CloudAppControlRule

Zscaler Internet Access v1.2.0, Feb 20 26

Zscaler Internet Access v1.2.0 published on Friday, Feb 20, 2026 by Zscaler

Schema (JSON)

zscaler/pulumi-zia

Zscaler Internet Access v1.2.0 published on Friday, Feb 20, 2026 by Zscaler

Schema (JSON)

zscaler/pulumi-zia

Example Usage

Using Data Source For Actions (Recommended)

# Get valid actions for the applications
data "zia_cloud_app_control_rule_actions" "webmail_actions" {
  type       = "WEBMAIL"
  cloud_apps = ["GOOGLE_WEBMAIL", "YAHOO_WEBMAIL"]
}

resource "zia_cloud_app_control_rule" "webmail_rule" {
  name                = "WebMail Control Rule"
  description         = "Control webmail access"
  order               = 1
  rank                = 7
  state               = "ENABLED"
  type                = "WEBMAIL"

  # Use data source to get valid actions
  actions             = data.zia_cloud_app_control_rule_actions.webmail_actions.available_actions_without_isolate

  applications        = ["GOOGLE_WEBMAIL", "YAHOO_WEBMAIL"]
  device_trust_levels = ["UNKNOWN_DEVICETRUSTLEVEL", "LOW_TRUST", "MEDIUM_TRUST", "HIGH_TRUST"]
  user_agent_types    = ["OPERA", "FIREFOX", "MSIE", "MSEDGE", "CHROME", "SAFARI", "MSCHREDGE"]
}

AI/ML Application Control

data "zia_cloud_app_control_rule_actions" "ai_actions" {
  type       = "AI_ML"
  cloud_apps = ["CHATGPT_AI"]
}

resource "zia_cloud_app_control_rule" "ai_control" {
  name         = "ChatGPT Controls"
  description  = "Control ChatGPT usage"
  order        = 1
  rank         = 7
  state        = "ENABLED"
  type         = "AI_ML"

  # Automatically gets all valid actions except ISOLATE
  actions      = data.zia_cloud_app_control_rule_actions.ai_actions.available_actions_without_isolate

  applications = ["CHATGPT_AI"]
}

data "zia_cloud_app_control_rule_actions" "file_share_actions" {
  type       = "FILE_SHARE"
  cloud_apps = ["DROPBOX", "ONEDRIVE"]
}

resource "zia_cloud_app_control_rule" "file_sharing" {
  name         = "File Sharing Controls"
  description  = "Control file sharing operations"
  order        = 1
  rank         = 7
  state        = "ENABLED"
  type         = "FILE_SHARE"

  # Returns only actions supported by both Dropbox and OneDrive
  actions      = data.zia_cloud_app_control_rule_actions.file_share_actions.available_actions_without_isolate

  applications = ["DROPBOX", "ONEDRIVE"]
}

Cloud Browser Isolation (ISOLATE Actions)

ISOLATE actions require Cloud Browser Isolation subscription and must be used alone (cannot mix with other actions):

data "zia_cloud_app_control_rule_actions" "chatgpt_isolate" {
  type       = "AI_ML"
  cloud_apps = ["CHATGPT_AI"]
}

data "zia_cloud_browser_isolation_profile" "cbi_profile" {
  name = "My-CBI-Profile"
}

resource "zia_cloud_app_control_rule" "isolate_chatgpt" {
  name         = "ChatGPT Isolation"
  description  = "Isolate ChatGPT using Cloud Browser Isolation"
  order        = 1
  rank         = 7
  state        = "ENABLED"
  type         = "AI_ML"

  # Use isolate_actions for CBI rules
  actions      = data.zia_cloud_app_control_rule_actions.chatgpt_isolate.isolate_actions

  applications = ["CHATGPT_AI"]

  # Required for ISOLATE actions
  cbi_profile {
    id   = data.zia_cloud_browser_isolation_profile.cbi_profile.id
    name = data.zia_cloud_browser_isolation_profile.cbi_profile.name
    url  = data.zia_cloud_browser_isolation_profile.cbi_profile.url
  }
}

Filtered Actions (ALLOW Only)

data "zia_cloud_app_control_rule_actions" "slack_allow" {
  type            = "ENTERPRISE_COLLABORATION"
  cloud_apps      = ["SLACK"]
  action_prefixes = ["ALLOW"]  # Only permissive actions
}

resource "zia_cloud_app_control_rule" "slack_allow_only" {
  name         = "Slack Allow Only"
  description  = "Allow specific Slack operations"
  order        = 1
  rank         = 7
  state        = "ENABLED"
  type         = "ENTERPRISE_COLLABORATION"

  # Only ALLOW_ actions
  actions      = data.zia_cloud_app_control_rule_actions.slack_allow.filtered_actions

  applications = ["SLACK"]
}

With Time Validity

data "zia_cloud_app_control_rule_actions" "social_media_actions" {
  type       = "SOCIAL_NETWORKING"
  cloud_apps = ["FACEBOOK"]
}

resource "zia_cloud_app_control_rule" "social_media_time_restricted" {
  name                  = "Social Media Time Restricted"
  description           = "Allow social media only during specified hours"
  order                 = 1
  rank                  = 7
  state                 = "ENABLED"
  type                  = "SOCIAL_NETWORKING"
  actions               = data.zia_cloud_app_control_rule_actions.social_media_actions.available_actions_without_isolate
  applications          = ["FACEBOOK"]

  enforce_time_validity = true
  validity_start_time   = "Mon, 17 Jun 2024 23:30:00 UTC"
  validity_end_time     = "Tue, 17 Jun 2025 23:00:00 UTC"
  validity_time_zone_id = "US/Pacific"

  time_quota            = 15
  size_quota            = 10
  device_trust_levels   = ["UNKNOWN_DEVICETRUSTLEVEL", "LOW_TRUST", "MEDIUM_TRUST", "HIGH_TRUST"]
}

Create CloudAppControlRule Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new CloudAppControlRule(name: string, args: CloudAppControlRuleArgs, opts?: CustomResourceOptions);

@overload
def CloudAppControlRule(resource_name: str,
                        args: CloudAppControlRuleArgs,
                        opts: Optional[ResourceOptions] = None)

@overload
def CloudAppControlRule(resource_name: str,
                        opts: Optional[ResourceOptions] = None,
                        order: Optional[int] = None,
                        labels: Optional[CloudAppControlRuleLabelsArgs] = None,
                        locations: Optional[CloudAppControlRuleLocationsArgs] = None,
                        cascading_enabled: Optional[bool] = None,
                        cbi_profiles: Optional[Sequence[CloudAppControlRuleCbiProfileArgs]] = None,
                        cloud_app_instances: Optional[CloudAppControlRuleCloudAppInstancesArgs] = None,
                        cloud_app_risk_profiles: Optional[Sequence[CloudAppControlRuleCloudAppRiskProfileArgs]] = None,
                        departments: Optional[CloudAppControlRuleDepartmentsArgs] = None,
                        description: Optional[str] = None,
                        device_groups: Optional[CloudAppControlRuleDeviceGroupsArgs] = None,
                        device_trust_levels: Optional[Sequence[str]] = None,
                        devices: Optional[CloudAppControlRuleDevicesArgs] = None,
                        enforce_time_validity: Optional[bool] = None,
                        eun_enabled: Optional[bool] = None,
                        eun_template_id: Optional[int] = None,
                        groups: Optional[CloudAppControlRuleGroupsArgs] = None,
                        actions: Optional[Sequence[str]] = None,
                        browser_eun_template_id: Optional[int] = None,
                        name: Optional[str] = None,
                        location_groups: Optional[CloudAppControlRuleLocationGroupsArgs] = None,
                        applications: Optional[Sequence[str]] = None,
                        rank: Optional[int] = None,
                        size_quota: Optional[int] = None,
                        state: Optional[str] = None,
                        tenancy_profile_ids: Optional[CloudAppControlRuleTenancyProfileIdsArgs] = None,
                        time_quota: Optional[int] = None,
                        time_windows: Optional[CloudAppControlRuleTimeWindowsArgs] = None,
                        type: Optional[str] = None,
                        user_agent_types: Optional[Sequence[str]] = None,
                        user_risk_score_levels: Optional[Sequence[str]] = None,
                        users: Optional[CloudAppControlRuleUsersArgs] = None,
                        validity_end_time: Optional[str] = None,
                        validity_start_time: Optional[str] = None,
                        validity_time_zone_id: Optional[str] = None)

func NewCloudAppControlRule(ctx *Context, name string, args CloudAppControlRuleArgs, opts ...ResourceOption) (*CloudAppControlRule, error)

public CloudAppControlRule(string name, CloudAppControlRuleArgs args, CustomResourceOptions? opts = null)

public CloudAppControlRule(String name, CloudAppControlRuleArgs args)
public CloudAppControlRule(String name, CloudAppControlRuleArgs args, CustomResourceOptions options)

type: zia:CloudAppControlRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args CloudAppControlRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args CloudAppControlRuleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args CloudAppControlRuleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CloudAppControlRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args CloudAppControlRuleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var cloudAppControlRuleResource = new Zia.CloudAppControlRule("cloudAppControlRuleResource", new()
{
    Order = 0,
    Labels = new Zia.Inputs.CloudAppControlRuleLabelsArgs
    {
        Ids = new[]
        {
            0,
        },
    },
    Locations = new Zia.Inputs.CloudAppControlRuleLocationsArgs
    {
        Ids = new[]
        {
            0,
        },
    },
    CascadingEnabled = false,
    CbiProfiles = new[]
    {
        new Zia.Inputs.CloudAppControlRuleCbiProfileArgs
        {
            Id = "string",
            Name = "string",
            Url = "string",
        },
    },
    CloudAppInstances = new Zia.Inputs.CloudAppControlRuleCloudAppInstancesArgs
    {
        Ids = new[]
        {
            0,
        },
    },
    CloudAppRiskProfiles = new[]
    {
        new Zia.Inputs.CloudAppControlRuleCloudAppRiskProfileArgs
        {
            Id = 0,
        },
    },
    Departments = new Zia.Inputs.CloudAppControlRuleDepartmentsArgs
    {
        Ids = new[]
        {
            0,
        },
    },
    Description = "string",
    DeviceGroups = new Zia.Inputs.CloudAppControlRuleDeviceGroupsArgs
    {
        Ids = new[]
        {
            0,
        },
    },
    DeviceTrustLevels = new[]
    {
        "string",
    },
    Devices = new Zia.Inputs.CloudAppControlRuleDevicesArgs
    {
        Ids = new[]
        {
            0,
        },
    },
    EnforceTimeValidity = false,
    EunEnabled = false,
    EunTemplateId = 0,
    Groups = new Zia.Inputs.CloudAppControlRuleGroupsArgs
    {
        Ids = new[]
        {
            0,
        },
    },
    Actions = new[]
    {
        "string",
    },
    BrowserEunTemplateId = 0,
    Name = "string",
    LocationGroups = new Zia.Inputs.CloudAppControlRuleLocationGroupsArgs
    {
        Ids = new[]
        {
            0,
        },
    },
    Applications = new[]
    {
        "string",
    },
    Rank = 0,
    SizeQuota = 0,
    State = "string",
    TenancyProfileIds = new Zia.Inputs.CloudAppControlRuleTenancyProfileIdsArgs
    {
        Ids = new[]
        {
            0,
        },
    },
    TimeQuota = 0,
    TimeWindows = new Zia.Inputs.CloudAppControlRuleTimeWindowsArgs
    {
        Ids = new[]
        {
            0,
        },
    },
    Type = "string",
    UserAgentTypes = new[]
    {
        "string",
    },
    UserRiskScoreLevels = new[]
    {
        "string",
    },
    Users = new Zia.Inputs.CloudAppControlRuleUsersArgs
    {
        Ids = new[]
        {
            0,
        },
    },
    ValidityEndTime = "string",
    ValidityStartTime = "string",
    ValidityTimeZoneId = "string",
});

example, err := zia.NewCloudAppControlRule(ctx, "cloudAppControlRuleResource", &zia.CloudAppControlRuleArgs{
	Order: pulumi.Int(0),
	Labels: &zia.CloudAppControlRuleLabelsArgs{
		Ids: pulumi.IntArray{
			pulumi.Int(0),
		},
	},
	Locations: &zia.CloudAppControlRuleLocationsArgs{
		Ids: pulumi.IntArray{
			pulumi.Int(0),
		},
	},
	CascadingEnabled: pulumi.Bool(false),
	CbiProfiles: zia.CloudAppControlRuleCbiProfileArray{
		&zia.CloudAppControlRuleCbiProfileArgs{
			Id:   pulumi.String("string"),
			Name: pulumi.String("string"),
			Url:  pulumi.String("string"),
		},
	},
	CloudAppInstances: &zia.CloudAppControlRuleCloudAppInstancesArgs{
		Ids: pulumi.IntArray{
			pulumi.Int(0),
		},
	},
	CloudAppRiskProfiles: zia.CloudAppControlRuleCloudAppRiskProfileArray{
		&zia.CloudAppControlRuleCloudAppRiskProfileArgs{
			Id: pulumi.Int(0),
		},
	},
	Departments: &zia.CloudAppControlRuleDepartmentsArgs{
		Ids: pulumi.IntArray{
			pulumi.Int(0),
		},
	},
	Description: pulumi.String("string"),
	DeviceGroups: &zia.CloudAppControlRuleDeviceGroupsArgs{
		Ids: pulumi.IntArray{
			pulumi.Int(0),
		},
	},
	DeviceTrustLevels: pulumi.StringArray{
		pulumi.String("string"),
	},
	Devices: &zia.CloudAppControlRuleDevicesArgs{
		Ids: pulumi.IntArray{
			pulumi.Int(0),
		},
	},
	EnforceTimeValidity: pulumi.Bool(false),
	EunEnabled:          pulumi.Bool(false),
	EunTemplateId:       pulumi.Int(0),
	Groups: &zia.CloudAppControlRuleGroupsArgs{
		Ids: pulumi.IntArray{
			pulumi.Int(0),
		},
	},
	Actions: pulumi.StringArray{
		pulumi.String("string"),
	},
	BrowserEunTemplateId: pulumi.Int(0),
	Name:                 pulumi.String("string"),
	LocationGroups: &zia.CloudAppControlRuleLocationGroupsArgs{
		Ids: pulumi.IntArray{
			pulumi.Int(0),
		},
	},
	Applications: pulumi.StringArray{
		pulumi.String("string"),
	},
	Rank:      pulumi.Int(0),
	SizeQuota: pulumi.Int(0),
	State:     pulumi.String("string"),
	TenancyProfileIds: &zia.CloudAppControlRuleTenancyProfileIdsArgs{
		Ids: pulumi.IntArray{
			pulumi.Int(0),
		},
	},
	TimeQuota: pulumi.Int(0),
	TimeWindows: &zia.CloudAppControlRuleTimeWindowsArgs{
		Ids: pulumi.IntArray{
			pulumi.Int(0),
		},
	},
	Type: pulumi.String("string"),
	UserAgentTypes: pulumi.StringArray{
		pulumi.String("string"),
	},
	UserRiskScoreLevels: pulumi.StringArray{
		pulumi.String("string"),
	},
	Users: &zia.CloudAppControlRuleUsersArgs{
		Ids: pulumi.IntArray{
			pulumi.Int(0),
		},
	},
	ValidityEndTime:    pulumi.String("string"),
	ValidityStartTime:  pulumi.String("string"),
	ValidityTimeZoneId: pulumi.String("string"),
})

var cloudAppControlRuleResource = new CloudAppControlRule("cloudAppControlRuleResource", CloudAppControlRuleArgs.builder()
    .order(0)
    .labels(CloudAppControlRuleLabelsArgs.builder()
        .ids(0)
        .build())
    .locations(CloudAppControlRuleLocationsArgs.builder()
        .ids(0)
        .build())
    .cascadingEnabled(false)
    .cbiProfiles(CloudAppControlRuleCbiProfileArgs.builder()
        .id("string")
        .name("string")
        .url("string")
        .build())
    .cloudAppInstances(CloudAppControlRuleCloudAppInstancesArgs.builder()
        .ids(0)
        .build())
    .cloudAppRiskProfiles(CloudAppControlRuleCloudAppRiskProfileArgs.builder()
        .id(0)
        .build())
    .departments(CloudAppControlRuleDepartmentsArgs.builder()
        .ids(0)
        .build())
    .description("string")
    .deviceGroups(CloudAppControlRuleDeviceGroupsArgs.builder()
        .ids(0)
        .build())
    .deviceTrustLevels("string")
    .devices(CloudAppControlRuleDevicesArgs.builder()
        .ids(0)
        .build())
    .enforceTimeValidity(false)
    .eunEnabled(false)
    .eunTemplateId(0)
    .groups(CloudAppControlRuleGroupsArgs.builder()
        .ids(0)
        .build())
    .actions("string")
    .browserEunTemplateId(0)
    .name("string")
    .locationGroups(CloudAppControlRuleLocationGroupsArgs.builder()
        .ids(0)
        .build())
    .applications("string")
    .rank(0)
    .sizeQuota(0)
    .state("string")
    .tenancyProfileIds(CloudAppControlRuleTenancyProfileIdsArgs.builder()
        .ids(0)
        .build())
    .timeQuota(0)
    .timeWindows(CloudAppControlRuleTimeWindowsArgs.builder()
        .ids(0)
        .build())
    .type("string")
    .userAgentTypes("string")
    .userRiskScoreLevels("string")
    .users(CloudAppControlRuleUsersArgs.builder()
        .ids(0)
        .build())
    .validityEndTime("string")
    .validityStartTime("string")
    .validityTimeZoneId("string")
    .build());

cloud_app_control_rule_resource = zia.CloudAppControlRule("cloudAppControlRuleResource",
    order=0,
    labels={
        "ids": [0],
    },
    locations={
        "ids": [0],
    },
    cascading_enabled=False,
    cbi_profiles=[{
        "id": "string",
        "name": "string",
        "url": "string",
    }],
    cloud_app_instances={
        "ids": [0],
    },
    cloud_app_risk_profiles=[{
        "id": 0,
    }],
    departments={
        "ids": [0],
    },
    description="string",
    device_groups={
        "ids": [0],
    },
    device_trust_levels=["string"],
    devices={
        "ids": [0],
    },
    enforce_time_validity=False,
    eun_enabled=False,
    eun_template_id=0,
    groups={
        "ids": [0],
    },
    actions=["string"],
    browser_eun_template_id=0,
    name="string",
    location_groups={
        "ids": [0],
    },
    applications=["string"],
    rank=0,
    size_quota=0,
    state="string",
    tenancy_profile_ids={
        "ids": [0],
    },
    time_quota=0,
    time_windows={
        "ids": [0],
    },
    type="string",
    user_agent_types=["string"],
    user_risk_score_levels=["string"],
    users={
        "ids": [0],
    },
    validity_end_time="string",
    validity_start_time="string",
    validity_time_zone_id="string")

const cloudAppControlRuleResource = new zia.CloudAppControlRule("cloudAppControlRuleResource", {
    order: 0,
    labels: {
        ids: [0],
    },
    locations: {
        ids: [0],
    },
    cascadingEnabled: false,
    cbiProfiles: [{
        id: "string",
        name: "string",
        url: "string",
    }],
    cloudAppInstances: {
        ids: [0],
    },
    cloudAppRiskProfiles: [{
        id: 0,
    }],
    departments: {
        ids: [0],
    },
    description: "string",
    deviceGroups: {
        ids: [0],
    },
    deviceTrustLevels: ["string"],
    devices: {
        ids: [0],
    },
    enforceTimeValidity: false,
    eunEnabled: false,
    eunTemplateId: 0,
    groups: {
        ids: [0],
    },
    actions: ["string"],
    browserEunTemplateId: 0,
    name: "string",
    locationGroups: {
        ids: [0],
    },
    applications: ["string"],
    rank: 0,
    sizeQuota: 0,
    state: "string",
    tenancyProfileIds: {
        ids: [0],
    },
    timeQuota: 0,
    timeWindows: {
        ids: [0],
    },
    type: "string",
    userAgentTypes: ["string"],
    userRiskScoreLevels: ["string"],
    users: {
        ids: [0],
    },
    validityEndTime: "string",
    validityStartTime: "string",
    validityTimeZoneId: "string",
});

type: zia:CloudAppControlRule
properties:
    actions:
        - string
    applications:
        - string
    browserEunTemplateId: 0
    cascadingEnabled: false
    cbiProfiles:
        - id: string
          name: string
          url: string
    cloudAppInstances:
        ids:
            - 0
    cloudAppRiskProfiles:
        - id: 0
    departments:
        ids:
            - 0
    description: string
    deviceGroups:
        ids:
            - 0
    deviceTrustLevels:
        - string
    devices:
        ids:
            - 0
    enforceTimeValidity: false
    eunEnabled: false
    eunTemplateId: 0
    groups:
        ids:
            - 0
    labels:
        ids:
            - 0
    locationGroups:
        ids:
            - 0
    locations:
        ids:
            - 0
    name: string
    order: 0
    rank: 0
    sizeQuota: 0
    state: string
    tenancyProfileIds:
        ids:
            - 0
    timeQuota: 0
    timeWindows:
        ids:
            - 0
    type: string
    userAgentTypes:
        - string
    userRiskScoreLevels:
        - string
    users:
        ids:
            - 0
    validityEndTime: string
    validityStartTime: string
    validityTimeZoneId: string

CloudAppControlRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The CloudAppControlRule resource accepts the following input properties:

Order int: The order of execution for the forwarding rule order
Actions List<string>: Actions allowed for the specified type.
Applications List<string>: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
BrowserEunTemplateId int
CascadingEnabled bool: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
CbiProfiles List<zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleCbiProfile>
CloudAppInstances zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleCloudAppInstances: The cloud application instance ID.
CloudAppRiskProfiles List<zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleCloudAppRiskProfile>: The DLP server, using ICAP, to which the transaction content is forwarded.
Departments zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleDepartments: Name-ID pairs of departments for which rule must be applied
Description string: Additional information about the forwarding rule
DeviceGroups zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleDeviceGroups: This field is applicable for devices that are managed using Zscaler Client Connector.
DeviceTrustLevels List<string>: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
Devices zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleDevices: Name-ID pairs of devices for which rule must be applied.
EnforceTimeValidity bool: Enforce a set a validity time period for the URL Filtering rule.
EunEnabled bool
EunTemplateId int
Groups zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleGroups: Name-ID pairs of groups for which rule must be applied
Labels zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleLabels: The URL Filtering rule's label.
LocationGroups zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleLocationGroups: Name-ID pairs of the location groups to which the rule must be applied.
Locations zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleLocations: Name-ID pairs of locations for which rule must be applied
Name string: The name of the forwarding rule
Rank int: Admin rank assigned to the forwarding rule
SizeQuota int: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
State string: Determines whether the Firewall Filtering policy rule is enabled or disabled
TenancyProfileIds zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleTenancyProfileIds: Name-ID pairs of groups for which rule must be applied
TimeQuota int: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
TimeWindows zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleTimeWindows: Name-ID pairs of time interval during which rule must be enforced.
Type string: Supported App Control Types
UserAgentTypes List<string>: Supported User Agent Types
UserRiskScoreLevels List<string>
Users zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleUsers: Name-ID pairs of users for which rule must be applied
ValidityEndTime string: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
ValidityStartTime string: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
ValidityTimeZoneId string: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

Order int: The order of execution for the forwarding rule order
Actions []string: Actions allowed for the specified type.
Applications []string: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
BrowserEunTemplateId int
CascadingEnabled bool: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
CbiProfiles []CloudAppControlRuleCbiProfileArgs
CloudAppInstances CloudAppControlRuleCloudAppInstancesArgs: The cloud application instance ID.
CloudAppRiskProfiles []CloudAppControlRuleCloudAppRiskProfileArgs: The DLP server, using ICAP, to which the transaction content is forwarded.
Departments CloudAppControlRuleDepartmentsArgs: Name-ID pairs of departments for which rule must be applied
Description string: Additional information about the forwarding rule
DeviceGroups CloudAppControlRuleDeviceGroupsArgs: This field is applicable for devices that are managed using Zscaler Client Connector.
DeviceTrustLevels []string: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
Devices CloudAppControlRuleDevicesArgs: Name-ID pairs of devices for which rule must be applied.
EnforceTimeValidity bool: Enforce a set a validity time period for the URL Filtering rule.
EunEnabled bool
EunTemplateId int
Groups CloudAppControlRuleGroupsArgs: Name-ID pairs of groups for which rule must be applied
Labels CloudAppControlRuleLabelsArgs: The URL Filtering rule's label.
LocationGroups CloudAppControlRuleLocationGroupsArgs: Name-ID pairs of the location groups to which the rule must be applied.
Locations CloudAppControlRuleLocationsArgs: Name-ID pairs of locations for which rule must be applied
Name string: The name of the forwarding rule
Rank int: Admin rank assigned to the forwarding rule
SizeQuota int: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
State string: Determines whether the Firewall Filtering policy rule is enabled or disabled
TenancyProfileIds CloudAppControlRuleTenancyProfileIdsArgs: Name-ID pairs of groups for which rule must be applied
TimeQuota int: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
TimeWindows CloudAppControlRuleTimeWindowsArgs: Name-ID pairs of time interval during which rule must be enforced.
Type string: Supported App Control Types
UserAgentTypes []string: Supported User Agent Types
UserRiskScoreLevels []string
Users CloudAppControlRuleUsersArgs: Name-ID pairs of users for which rule must be applied
ValidityEndTime string: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
ValidityStartTime string: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
ValidityTimeZoneId string: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

order Integer: The order of execution for the forwarding rule order
actions List<String>: Actions allowed for the specified type.
applications List<String>: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
browserEunTemplateId Integer
cascadingEnabled Boolean: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
cbiProfiles List<CloudAppControlRuleCbiProfile>
cloudAppInstances CloudAppControlRuleCloudAppInstances: The cloud application instance ID.
cloudAppRiskProfiles List<CloudAppControlRuleCloudAppRiskProfile>: The DLP server, using ICAP, to which the transaction content is forwarded.
departments CloudAppControlRuleDepartments: Name-ID pairs of departments for which rule must be applied
description String: Additional information about the forwarding rule
deviceGroups CloudAppControlRuleDeviceGroups: This field is applicable for devices that are managed using Zscaler Client Connector.
deviceTrustLevels List<String>: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
devices CloudAppControlRuleDevices: Name-ID pairs of devices for which rule must be applied.
enforceTimeValidity Boolean: Enforce a set a validity time period for the URL Filtering rule.
eunEnabled Boolean
eunTemplateId Integer
groups CloudAppControlRuleGroups: Name-ID pairs of groups for which rule must be applied
labels CloudAppControlRuleLabels: The URL Filtering rule's label.
locationGroups CloudAppControlRuleLocationGroups: Name-ID pairs of the location groups to which the rule must be applied.
locations CloudAppControlRuleLocations: Name-ID pairs of locations for which rule must be applied
name String: The name of the forwarding rule
rank Integer: Admin rank assigned to the forwarding rule
sizeQuota Integer: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
state String: Determines whether the Firewall Filtering policy rule is enabled or disabled
tenancyProfileIds CloudAppControlRuleTenancyProfileIds: Name-ID pairs of groups for which rule must be applied
timeQuota Integer: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
timeWindows CloudAppControlRuleTimeWindows: Name-ID pairs of time interval during which rule must be enforced.
type String: Supported App Control Types
userAgentTypes List<String>: Supported User Agent Types
userRiskScoreLevels List<String>
users CloudAppControlRuleUsers: Name-ID pairs of users for which rule must be applied
validityEndTime String: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
validityStartTime String: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
validityTimeZoneId String: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

order number: The order of execution for the forwarding rule order
actions string[]: Actions allowed for the specified type.
applications string[]: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
browserEunTemplateId number
cascadingEnabled boolean: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
cbiProfiles CloudAppControlRuleCbiProfile[]
cloudAppInstances CloudAppControlRuleCloudAppInstances: The cloud application instance ID.
cloudAppRiskProfiles CloudAppControlRuleCloudAppRiskProfile[]: The DLP server, using ICAP, to which the transaction content is forwarded.
departments CloudAppControlRuleDepartments: Name-ID pairs of departments for which rule must be applied
description string: Additional information about the forwarding rule
deviceGroups CloudAppControlRuleDeviceGroups: This field is applicable for devices that are managed using Zscaler Client Connector.
deviceTrustLevels string[]: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
devices CloudAppControlRuleDevices: Name-ID pairs of devices for which rule must be applied.
enforceTimeValidity boolean: Enforce a set a validity time period for the URL Filtering rule.
eunEnabled boolean
eunTemplateId number
groups CloudAppControlRuleGroups: Name-ID pairs of groups for which rule must be applied
labels CloudAppControlRuleLabels: The URL Filtering rule's label.
locationGroups CloudAppControlRuleLocationGroups: Name-ID pairs of the location groups to which the rule must be applied.
locations CloudAppControlRuleLocations: Name-ID pairs of locations for which rule must be applied
name string: The name of the forwarding rule
rank number: Admin rank assigned to the forwarding rule
sizeQuota number: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
state string: Determines whether the Firewall Filtering policy rule is enabled or disabled
tenancyProfileIds CloudAppControlRuleTenancyProfileIds: Name-ID pairs of groups for which rule must be applied
timeQuota number: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
timeWindows CloudAppControlRuleTimeWindows: Name-ID pairs of time interval during which rule must be enforced.
type string: Supported App Control Types
userAgentTypes string[]: Supported User Agent Types
userRiskScoreLevels string[]
users CloudAppControlRuleUsers: Name-ID pairs of users for which rule must be applied
validityEndTime string: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
validityStartTime string: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
validityTimeZoneId string: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

order int: The order of execution for the forwarding rule order
actions Sequence[str]: Actions allowed for the specified type.
applications Sequence[str]: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
browser_eun_template_id int
cascading_enabled bool: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
cbi_profiles Sequence[CloudAppControlRuleCbiProfileArgs]
cloud_app_instances CloudAppControlRuleCloudAppInstancesArgs: The cloud application instance ID.
cloud_app_risk_profiles Sequence[CloudAppControlRuleCloudAppRiskProfileArgs]: The DLP server, using ICAP, to which the transaction content is forwarded.
departments CloudAppControlRuleDepartmentsArgs: Name-ID pairs of departments for which rule must be applied
description str: Additional information about the forwarding rule
device_groups CloudAppControlRuleDeviceGroupsArgs: This field is applicable for devices that are managed using Zscaler Client Connector.
device_trust_levels Sequence[str]: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
devices CloudAppControlRuleDevicesArgs: Name-ID pairs of devices for which rule must be applied.
enforce_time_validity bool: Enforce a set a validity time period for the URL Filtering rule.
eun_enabled bool
eun_template_id int
groups CloudAppControlRuleGroupsArgs: Name-ID pairs of groups for which rule must be applied
labels CloudAppControlRuleLabelsArgs: The URL Filtering rule's label.
location_groups CloudAppControlRuleLocationGroupsArgs: Name-ID pairs of the location groups to which the rule must be applied.
locations CloudAppControlRuleLocationsArgs: Name-ID pairs of locations for which rule must be applied
name str: The name of the forwarding rule
rank int: Admin rank assigned to the forwarding rule
size_quota int: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
state str: Determines whether the Firewall Filtering policy rule is enabled or disabled
tenancy_profile_ids CloudAppControlRuleTenancyProfileIdsArgs: Name-ID pairs of groups for which rule must be applied
time_quota int: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
time_windows CloudAppControlRuleTimeWindowsArgs: Name-ID pairs of time interval during which rule must be enforced.
type str: Supported App Control Types
user_agent_types Sequence[str]: Supported User Agent Types
user_risk_score_levels Sequence[str]
users CloudAppControlRuleUsersArgs: Name-ID pairs of users for which rule must be applied
validity_end_time str: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
validity_start_time str: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
validity_time_zone_id str: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

order Number: The order of execution for the forwarding rule order
actions List<String>: Actions allowed for the specified type.
applications List<String>: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
browserEunTemplateId Number
cascadingEnabled Boolean: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
cbiProfiles List<Property Map>
cloudAppInstances Property Map: The cloud application instance ID.
cloudAppRiskProfiles List<Property Map>: The DLP server, using ICAP, to which the transaction content is forwarded.
departments Property Map: Name-ID pairs of departments for which rule must be applied
description String: Additional information about the forwarding rule
deviceGroups Property Map: This field is applicable for devices that are managed using Zscaler Client Connector.
deviceTrustLevels List<String>: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
devices Property Map: Name-ID pairs of devices for which rule must be applied.
enforceTimeValidity Boolean: Enforce a set a validity time period for the URL Filtering rule.
eunEnabled Boolean
eunTemplateId Number
groups Property Map: Name-ID pairs of groups for which rule must be applied
labels Property Map: The URL Filtering rule's label.
locationGroups Property Map: Name-ID pairs of the location groups to which the rule must be applied.
locations Property Map: Name-ID pairs of locations for which rule must be applied
name String: The name of the forwarding rule
rank Number: Admin rank assigned to the forwarding rule
sizeQuota Number: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
state String: Determines whether the Firewall Filtering policy rule is enabled or disabled
tenancyProfileIds Property Map: Name-ID pairs of groups for which rule must be applied
timeQuota Number: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
timeWindows Property Map: Name-ID pairs of time interval during which rule must be enforced.
type String: Supported App Control Types
userAgentTypes List<String>: Supported User Agent Types
userRiskScoreLevels List<String>
users Property Map: Name-ID pairs of users for which rule must be applied
validityEndTime String: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
validityStartTime String: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
validityTimeZoneId String: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

Outputs

All input properties are implicitly available as output properties. Additionally, the CloudAppControlRule resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
RuleId int: A unique identifier assigned to the forwarding rule

Id string: The provider-assigned unique ID for this managed resource.
RuleId int: A unique identifier assigned to the forwarding rule

id String: The provider-assigned unique ID for this managed resource.
ruleId Integer: A unique identifier assigned to the forwarding rule

id string: The provider-assigned unique ID for this managed resource.
ruleId number: A unique identifier assigned to the forwarding rule

id str: The provider-assigned unique ID for this managed resource.
rule_id int: A unique identifier assigned to the forwarding rule

id String: The provider-assigned unique ID for this managed resource.
ruleId Number: A unique identifier assigned to the forwarding rule

Look up Existing CloudAppControlRule Resource

Get an existing CloudAppControlRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CloudAppControlRuleState, opts?: CustomResourceOptions): CloudAppControlRule

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        actions: Optional[Sequence[str]] = None,
        applications: Optional[Sequence[str]] = None,
        browser_eun_template_id: Optional[int] = None,
        cascading_enabled: Optional[bool] = None,
        cbi_profiles: Optional[Sequence[CloudAppControlRuleCbiProfileArgs]] = None,
        cloud_app_instances: Optional[CloudAppControlRuleCloudAppInstancesArgs] = None,
        cloud_app_risk_profiles: Optional[Sequence[CloudAppControlRuleCloudAppRiskProfileArgs]] = None,
        departments: Optional[CloudAppControlRuleDepartmentsArgs] = None,
        description: Optional[str] = None,
        device_groups: Optional[CloudAppControlRuleDeviceGroupsArgs] = None,
        device_trust_levels: Optional[Sequence[str]] = None,
        devices: Optional[CloudAppControlRuleDevicesArgs] = None,
        enforce_time_validity: Optional[bool] = None,
        eun_enabled: Optional[bool] = None,
        eun_template_id: Optional[int] = None,
        groups: Optional[CloudAppControlRuleGroupsArgs] = None,
        labels: Optional[CloudAppControlRuleLabelsArgs] = None,
        location_groups: Optional[CloudAppControlRuleLocationGroupsArgs] = None,
        locations: Optional[CloudAppControlRuleLocationsArgs] = None,
        name: Optional[str] = None,
        order: Optional[int] = None,
        rank: Optional[int] = None,
        rule_id: Optional[int] = None,
        size_quota: Optional[int] = None,
        state: Optional[str] = None,
        tenancy_profile_ids: Optional[CloudAppControlRuleTenancyProfileIdsArgs] = None,
        time_quota: Optional[int] = None,
        time_windows: Optional[CloudAppControlRuleTimeWindowsArgs] = None,
        type: Optional[str] = None,
        user_agent_types: Optional[Sequence[str]] = None,
        user_risk_score_levels: Optional[Sequence[str]] = None,
        users: Optional[CloudAppControlRuleUsersArgs] = None,
        validity_end_time: Optional[str] = None,
        validity_start_time: Optional[str] = None,
        validity_time_zone_id: Optional[str] = None) -> CloudAppControlRule

func GetCloudAppControlRule(ctx *Context, name string, id IDInput, state *CloudAppControlRuleState, opts ...ResourceOption) (*CloudAppControlRule, error)

public static CloudAppControlRule Get(string name, Input<string> id, CloudAppControlRuleState? state, CustomResourceOptions? opts = null)

public static CloudAppControlRule get(String name, Output<String> id, CloudAppControlRuleState state, CustomResourceOptions options)

resources:  _:    type: zia:CloudAppControlRule    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Actions List<string>: Actions allowed for the specified type.
Applications List<string>: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
BrowserEunTemplateId int
CascadingEnabled bool: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
CbiProfiles List<zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleCbiProfile>
CloudAppInstances zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleCloudAppInstances: The cloud application instance ID.
CloudAppRiskProfiles List<zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleCloudAppRiskProfile>: The DLP server, using ICAP, to which the transaction content is forwarded.
Departments zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleDepartments: Name-ID pairs of departments for which rule must be applied
Description string: Additional information about the forwarding rule
DeviceGroups zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleDeviceGroups: This field is applicable for devices that are managed using Zscaler Client Connector.
DeviceTrustLevels List<string>: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
Devices zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleDevices: Name-ID pairs of devices for which rule must be applied.
EnforceTimeValidity bool: Enforce a set a validity time period for the URL Filtering rule.
EunEnabled bool
EunTemplateId int
Groups zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleGroups: Name-ID pairs of groups for which rule must be applied
Labels zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleLabels: The URL Filtering rule's label.
LocationGroups zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleLocationGroups: Name-ID pairs of the location groups to which the rule must be applied.
Locations zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleLocations: Name-ID pairs of locations for which rule must be applied
Name string: The name of the forwarding rule
Order int: The order of execution for the forwarding rule order
Rank int: Admin rank assigned to the forwarding rule
RuleId int: A unique identifier assigned to the forwarding rule
SizeQuota int: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
State string: Determines whether the Firewall Filtering policy rule is enabled or disabled
TenancyProfileIds zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleTenancyProfileIds: Name-ID pairs of groups for which rule must be applied
TimeQuota int: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
TimeWindows zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleTimeWindows: Name-ID pairs of time interval during which rule must be enforced.
Type string: Supported App Control Types
UserAgentTypes List<string>: Supported User Agent Types
UserRiskScoreLevels List<string>
Users zscaler.PulumiPackage.Zia.Inputs.CloudAppControlRuleUsers: Name-ID pairs of users for which rule must be applied
ValidityEndTime string: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
ValidityStartTime string: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
ValidityTimeZoneId string: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

Actions []string: Actions allowed for the specified type.
Applications []string: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
BrowserEunTemplateId int
CascadingEnabled bool: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
CbiProfiles []CloudAppControlRuleCbiProfileArgs
CloudAppInstances CloudAppControlRuleCloudAppInstancesArgs: The cloud application instance ID.
CloudAppRiskProfiles []CloudAppControlRuleCloudAppRiskProfileArgs: The DLP server, using ICAP, to which the transaction content is forwarded.
Departments CloudAppControlRuleDepartmentsArgs: Name-ID pairs of departments for which rule must be applied
Description string: Additional information about the forwarding rule
DeviceGroups CloudAppControlRuleDeviceGroupsArgs: This field is applicable for devices that are managed using Zscaler Client Connector.
DeviceTrustLevels []string: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
Devices CloudAppControlRuleDevicesArgs: Name-ID pairs of devices for which rule must be applied.
EnforceTimeValidity bool: Enforce a set a validity time period for the URL Filtering rule.
EunEnabled bool
EunTemplateId int
Groups CloudAppControlRuleGroupsArgs: Name-ID pairs of groups for which rule must be applied
Labels CloudAppControlRuleLabelsArgs: The URL Filtering rule's label.
LocationGroups CloudAppControlRuleLocationGroupsArgs: Name-ID pairs of the location groups to which the rule must be applied.
Locations CloudAppControlRuleLocationsArgs: Name-ID pairs of locations for which rule must be applied
Name string: The name of the forwarding rule
Order int: The order of execution for the forwarding rule order
Rank int: Admin rank assigned to the forwarding rule
RuleId int: A unique identifier assigned to the forwarding rule
SizeQuota int: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
State string: Determines whether the Firewall Filtering policy rule is enabled or disabled
TenancyProfileIds CloudAppControlRuleTenancyProfileIdsArgs: Name-ID pairs of groups for which rule must be applied
TimeQuota int: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
TimeWindows CloudAppControlRuleTimeWindowsArgs: Name-ID pairs of time interval during which rule must be enforced.
Type string: Supported App Control Types
UserAgentTypes []string: Supported User Agent Types
UserRiskScoreLevels []string
Users CloudAppControlRuleUsersArgs: Name-ID pairs of users for which rule must be applied
ValidityEndTime string: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
ValidityStartTime string: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
ValidityTimeZoneId string: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

actions List<String>: Actions allowed for the specified type.
applications List<String>: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
browserEunTemplateId Integer
cascadingEnabled Boolean: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
cbiProfiles List<CloudAppControlRuleCbiProfile>
cloudAppInstances CloudAppControlRuleCloudAppInstances: The cloud application instance ID.
cloudAppRiskProfiles List<CloudAppControlRuleCloudAppRiskProfile>: The DLP server, using ICAP, to which the transaction content is forwarded.
departments CloudAppControlRuleDepartments: Name-ID pairs of departments for which rule must be applied
description String: Additional information about the forwarding rule
deviceGroups CloudAppControlRuleDeviceGroups: This field is applicable for devices that are managed using Zscaler Client Connector.
deviceTrustLevels List<String>: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
devices CloudAppControlRuleDevices: Name-ID pairs of devices for which rule must be applied.
enforceTimeValidity Boolean: Enforce a set a validity time period for the URL Filtering rule.
eunEnabled Boolean
eunTemplateId Integer
groups CloudAppControlRuleGroups: Name-ID pairs of groups for which rule must be applied
labels CloudAppControlRuleLabels: The URL Filtering rule's label.
locationGroups CloudAppControlRuleLocationGroups: Name-ID pairs of the location groups to which the rule must be applied.
locations CloudAppControlRuleLocations: Name-ID pairs of locations for which rule must be applied
name String: The name of the forwarding rule
order Integer: The order of execution for the forwarding rule order
rank Integer: Admin rank assigned to the forwarding rule
ruleId Integer: A unique identifier assigned to the forwarding rule
sizeQuota Integer: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
state String: Determines whether the Firewall Filtering policy rule is enabled or disabled
tenancyProfileIds CloudAppControlRuleTenancyProfileIds: Name-ID pairs of groups for which rule must be applied
timeQuota Integer: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
timeWindows CloudAppControlRuleTimeWindows: Name-ID pairs of time interval during which rule must be enforced.
type String: Supported App Control Types
userAgentTypes List<String>: Supported User Agent Types
userRiskScoreLevels List<String>
users CloudAppControlRuleUsers: Name-ID pairs of users for which rule must be applied
validityEndTime String: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
validityStartTime String: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
validityTimeZoneId String: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

actions string[]: Actions allowed for the specified type.
applications string[]: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
browserEunTemplateId number
cascadingEnabled boolean: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
cbiProfiles CloudAppControlRuleCbiProfile[]
cloudAppInstances CloudAppControlRuleCloudAppInstances: The cloud application instance ID.
cloudAppRiskProfiles CloudAppControlRuleCloudAppRiskProfile[]: The DLP server, using ICAP, to which the transaction content is forwarded.
departments CloudAppControlRuleDepartments: Name-ID pairs of departments for which rule must be applied
description string: Additional information about the forwarding rule
deviceGroups CloudAppControlRuleDeviceGroups: This field is applicable for devices that are managed using Zscaler Client Connector.
deviceTrustLevels string[]: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
devices CloudAppControlRuleDevices: Name-ID pairs of devices for which rule must be applied.
enforceTimeValidity boolean: Enforce a set a validity time period for the URL Filtering rule.
eunEnabled boolean
eunTemplateId number
groups CloudAppControlRuleGroups: Name-ID pairs of groups for which rule must be applied
labels CloudAppControlRuleLabels: The URL Filtering rule's label.
locationGroups CloudAppControlRuleLocationGroups: Name-ID pairs of the location groups to which the rule must be applied.
locations CloudAppControlRuleLocations: Name-ID pairs of locations for which rule must be applied
name string: The name of the forwarding rule
order number: The order of execution for the forwarding rule order
rank number: Admin rank assigned to the forwarding rule
ruleId number: A unique identifier assigned to the forwarding rule
sizeQuota number: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
state string: Determines whether the Firewall Filtering policy rule is enabled or disabled
tenancyProfileIds CloudAppControlRuleTenancyProfileIds: Name-ID pairs of groups for which rule must be applied
timeQuota number: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
timeWindows CloudAppControlRuleTimeWindows: Name-ID pairs of time interval during which rule must be enforced.
type string: Supported App Control Types
userAgentTypes string[]: Supported User Agent Types
userRiskScoreLevels string[]
users CloudAppControlRuleUsers: Name-ID pairs of users for which rule must be applied
validityEndTime string: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
validityStartTime string: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
validityTimeZoneId string: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

actions Sequence[str]: Actions allowed for the specified type.
applications Sequence[str]: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
browser_eun_template_id int
cascading_enabled bool: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
cbi_profiles Sequence[CloudAppControlRuleCbiProfileArgs]
cloud_app_instances CloudAppControlRuleCloudAppInstancesArgs: The cloud application instance ID.
cloud_app_risk_profiles Sequence[CloudAppControlRuleCloudAppRiskProfileArgs]: The DLP server, using ICAP, to which the transaction content is forwarded.
departments CloudAppControlRuleDepartmentsArgs: Name-ID pairs of departments for which rule must be applied
description str: Additional information about the forwarding rule
device_groups CloudAppControlRuleDeviceGroupsArgs: This field is applicable for devices that are managed using Zscaler Client Connector.
device_trust_levels Sequence[str]: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
devices CloudAppControlRuleDevicesArgs: Name-ID pairs of devices for which rule must be applied.
enforce_time_validity bool: Enforce a set a validity time period for the URL Filtering rule.
eun_enabled bool
eun_template_id int
groups CloudAppControlRuleGroupsArgs: Name-ID pairs of groups for which rule must be applied
labels CloudAppControlRuleLabelsArgs: The URL Filtering rule's label.
location_groups CloudAppControlRuleLocationGroupsArgs: Name-ID pairs of the location groups to which the rule must be applied.
locations CloudAppControlRuleLocationsArgs: Name-ID pairs of locations for which rule must be applied
name str: The name of the forwarding rule
order int: The order of execution for the forwarding rule order
rank int: Admin rank assigned to the forwarding rule
rule_id int: A unique identifier assigned to the forwarding rule
size_quota int: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
state str: Determines whether the Firewall Filtering policy rule is enabled or disabled
tenancy_profile_ids CloudAppControlRuleTenancyProfileIdsArgs: Name-ID pairs of groups for which rule must be applied
time_quota int: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
time_windows CloudAppControlRuleTimeWindowsArgs: Name-ID pairs of time interval during which rule must be enforced.
type str: Supported App Control Types
user_agent_types Sequence[str]: Supported User Agent Types
user_risk_score_levels Sequence[str]
users CloudAppControlRuleUsersArgs: Name-ID pairs of users for which rule must be applied
validity_end_time str: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
validity_start_time str: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
validity_time_zone_id str: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

actions List<String>: Actions allowed for the specified type.
applications List<String>: The list of cloud applications to which the cloud app control rule must be applied Use the data source zia.getCloudApplications to get the list of available cloud applications: https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_cloud_applications
browserEunTemplateId Number
cascadingEnabled Boolean: Enforce the URL Filtering policy on a transaction, even after it is explicitly allowed by the Cloud App Control policy.
cbiProfiles List<Property Map>
cloudAppInstances Property Map: The cloud application instance ID.
cloudAppRiskProfiles List<Property Map>: The DLP server, using ICAP, to which the transaction content is forwarded.
departments Property Map: Name-ID pairs of departments for which rule must be applied
description String: Additional information about the forwarding rule
deviceGroups Property Map: This field is applicable for devices that are managed using Zscaler Client Connector.
deviceTrustLevels List<String>: List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation.
devices Property Map: Name-ID pairs of devices for which rule must be applied.
enforceTimeValidity Boolean: Enforce a set a validity time period for the URL Filtering rule.
eunEnabled Boolean
eunTemplateId Number
groups Property Map: Name-ID pairs of groups for which rule must be applied
labels Property Map: The URL Filtering rule's label.
locationGroups Property Map: Name-ID pairs of the location groups to which the rule must be applied.
locations Property Map: Name-ID pairs of locations for which rule must be applied
name String: The name of the forwarding rule
order Number: The order of execution for the forwarding rule order
rank Number: Admin rank assigned to the forwarding rule
ruleId Number: A unique identifier assigned to the forwarding rule
sizeQuota Number: Size quota in KB beyond which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
state String: Determines whether the Firewall Filtering policy rule is enabled or disabled
tenancyProfileIds Property Map: Name-ID pairs of groups for which rule must be applied
timeQuota Number: Time quota in minutes, after which the URL Filtering rule is applied. If not set, no quota is enforced. If a policy rule action is set to 'BLOCK', this field is not applicable.
timeWindows Property Map: Name-ID pairs of time interval during which rule must be enforced.
type String: Supported App Control Types
userAgentTypes List<String>: Supported User Agent Types
userRiskScoreLevels List<String>
users Property Map: Name-ID pairs of users for which rule must be applied
validityEndTime String: If enforceTimeValidity is set to true, the URL Filtering rule ceases to be valid on this end date and time.
validityStartTime String: If enforceTimeValidity is set to true, the URL Filtering rule is valid starting on this date and time.
validityTimeZoneId String: If enforceTimeValidity is set to true, the URL Filtering rule date and time is valid based on this time zone ID. Use IANA Format TimeZone.

Supporting Types

CloudAppControlRuleCbiProfile, CloudAppControlRuleCbiProfileArgs

Id string
Name string
Url string: The browser isolation profile URL

Id string
Name string
Url string: The browser isolation profile URL

id String
name String
url String: The browser isolation profile URL

id string
name string
url string: The browser isolation profile URL

id str
name str
url str: The browser isolation profile URL

id String
name String
url String: The browser isolation profile URL

CloudAppControlRuleCloudAppInstances, CloudAppControlRuleCloudAppInstancesArgs

Ids List<int>

Ids []int

ids List<Integer>

ids number[]

ids Sequence[int]

ids List<Number>

CloudAppControlRuleCloudAppRiskProfile, CloudAppControlRuleCloudAppRiskProfileArgs

Id int

Id int

id Integer

id number

id int

id Number

CloudAppControlRuleDepartments, CloudAppControlRuleDepartmentsArgs

Ids List<int>

Ids []int

ids List<Integer>

ids number[]

ids Sequence[int]

ids List<Number>

CloudAppControlRuleDeviceGroups, CloudAppControlRuleDeviceGroupsArgs

Ids List<int>

Ids []int

ids List<Integer>

ids number[]

ids Sequence[int]

ids List<Number>

CloudAppControlRuleDevices, CloudAppControlRuleDevicesArgs

Ids List<int>

Ids []int

ids List<Integer>

ids number[]

ids Sequence[int]

ids List<Number>

CloudAppControlRuleGroups, CloudAppControlRuleGroupsArgs

Ids List<int>

Ids []int

ids List<Integer>

ids number[]

ids Sequence[int]

ids List<Number>

CloudAppControlRuleLabels, CloudAppControlRuleLabelsArgs

Ids List<int>

Ids []int

ids List<Integer>

ids number[]

ids Sequence[int]

ids List<Number>

CloudAppControlRuleLocationGroups, CloudAppControlRuleLocationGroupsArgs

Ids List<int>

Ids []int

ids List<Integer>

ids number[]

ids Sequence[int]

ids List<Number>

CloudAppControlRuleLocations, CloudAppControlRuleLocationsArgs

Ids List<int>

Ids []int

ids List<Integer>

ids number[]

ids Sequence[int]

ids List<Number>

CloudAppControlRuleTenancyProfileIds, CloudAppControlRuleTenancyProfileIdsArgs

Ids List<int>

Ids []int

ids List<Integer>

ids number[]

ids Sequence[int]

ids List<Number>

CloudAppControlRuleTimeWindows, CloudAppControlRuleTimeWindowsArgs

Ids List<int>

Ids []int

ids List<Integer>

ids number[]

ids Sequence[int]

ids List<Number>

CloudAppControlRuleUsers, CloudAppControlRuleUsersArgs

Ids List<int>

Ids []int

ids List<Integer>

ids number[]

ids Sequence[int]

ids List<Number>

Import

ant Notes

Using the Data Source for Actions

Best Practice: Always use the zia.getCloudAppControlRuleActions data source to retrieve valid actions for your applications. The data source automatically handles:

Application-specific action support
Action intersections when multiple applications are configured
Separation of ISOLATE actions from standard actions

data "zia_cloud_app_control_rule_actions" "my_actions" {
  type       = "AI_ML"
  cloud_apps = ["CHATGPT_AI"]
}

resource "zia_cloud_app_control_rule" "example" {
  actions = data.zia_cloud_app_control_rule_actions.my_actions.available_actions_without_isolate
}

ISOLATE Actions Requirements

When using ISOLATE actions:

ISOLATE actions cannot be mixed with other action types (ALLOW, DENY, BLOCK, CAUTION)
ISOLATE actions require cbi_profile block with a valid Cloud Browser Isolation profile
ISOLATE actions cannot have browser_eun_template_id set
Create separate rules for ISOLATE vs non-ISOLATE actions

Multiple Applications

When configuring multiple applications in a single rule, only actions supported by ALL applications are valid. The data source automatically computes this intersection when you specify multiple cloud_apps.

Action Validation

The resource validates actions during pulumi preview. If invalid actions are detected, an error message will show:

Which actions are invalid
List of valid actions for your configuration
Suggestion to use the data source

For more information, see the zia.getCloudAppControlRuleActions data source documentation.

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: zia zscaler/pulumi-zia
License: MIT
Notes: This Pulumi package is based on the zia Terraform Provider.

Zscaler Internet Access v1.2.0 published on Friday, Feb 20, 2026 by Zscaler

Schema (JSON)

zscaler/pulumi-zia

zia.CloudAppControlRule

On this page

On this page

Example Usage

Using Data Source For Actions (Recommended)

AI/ML Application Control

Cloud Browser Isolation (ISOLATE Actions)

Filtered Actions (ALLOW Only)

With Time Validity

Create CloudAppControlRule Resource

Constructor syntax

Parameters

Constructor example

CloudAppControlRule Resource Properties

Inputs

Outputs

Look up Existing CloudAppControlRule Resource

Supporting Types

CloudAppControlRuleCbiProfile, CloudAppControlRuleCbiProfileArgs

CloudAppControlRuleCloudAppInstances, CloudAppControlRuleCloudAppInstancesArgs

CloudAppControlRuleCloudAppRiskProfile, CloudAppControlRuleCloudAppRiskProfileArgs

CloudAppControlRuleDepartments, CloudAppControlRuleDepartmentsArgs

CloudAppControlRuleDeviceGroups, CloudAppControlRuleDeviceGroupsArgs

CloudAppControlRuleDevices, CloudAppControlRuleDevicesArgs

CloudAppControlRuleGroups, CloudAppControlRuleGroupsArgs

CloudAppControlRuleLabels, CloudAppControlRuleLabelsArgs

CloudAppControlRuleLocationGroups, CloudAppControlRuleLocationGroupsArgs

CloudAppControlRuleLocations, CloudAppControlRuleLocationsArgs

CloudAppControlRuleTenancyProfileIds, CloudAppControlRuleTenancyProfileIdsArgs

CloudAppControlRuleTimeWindows, CloudAppControlRuleTimeWindowsArgs

CloudAppControlRuleUsers, CloudAppControlRuleUsersArgs

Import

Using the Data Source for Actions

ISOLATE Actions Requirements

Multiple Applications

Action Validation

Package Details

On this page

On this page