1. Packages
  2. Zscaler Private Access (ZPA)
  3. API Docs
  4. PolicyAccessRuleV2
Zscaler Private Access v0.0.12 published on Tuesday, Jul 30, 2024 by Zscaler

zpa.PolicyAccessRuleV2

Explore with Pulumi AI

zpa logo
Zscaler Private Access v0.0.12 published on Tuesday, Jul 30, 2024 by Zscaler

    The zpa_policy_access_rule_v2 resource creates and manages policy access rule in the Zscaler Private Access cloud using a new v2 API endpoint.

    ⚠️ NOTE: This resource is recommended if your configuration requires the association of more than 1000 resource criteria per rule.

    ⚠️ WARNING:: The attribute rule_order is now deprecated in favor of the new resource policy_access_rule_reorder

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as zpa from "@bdzscaler/pulumi-zpa";
    import * as zpa from "@pulumi/zpa";
    
    const thisIdPController = zpa.getIdPController({
        name: "Idp_Name",
    });
    const emailUserSso = zpa.getSAMLAttribute({
        name: "Email_Users",
        idpName: "Idp_Name",
    });
    const groupUser = zpa.getSAMLAttribute({
        name: "GroupName_Users",
        idpName: "Idp_Name",
    });
    const a000 = zpa.getSCIMGroups({
        name: "A000",
        idpName: "Idp_Name",
    });
    const b000 = zpa.getSCIMGroups({
        name: "B000",
        idpName: "Idp_Name",
    });
    // Create Segment Group
    const thisSegmentGroup = new zpa.SegmentGroup("thisSegmentGroup", {
        description: "Example",
        enabled: true,
    });
    // Create Policy Access Rule V2
    const thisPolicyAccessRuleV2 = new zpa.PolicyAccessRuleV2("thisPolicyAccessRuleV2", {
        description: "Example",
        action: "ALLOW",
        conditions: [
            {
                operator: "OR",
                operands: [{
                    objectType: "APP_GROUP",
                    values: [thisSegmentGroup.id],
                }],
            },
            {
                operator: "OR",
                operands: [
                    {
                        objectType: "SAML",
                        entryValues: [
                            {
                                rhs: "user1@acme.com",
                                lhs: emailUserSso.then(emailUserSso => emailUserSso.id),
                            },
                            {
                                rhs: "A000",
                                lhs: groupUser.then(groupUser => groupUser.id),
                            },
                        ],
                    },
                    {
                        objectType: "SCIM_GROUP",
                        entryValues: [
                            {
                                rhs: a000.then(a000 => a000.id),
                                lhs: thisIdPController.then(thisIdPController => thisIdPController.id),
                            },
                            {
                                rhs: b000.then(b000 => b000.id),
                                lhs: thisIdPController.then(thisIdPController => thisIdPController.id),
                            },
                        ],
                    },
                ],
            },
            {
                operator: "OR",
                operands: [{
                    objectType: "PLATFORM",
                    entryValues: [
                        {
                            rhs: "true",
                            lhs: "linux",
                        },
                        {
                            rhs: "true",
                            lhs: "android",
                        },
                    ],
                }],
            },
            {
                operator: "OR",
                operands: [{
                    objectType: "COUNTRY_CODE",
                    entryValues: [
                        {
                            lhs: "CA",
                            rhs: "true",
                        },
                        {
                            lhs: "US",
                            rhs: "true",
                        },
                    ],
                }],
            },
        ],
    });
    
    import pulumi
    import pulumi_zpa as zpa
    import zscaler_pulumi_zpa as zpa
    
    this_id_p_controller = zpa.get_id_p_controller(name="Idp_Name")
    email_user_sso = zpa.get_saml_attribute(name="Email_Users",
        idp_name="Idp_Name")
    group_user = zpa.get_saml_attribute(name="GroupName_Users",
        idp_name="Idp_Name")
    a000 = zpa.get_scim_groups(name="A000",
        idp_name="Idp_Name")
    b000 = zpa.get_scim_groups(name="B000",
        idp_name="Idp_Name")
    # Create Segment Group
    this_segment_group = zpa.SegmentGroup("thisSegmentGroup",
        description="Example",
        enabled=True)
    # Create Policy Access Rule V2
    this_policy_access_rule_v2 = zpa.PolicyAccessRuleV2("thisPolicyAccessRuleV2",
        description="Example",
        action="ALLOW",
        conditions=[
            zpa.PolicyAccessRuleV2ConditionArgs(
                operator="OR",
                operands=[zpa.PolicyAccessRuleV2ConditionOperandArgs(
                    object_type="APP_GROUP",
                    values=[this_segment_group.id],
                )],
            ),
            zpa.PolicyAccessRuleV2ConditionArgs(
                operator="OR",
                operands=[
                    zpa.PolicyAccessRuleV2ConditionOperandArgs(
                        object_type="SAML",
                        entry_values=[
                            zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs(
                                rhs="user1@acme.com",
                                lhs=email_user_sso.id,
                            ),
                            zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs(
                                rhs="A000",
                                lhs=group_user.id,
                            ),
                        ],
                    ),
                    zpa.PolicyAccessRuleV2ConditionOperandArgs(
                        object_type="SCIM_GROUP",
                        entry_values=[
                            zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs(
                                rhs=a000.id,
                                lhs=this_id_p_controller.id,
                            ),
                            zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs(
                                rhs=b000.id,
                                lhs=this_id_p_controller.id,
                            ),
                        ],
                    ),
                ],
            ),
            zpa.PolicyAccessRuleV2ConditionArgs(
                operator="OR",
                operands=[zpa.PolicyAccessRuleV2ConditionOperandArgs(
                    object_type="PLATFORM",
                    entry_values=[
                        zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs(
                            rhs="true",
                            lhs="linux",
                        ),
                        zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs(
                            rhs="true",
                            lhs="android",
                        ),
                    ],
                )],
            ),
            zpa.PolicyAccessRuleV2ConditionArgs(
                operator="OR",
                operands=[zpa.PolicyAccessRuleV2ConditionOperandArgs(
                    object_type="COUNTRY_CODE",
                    entry_values=[
                        zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs(
                            lhs="CA",
                            rhs="true",
                        ),
                        zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs(
                            lhs="US",
                            rhs="true",
                        ),
                    ],
                )],
            ),
        ])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/zscaler/pulumi-zpa/sdk/go/zpa"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		thisIdPController, err := zpa.GetIdPController(ctx, &zpa.GetIdPControllerArgs{
    			Name: pulumi.StringRef("Idp_Name"),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		emailUserSso, err := zpa.GetSAMLAttribute(ctx, &zpa.GetSAMLAttributeArgs{
    			Name:    pulumi.StringRef("Email_Users"),
    			IdpName: pulumi.StringRef("Idp_Name"),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		groupUser, err := zpa.GetSAMLAttribute(ctx, &zpa.GetSAMLAttributeArgs{
    			Name:    pulumi.StringRef("GroupName_Users"),
    			IdpName: pulumi.StringRef("Idp_Name"),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		a000, err := zpa.GetSCIMGroups(ctx, &zpa.GetSCIMGroupsArgs{
    			Name:    pulumi.StringRef("A000"),
    			IdpName: pulumi.StringRef("Idp_Name"),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		b000, err := zpa.GetSCIMGroups(ctx, &zpa.GetSCIMGroupsArgs{
    			Name:    pulumi.StringRef("B000"),
    			IdpName: pulumi.StringRef("Idp_Name"),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// Create Segment Group
    		thisSegmentGroup, err := zpa.NewSegmentGroup(ctx, "thisSegmentGroup", &zpa.SegmentGroupArgs{
    			Description: pulumi.String("Example"),
    			Enabled:     pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		// Create Policy Access Rule V2
    		_, err = zpa.NewPolicyAccessRuleV2(ctx, "thisPolicyAccessRuleV2", &zpa.PolicyAccessRuleV2Args{
    			Description: pulumi.String("Example"),
    			Action:      pulumi.String("ALLOW"),
    			Conditions: zpa.PolicyAccessRuleV2ConditionArray{
    				&zpa.PolicyAccessRuleV2ConditionArgs{
    					Operator: pulumi.String("OR"),
    					Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
    						&zpa.PolicyAccessRuleV2ConditionOperandArgs{
    							ObjectType: pulumi.String("APP_GROUP"),
    							Values: pulumi.StringArray{
    								thisSegmentGroup.ID(),
    							},
    						},
    					},
    				},
    				&zpa.PolicyAccessRuleV2ConditionArgs{
    					Operator: pulumi.String("OR"),
    					Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
    						&zpa.PolicyAccessRuleV2ConditionOperandArgs{
    							ObjectType: pulumi.String("SAML"),
    							EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
    								&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
    									Rhs: pulumi.String("user1@acme.com"),
    									Lhs: pulumi.String(emailUserSso.Id),
    								},
    								&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
    									Rhs: pulumi.String("A000"),
    									Lhs: pulumi.String(groupUser.Id),
    								},
    							},
    						},
    						&zpa.PolicyAccessRuleV2ConditionOperandArgs{
    							ObjectType: pulumi.String("SCIM_GROUP"),
    							EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
    								&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
    									Rhs: pulumi.String(a000.Id),
    									Lhs: pulumi.String(thisIdPController.Id),
    								},
    								&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
    									Rhs: pulumi.String(b000.Id),
    									Lhs: pulumi.String(thisIdPController.Id),
    								},
    							},
    						},
    					},
    				},
    				&zpa.PolicyAccessRuleV2ConditionArgs{
    					Operator: pulumi.String("OR"),
    					Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
    						&zpa.PolicyAccessRuleV2ConditionOperandArgs{
    							ObjectType: pulumi.String("PLATFORM"),
    							EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
    								&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
    									Rhs: pulumi.String("true"),
    									Lhs: pulumi.String("linux"),
    								},
    								&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
    									Rhs: pulumi.String("true"),
    									Lhs: pulumi.String("android"),
    								},
    							},
    						},
    					},
    				},
    				&zpa.PolicyAccessRuleV2ConditionArgs{
    					Operator: pulumi.String("OR"),
    					Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
    						&zpa.PolicyAccessRuleV2ConditionOperandArgs{
    							ObjectType: pulumi.String("COUNTRY_CODE"),
    							EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
    								&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
    									Lhs: pulumi.String("CA"),
    									Rhs: pulumi.String("true"),
    								},
    								&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
    									Lhs: pulumi.String("US"),
    									Rhs: pulumi.String("true"),
    								},
    							},
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Zpa = Pulumi.Zpa;
    using Zpa = Zscaler.Zpa;
    
    return await Deployment.RunAsync(() => 
    {
        var thisIdPController = Zpa.GetIdPController.Invoke(new()
        {
            Name = "Idp_Name",
        });
    
        var emailUserSso = Zpa.GetSAMLAttribute.Invoke(new()
        {
            Name = "Email_Users",
            IdpName = "Idp_Name",
        });
    
        var groupUser = Zpa.GetSAMLAttribute.Invoke(new()
        {
            Name = "GroupName_Users",
            IdpName = "Idp_Name",
        });
    
        var a000 = Zpa.GetSCIMGroups.Invoke(new()
        {
            Name = "A000",
            IdpName = "Idp_Name",
        });
    
        var b000 = Zpa.GetSCIMGroups.Invoke(new()
        {
            Name = "B000",
            IdpName = "Idp_Name",
        });
    
        // Create Segment Group
        var thisSegmentGroup = new Zpa.SegmentGroup("thisSegmentGroup", new()
        {
            Description = "Example",
            Enabled = true,
        });
    
        // Create Policy Access Rule V2
        var thisPolicyAccessRuleV2 = new Zpa.PolicyAccessRuleV2("thisPolicyAccessRuleV2", new()
        {
            Description = "Example",
            Action = "ALLOW",
            Conditions = new[]
            {
                new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
                {
                    Operator = "OR",
                    Operands = new[]
                    {
                        new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
                        {
                            ObjectType = "APP_GROUP",
                            Values = new[]
                            {
                                thisSegmentGroup.Id,
                            },
                        },
                    },
                },
                new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
                {
                    Operator = "OR",
                    Operands = new[]
                    {
                        new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
                        {
                            ObjectType = "SAML",
                            EntryValues = new[]
                            {
                                new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
                                {
                                    Rhs = "user1@acme.com",
                                    Lhs = emailUserSso.Apply(getSAMLAttributeResult => getSAMLAttributeResult.Id),
                                },
                                new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
                                {
                                    Rhs = "A000",
                                    Lhs = groupUser.Apply(getSAMLAttributeResult => getSAMLAttributeResult.Id),
                                },
                            },
                        },
                        new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
                        {
                            ObjectType = "SCIM_GROUP",
                            EntryValues = new[]
                            {
                                new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
                                {
                                    Rhs = a000.Apply(getSCIMGroupsResult => getSCIMGroupsResult.Id),
                                    Lhs = thisIdPController.Apply(getIdPControllerResult => getIdPControllerResult.Id),
                                },
                                new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
                                {
                                    Rhs = b000.Apply(getSCIMGroupsResult => getSCIMGroupsResult.Id),
                                    Lhs = thisIdPController.Apply(getIdPControllerResult => getIdPControllerResult.Id),
                                },
                            },
                        },
                    },
                },
                new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
                {
                    Operator = "OR",
                    Operands = new[]
                    {
                        new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
                        {
                            ObjectType = "PLATFORM",
                            EntryValues = new[]
                            {
                                new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
                                {
                                    Rhs = "true",
                                    Lhs = "linux",
                                },
                                new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
                                {
                                    Rhs = "true",
                                    Lhs = "android",
                                },
                            },
                        },
                    },
                },
                new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
                {
                    Operator = "OR",
                    Operands = new[]
                    {
                        new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
                        {
                            ObjectType = "COUNTRY_CODE",
                            EntryValues = new[]
                            {
                                new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
                                {
                                    Lhs = "CA",
                                    Rhs = "true",
                                },
                                new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
                                {
                                    Lhs = "US",
                                    Rhs = "true",
                                },
                            },
                        },
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.zpa.ZpaFunctions;
    import com.pulumi.zpa.inputs.GetIdPControllerArgs;
    import com.pulumi.zpa.inputs.GetSAMLAttributeArgs;
    import com.pulumi.zpa.inputs.GetSCIMGroupsArgs;
    import com.pulumi.zpa.SegmentGroup;
    import com.pulumi.zpa.SegmentGroupArgs;
    import com.pulumi.zpa.PolicyAccessRuleV2;
    import com.pulumi.zpa.PolicyAccessRuleV2Args;
    import com.pulumi.zpa.inputs.PolicyAccessRuleV2ConditionArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var thisIdPController = ZpaFunctions.getIdPController(GetIdPControllerArgs.builder()
                .name("Idp_Name")
                .build());
    
            final var emailUserSso = ZpaFunctions.getSAMLAttribute(GetSAMLAttributeArgs.builder()
                .name("Email_Users")
                .idpName("Idp_Name")
                .build());
    
            final var groupUser = ZpaFunctions.getSAMLAttribute(GetSAMLAttributeArgs.builder()
                .name("GroupName_Users")
                .idpName("Idp_Name")
                .build());
    
            final var a000 = ZpaFunctions.getSCIMGroups(GetSCIMGroupsArgs.builder()
                .name("A000")
                .idpName("Idp_Name")
                .build());
    
            final var b000 = ZpaFunctions.getSCIMGroups(GetSCIMGroupsArgs.builder()
                .name("B000")
                .idpName("Idp_Name")
                .build());
    
            // Create Segment Group
            var thisSegmentGroup = new SegmentGroup("thisSegmentGroup", SegmentGroupArgs.builder()
                .description("Example")
                .enabled(true)
                .build());
    
            // Create Policy Access Rule V2
            var thisPolicyAccessRuleV2 = new PolicyAccessRuleV2("thisPolicyAccessRuleV2", PolicyAccessRuleV2Args.builder()
                .description("Example")
                .action("ALLOW")
                .conditions(            
                    PolicyAccessRuleV2ConditionArgs.builder()
                        .operator("OR")
                        .operands(PolicyAccessRuleV2ConditionOperandArgs.builder()
                            .objectType("APP_GROUP")
                            .values(thisSegmentGroup.id())
                            .build())
                        .build(),
                    PolicyAccessRuleV2ConditionArgs.builder()
                        .operator("OR")
                        .operands(                    
                            PolicyAccessRuleV2ConditionOperandArgs.builder()
                                .objectType("SAML")
                                .entryValues(                            
                                    PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
                                        .rhs("user1@acme.com")
                                        .lhs(emailUserSso.applyValue(getSAMLAttributeResult -> getSAMLAttributeResult.id()))
                                        .build(),
                                    PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
                                        .rhs("A000")
                                        .lhs(groupUser.applyValue(getSAMLAttributeResult -> getSAMLAttributeResult.id()))
                                        .build())
                                .build(),
                            PolicyAccessRuleV2ConditionOperandArgs.builder()
                                .objectType("SCIM_GROUP")
                                .entryValues(                            
                                    PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
                                        .rhs(a000.applyValue(getSCIMGroupsResult -> getSCIMGroupsResult.id()))
                                        .lhs(thisIdPController.applyValue(getIdPControllerResult -> getIdPControllerResult.id()))
                                        .build(),
                                    PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
                                        .rhs(b000.applyValue(getSCIMGroupsResult -> getSCIMGroupsResult.id()))
                                        .lhs(thisIdPController.applyValue(getIdPControllerResult -> getIdPControllerResult.id()))
                                        .build())
                                .build())
                        .build(),
                    PolicyAccessRuleV2ConditionArgs.builder()
                        .operator("OR")
                        .operands(PolicyAccessRuleV2ConditionOperandArgs.builder()
                            .objectType("PLATFORM")
                            .entryValues(                        
                                PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
                                    .rhs("true")
                                    .lhs("linux")
                                    .build(),
                                PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
                                    .rhs("true")
                                    .lhs("android")
                                    .build())
                            .build())
                        .build(),
                    PolicyAccessRuleV2ConditionArgs.builder()
                        .operator("OR")
                        .operands(PolicyAccessRuleV2ConditionOperandArgs.builder()
                            .objectType("COUNTRY_CODE")
                            .entryValues(                        
                                PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
                                    .lhs("CA")
                                    .rhs("true")
                                    .build(),
                                PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
                                    .lhs("US")
                                    .rhs("true")
                                    .build())
                            .build())
                        .build())
                .build());
    
        }
    }
    
    resources:
      # Create Segment Group
      thisSegmentGroup:
        type: zpa:SegmentGroup
        properties:
          description: Example
          enabled: true
      # Create Policy Access Rule V2
      thisPolicyAccessRuleV2:
        type: zpa:PolicyAccessRuleV2
        properties:
          description: Example
          action: ALLOW
          conditions:
            - operator: OR
              operands:
                - objectType: APP_GROUP
                  values:
                    - ${thisSegmentGroup.id}
            - operator: OR
              operands:
                - objectType: SAML
                  entryValues:
                    - rhs: user1@acme.com
                      lhs: ${emailUserSso.id}
                    - rhs: A000
                      lhs: ${groupUser.id}
                - objectType: SCIM_GROUP
                  entryValues:
                    - rhs: ${a000.id}
                      lhs: ${thisIdPController.id}
                    - rhs: ${b000.id}
                      lhs: ${thisIdPController.id}
            - operator: OR
              operands:
                - objectType: PLATFORM
                  entryValues:
                    - rhs: 'true'
                      lhs: linux
                    - rhs: 'true'
                      lhs: android
            - operator: OR
              operands:
                - objectType: COUNTRY_CODE
                  entryValues:
                    - lhs: CA
                      rhs: 'true'
                    - lhs: US
                      rhs: 'true'
    variables:
      thisIdPController:
        fn::invoke:
          Function: zpa:getIdPController
          Arguments:
            name: Idp_Name
      emailUserSso:
        fn::invoke:
          Function: zpa:getSAMLAttribute
          Arguments:
            name: Email_Users
            idpName: Idp_Name
      groupUser:
        fn::invoke:
          Function: zpa:getSAMLAttribute
          Arguments:
            name: GroupName_Users
            idpName: Idp_Name
      a000:
        fn::invoke:
          Function: zpa:getSCIMGroups
          Arguments:
            name: A000
            idpName: Idp_Name
      b000:
        fn::invoke:
          Function: zpa:getSCIMGroups
          Arguments:
            name: B000
            idpName: Idp_Name
    

    LHS and RHS Values

    Object TypeLHSRHSVALUES
    APPapplication_segment_id
    APP_GROUPsegment_group_id
    CLIENT_TYPEzpn_client_type_zappl, zpn_client_type_exporter, zpn_client_type_browser_isolation, zpn_client_type_ip_anchoring, zpn_client_type_edge_connector, zpn_client_type_branch_connector, zpn_client_type_zapp_partner, zpn_client_type_zapp
    EDGE_CONNECTOR_GROUP<edge_connector_id>
    BRANCH_CONNECTOR_GROUP<branch_connector_id>
    LOCATIONlocation_id
    MACHINE_GRPmachine_group_id
    SAMLsaml_attribute_idattribute_value_to_match
    SCIMscim_attribute_idattribute_value_to_match
    SCIM_GROUPscim_group_attribute_idattribute_value_to_match
    PLATFORMmac, ios, windows, android, linux"true" / "false"
    POSTUREposture_udid"true" / "false"
    TRUSTED_NETWORKnetwork_id"true"
    COUNTRY_CODE2 Letter ISO3166 Alpha2"true" / "false"

    Create PolicyAccessRuleV2 Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new PolicyAccessRuleV2(name: string, args?: PolicyAccessRuleV2Args, opts?: CustomResourceOptions);
    @overload
    def PolicyAccessRuleV2(resource_name: str,
                           args: Optional[PolicyAccessRuleV2Args] = None,
                           opts: Optional[ResourceOptions] = None)
    
    @overload
    def PolicyAccessRuleV2(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           action: Optional[str] = None,
                           app_connector_groups: Optional[Sequence[PolicyAccessRuleV2AppConnectorGroupArgs]] = None,
                           app_server_groups: Optional[Sequence[PolicyAccessRuleV2AppServerGroupArgs]] = None,
                           conditions: Optional[Sequence[PolicyAccessRuleV2ConditionArgs]] = None,
                           custom_msg: Optional[str] = None,
                           description: Optional[str] = None,
                           name: Optional[str] = None,
                           operator: Optional[str] = None)
    func NewPolicyAccessRuleV2(ctx *Context, name string, args *PolicyAccessRuleV2Args, opts ...ResourceOption) (*PolicyAccessRuleV2, error)
    public PolicyAccessRuleV2(string name, PolicyAccessRuleV2Args? args = null, CustomResourceOptions? opts = null)
    public PolicyAccessRuleV2(String name, PolicyAccessRuleV2Args args)
    public PolicyAccessRuleV2(String name, PolicyAccessRuleV2Args args, CustomResourceOptions options)
    
    type: zpa:PolicyAccessRuleV2
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args PolicyAccessRuleV2Args
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PolicyAccessRuleV2Args
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PolicyAccessRuleV2Args
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PolicyAccessRuleV2Args
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PolicyAccessRuleV2Args
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var policyAccessRuleV2Resource = new Zpa.PolicyAccessRuleV2("policyAccessRuleV2Resource", new()
    {
        Action = "string",
        AppConnectorGroups = new[]
        {
            new Zpa.Inputs.PolicyAccessRuleV2AppConnectorGroupArgs
            {
                Ids = new[]
                {
                    "string",
                },
            },
        },
        AppServerGroups = new[]
        {
            new Zpa.Inputs.PolicyAccessRuleV2AppServerGroupArgs
            {
                Ids = new[]
                {
                    "string",
                },
            },
        },
        Conditions = new[]
        {
            new Zpa.Inputs.PolicyAccessRuleV2ConditionArgs
            {
                Id = "string",
                Operands = new[]
                {
                    new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandArgs
                    {
                        EntryValues = new[]
                        {
                            new Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValueArgs
                            {
                                Lhs = "string",
                                Rhs = "string",
                            },
                        },
                        ObjectType = "string",
                        Values = new[]
                        {
                            "string",
                        },
                    },
                },
                Operator = "string",
            },
        },
        CustomMsg = "string",
        Description = "string",
        Name = "string",
        Operator = "string",
    });
    
    example, err := zpa.NewPolicyAccessRuleV2(ctx, "policyAccessRuleV2Resource", &zpa.PolicyAccessRuleV2Args{
    	Action: pulumi.String("string"),
    	AppConnectorGroups: zpa.PolicyAccessRuleV2AppConnectorGroupArray{
    		&zpa.PolicyAccessRuleV2AppConnectorGroupArgs{
    			Ids: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    	},
    	AppServerGroups: zpa.PolicyAccessRuleV2AppServerGroupArray{
    		&zpa.PolicyAccessRuleV2AppServerGroupArgs{
    			Ids: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    	},
    	Conditions: zpa.PolicyAccessRuleV2ConditionArray{
    		&zpa.PolicyAccessRuleV2ConditionArgs{
    			Id: pulumi.String("string"),
    			Operands: zpa.PolicyAccessRuleV2ConditionOperandArray{
    				&zpa.PolicyAccessRuleV2ConditionOperandArgs{
    					EntryValues: zpa.PolicyAccessRuleV2ConditionOperandEntryValueArray{
    						&zpa.PolicyAccessRuleV2ConditionOperandEntryValueArgs{
    							Lhs: pulumi.String("string"),
    							Rhs: pulumi.String("string"),
    						},
    					},
    					ObjectType: pulumi.String("string"),
    					Values: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    				},
    			},
    			Operator: pulumi.String("string"),
    		},
    	},
    	CustomMsg:   pulumi.String("string"),
    	Description: pulumi.String("string"),
    	Name:        pulumi.String("string"),
    	Operator:    pulumi.String("string"),
    })
    
    var policyAccessRuleV2Resource = new PolicyAccessRuleV2("policyAccessRuleV2Resource", PolicyAccessRuleV2Args.builder()
        .action("string")
        .appConnectorGroups(PolicyAccessRuleV2AppConnectorGroupArgs.builder()
            .ids("string")
            .build())
        .appServerGroups(PolicyAccessRuleV2AppServerGroupArgs.builder()
            .ids("string")
            .build())
        .conditions(PolicyAccessRuleV2ConditionArgs.builder()
            .id("string")
            .operands(PolicyAccessRuleV2ConditionOperandArgs.builder()
                .entryValues(PolicyAccessRuleV2ConditionOperandEntryValueArgs.builder()
                    .lhs("string")
                    .rhs("string")
                    .build())
                .objectType("string")
                .values("string")
                .build())
            .operator("string")
            .build())
        .customMsg("string")
        .description("string")
        .name("string")
        .operator("string")
        .build());
    
    policy_access_rule_v2_resource = zpa.PolicyAccessRuleV2("policyAccessRuleV2Resource",
        action="string",
        app_connector_groups=[{
            "ids": ["string"],
        }],
        app_server_groups=[{
            "ids": ["string"],
        }],
        conditions=[{
            "id": "string",
            "operands": [{
                "entry_values": [{
                    "lhs": "string",
                    "rhs": "string",
                }],
                "object_type": "string",
                "values": ["string"],
            }],
            "operator": "string",
        }],
        custom_msg="string",
        description="string",
        name="string",
        operator="string")
    
    const policyAccessRuleV2Resource = new zpa.PolicyAccessRuleV2("policyAccessRuleV2Resource", {
        action: "string",
        appConnectorGroups: [{
            ids: ["string"],
        }],
        appServerGroups: [{
            ids: ["string"],
        }],
        conditions: [{
            id: "string",
            operands: [{
                entryValues: [{
                    lhs: "string",
                    rhs: "string",
                }],
                objectType: "string",
                values: ["string"],
            }],
            operator: "string",
        }],
        customMsg: "string",
        description: "string",
        name: "string",
        operator: "string",
    });
    
    type: zpa:PolicyAccessRuleV2
    properties:
        action: string
        appConnectorGroups:
            - ids:
                - string
        appServerGroups:
            - ids:
                - string
        conditions:
            - id: string
              operands:
                - entryValues:
                    - lhs: string
                      rhs: string
                  objectType: string
                  values:
                    - string
              operator: string
        customMsg: string
        description: string
        name: string
        operator: string
    

    PolicyAccessRuleV2 Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The PolicyAccessRuleV2 resource accepts the following input properties:

    Action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    AppConnectorGroups List<Zscaler.Zpa.Inputs.PolicyAccessRuleV2AppConnectorGroup>
    List of app-connector IDs.
    AppServerGroups List<Zscaler.Zpa.Inputs.PolicyAccessRuleV2AppServerGroup>
    List of the server group IDs.
    Conditions List<Zscaler.Zpa.Inputs.PolicyAccessRuleV2Condition>
    This is for proviidng the set of conditions for the policy.
    CustomMsg string
    This is for providing a customer message for the user.
    Description string
    This is the description of the access policy rule.
    Name string
    This is the name of the policy rule.
    Operator string
    Action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    AppConnectorGroups []PolicyAccessRuleV2AppConnectorGroupArgs
    List of app-connector IDs.
    AppServerGroups []PolicyAccessRuleV2AppServerGroupArgs
    List of the server group IDs.
    Conditions []PolicyAccessRuleV2ConditionArgs
    This is for proviidng the set of conditions for the policy.
    CustomMsg string
    This is for providing a customer message for the user.
    Description string
    This is the description of the access policy rule.
    Name string
    This is the name of the policy rule.
    Operator string
    action String
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    appConnectorGroups List<PolicyAccessRuleV2AppConnectorGroup>
    List of app-connector IDs.
    appServerGroups List<PolicyAccessRuleV2AppServerGroup>
    List of the server group IDs.
    conditions List<PolicyAccessRuleV2Condition>
    This is for proviidng the set of conditions for the policy.
    customMsg String
    This is for providing a customer message for the user.
    description String
    This is the description of the access policy rule.
    name String
    This is the name of the policy rule.
    operator String
    action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    appConnectorGroups PolicyAccessRuleV2AppConnectorGroup[]
    List of app-connector IDs.
    appServerGroups PolicyAccessRuleV2AppServerGroup[]
    List of the server group IDs.
    conditions PolicyAccessRuleV2Condition[]
    This is for proviidng the set of conditions for the policy.
    customMsg string
    This is for providing a customer message for the user.
    description string
    This is the description of the access policy rule.
    name string
    This is the name of the policy rule.
    operator string
    action str
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    app_connector_groups Sequence[PolicyAccessRuleV2AppConnectorGroupArgs]
    List of app-connector IDs.
    app_server_groups Sequence[PolicyAccessRuleV2AppServerGroupArgs]
    List of the server group IDs.
    conditions Sequence[PolicyAccessRuleV2ConditionArgs]
    This is for proviidng the set of conditions for the policy.
    custom_msg str
    This is for providing a customer message for the user.
    description str
    This is the description of the access policy rule.
    name str
    This is the name of the policy rule.
    operator str
    action String
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    appConnectorGroups List<Property Map>
    List of app-connector IDs.
    appServerGroups List<Property Map>
    List of the server group IDs.
    conditions List<Property Map>
    This is for proviidng the set of conditions for the policy.
    customMsg String
    This is for providing a customer message for the user.
    description String
    This is the description of the access policy rule.
    name String
    This is the name of the policy rule.
    operator String

    Outputs

    All input properties are implicitly available as output properties. Additionally, the PolicyAccessRuleV2 resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    PolicySetId string
    Id string
    The provider-assigned unique ID for this managed resource.
    PolicySetId string
    id String
    The provider-assigned unique ID for this managed resource.
    policySetId String
    id string
    The provider-assigned unique ID for this managed resource.
    policySetId string
    id str
    The provider-assigned unique ID for this managed resource.
    policy_set_id str
    id String
    The provider-assigned unique ID for this managed resource.
    policySetId String

    Look up Existing PolicyAccessRuleV2 Resource

    Get an existing PolicyAccessRuleV2 resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PolicyAccessRuleV2State, opts?: CustomResourceOptions): PolicyAccessRuleV2
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            action: Optional[str] = None,
            app_connector_groups: Optional[Sequence[PolicyAccessRuleV2AppConnectorGroupArgs]] = None,
            app_server_groups: Optional[Sequence[PolicyAccessRuleV2AppServerGroupArgs]] = None,
            conditions: Optional[Sequence[PolicyAccessRuleV2ConditionArgs]] = None,
            custom_msg: Optional[str] = None,
            description: Optional[str] = None,
            name: Optional[str] = None,
            operator: Optional[str] = None,
            policy_set_id: Optional[str] = None) -> PolicyAccessRuleV2
    func GetPolicyAccessRuleV2(ctx *Context, name string, id IDInput, state *PolicyAccessRuleV2State, opts ...ResourceOption) (*PolicyAccessRuleV2, error)
    public static PolicyAccessRuleV2 Get(string name, Input<string> id, PolicyAccessRuleV2State? state, CustomResourceOptions? opts = null)
    public static PolicyAccessRuleV2 get(String name, Output<String> id, PolicyAccessRuleV2State state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    AppConnectorGroups List<Zscaler.Zpa.Inputs.PolicyAccessRuleV2AppConnectorGroup>
    List of app-connector IDs.
    AppServerGroups List<Zscaler.Zpa.Inputs.PolicyAccessRuleV2AppServerGroup>
    List of the server group IDs.
    Conditions List<Zscaler.Zpa.Inputs.PolicyAccessRuleV2Condition>
    This is for proviidng the set of conditions for the policy.
    CustomMsg string
    This is for providing a customer message for the user.
    Description string
    This is the description of the access policy rule.
    Name string
    This is the name of the policy rule.
    Operator string
    PolicySetId string
    Action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    AppConnectorGroups []PolicyAccessRuleV2AppConnectorGroupArgs
    List of app-connector IDs.
    AppServerGroups []PolicyAccessRuleV2AppServerGroupArgs
    List of the server group IDs.
    Conditions []PolicyAccessRuleV2ConditionArgs
    This is for proviidng the set of conditions for the policy.
    CustomMsg string
    This is for providing a customer message for the user.
    Description string
    This is the description of the access policy rule.
    Name string
    This is the name of the policy rule.
    Operator string
    PolicySetId string
    action String
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    appConnectorGroups List<PolicyAccessRuleV2AppConnectorGroup>
    List of app-connector IDs.
    appServerGroups List<PolicyAccessRuleV2AppServerGroup>
    List of the server group IDs.
    conditions List<PolicyAccessRuleV2Condition>
    This is for proviidng the set of conditions for the policy.
    customMsg String
    This is for providing a customer message for the user.
    description String
    This is the description of the access policy rule.
    name String
    This is the name of the policy rule.
    operator String
    policySetId String
    action string
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    appConnectorGroups PolicyAccessRuleV2AppConnectorGroup[]
    List of app-connector IDs.
    appServerGroups PolicyAccessRuleV2AppServerGroup[]
    List of the server group IDs.
    conditions PolicyAccessRuleV2Condition[]
    This is for proviidng the set of conditions for the policy.
    customMsg string
    This is for providing a customer message for the user.
    description string
    This is the description of the access policy rule.
    name string
    This is the name of the policy rule.
    operator string
    policySetId string
    action str
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    app_connector_groups Sequence[PolicyAccessRuleV2AppConnectorGroupArgs]
    List of app-connector IDs.
    app_server_groups Sequence[PolicyAccessRuleV2AppServerGroupArgs]
    List of the server group IDs.
    conditions Sequence[PolicyAccessRuleV2ConditionArgs]
    This is for proviidng the set of conditions for the policy.
    custom_msg str
    This is for providing a customer message for the user.
    description str
    This is the description of the access policy rule.
    name str
    This is the name of the policy rule.
    operator str
    policy_set_id str
    action String
    This is for providing the rule action. Supported values: ALLOW, DENY, and REQUIRE_APPROVAL
    appConnectorGroups List<Property Map>
    List of app-connector IDs.
    appServerGroups List<Property Map>
    List of the server group IDs.
    conditions List<Property Map>
    This is for proviidng the set of conditions for the policy.
    customMsg String
    This is for providing a customer message for the user.
    description String
    This is the description of the access policy rule.
    name String
    This is the name of the policy rule.
    operator String
    policySetId String

    Supporting Types

    PolicyAccessRuleV2AppConnectorGroup, PolicyAccessRuleV2AppConnectorGroupArgs

    Ids List<string>
    Ids []string
    ids List<String>
    ids string[]
    ids Sequence[str]
    ids List<String>

    PolicyAccessRuleV2AppServerGroup, PolicyAccessRuleV2AppServerGroupArgs

    Ids List<string>
    Ids []string
    ids List<String>
    ids string[]
    ids Sequence[str]
    ids List<String>

    PolicyAccessRuleV2Condition, PolicyAccessRuleV2ConditionArgs

    Id string
    Operands List<Zscaler.Zpa.Inputs.PolicyAccessRuleV2ConditionOperand>
    This signifies the various policy criteria.
    Operator string
    Id string
    Operands []PolicyAccessRuleV2ConditionOperand
    This signifies the various policy criteria.
    Operator string
    id String
    operands List<PolicyAccessRuleV2ConditionOperand>
    This signifies the various policy criteria.
    operator String
    id string
    operands PolicyAccessRuleV2ConditionOperand[]
    This signifies the various policy criteria.
    operator string
    id str
    operands Sequence[PolicyAccessRuleV2ConditionOperand]
    This signifies the various policy criteria.
    operator str
    id String
    operands List<Property Map>
    This signifies the various policy criteria.
    operator String

    PolicyAccessRuleV2ConditionOperand, PolicyAccessRuleV2ConditionOperandArgs

    EntryValues List<Zscaler.Zpa.Inputs.PolicyAccessRuleV2ConditionOperandEntryValue>
    ObjectType string
    This is for specifying the policy critiera.
    Values List<string>
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
    EntryValues []PolicyAccessRuleV2ConditionOperandEntryValue
    ObjectType string
    This is for specifying the policy critiera.
    Values []string
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
    entryValues List<PolicyAccessRuleV2ConditionOperandEntryValue>
    objectType String
    This is for specifying the policy critiera.
    values List<String>
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
    entryValues PolicyAccessRuleV2ConditionOperandEntryValue[]
    objectType string
    This is for specifying the policy critiera.
    values string[]
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
    entry_values Sequence[PolicyAccessRuleV2ConditionOperandEntryValue]
    object_type str
    This is for specifying the policy critiera.
    values Sequence[str]
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
    entryValues List<Property Map>
    objectType String
    This is for specifying the policy critiera.
    values List<String>
    This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored

    PolicyAccessRuleV2ConditionOperandEntryValue, PolicyAccessRuleV2ConditionOperandEntryValueArgs

    Lhs string
    Rhs string
    Lhs string
    Rhs string
    lhs String
    rhs String
    lhs string
    rhs string
    lhs str
    rhs str
    lhs String
    rhs String

    Import

    Zscaler offers a dedicated tool called Zscaler-Terraformer to allow the automated import of ZPA configurations into Terraform-compliant HashiCorp Configuration Language.

    Visit

    Policy access rule can be imported by using <RULE ID> as the import ID.

    For example:

    $ pulumi import zpa:index/policyAccessRuleV2:PolicyAccessRuleV2 example <rule_id>
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    zpa zscaler/pulumi-zpa
    License
    MIT
    Notes
    This Pulumi package is based on the zpa Terraform Provider.
    zpa logo
    Zscaler Private Access v0.0.12 published on Tuesday, Jul 30, 2024 by Zscaler