name")
# Create Segment Group
this_segment_group = zpa.SegmentGroup("this",
name="Example",
description="Example",
enabled=True)
# Create Policy Access Rule V2
this_policy_access_rule_v2 = zpa.PolicyAccessRuleV2("this",
name="Example",
description="Example",
action="ALLOW",
conditions=[
{
"operator": "OR",
"operands": [{
"object_type": "APP_GROUP",
"values": [this_segment_group.id],
}],
},
{
"operator": "OR",
"operands": [
{
"object_type": "SAML",
"entry_values": [
{
"rhs": "user1@acme.com",
"lhs": email_user_sso.id,
},
{
"rhs": "A000",
"lhs": group_user.id,
},
],
},
{
"object_type": "SCIM_GROUP",
"entry_values": [
{
"rhs": a000.id,
"lhs": this.id,
},
{
"rhs": b000.id,
"lhs": this.id,
},
],
},
],
},
{
"operator": "OR",
"operands": [{
"object_type": "PLATFORM",
"entry_values": [
{
"rhs": "true",
"lhs": "linux",
},
{
"rhs": "true",
"lhs": "android",
},
],
}],
},
{
"operator": "OR",
"operands": [{
"object_type": "COUNTRY_CODE",
"entry_values": [
{
"lhs": "CA",
"rhs": "true",
},
{
"lhs": "US",
"rhs": "true",
},
],
}],
},
{
"operator": "OR",
"operands": [{
"object_type": "RISK_FACTOR_TYPE",
"entry_values": [
{
"lhs": "ZIA",
"rhs": "UNKNOWN",
},
{
"lhs": "ZIA",
"rhs": "LOW",
},
{
"lhs": "ZIA",
"rhs": "MEDIUM",
},
{
"lhs": "ZIA",
"rhs": "HIGH",
},
{
"lhs": "ZIA",
"rhs": "CRITICAL",
},
],
}],
},
{
"operator": "OR",
"operands": [{
"object_type": "CHROME_ENTERPRISE",
"entry_values": [
{
"lhs": "managed",
"rhs": "true",
},
{
"lhs": "managed",
"rhs": "false",
},
],
}],
},
])
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/zscaler/pulumi-zpa/sdk/go/zpa"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Retrieve Policy Types
// Retrieve Identity Provider ID
this, err := zpa.GetIdPController(ctx, &zpa.GetIdPControllerArgs{
Name: pulumi.StringRef("Idp_Name"),
}, nil)
if err != nil {
return err
}
// Retrieve SAML Attribute ID
emailUserSso, err := zpa.GetSAMLAttribute(ctx, &zpa.GetSAMLAttributeArgs{
Name: pulumi.StringRef("Email_Users"),
IdpName: pulumi.StringRef("Idp_Name"),
}, nil)
if err != nil {
return err
}
// Retrieve SAML Attribute ID
groupUser, err := zpa.GetSAMLAttribute(ctx, &zpa.GetSAMLAttributeArgs{
Name: pulumi.StringRef("GroupName_Users"),
IdpName: pulumi.StringRef("Idp_Name"),
}, nil)
if err != nil {
return err
}
// Retrieve SCIM Group ID
a000, err := zpa.GetSCIMGroups(ctx, &zpa.GetSCIMGroupsArgs{
Name: pulumi.StringRef("A000"),
IdpName: pulumi.StringRef("Idp_Name"),
}, nil)
if err != nil {
return err
}
// Retrieve SCIM Group ID
b000, err := zpa.GetSCIMGroups(ctx, &zpa.GetSCIMGroupsArgs{
Name: pulumi.StringRef("B000"),
IdpName: pulumi.StringRef("Idp_Name"),
}, nil)
if err != nil {
return err
}
// Create Segment Group
thisSegmentGroup, err := zpa.NewSegmentGroup(ctx, "this", &zpa.SegmentGroupArgs{
Name: pulumi.String("Example"),
Description: pulumi.String("Example"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
// Create Policy Access Rule V2
_, err = zpa.NewPolicyAccessRuleV2(ctx, "this", &zpa.PolicyAccessRuleV2Args{
Name: pulumi.String("Example"),
Description: pulumi.String("Example"),
Action: pulumi.String("ALLOW"),
Conditions: zpa.PolicyAccessRuleV2ConditionArray{
&zpa.PolicyAccessRuleV2ConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
&zpa.PolicyAccessRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("APP_GROUP"),
Values: pulumi.StringArray{
thisSegmentGroup.ID(),
},
},
},
},
&zpa.PolicyAccessRuleV2ConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
&zpa.PolicyAccessRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("SAML"),
EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Rhs: pulumi.String("user1@acme.com"),
Lhs: pulumi.String(emailUserSso.Id),
},
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Rhs: pulumi.String("A000"),
Lhs: pulumi.String(groupUser.Id),
},
},
},
&zpa.PolicyAccessRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("SCIM_GROUP"),
EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Rhs: pulumi.String(a000.Id),
Lhs: pulumi.String(this.Id),
},
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Rhs: pulumi.String(b000.Id),
Lhs: pulumi.String(this.Id),
},
},
},
},
},
&zpa.PolicyAccessRuleV2ConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
&zpa.PolicyAccessRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("PLATFORM"),
EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Rhs: pulumi.String("true"),
Lhs: pulumi.String("linux"),
},
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Rhs: pulumi.String("true"),
Lhs: pulumi.String("android"),
},
},
},
},
},
&zpa.PolicyAccessRuleV2ConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
&zpa.PolicyAccessRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("COUNTRY_CODE"),
EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("CA"),
Rhs: pulumi.String("true"),
},
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("US"),
Rhs: pulumi.String("true"),
},
},
},
},
},
&zpa.PolicyAccessRuleV2ConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
&zpa.PolicyAccessRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("RISK_FACTOR_TYPE"),
EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("ZIA"),
Rhs: pulumi.String("UNKNOWN"),
},
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("ZIA"),
Rhs: pulumi.String("LOW"),
},
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("ZIA"),
Rhs: pulumi.String("MEDIUM"),
},
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("ZIA"),
Rhs: pulumi.String("HIGH"),
},
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("ZIA"),
Rhs: pulumi.String("CRITICAL"),
},
},
},
},
},
&zpa.PolicyAccessRuleV2ConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
&zpa.PolicyAccessRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("CHROME_ENTERPRISE"),
EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("managed"),
Rhs: pulumi.String("true"),
},
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("managed"),
Rhs: pulumi.String("false"),
},
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Zpa = Pulumi.Zpa;
using Zpa = zscaler.PulumiPackage.Zpa;
return await Deployment.RunAsync(() =>
{
// Retrieve Policy Types
// Retrieve Identity Provider ID
var @this = Zpa.GetIdPController.Invoke(new()
{
Name = "Idp_Name",
});
// Retrieve SAML Attribute ID
var emailUserSso = Zpa.GetSAMLAttribute.Invoke(new()
{
Name = "Email_Users",
IdpName = "Idp_Name",
});
// Retrieve SAML Attribute ID
var groupUser = Zpa.GetSAMLAttribute.Invoke(new()
{
Name = "GroupName_Users",
IdpName = "Idp_Name",
});
// Retrieve SCIM Group ID
var a000 = Zpa.GetSCIMGroups.Invoke(new()
{
Name = "A000",
IdpName = "Idp_Name",
});
// Retrieve SCIM Group ID
var b000 = Zpa.GetSCIMGroups.Invoke(new()
{
Name = "B000",
IdpName = "Idp_Name",
});
// Create Segment Group
var thisSegmentGroup = new Zpa.SegmentGroup("this", new()
{
Name = "Example",
Description = "Example",
Enabled = true,
});
// Create Policy Access Rule V2
var thisPolicyAccessRuleV2 = new Zpa.PolicyAccessRuleV2("this", new()
{
Name = "Example",
Description = "Example",
Action = "ALLOW",
Conditions = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
{
ObjectType = "APP_GROUP",
Values = new[]
{
thisSegmentGroup.Id,
},
},
},
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
{
ObjectType = "SAML",
EntryValues = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Rhs = "user1@acme.com",
Lhs = emailUserSso.Apply(getSAMLAttributeResult => getSAMLAttributeResult.Id),
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Rhs = "A000",
Lhs = groupUser.Apply(getSAMLAttributeResult => getSAMLAttributeResult.Id),
},
},
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
{
ObjectType = "SCIM_GROUP",
EntryValues = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Rhs = a000.Apply(getSCIMGroupsResult => getSCIMGroupsResult.Id),
Lhs = @this.Apply(@this => @this.Apply(getIdPControllerResult => getIdPControllerResult.Id)),
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Rhs = b000.Apply(getSCIMGroupsResult => getSCIMGroupsResult.Id),
Lhs = @this.Apply(@this => @this.Apply(getIdPControllerResult => getIdPControllerResult.Id)),
},
},
},
},
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
{
ObjectType = "PLATFORM",
EntryValues = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Rhs = "true",
Lhs = "linux",
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Rhs = "true",
Lhs = "android",
},
},
},
},
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
{
ObjectType = "COUNTRY_CODE",
EntryValues = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Lhs = "CA",
Rhs = "true",
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Lhs = "US",
Rhs = "true",
},
},
},
},
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
{
ObjectType = "RISK_FACTOR_TYPE",
EntryValues = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Lhs = "ZIA",
Rhs = "UNKNOWN",
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Lhs = "ZIA",
Rhs = "LOW",
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Lhs = "ZIA",
Rhs = "MEDIUM",
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Lhs = "ZIA",
Rhs = "HIGH",
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Lhs = "ZIA",
Rhs = "CRITICAL",
},
},
},
},
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
{
ObjectType = "CHROME_ENTERPRISE",
EntryValues = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Lhs = "managed",
Rhs = "true",
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Lhs = "managed",
Rhs = "false",
},
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.zpa.ZpaFunctions;
import com.pulumi.zpa.inputs.GetIdPControllerArgs;
import com.pulumi.zpa.inputs.GetSAMLAttributeArgs;
import com.pulumi.zpa.inputs.GetSCIMGroupsArgs;
import com.pulumi.zpa.SegmentGroup;
import com.pulumi.zpa.SegmentGroupArgs;
import com.pulumi.zpa.PolicyAccessRuleV2;
import com.pulumi.zpa.PolicyAccessRuleV2Args;
import com.pulumi.zpa.inputs.PolicyAccessRuleV2ConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Retrieve Policy Types
// Retrieve Identity Provider ID
final var this = ZpaFunctions.getIdPController(GetIdPControllerArgs.builder()
.name("Idp_Name")
.build());
// Retrieve SAML Attribute ID
final var emailUserSso = ZpaFunctions.getSAMLAttribute(GetSAMLAttributeArgs.builder()
.name("Email_Users")
.idpName("Idp_Name")
.build());
// Retrieve SAML Attribute ID
final var groupUser = ZpaFunctions.getSAMLAttribute(GetSAMLAttributeArgs.builder()
.name("GroupName_Users")
.idpName("Idp_Name")
.build());
// Retrieve SCIM Group ID
final var a000 = ZpaFunctions.getSCIMGroups(GetSCIMGroupsArgs.builder()
.name("A000")
.idpName("Idp_Name")
.build());
// Retrieve SCIM Group ID
final var b000 = ZpaFunctions.getSCIMGroups(GetSCIMGroupsArgs.builder()
.name("B000")
.idpName("Idp_Name")
.build());
// Create Segment Group
var thisSegmentGroup = new SegmentGroup("thisSegmentGroup", SegmentGroupArgs.builder()
.name("Example")
.description("Example")
.enabled(true)
.build());
// Create Policy Access Rule V2
var thisPolicyAccessRuleV2 = new PolicyAccessRuleV2("thisPolicyAccessRuleV2", PolicyAccessRuleV2Args.builder()
.name("Example")
.description("Example")
.action("ALLOW")
.conditions(
PolicyAccessRuleV2ConditionArgs.builder()
.operator("OR")
.operands(PolicyAccessRuleV2ConditionOperandArgs.builder()
.objectType("APP_GROUP")
.values(thisSegmentGroup.id())
.build())
.build(),
PolicyAccessRuleV2ConditionArgs.builder()
.operator("OR")
.operands(
PolicyAccessRuleV2ConditionOperandArgs.builder()
.objectType("SAML")
.entryValues(
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.rhs("user1@acme.com")
.lhs(emailUserSso.id())
.build(),
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.rhs("A000")
.lhs(groupUser.id())
.build())
.build(),
PolicyAccessRuleV2ConditionOperandArgs.builder()
.objectType("SCIM_GROUP")
.entryValues(
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.rhs(a000.id())
.lhs(this_.id())
.build(),
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.rhs(b000.id())
.lhs(this_.id())
.build())
.build())
.build(),
PolicyAccessRuleV2ConditionArgs.builder()
.operator("OR")
.operands(PolicyAccessRuleV2ConditionOperandArgs.builder()
.objectType("PLATFORM")
.entryValues(
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.rhs("true")
.lhs("linux")
.build(),
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.rhs("true")
.lhs("android")
.build())
.build())
.build(),
PolicyAccessRuleV2ConditionArgs.builder()
.operator("OR")
.operands(PolicyAccessRuleV2ConditionOperandArgs.builder()
.objectType("COUNTRY_CODE")
.entryValues(
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("CA")
.rhs("true")
.build(),
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("US")
.rhs("true")
.build())
.build())
.build(),
PolicyAccessRuleV2ConditionArgs.builder()
.operator("OR")
.operands(PolicyAccessRuleV2ConditionOperandArgs.builder()
.objectType("RISK_FACTOR_TYPE")
.entryValues(
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("ZIA")
.rhs("UNKNOWN")
.build(),
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("ZIA")
.rhs("LOW")
.build(),
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("ZIA")
.rhs("MEDIUM")
.build(),
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("ZIA")
.rhs("HIGH")
.build(),
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("ZIA")
.rhs("CRITICAL")
.build())
.build())
.build(),
PolicyAccessRuleV2ConditionArgs.builder()
.operator("OR")
.operands(PolicyAccessRuleV2ConditionOperandArgs.builder()
.objectType("CHROME_ENTERPRISE")
.entryValues(
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("managed")
.rhs("true")
.build(),
PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("managed")
.rhs("false")
.build())
.build())
.build())
.build());
}
}
resources:
# Create Segment Group
thisSegmentGroup:
type: zpa:SegmentGroup
name: this
properties:
name: Example
description: Example
enabled: true
# Create Policy Access Rule V2
thisPolicyAccessRuleV2:
type: zpa:PolicyAccessRuleV2
name: this
properties:
name: Example
description: Example
action: ALLOW
conditions:
- operator: OR
operands:
- objectType: APP_GROUP
values:
- ${thisSegmentGroup.id}
- operator: OR
operands:
- objectType: SAML
entryValues:
- rhs: user1@acme.com
lhs: ${emailUserSso.id}
- rhs: A000
lhs: ${groupUser.id}
- objectType: SCIM_GROUP
entryValues:
- rhs: ${a000.id}
lhs: ${this.id}
- rhs: ${b000.id}
lhs: ${this.id}
- operator: OR
operands:
- objectType: PLATFORM
entryValues:
- rhs: 'true'
lhs: linux
- rhs: 'true'
lhs: android
- operator: OR
operands:
- objectType: COUNTRY_CODE
entryValues:
- lhs: CA
rhs: 'true'
- lhs: US
rhs: 'true'
- operator: OR
operands:
- objectType: RISK_FACTOR_TYPE
entryValues:
- lhs: ZIA
rhs: UNKNOWN
- lhs: ZIA
rhs: LOW
- lhs: ZIA
rhs: MEDIUM
- lhs: ZIA
rhs: HIGH
- lhs: ZIA
rhs: CRITICAL
- operator: OR
operands:
- objectType: CHROME_ENTERPRISE
entryValues:
- lhs: managed
rhs: 'true'
- lhs: managed
rhs: 'false'
variables:
# Retrieve Policy Types
# Retrieve Identity Provider ID
this:
fn::invoke:
function: zpa:getIdPController
arguments:
name: Idp_Name
# Retrieve SAML Attribute ID
emailUserSso:
fn::invoke:
function: zpa:getSAMLAttribute
arguments:
name: Email_Users
idpName: Idp_Name
# Retrieve SAML Attribute ID
groupUser:
fn::invoke:
function: zpa:getSAMLAttribute
arguments:
name: GroupName_Users
idpName: Idp_Name
# Retrieve SCIM Group ID
a000:
fn::invoke:
function: zpa:getSCIMGroups
arguments:
name: A000
idpName: Idp_Name
# Retrieve SCIM Group ID
b000:
fn::invoke:
function: zpa:getSCIMGroups
arguments:
name: B000
idpName: Idp_Name
Configure Extranet Access Rule
import * as pulumi from "@pulumi/pulumi";
import * as zpa from "@bdzscaler/pulumi-zpa";
const _this = zpa.getLocationController({
name: "ExtranetLocation01 | zscalerbeta.net",
ziaErName: "NewExtranet 8432",
});
const thisGetLocationGroupController = zpa.getLocationGroupController({
locationName: "ExtranetLocation01",
ziaErName: "NewExtranet 8432",
});
const thisGetExtranetResourcePartner = zpa.getExtranetResourcePartner({
name: "NewExtranet 8432",
});
const thisPolicyAccessRuleV2 = new zpa.PolicyAccessRuleV2("this", {
name: "Extranet_Rule01",
description: "Extranet_Rule01",
action: "ALLOW",
customMsg: "Test",
operator: "AND",
extranetEnabled: true,
extranetDtos: [{
zpnErId: thisGetExtranetResourcePartner.then(thisGetExtranetResourcePartner => thisGetExtranetResourcePartner.id),
locationDtos: [{
id: _this.then(_this => _this.id),
}],
locationGroupDtos: [{
id: thisGetLocationGroupController.then(thisGetLocationGroupController => thisGetLocationGroupController.id),
}],
}],
});
import pulumi
import pulumi_zpa as zpa
import zscaler_pulumi_zpa as zpa
this = zpa.get_location_controller(name="ExtranetLocation01 | zscalerbeta.net",
zia_er_name="NewExtranet 8432")
this_get_location_group_controller = zpa.get_location_group_controller(location_name="ExtranetLocation01",
zia_er_name="NewExtranet 8432")
this_get_extranet_resource_partner = zpa.get_extranet_resource_partner(name="NewExtranet 8432")
this_policy_access_rule_v2 = zpa.PolicyAccessRuleV2("this",
name="Extranet_Rule01",
description="Extranet_Rule01",
action="ALLOW",
custom_msg="Test",
operator="AND",
extranet_enabled=True,
extranet_dtos=[{
"zpn_er_id": this_get_extranet_resource_partner.id,
"location_dtos": [{
"id": this.id,
}],
"location_group_dtos": [{
"id": this_get_location_group_controller.id,
}],
}])
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/zscaler/pulumi-zpa/sdk/go/zpa"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := zpa.GetLocationController(ctx, &zpa.GetLocationControllerArgs{
Name: "ExtranetLocation01 | zscalerbeta.net",
ZiaErName: "NewExtranet 8432",
}, nil)
if err != nil {
return err
}
thisGetLocationGroupController, err := zpa.GetLocationGroupController(ctx, &zpa.GetLocationGroupControllerArgs{
LocationName: "ExtranetLocation01",
ZiaErName: "NewExtranet 8432",
}, nil)
if err != nil {
return err
}
thisGetExtranetResourcePartner, err := zpa.GetExtranetResourcePartner(ctx, &zpa.GetExtranetResourcePartnerArgs{
Name: pulumi.StringRef("NewExtranet 8432"),
}, nil)
if err != nil {
return err
}
_, err = zpa.NewPolicyAccessRuleV2(ctx, "this", &zpa.PolicyAccessRuleV2Args{
Name: pulumi.String("Extranet_Rule01"),
Description: pulumi.String("Extranet_Rule01"),
Action: pulumi.String("ALLOW"),
CustomMsg: pulumi.String("Test"),
Operator: pulumi.String("AND"),
ExtranetEnabled: pulumi.Bool(true),
ExtranetDtos: zpa.PolicyAccessRuleV2ExtranetDtoArray{
&zpa.PolicyAccessRuleV2ExtranetDtoArgs{
ZpnErId: pulumi.String(thisGetExtranetResourcePartner.Id),
LocationDtos: zpa.PolicyAccessRuleV2ExtranetDtoLocationDtoArray{
&zpa.PolicyAccessRuleV2ExtranetDtoLocationDtoArgs{
Id: pulumi.String(this.Id),
},
},
LocationGroupDtos: zpa.PolicyAccessRuleV2ExtranetDtoLocationGroupDtoArray{
&zpa.PolicyAccessRuleV2ExtranetDtoLocationGroupDtoArgs{
Id: pulumi.String(thisGetLocationGroupController.Id),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Zpa = Pulumi.Zpa;
using Zpa = zscaler.PulumiPackage.Zpa;
return await Deployment.RunAsync(() =>
{
var @this = Zpa.GetLocationController.Invoke(new()
{
Name = "ExtranetLocation01 | zscalerbeta.net",
ZiaErName = "NewExtranet 8432",
});
var thisGetLocationGroupController = Zpa.GetLocationGroupController.Invoke(new()
{
LocationName = "ExtranetLocation01",
ZiaErName = "NewExtranet 8432",
});
var thisGetExtranetResourcePartner = Zpa.GetExtranetResourcePartner.Invoke(new()
{
Name = "NewExtranet 8432",
});
var thisPolicyAccessRuleV2 = new Zpa.PolicyAccessRuleV2("this", new()
{
Name = "Extranet_Rule01",
Description = "Extranet_Rule01",
Action = "ALLOW",
CustomMsg = "Test",
Operator = "AND",
ExtranetEnabled = true,
ExtranetDtos = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ExtranetDtoArgs
{
ZpnErId = thisGetExtranetResourcePartner.Apply(getExtranetResourcePartnerResult => getExtranetResourcePartnerResult.Id),
LocationDtos = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ExtranetDtoLocationDtoArgs
{
Id = @this.Apply(@this => @this.Apply(getLocationControllerResult => getLocationControllerResult.Id)),
},
},
LocationGroupDtos = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ExtranetDtoLocationGroupDtoArgs
{
Id = thisGetLocationGroupController.Apply(getLocationGroupControllerResult => getLocationGroupControllerResult.Id),
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.zpa.ZpaFunctions;
import com.pulumi.zpa.inputs.GetLocationControllerArgs;
import com.pulumi.zpa.inputs.GetLocationGroupControllerArgs;
import com.pulumi.zpa.inputs.GetExtranetResourcePartnerArgs;
import com.pulumi.zpa.PolicyAccessRuleV2;
import com.pulumi.zpa.PolicyAccessRuleV2Args;
import com.pulumi.zpa.inputs.PolicyAccessRuleV2ExtranetDtoArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var this = ZpaFunctions.getLocationController(GetLocationControllerArgs.builder()
.name("ExtranetLocation01 | zscalerbeta.net")
.ziaErName("NewExtranet 8432")
.build());
final var thisGetLocationGroupController = ZpaFunctions.getLocationGroupController(GetLocationGroupControllerArgs.builder()
.locationName("ExtranetLocation01")
.ziaErName("NewExtranet 8432")
.build());
final var thisGetExtranetResourcePartner = ZpaFunctions.getExtranetResourcePartner(GetExtranetResourcePartnerArgs.builder()
.name("NewExtranet 8432")
.build());
var thisPolicyAccessRuleV2 = new PolicyAccessRuleV2("thisPolicyAccessRuleV2", PolicyAccessRuleV2Args.builder()
.name("Extranet_Rule01")
.description("Extranet_Rule01")
.action("ALLOW")
.customMsg("Test")
.operator("AND")
.extranetEnabled(true)
.extranetDtos(PolicyAccessRuleV2ExtranetDtoArgs.builder()
.zpnErId(thisGetExtranetResourcePartner.id())
.locationDtos(PolicyAccessRuleV2ExtranetDtoLocationDtoArgs.builder()
.id(this_.id())
.build())
.locationGroupDtos(PolicyAccessRuleV2ExtranetDtoLocationGroupDtoArgs.builder()
.id(thisGetLocationGroupController.id())
.build())
.build())
.build());
}
}
resources:
thisPolicyAccessRuleV2:
type: zpa:PolicyAccessRuleV2
name: this
properties:
name: Extranet_Rule01
description: Extranet_Rule01
action: ALLOW
customMsg: Test
operator: AND
extranetEnabled: true
extranetDtos:
- zpnErId: ${thisGetExtranetResourcePartner.id}
locationDtos:
- id: ${this.id}
locationGroupDtos:
- id: ${thisGetLocationGroupController.id}
variables:
this:
fn::invoke:
function: zpa:getLocationController
arguments:
name: ExtranetLocation01 | zscalerbeta.net
ziaErName: NewExtranet 8432
thisGetLocationGroupController:
fn::invoke:
function: zpa:getLocationGroupController
arguments:
locationName: ExtranetLocation01
ziaErName: NewExtranet 8432
thisGetExtranetResourcePartner:
fn::invoke:
function: zpa:getExtranetResourcePartner
arguments:
name: NewExtranet 8432
Configuration Location Rule
import * as pulumi from "@pulumi/pulumi";
import * as zpa from "@bdzscaler/pulumi-zpa";
const _this = zpa.getLocationControllerSummary({
name: "BD_CC01_US | NONE | zscalerbeta.net",
});
const thisPolicyAccessRuleV2 = new zpa.PolicyAccessRuleV2("this", {
name: "ExampleLocationRule",
description: "ExampleLocationRule",
action: "ALLOW",
conditions: [{
operator: "OR",
operands: [{
objectType: "LOCATION",
values: [_this.then(_this => _this.id)],
}],
}],
});
import pulumi
import pulumi_zpa as zpa
import zscaler_pulumi_zpa as zpa
this = zpa.get_location_controller_summary(name="BD_CC01_US | NONE | zscalerbeta.net")
this_policy_access_rule_v2 = zpa.PolicyAccessRuleV2("this",
name="ExampleLocationRule",
description="ExampleLocationRule",
action="ALLOW",
conditions=[{
"operator": "OR",
"operands": [{
"object_type": "LOCATION",
"values": [this.id],
}],
}])
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/zscaler/pulumi-zpa/sdk/go/zpa"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := zpa.GetLocationControllerSummary(ctx, &zpa.GetLocationControllerSummaryArgs{
Name: pulumi.StringRef("BD_CC01_US | NONE | zscalerbeta.net"),
}, nil)
if err != nil {
return err
}
_, err = zpa.NewPolicyAccessRuleV2(ctx, "this", &zpa.PolicyAccessRuleV2Args{
Name: pulumi.String("ExampleLocationRule"),
Description: pulumi.String("ExampleLocationRule"),
Action: pulumi.String("ALLOW"),
Conditions: zpa.PolicyAccessRuleV2ConditionArray{
&zpa.PolicyAccessRuleV2ConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
&zpa.PolicyAccessRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("LOCATION"),
Values: pulumi.StringArray{
pulumi.String(this.Id),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Zpa = Pulumi.Zpa;
using Zpa = zscaler.PulumiPackage.Zpa;
return await Deployment.RunAsync(() =>
{
var @this = Zpa.GetLocationControllerSummary.Invoke(new()
{
Name = "BD_CC01_US | NONE | zscalerbeta.net",
});
var thisPolicyAccessRuleV2 = new Zpa.PolicyAccessRuleV2("this", new()
{
Name = "ExampleLocationRule",
Description = "ExampleLocationRule",
Action = "ALLOW",
Conditions = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
{
ObjectType = "LOCATION",
Values = new[]
{
@this.Apply(@this => @this.Apply(getLocationControllerSummaryResult => getLocationControllerSummaryResult.Id)),
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.zpa.ZpaFunctions;
import com.pulumi.zpa.inputs.GetLocationControllerSummaryArgs;
import com.pulumi.zpa.PolicyAccessRuleV2;
import com.pulumi.zpa.PolicyAccessRuleV2Args;
import com.pulumi.zpa.inputs.PolicyAccessRuleV2ConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var this = ZpaFunctions.getLocationControllerSummary(GetLocationControllerSummaryArgs.builder()
.name("BD_CC01_US | NONE | zscalerbeta.net")
.build());
var thisPolicyAccessRuleV2 = new PolicyAccessRuleV2("thisPolicyAccessRuleV2", PolicyAccessRuleV2Args.builder()
.name("ExampleLocationRule")
.description("ExampleLocationRule")
.action("ALLOW")
.conditions(PolicyAccessRuleV2ConditionArgs.builder()
.operator("OR")
.operands(PolicyAccessRuleV2ConditionOperandArgs.builder()
.objectType("LOCATION")
.values(this_.id())
.build())
.build())
.build());
}
}
resources:
thisPolicyAccessRuleV2:
type: zpa:PolicyAccessRuleV2
name: this
properties:
name: ExampleLocationRule
description: ExampleLocationRule
action: ALLOW
conditions:
- operator: OR
operands:
- objectType: LOCATION
values:
- ${this.id}
variables:
this:
fn::invoke:
function: zpa:getLocationControllerSummary
arguments:
name: BD_CC01_US | NONE | zscalerbeta.net
Chrome Enterprise And Chrome Posture Profile
import * as pulumi from "@pulumi/pulumi";
import * as zpa from "@bdzscaler/pulumi-zpa";
const _this = zpa.getManagedBrowserProfile({
name: "Profile01",
});
const thisPolicyAccessRuleV2 = new zpa.PolicyAccessRuleV2("this", {
name: "Example_v2_100_test",
description: "Example_v2_100_test",
action: "ALLOW",
customMsg: "Test",
operator: "AND",
conditions: [{
operator: "OR",
operands: [
{
objectType: "CHROME_ENTERPRISE",
entryValues: [{
lhs: "managed",
rhs: "true",
}],
},
{
objectType: "CHROME_POSTURE_PROFILE",
values: [_this.then(_this => _this.id)],
},
],
}],
});
import pulumi
import pulumi_zpa as zpa
import zscaler_pulumi_zpa as zpa
this = zpa.get_managed_browser_profile(name="Profile01")
this_policy_access_rule_v2 = zpa.PolicyAccessRuleV2("this",
name="Example_v2_100_test",
description="Example_v2_100_test",
action="ALLOW",
custom_msg="Test",
operator="AND",
conditions=[{
"operator": "OR",
"operands": [
{
"object_type": "CHROME_ENTERPRISE",
"entry_values": [{
"lhs": "managed",
"rhs": "true",
}],
},
{
"object_type": "CHROME_POSTURE_PROFILE",
"values": [this.id],
},
],
}])
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/zscaler/pulumi-zpa/sdk/go/zpa"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := zpa.GetManagedBrowserProfile(ctx, &zpa.GetManagedBrowserProfileArgs{
Name: pulumi.StringRef("Profile01"),
}, nil)
if err != nil {
return err
}
_, err = zpa.NewPolicyAccessRuleV2(ctx, "this", &zpa.PolicyAccessRuleV2Args{
Name: pulumi.String("Example_v2_100_test"),
Description: pulumi.String("Example_v2_100_test"),
Action: pulumi.String("ALLOW"),
CustomMsg: pulumi.String("Test"),
Operator: pulumi.String("AND"),
Conditions: zpa.PolicyAccessRuleV2ConditionArray{
&zpa.PolicyAccessRuleV2ConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
&zpa.PolicyAccessRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("CHROME_ENTERPRISE"),
EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("managed"),
Rhs: pulumi.String("true"),
},
},
},
&zpa.PolicyAccessRuleV2ConditionOperandArgs{
ObjectType: pulumi.String("CHROME_POSTURE_PROFILE"),
Values: pulumi.StringArray{
pulumi.String(this.Id),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Zpa = Pulumi.Zpa;
using Zpa = zscaler.PulumiPackage.Zpa;
return await Deployment.RunAsync(() =>
{
var @this = Zpa.GetManagedBrowserProfile.Invoke(new()
{
Name = "Profile01",
});
var thisPolicyAccessRuleV2 = new Zpa.PolicyAccessRuleV2("this", new()
{
Name = "Example_v2_100_test",
Description = "Example_v2_100_test",
Action = "ALLOW",
CustomMsg = "Test",
Operator = "AND",
Conditions = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
{
ObjectType = "CHROME_ENTERPRISE",
EntryValues = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Lhs = "managed",
Rhs = "true",
},
},
},
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
{
ObjectType = "CHROME_POSTURE_PROFILE",
Values = new[]
{
@this.Apply(@this => @this.Apply(getManagedBrowserProfileResult => getManagedBrowserProfileResult.Id)),
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.zpa.ZpaFunctions;
import com.pulumi.zpa.inputs.GetManagedBrowserProfileArgs;
import com.pulumi.zpa.PolicyAccessRuleV2;
import com.pulumi.zpa.PolicyAccessRuleV2Args;
import com.pulumi.zpa.inputs.PolicyAccessRuleV2ConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var this = ZpaFunctions.getManagedBrowserProfile(GetManagedBrowserProfileArgs.builder()
.name("Profile01")
.build());
var thisPolicyAccessRuleV2 = new PolicyAccessRuleV2("thisPolicyAccessRuleV2", PolicyAccessRuleV2Args.builder()
.name("Example_v2_100_test")
.description("Example_v2_100_test")
.action("ALLOW")
.customMsg("Test")
.operator("AND")
.conditions(PolicyAccessRuleV2ConditionArgs.builder()
.operator("OR")
.operands(
PolicyAccessRuleV2ConditionOperandArgs.builder()
.objectType("CHROME_ENTERPRISE")
.entryValues(PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("managed")
.rhs("true")
.build())
.build(),
PolicyAccessRuleV2ConditionOperandArgs.builder()
.objectType("CHROME_POSTURE_PROFILE")
.values(this_.id())
.build())
.build())
.build());
}
}
resources:
thisPolicyAccessRuleV2:
type: zpa:PolicyAccessRuleV2
name: this
properties:
name: Example_v2_100_test
description: Example_v2_100_test
action: ALLOW
customMsg: Test
operator: AND
conditions:
- operator: OR
operands:
- objectType: CHROME_ENTERPRISE
entryValues:
- lhs: managed
rhs: 'true'
- objectType: CHROME_POSTURE_PROFILE
values:
- ${this.id}
variables:
this:
fn::invoke:
function: zpa:getManagedBrowserProfile
arguments:
name: Profile01
LHS and RHS Values
| Object Type | LHS | RHS | VALUES |
|---|---|---|---|
| APP | NA | NA | <span pulumi-lang-nodejs="applicationSegmentId" pulumi-lang-dotnet="ApplicationSegmentId" pulumi-lang-go="applicationSegmentId" pulumi-lang-python="application_segment_id" pulumi-lang-yaml="applicationSegmentId" pulumi-lang-java="applicationSegmentId">application_segment_id</span> |
| APP_GROUP | NA | NA | <span pulumi-lang-nodejs="segmentGroupId" pulumi-lang-dotnet="SegmentGroupId" pulumi-lang-go="segmentGroupId" pulumi-lang-python="segment_group_id" pulumi-lang-yaml="segmentGroupId" pulumi-lang-java="segmentGroupId">segment_group_id</span> |
| CLIENT_TYPE | NA | NA | <span pulumi-lang-nodejs="zpnClientTypeExporter" pulumi-lang-dotnet="ZpnClientTypeExporter" pulumi-lang-go="zpnClientTypeExporter" pulumi-lang-python="zpn_client_type_exporter" pulumi-lang-yaml="zpnClientTypeExporter" pulumi-lang-java="zpnClientTypeExporter">zpn_client_type_exporter</span>, <span pulumi-lang-nodejs="zpnClientTypeExporterNoauth" pulumi-lang-dotnet="ZpnClientTypeExporterNoauth" pulumi-lang-go="zpnClientTypeExporterNoauth" pulumi-lang-python="zpn_client_type_exporter_noauth" pulumi-lang-yaml="zpnClientTypeExporterNoauth" pulumi-lang-java="zpnClientTypeExporterNoauth">zpn_client_type_exporter_noauth</span>, <span pulumi-lang-nodejs="zpnClientTypeMachineTunnel" pulumi-lang-dotnet="ZpnClientTypeMachineTunnel" pulumi-lang-go="zpnClientTypeMachineTunnel" pulumi-lang-python="zpn_client_type_machine_tunnel" pulumi-lang-yaml="zpnClientTypeMachineTunnel" pulumi-lang-java="zpnClientTypeMachineTunnel">zpn_client_type_machine_tunnel</span>, <span pulumi-lang-nodejs="zpnClientTypeEdgeConnector" pulumi-lang-dotnet="ZpnClientTypeEdgeConnector" pulumi-lang-go="zpnClientTypeEdgeConnector" pulumi-lang-python="zpn_client_type_edge_connector" pulumi-lang-yaml="zpnClientTypeEdgeConnector" pulumi-lang-java="zpnClientTypeEdgeConnector">zpn_client_type_edge_connector</span>, <span pulumi-lang-nodejs="zpnClientTypeZiaInspection" pulumi-lang-dotnet="ZpnClientTypeZiaInspection" pulumi-lang-go="zpnClientTypeZiaInspection" pulumi-lang-python="zpn_client_type_zia_inspection" pulumi-lang-yaml="zpnClientTypeZiaInspection" pulumi-lang-java="zpnClientTypeZiaInspection">zpn_client_type_zia_inspection</span>, <span pulumi-lang-nodejs="zpnClientTypeVdi" pulumi-lang-dotnet="ZpnClientTypeVdi" pulumi-lang-go="zpnClientTypeVdi" pulumi-lang-python="zpn_client_type_vdi" pulumi-lang-yaml="zpnClientTypeVdi" pulumi-lang-java="zpnClientTypeVdi">zpn_client_type_vdi</span>, <span pulumi-lang-nodejs="zpnClientTypeZapp" pulumi-lang-dotnet="ZpnClientTypeZapp" pulumi-lang-go="zpnClientTypeZapp" pulumi-lang-python="zpn_client_type_zapp" pulumi-lang-yaml="zpnClientTypeZapp" pulumi-lang-java="zpnClientTypeZapp">zpn_client_type_zapp</span>, <span pulumi-lang-nodejs="zpnClientTypeSlogger" pulumi-lang-dotnet="ZpnClientTypeSlogger" pulumi-lang-go="zpnClientTypeSlogger" pulumi-lang-python="zpn_client_type_slogger" pulumi-lang-yaml="zpnClientTypeSlogger" pulumi-lang-java="zpnClientTypeSlogger">zpn_client_type_slogger</span>, <span pulumi-lang-nodejs="zpnClientTypeZappPartner" pulumi-lang-dotnet="ZpnClientTypeZappPartner" pulumi-lang-go="zpnClientTypeZappPartner" pulumi-lang-python="zpn_client_type_zapp_partner" pulumi-lang-yaml="zpnClientTypeZappPartner" pulumi-lang-java="zpnClientTypeZappPartner">zpn_client_type_zapp_partner</span>, <span pulumi-lang-nodejs="zpnClientTypeBrowserIsolation" pulumi-lang-dotnet="ZpnClientTypeBrowserIsolation" pulumi-lang-go="zpnClientTypeBrowserIsolation" pulumi-lang-python="zpn_client_type_browser_isolation" pulumi-lang-yaml="zpnClientTypeBrowserIsolation" pulumi-lang-java="zpnClientTypeBrowserIsolation">zpn_client_type_browser_isolation</span>, <span pulumi-lang-nodejs="zpnClientTypeIpAnchoring" pulumi-lang-dotnet="ZpnClientTypeIpAnchoring" pulumi-lang-go="zpnClientTypeIpAnchoring" pulumi-lang-python="zpn_client_type_ip_anchoring" pulumi-lang-yaml="zpnClientTypeIpAnchoring" pulumi-lang-java="zpnClientTypeIpAnchoring">zpn_client_type_ip_anchoring</span>, <span pulumi-lang-nodejs="zpnClientTypeBranchConnector" pulumi-lang-dotnet="ZpnClientTypeBranchConnector" pulumi-lang-go="zpnClientTypeBranchConnector" pulumi-lang-python="zpn_client_type_branch_connector" pulumi-lang-yaml="zpnClientTypeBranchConnector" pulumi-lang-java="zpnClientTypeBranchConnector">zpn_client_type_branch_connector</span> |
| EDGE_CONNECTOR_GROUP | NA | NA | <edge_connector_id> |
| BRANCH_CONNECTOR_GROUP | NA | NA | <branch_connector_id> |
| LOCATION | NA | NA | <span pulumi-lang-nodejs="locationId" pulumi-lang-dotnet="LocationId" pulumi-lang-go="locationId" pulumi-lang-python="location_id" pulumi-lang-yaml="locationId" pulumi-lang-java="locationId">location_id</span> |
| MACHINE_GRP | NA | NA | <span pulumi-lang-nodejs="machineGroupId" pulumi-lang-dotnet="MachineGroupId" pulumi-lang-go="machineGroupId" pulumi-lang-python="machine_group_id" pulumi-lang-yaml="machineGroupId" pulumi-lang-java="machineGroupId">machine_group_id</span> |
| SAML | <span pulumi-lang-nodejs="samlAttributeId" pulumi-lang-dotnet="SamlAttributeId" pulumi-lang-go="samlAttributeId" pulumi-lang-python="saml_attribute_id" pulumi-lang-yaml="samlAttributeId" pulumi-lang-java="samlAttributeId">saml_attribute_id</span> | <span pulumi-lang-nodejs="attributeValueToMatch" pulumi-lang-dotnet="AttributeValueToMatch" pulumi-lang-go="attributeValueToMatch" pulumi-lang-python="attribute_value_to_match" pulumi-lang-yaml="attributeValueToMatch" pulumi-lang-java="attributeValueToMatch">attribute_value_to_match</span> | |
| SCIM | <span pulumi-lang-nodejs="scimAttributeId" pulumi-lang-dotnet="ScimAttributeId" pulumi-lang-go="scimAttributeId" pulumi-lang-python="scim_attribute_id" pulumi-lang-yaml="scimAttributeId" pulumi-lang-java="scimAttributeId">scim_attribute_id</span> | <span pulumi-lang-nodejs="attributeValueToMatch" pulumi-lang-dotnet="AttributeValueToMatch" pulumi-lang-go="attributeValueToMatch" pulumi-lang-python="attribute_value_to_match" pulumi-lang-yaml="attributeValueToMatch" pulumi-lang-java="attributeValueToMatch">attribute_value_to_match</span> | |
| SCIM_GROUP | <span pulumi-lang-nodejs="scimGroupAttributeId" pulumi-lang-dotnet="ScimGroupAttributeId" pulumi-lang-go="scimGroupAttributeId" pulumi-lang-python="scim_group_attribute_id" pulumi-lang-yaml="scimGroupAttributeId" pulumi-lang-java="scimGroupAttributeId">scim_group_attribute_id</span> | <span pulumi-lang-nodejs="attributeValueToMatch" pulumi-lang-dotnet="AttributeValueToMatch" pulumi-lang-go="attributeValueToMatch" pulumi-lang-python="attribute_value_to_match" pulumi-lang-yaml="attributeValueToMatch" pulumi-lang-java="attributeValueToMatch">attribute_value_to_match</span> | |
| PLATFORM | <span pulumi-lang-nodejs="mac" pulumi-lang-dotnet="Mac" pulumi-lang-go="mac" pulumi-lang-python="mac" pulumi-lang-yaml="mac" pulumi-lang-java="mac">mac</span>, <span pulumi-lang-nodejs="ios" pulumi-lang-dotnet="Ios" pulumi-lang-go="ios" pulumi-lang-python="ios" pulumi-lang-yaml="ios" pulumi-lang-java="ios">ios</span>, <span pulumi-lang-nodejs="windows" pulumi-lang-dotnet="Windows" pulumi-lang-go="windows" pulumi-lang-python="windows" pulumi-lang-yaml="windows" pulumi-lang-java="windows">windows</span>, <span pulumi-lang-nodejs="android" pulumi-lang-dotnet="Android" pulumi-lang-go="android" pulumi-lang-python="android" pulumi-lang-yaml="android" pulumi-lang-java="android">android</span>, <span pulumi-lang-nodejs="linux" pulumi-lang-dotnet="Linux" pulumi-lang-go="linux" pulumi-lang-python="linux" pulumi-lang-yaml="linux" pulumi-lang-java="linux">linux</span> | "true" | |
| POSTURE | <span pulumi-lang-nodejs="postureUdid" pulumi-lang-dotnet="PostureUdid" pulumi-lang-go="postureUdid" pulumi-lang-python="posture_udid" pulumi-lang-yaml="postureUdid" pulumi-lang-java="postureUdid">posture_udid</span> | "true" / "false" | |
| TRUSTED_NETWORK | <span pulumi-lang-nodejs="networkId" pulumi-lang-dotnet="NetworkId" pulumi-lang-go="networkId" pulumi-lang-python="network_id" pulumi-lang-yaml="networkId" pulumi-lang-java="networkId">network_id</span> | "true" | |
| COUNTRY_CODE | 2 Letter ISO3166 Alpha2 | "true" | |
| RISK_FACTOR_TYPE | ZIA | "UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL" | |
| CHROME_ENTERPRISE | <span pulumi-lang-nodejs="managed" pulumi-lang-dotnet="Managed" pulumi-lang-go="managed" pulumi-lang-python="managed" pulumi-lang-yaml="managed" pulumi-lang-java="managed">managed</span> | "true" / "false" |
Create PolicyAccessRuleV2 Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new PolicyAccessRuleV2(name: string, args?: PolicyAccessRuleV2Args, opts?: CustomResourceOptions);@overload
def PolicyAccessRuleV2(resource_name: str,
args: Optional[PolicyAccessRuleV2Args] = None,
opts: Optional[ResourceOptions] = None)
@overload
def PolicyAccessRuleV2(resource_name: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
app_connector_groups: Optional[Sequence[PolicyAccessRuleV2AppConnectorGroupArgs]] = None,
app_server_groups: Optional[Sequence[PolicyAccessRuleV2AppServerGroupArgs]] = None,
conditions: Optional[Sequence[PolicyAccessRuleV2ConditionArgs]] = None,
custom_msg: Optional[str] = None,
description: Optional[str] = None,
extranet_dtos: Optional[Sequence[PolicyAccessRuleV2ExtranetDtoArgs]] = None,
extranet_enabled: Optional[bool] = None,
name: Optional[str] = None,
operator: Optional[str] = None)func NewPolicyAccessRuleV2(ctx *Context, name string, args *PolicyAccessRuleV2Args, opts ...ResourceOption) (*PolicyAccessRuleV2, error)public PolicyAccessRuleV2(string name, PolicyAccessRuleV2Args? args = null, CustomResourceOptions? opts = null)
public PolicyAccessRuleV2(String name, PolicyAccessRuleV2Args args)
public PolicyAccessRuleV2(String name, PolicyAccessRuleV2Args args, CustomResourceOptions options)
type: zpa:PolicyAccessRuleV2
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PolicyAccessRuleV2Args
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PolicyAccessRuleV2Args
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PolicyAccessRuleV2Args
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PolicyAccessRuleV2Args
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PolicyAccessRuleV2Args
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var policyAccessRuleV2Resource = new Zpa.PolicyAccessRuleV2("policyAccessRuleV2Resource", new()
{
Action = "string",
AppConnectorGroups = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2AppConnectorGroupArgs
{
Ids = new[]
{
"string",
},
},
},
AppServerGroups = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2AppServerGroupArgs
{
Ids = new[]
{
"string",
},
},
},
Conditions = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
{
Id = "string",
Operands = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
{
EntryValues = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
{
Lhs = "string",
Rhs = "string",
},
},
ObjectType = "string",
Values = new[]
{
"string",
},
},
},
Operator = "string",
},
},
CustomMsg = "string",
Description = "string",
ExtranetDtos = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ExtranetDtoArgs
{
LocationDtos = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ExtranetDtoLocationDtoArgs
{
Id = "string",
},
},
LocationGroupDtos = new[]
{
new Zpa.Inputs.PolicyAccessRuleV2ExtranetDtoLocationGroupDtoArgs
{
Id = "string",
},
},
ZpnErId = "string",
},
},
ExtranetEnabled = false,
Name = "string",
Operator = "string",
});
example, err := zpa.NewPolicyAccessRuleV2(ctx, "policyAccessRuleV2Resource", &zpa.PolicyAccessRuleV2Args{
Action: pulumi.String("string"),
AppConnectorGroups: zpa.PolicyAccessRuleV2AppConnectorGroupArray{
&zpa.PolicyAccessRuleV2AppConnectorGroupArgs{
Ids: pulumi.StringArray{
pulumi.String("string"),
},
},
},
AppServerGroups: zpa.PolicyAccessRuleV2AppServerGroupArray{
&zpa.PolicyAccessRuleV2AppServerGroupArgs{
Ids: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Conditions: zpa.PolicyAccessRuleV2ConditionArray{
&zpa.PolicyAccessRuleV2ConditionArgs{
Id: pulumi.String("string"),
Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
&zpa.PolicyAccessRuleV2ConditionOperandArgs{
EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
Lhs: pulumi.String("string"),
Rhs: pulumi.String("string"),
},
},
ObjectType: pulumi.String("string"),
Values: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Operator: pulumi.String("string"),
},
},
CustomMsg: pulumi.String("string"),
Description: pulumi.String("string"),
ExtranetDtos: zpa.PolicyAccessRuleV2ExtranetDtoArray{
&zpa.PolicyAccessRuleV2ExtranetDtoArgs{
LocationDtos: zpa.PolicyAccessRuleV2ExtranetDtoLocationDtoArray{
&zpa.PolicyAccessRuleV2ExtranetDtoLocationDtoArgs{
Id: pulumi.String("string"),
},
},
LocationGroupDtos: zpa.PolicyAccessRuleV2ExtranetDtoLocationGroupDtoArray{
&zpa.PolicyAccessRuleV2ExtranetDtoLocationGroupDtoArgs{
Id: pulumi.String("string"),
},
},
ZpnErId: pulumi.String("string"),
},
},
ExtranetEnabled: pulumi.Bool(false),
Name: pulumi.String("string"),
Operator: pulumi.String("string"),
})
var policyAccessRuleV2Resource = new PolicyAccessRuleV2("policyAccessRuleV2Resource", PolicyAccessRuleV2Args.builder()
.action("string")
.appConnectorGroups(PolicyAccessRuleV2AppConnectorGroupArgs.builder()
.ids("string")
.build())
.appServerGroups(PolicyAccessRuleV2AppServerGroupArgs.builder()
.ids("string")
.build())
.conditions(PolicyAccessRuleV2ConditionArgs.builder()
.id("string")
.operands(PolicyAccessRuleV2ConditionOperandArgs.builder()
.entryValues(PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
.lhs("string")
.rhs("string")
.build())
.objectType("string")
.values("string")
.build())
.operator("string")
.build())
.customMsg("string")
.description("string")
.extranetDtos(PolicyAccessRuleV2ExtranetDtoArgs.builder()
.locationDtos(PolicyAccessRuleV2ExtranetDtoLocationDtoArgs.builder()
.id("string")
.build())
.locationGroupDtos(PolicyAccessRuleV2ExtranetDtoLocationGroupDtoArgs.builder()
.id("string")
.build())
.zpnErId("string")
.build())
.extranetEnabled(false)
.name("string")
.operator("string")
.build());
policy_access_rule_v2_resource = zpa.PolicyAccessRuleV2("policyAccessRuleV2Resource",
action="string",
app_connector_groups=[{
"ids": ["string"],
}],
app_server_groups=[{
"ids": ["string"],
}],
conditions=[{
"id": "string",
"operands": [{
"entry_values": [{
"lhs": "string",
"rhs": "string",
}],
"object_type": "string",
"values": ["string"],
}],
"operator": "string",
}],
custom_msg="string",
description="string",
extranet_dtos=[{
"location_dtos": [{
"id": "string",
}],
"location_group_dtos": [{
"id": "string",
}],
"zpn_er_id": "string",
}],
extranet_enabled=False,
name="string",
operator="string")
const policyAccessRuleV2Resource = new zpa.PolicyAccessRuleV2("policyAccessRuleV2Resource", {
action: "string",
appConnectorGroups: [{
ids: ["string"],
}],
appServerGroups: [{
ids: ["string"],
}],
conditions: [{
id: "string",
operands: [{
entryValues: [{
lhs: "string",
rhs: "string",
}],
objectType: "string",
values: ["string"],
}],
operator: "string",
}],
customMsg: "string",
description: "string",
extranetDtos: [{
locationDtos: [{
id: "string",
}],
locationGroupDtos: [{
id: "string",
}],
zpnErId: "string",
}],
extranetEnabled: false,
name: "string",
operator: "string",
});
type: zpa:PolicyAccessRuleV2
properties:
action: string
appConnectorGroups:
- ids:
- string
appServerGroups:
- ids:
- string
conditions:
- id: string
operands:
- entryValues:
- lhs: string
rhs: string
objectType: string
values:
- string
operator: string
customMsg: string
description: string
extranetDtos:
- locationDtos:
- id: string
locationGroupDtos:
- id: string
zpnErId: string
extranetEnabled: false
name: string
operator: string
PolicyAccessRuleV2 Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The PolicyAccessRuleV2 resource accepts the following input properties:
- Action string
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - App
Connector List<zscaler.Groups Pulumi Package. Zpa. Inputs. Policy Access Rule V2App Connector Group> - App
Server List<zscaler.Groups Pulumi Package. Zpa. Inputs. Policy Access Rule V2App Server Group> - List of the server group IDs.
- Conditions
List<zscaler.
Pulumi Package. Zpa. Inputs. Policy Access Rule V2Condition> - This is for proviidng the set of conditions for the policy.
- Custom
Msg string - This is for providing a customer message for the user.
- Description string
- This is the description of the access policy rule.
- Extranet
Dtos List<zscaler.Pulumi Package. Zpa. Inputs. Policy Access Rule V2Extranet Dto> - Extranet configuration for the policy rule.
- Extranet
Enabled bool - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- Name string
- This is the name of the policy rule.
- Operator string
- Action string
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - App
Connector []PolicyGroups Access Rule V2App Connector Group Args - App
Server []PolicyGroups Access Rule V2App Server Group Args - List of the server group IDs.
- Conditions
[]Policy
Access Rule V2Condition Args - This is for proviidng the set of conditions for the policy.
- Custom
Msg string - This is for providing a customer message for the user.
- Description string
- This is the description of the access policy rule.
- Extranet
Dtos []PolicyAccess Rule V2Extranet Dto Args - Extranet configuration for the policy rule.
- Extranet
Enabled bool - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- Name string
- This is the name of the policy rule.
- Operator string
- action String
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - app
Connector List<PolicyGroups Access Rule V2App Connector Group> - app
Server List<PolicyGroups Access Rule V2App Server Group> - List of the server group IDs.
- conditions
List<Policy
Access Rule V2Condition> - This is for proviidng the set of conditions for the policy.
- custom
Msg String - This is for providing a customer message for the user.
- description String
- This is the description of the access policy rule.
- extranet
Dtos List<PolicyAccess Rule V2Extranet Dto> - Extranet configuration for the policy rule.
- extranet
Enabled Boolean - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- name String
- This is the name of the policy rule.
- operator String
- action string
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - app
Connector PolicyGroups Access Rule V2App Connector Group[] - app
Server PolicyGroups Access Rule V2App Server Group[] - List of the server group IDs.
- conditions
Policy
Access Rule V2Condition[] - This is for proviidng the set of conditions for the policy.
- custom
Msg string - This is for providing a customer message for the user.
- description string
- This is the description of the access policy rule.
- extranet
Dtos PolicyAccess Rule V2Extranet Dto[] - Extranet configuration for the policy rule.
- extranet
Enabled boolean - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- name string
- This is the name of the policy rule.
- operator string
- action str
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - app_
connector_ Sequence[Policygroups Access Rule V2App Connector Group Args] - app_
server_ Sequence[Policygroups Access Rule V2App Server Group Args] - List of the server group IDs.
- conditions
Sequence[Policy
Access Rule V2Condition Args] - This is for proviidng the set of conditions for the policy.
- custom_
msg str - This is for providing a customer message for the user.
- description str
- This is the description of the access policy rule.
- extranet_
dtos Sequence[PolicyAccess Rule V2Extranet Dto Args] - Extranet configuration for the policy rule.
- extranet_
enabled bool - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- name str
- This is the name of the policy rule.
- operator str
- action String
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - app
Connector List<Property Map>Groups - app
Server List<Property Map>Groups - List of the server group IDs.
- conditions List<Property Map>
- This is for proviidng the set of conditions for the policy.
- custom
Msg String - This is for providing a customer message for the user.
- description String
- This is the description of the access policy rule.
- extranet
Dtos List<Property Map> - Extranet configuration for the policy rule.
- extranet
Enabled Boolean - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- name String
- This is the name of the policy rule.
- operator String
Outputs
All input properties are implicitly available as output properties. Additionally, the PolicyAccessRuleV2 resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Set stringId
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Set stringId
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Set StringId
- id string
- The provider-assigned unique ID for this managed resource.
- policy
Set stringId
- id str
- The provider-assigned unique ID for this managed resource.
- policy_
set_ strid
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Set StringId
Look up Existing PolicyAccessRuleV2 Resource
Get an existing PolicyAccessRuleV2 resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PolicyAccessRuleV2State, opts?: CustomResourceOptions): PolicyAccessRuleV2@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
app_connector_groups: Optional[Sequence[PolicyAccessRuleV2AppConnectorGroupArgs]] = None,
app_server_groups: Optional[Sequence[PolicyAccessRuleV2AppServerGroupArgs]] = None,
conditions: Optional[Sequence[PolicyAccessRuleV2ConditionArgs]] = None,
custom_msg: Optional[str] = None,
description: Optional[str] = None,
extranet_dtos: Optional[Sequence[PolicyAccessRuleV2ExtranetDtoArgs]] = None,
extranet_enabled: Optional[bool] = None,
name: Optional[str] = None,
operator: Optional[str] = None,
policy_set_id: Optional[str] = None) -> PolicyAccessRuleV2func GetPolicyAccessRuleV2(ctx *Context, name string, id IDInput, state *PolicyAccessRuleV2State, opts ...ResourceOption) (*PolicyAccessRuleV2, error)public static PolicyAccessRuleV2 Get(string name, Input<string> id, PolicyAccessRuleV2State? state, CustomResourceOptions? opts = null)public static PolicyAccessRuleV2 get(String name, Output<String> id, PolicyAccessRuleV2State state, CustomResourceOptions options)resources: _: type: zpa:PolicyAccessRuleV2 get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Action string
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - App
Connector List<zscaler.Groups Pulumi Package. Zpa. Inputs. Policy Access Rule V2App Connector Group> - App
Server List<zscaler.Groups Pulumi Package. Zpa. Inputs. Policy Access Rule V2App Server Group> - List of the server group IDs.
- Conditions
List<zscaler.
Pulumi Package. Zpa. Inputs. Policy Access Rule V2Condition> - This is for proviidng the set of conditions for the policy.
- Custom
Msg string - This is for providing a customer message for the user.
- Description string
- This is the description of the access policy rule.
- Extranet
Dtos List<zscaler.Pulumi Package. Zpa. Inputs. Policy Access Rule V2Extranet Dto> - Extranet configuration for the policy rule.
- Extranet
Enabled bool - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- Name string
- This is the name of the policy rule.
- Operator string
- Policy
Set stringId
- Action string
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - App
Connector []PolicyGroups Access Rule V2App Connector Group Args - App
Server []PolicyGroups Access Rule V2App Server Group Args - List of the server group IDs.
- Conditions
[]Policy
Access Rule V2Condition Args - This is for proviidng the set of conditions for the policy.
- Custom
Msg string - This is for providing a customer message for the user.
- Description string
- This is the description of the access policy rule.
- Extranet
Dtos []PolicyAccess Rule V2Extranet Dto Args - Extranet configuration for the policy rule.
- Extranet
Enabled bool - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- Name string
- This is the name of the policy rule.
- Operator string
- Policy
Set stringId
- action String
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - app
Connector List<PolicyGroups Access Rule V2App Connector Group> - app
Server List<PolicyGroups Access Rule V2App Server Group> - List of the server group IDs.
- conditions
List<Policy
Access Rule V2Condition> - This is for proviidng the set of conditions for the policy.
- custom
Msg String - This is for providing a customer message for the user.
- description String
- This is the description of the access policy rule.
- extranet
Dtos List<PolicyAccess Rule V2Extranet Dto> - Extranet configuration for the policy rule.
- extranet
Enabled Boolean - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- name String
- This is the name of the policy rule.
- operator String
- policy
Set StringId
- action string
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - app
Connector PolicyGroups Access Rule V2App Connector Group[] - app
Server PolicyGroups Access Rule V2App Server Group[] - List of the server group IDs.
- conditions
Policy
Access Rule V2Condition[] - This is for proviidng the set of conditions for the policy.
- custom
Msg string - This is for providing a customer message for the user.
- description string
- This is the description of the access policy rule.
- extranet
Dtos PolicyAccess Rule V2Extranet Dto[] - Extranet configuration for the policy rule.
- extranet
Enabled boolean - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- name string
- This is the name of the policy rule.
- operator string
- policy
Set stringId
- action str
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - app_
connector_ Sequence[Policygroups Access Rule V2App Connector Group Args] - app_
server_ Sequence[Policygroups Access Rule V2App Server Group Args] - List of the server group IDs.
- conditions
Sequence[Policy
Access Rule V2Condition Args] - This is for proviidng the set of conditions for the policy.
- custom_
msg str - This is for providing a customer message for the user.
- description str
- This is the description of the access policy rule.
- extranet_
dtos Sequence[PolicyAccess Rule V2Extranet Dto Args] - Extranet configuration for the policy rule.
- extranet_
enabled bool - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- name str
- This is the name of the policy rule.
- operator str
- policy_
set_ strid
- action String
- This is for providing the rule action. Supported values:
ALLOW,DENY, andREQUIRE_APPROVAL - app
Connector List<Property Map>Groups - app
Server List<Property Map>Groups - List of the server group IDs.
- conditions List<Property Map>
- This is for proviidng the set of conditions for the policy.
- custom
Msg String - This is for providing a customer message for the user.
- description String
- This is the description of the access policy rule.
- extranet
Dtos List<Property Map> - Extranet configuration for the policy rule.
- extranet
Enabled Boolean - Indiciates if the application is designated for Extranet Application Support (true) or not (false). Extranet applications connect to a partner site or offshore development center that is not directly available on your organization’s network.
- name String
- This is the name of the policy rule.
- operator String
- policy
Set StringId
Supporting Types
PolicyAccessRuleV2AppConnectorGroup, PolicyAccessRuleV2AppConnectorGroupArgs
- Ids List<string>
- Ids []string
- ids List<String>
- ids string[]
- ids Sequence[str]
- ids List<String>
PolicyAccessRuleV2AppServerGroup, PolicyAccessRuleV2AppServerGroupArgs
- Ids List<string>
- Ids []string
- ids List<String>
- ids string[]
- ids Sequence[str]
- ids List<String>
PolicyAccessRuleV2Condition, PolicyAccessRuleV2ConditionArgs
- Id string
- Operands
List<zscaler.
Pulumi Package. Zpa. Inputs. Policy Access Rule V2Condition Operand> - This signifies the various policy criteria.
- Operator string
- Id string
- Operands
[]Policy
Access Rule V2Condition Operand - This signifies the various policy criteria.
- Operator string
- id String
- operands
List<Policy
Access Rule V2Condition Operand> - This signifies the various policy criteria.
- operator String
- id string
- operands
Policy
Access Rule V2Condition Operand[] - This signifies the various policy criteria.
- operator string
- id str
- operands
Sequence[Policy
Access Rule V2Condition Operand] - This signifies the various policy criteria.
- operator str
- id String
- operands List<Property Map>
- This signifies the various policy criteria.
- operator String
PolicyAccessRuleV2ConditionOperand, PolicyAccessRuleV2ConditionOperandArgs
- Entry
Values List<zscaler.Pulumi Package. Zpa. Inputs. Policy Access Rule V2Condition Operand Entry Value> - Object
Type string - This is for specifying the policy critiera.
- Values List<string>
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- Entry
Values []PolicyAccess Rule V2Condition Operand Entry Value - Object
Type string - This is for specifying the policy critiera.
- Values []string
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry
Values List<PolicyAccess Rule V2Condition Operand Entry Value> - object
Type String - This is for specifying the policy critiera.
- values List<String>
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry
Values PolicyAccess Rule V2Condition Operand Entry Value[] - object
Type string - This is for specifying the policy critiera.
- values string[]
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry_
values Sequence[PolicyAccess Rule V2Condition Operand Entry Value] - object_
type str - This is for specifying the policy critiera.
- values Sequence[str]
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry
Values List<Property Map> - object
Type String - This is for specifying the policy critiera.
- values List<String>
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
PolicyAccessRuleV2ConditionOperandEntryValue, PolicyAccessRuleV2ConditionOperandEntryValueArgs
PolicyAccessRuleV2ExtranetDto, PolicyAccessRuleV2ExtranetDtoArgs
- Location
Dtos List<zscaler.Pulumi Package. Zpa. Inputs. Policy Access Rule V2Extranet Dto Location Dto> - List of location DTOs.
- Location
Group List<zscaler.Dtos Pulumi Package. Zpa. Inputs. Policy Access Rule V2Extranet Dto Location Group Dto> - List of location group DTOs.
- Zpn
Er stringId - ZPN Extranet Resource ID.
- Location
Dtos []PolicyAccess Rule V2Extranet Dto Location Dto - List of location DTOs.
- Location
Group []PolicyDtos Access Rule V2Extranet Dto Location Group Dto - List of location group DTOs.
- Zpn
Er stringId - ZPN Extranet Resource ID.
- location
Dtos List<PolicyAccess Rule V2Extranet Dto Location Dto> - List of location DTOs.
- location
Group List<PolicyDtos Access Rule V2Extranet Dto Location Group Dto> - List of location group DTOs.
- zpn
Er StringId - ZPN Extranet Resource ID.
- location
Dtos PolicyAccess Rule V2Extranet Dto Location Dto[] - List of location DTOs.
- location
Group PolicyDtos Access Rule V2Extranet Dto Location Group Dto[] - List of location group DTOs.
- zpn
Er stringId - ZPN Extranet Resource ID.
- location_
dtos Sequence[PolicyAccess Rule V2Extranet Dto Location Dto] - List of location DTOs.
- location_
group_ Sequence[Policydtos Access Rule V2Extranet Dto Location Group Dto] - List of location group DTOs.
- zpn_
er_ strid - ZPN Extranet Resource ID.
- location
Dtos List<Property Map> - List of location DTOs.
- location
Group List<Property Map>Dtos - List of location group DTOs.
- zpn
Er StringId - ZPN Extranet Resource ID.
PolicyAccessRuleV2ExtranetDtoLocationDto, PolicyAccessRuleV2ExtranetDtoLocationDtoArgs
- Id string
- Location ID.
- Id string
- Location ID.
- id String
- Location ID.
- id string
- Location ID.
- id str
- Location ID.
- id String
- Location ID.
PolicyAccessRuleV2ExtranetDtoLocationGroupDto, PolicyAccessRuleV2ExtranetDtoLocationGroupDtoArgs
- Id string
- Location Group ID.
- Id string
- Location Group ID.
- id String
- Location Group ID.
- id string
- Location Group ID.
- id str
- Location Group ID.
- id String
- Location Group ID.
Import
Zscaler offers a dedicated tool called Zscaler-Terraformer to allow the automated import of ZPA configurations into Terraform-compliant HashiCorp Configuration Language.
Visit
Policy access rule can be imported by using <RULE ID> as the import ID.
For example:
$ pulumi import zpa:index/policyAccessRuleV2:PolicyAccessRuleV2 example <rule_id>
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- zpa zscaler/pulumi-zpa
- License
- MIT
- Notes
- This Pulumi package is based on the
zpaTerraform Provider.
Zscaler Private Access v1.0.3 published on Wednesday, Jan 21, 2026 by Zscaler
