Use the zia_cloud_app_control_rule_actions data source to retrieve the available actions for specific cloud applications and rule types. This data source automatically handles action intersections when multiple applications are specified, returning only actions supported by ALL applications.
NOTE: Some new actions may not be returned in the API response. This is a known issue and is being investigated under issue ONEAPI-2421. Please contact Zscaler support for an update if the action you’re attempting to configure isn’t supported or returned in the response.
The data source provides multiple output attributes for different use cases:
- available_actions_without_isolate - Most common use case for standard rules
- isolate_actions - For Cloud Browser Isolation (CBI) rules
- filtered_actions - Custom filtering by action type (ALLOW, DENY, etc.)
- available_actions - Complete list of all actions
Example Usage
Standard Rule (Most Common)
Use available_actions_without_isolate for standard rules that don’t require Cloud Browser Isolation:
data "zia_cloud_app_control_rule_actions" "chatgpt" {
type = "AI_ML"
cloud_apps = ["CHATGPT_AI"]
}
resource "zia_cloud_app_control_rule" "standard" {
name = "ChatGPT Standard Rule"
type = "AI_ML"
order = 1
rank = 7
state = "ENABLED"
applications = ["CHATGPT_AI"]
# Use available_actions_without_isolate for standard rules
actions = data.zia_cloud_app_control_rule_actions.chatgpt.available_actions_without_isolate
}
Isolation Rule (CBI)
Use isolate_actions for Cloud Browser Isolation rules:
data "zia_cloud_app_control_rule_actions" "chatgpt" {
type = "AI_ML"
cloud_apps = ["CHATGPT_AI"]
}
data "zia_cloud_browser_isolation_profile" "profile" {
name = "My-CBI-Profile"
}
resource "zia_cloud_app_control_rule" "isolate" {
name = "ChatGPT Isolation"
type = "AI_ML"
order = 1
rank = 7
state = "ENABLED"
applications = ["CHATGPT_AI"]
# Use isolate_actions for CBI rules
actions = data.zia_cloud_app_control_rule_actions.chatgpt.isolate_actions
# Required when using ISOLATE actions
cbi_profile {
id = data.zia_cloud_browser_isolation_profile.profile.id
name = data.zia_cloud_browser_isolation_profile.profile.name
url = data.zia_cloud_browser_isolation_profile.profile.url
}
}
Multiple Applications (Intersection)
When multiple applications are specified, the API automatically returns only actions supported by ALL applications:
data "zia_cloud_app_control_rule_actions" "multi_ai" {
type = "AI_ML"
cloud_apps = ["CHATGPT_AI", "GOOGLE_GEMINI"]
}
resource "zia_cloud_app_control_rule" "multi_ai" {
name = "Multiple AI Apps"
type = "AI_ML"
order = 1
rank = 7
state = "ENABLED"
applications = ["CHATGPT_AI", "GOOGLE_GEMINI"]
# Returns only actions supported by BOTH applications
actions = data.zia_cloud_app_control_rule_actions.multi_ai.available_actions_without_isolate
}
# View the intersection
output "common_actions" {
value = data.zia_cloud_app_control_rule_actions.multi_ai.available_actions_without_isolate
}
Filter By Action Type (ALLOW Only)
Use action_prefixes to filter actions by type:
data "zia_cloud_app_control_rule_actions" "allow_only" {
type = "AI_ML"
cloud_apps = ["CHATGPT_AI"]
action_prefixes = ["ALLOW"] # Filter for ALLOW actions only
}
resource "zia_cloud_app_control_rule" "allow_rule" {
name = "ChatGPT Allow Only"
type = "AI_ML"
order = 1
rank = 7
state = "ENABLED"
applications = ["CHATGPT_AI"]
# Only ALLOW_ actions
actions = data.zia_cloud_app_control_rule_actions.allow_only.filtered_actions
}
Filter Multiple Action Types
Filter for multiple action types simultaneously:
data "zia_cloud_app_control_rule_actions" "allow_deny" {
type = "AI_ML"
cloud_apps = ["CHATGPT_AI"]
action_prefixes = ["ALLOW", "DENY"] # Get both ALLOW and DENY actions
}
resource "zia_cloud_app_control_rule" "mixed_rule" {
name = "ChatGPT Mixed Actions"
type = "AI_ML"
order = 1
rank = 7
state = "ENABLED"
applications = ["CHATGPT_AI"]
# ALLOW_ and DENY_ actions only (excludes CAUTION, ISOLATE, ESC)
actions = data.zia_cloud_app_control_rule_actions.allow_deny.filtered_actions
}
File Sharing Applications
data "zia_cloud_app_control_rule_actions" "onedrive" {
type = "FILE_SHARE"
cloud_apps = ["ONEDRIVE"]
}
resource "zia_cloud_app_control_rule" "onedrive_rule" {
name = "OneDrive Controls"
type = "FILE_SHARE"
order = 1
rank = 7
state = "ENABLED"
applications = ["ONEDRIVE"]
# Get all file sharing actions except ISOLATE
actions = data.zia_cloud_app_control_rule_actions.onedrive.available_actions_without_isolate
}
Only DENY Actions
data "zia_cloud_app_control_rule_actions" "deny_only" {
type = "AI_ML"
cloud_apps = ["CHATGPT_AI"]
action_prefixes = ["DENY"]
}
resource "zia_cloud_app_control_rule" "block_chatgpt" {
name = "Block ChatGPT Features"
type = "AI_ML"
order = 1
rank = 7
state = "ENABLED"
applications = ["CHATGPT_AI"]
# Only DENY_ actions (restrictive)
actions = data.zia_cloud_app_control_rule_actions.deny_only.filtered_actions
}
Understanding Action Types
Action Prefixes
Cloud App Control rules support different action types based on the application and rule type:
| Prefix | Description | Example | Can Mix With |
|---|---|---|---|
| ALLOW | Permit specific operations | ALLOW_AI_ML_CHAT | DENY, CAUTION, ESC |
| DENY | Block specific operations | DENY_AI_ML_UPLOAD | ALLOW, CAUTION, ESC |
| BLOCK | Block operations (some apps) | BLOCK_FILE_SHARE_DOWNLOAD | ALLOW, CAUTION |
| CAUTION | Warn before allowing | CAUTION_AI_ML_WEB_USE | ALLOW, DENY, BLOCK |
| ISOLATE | Cloud Browser Isolation | ISOLATE_AI_ML_WEB_USE | Cannot mix |
| ESC | Conditional access | AI_ML_CONDITIONAL_ACCESS | ALLOW, DENY |
Important Rules
ISOLATE Actions:
- Cannot be mixed with any other action type
- Require cbi_profile configuration in the resource
- Use isolate_actions attribute or filter with action_prefixes = ["ISOLATE"]
Multiple Applications:
- The API automatically returns the intersection of actions
- Only actions supported by ALL specified applications are returned
- Always query the data source with the same applications you’ll use in the resource
Action Compatibility:
- Most actions can be mixed (ALLOW + DENY, ALLOW + CAUTION, etc.)
- ISOLATE actions are the exception - they must be used alone
Best Practices
1. Use Data Source Instead of Hardcoding
❌ Avoid hardcoding actions:
resource "zia_cloud_app_control_rule" "example" {
actions = ["ALLOW_AI_ML_CHAT", "DENY_AI_ML_UPLOAD"] # May become invalid
}
✅ Use data source:
data "zia_cloud_app_control_rule_actions" "actions" {
type = "AI_ML"
cloud_apps = ["CHATGPT_AI"]
}
resource "zia_cloud_app_control_rule" "example" {
actions = data.zia_cloud_app_control_rule_actions.actions.available_actions_without_isolate
}
2. Match Applications Between Data Source and Resource
❌ Mismatch (will cause validation errors):
data "zia_cloud_app_control_rule_actions" "actions" {
cloud_apps = ["CHATGPT_AI"] # Only one app
}
resource "zia_cloud_app_control_rule" "example" {
applications = ["CHATGPT_AI", "GOOGLE_GEMINI"] # Two apps
actions = data.zia_cloud_app_control_rule_actions.actions.available_actions_without_isolate
}
✅ Correct match:
data "zia_cloud_app_control_rule_actions" "actions" {
cloud_apps = ["CHATGPT_AI", "GOOGLE_GEMINI"] # Same apps
}
resource "zia_cloud_app_control_rule" "example" {
applications = ["CHATGPT_AI", "GOOGLE_GEMINI"] # Same apps
actions = data.zia_cloud_app_control_rule_actions.actions.available_actions_without_isolate
}
3. Choose the Right Output Attribute
| Use Case | Attribute to Use | Example |
|---|---|---|
| Standard rule (no CBI) | available_actions_without_isolate | Most common |
| CBI/Isolation rule | isolate_actions | Requires cbi_profile |
| Only permissive actions | filtered_actions with action_prefixes = ["ALLOW"] | Allow-only policy |
| Only restrictive actions | filtered_actions with action_prefixes = ["DENY"] | Deny-only policy |
| Mixed ALLOW/DENY | filtered_actions with action_prefixes = ["ALLOW", "DENY"] | Fine-grained control |
| Full list for custom logic | available_actions | Manual filtering |
Complete Examples
Example 1: Standard Rule with Multiple Action Types
data "zia_cloud_app_control_rule_actions" "slack" {
type = "ENTERPRISE_COLLABORATION"
cloud_apps = ["SLACK"]
}
resource "zia_cloud_app_control_rule" "slack_controls" {
name = "Slack Controls"
description = "Control Slack usage"
type = "ENTERPRISE_COLLABORATION"
order = 1
rank = 7
state = "ENABLED"
applications = ["SLACK"]
browser_eun_template_id = 5502
# Returns all actions except ISOLATE
actions = data.zia_cloud_app_control_rule_actions.slack.available_actions_without_isolate
}
Example 2: Permissive Rule (ALLOW Only)
data "zia_cloud_app_control_rule_actions" "dropbox_allow" {
type = "FILE_SHARE"
cloud_apps = ["DROPBOX"]
action_prefixes = ["ALLOW"]
}
resource "zia_cloud_app_control_rule" "dropbox_allow" {
name = "Dropbox Allow Operations"
type = "FILE_SHARE"
order = 1
rank = 7
state = "ENABLED"
applications = ["DROPBOX"]
# Only permissive actions
actions = data.zia_cloud_app_control_rule_actions.dropbox_allow.filtered_actions
}
Example 3: Restrictive Rule (DENY Only)
data "zia_cloud_app_control_rule_actions" "onedrive_deny" {
type = "FILE_SHARE"
cloud_apps = ["ONEDRIVE"]
action_prefixes = ["DENY"]
}
resource "zia_cloud_app_control_rule" "onedrive_block_upload" {
name = "OneDrive Block Upload"
type = "FILE_SHARE"
order = 2
rank = 7
state = "ENABLED"
applications = ["ONEDRIVE"]
# Only restrictive DENY actions
actions = data.zia_cloud_app_control_rule_actions.onedrive_deny.filtered_actions
}
Example 4: Multiple Applications with Intersection
# Query actions for two applications
data "zia_cloud_app_control_rule_actions" "multi_file_share" {
type = "FILE_SHARE"
cloud_apps = ["ONEDRIVE", "DROPBOX"]
}
resource "zia_cloud_app_control_rule" "multi_file_share" {
name = "File Sharing Controls"
type = "FILE_SHARE"
order = 1
rank = 7
state = "ENABLED"
applications = ["ONEDRIVE", "DROPBOX"]
# Returns only actions supported by BOTH OneDrive AND Dropbox
actions = data.zia_cloud_app_control_rule_actions.multi_file_share.available_actions_without_isolate
}
# Output shows the intersection
output "common_file_share_actions" {
value = data.zia_cloud_app_control_rule_actions.multi_file_share.available_actions_without_isolate
# Example output: Actions both apps support
}
Example 5: CAUTION Actions Only
data "zia_cloud_app_control_rule_actions" "caution_only" {
type = "AI_ML"
cloud_apps = ["CHATGPT_AI"]
action_prefixes = ["CAUTION"]
}
resource "zia_cloud_app_control_rule" "caution_rule" {
name = "ChatGPT Caution"
type = "AI_ML"
order = 1
rank = 7
state = "ENABLED"
applications = ["CHATGPT_AI"]
# Only CAUTION actions (user warnings)
actions = data.zia_cloud_app_control_rule_actions.caution_only.filtered_actions
}
Example 6: Viewing All Available Attributes
data "zia_cloud_app_control_rule_actions" "chatgpt" {
type = "AI_ML"
cloud_apps = ["CHATGPT_AI"]
action_prefixes = ["ALLOW", "DENY"] # Optional filtering
}
# View all output attributes
output "all_actions" {
value = data.zia_cloud_app_control_rule_actions.chatgpt.available_actions
# All actions including ISOLATE (17 actions for ChatGPT)
}
output "standard_actions" {
value = data.zia_cloud_app_control_rule_actions.chatgpt.available_actions_without_isolate
# All except ISOLATE (16 actions)
}
output "isolate_only" {
value = data.zia_cloud_app_control_rule_actions.chatgpt.isolate_actions
# Only ISOLATE actions (1 action)
}
output "custom_filtered" {
value = data.zia_cloud_app_control_rule_actions.chatgpt.filtered_actions
# Only ALLOW and DENY actions (based on action_prefixes)
}
Notes
Application Intersection Behavior
When querying multiple applications, the API returns only the intersection of actions:
Example:
- CHATGPT_AI alone supports 12 actions (including ALLOW_AI_ML_RENAME)
- GOOGLE_GEMINI alone supports 11 actions (does NOT support RENAME)
- Query with both: ["CHATGPT_AI", "GOOGLE_GEMINI"] returns 9 actions (RENAME excluded)
This ensures that rules with multiple applications only use actions that work for all of them.
ISOLATE Actions Special Requirements
ISOLATE actions have unique requirements:
- Cannot be mixed: ISOLATE actions must be used alone in a rule
- Require CBI profile: Must configure cbi_profile block with a valid profile
- No EUN template: Cannot set browser_eun_template_id when using ISOLATE
- Separate rules: Create one rule for ISOLATE actions, separate rules for other actions
Validation
The zia.CloudAppControlRule resource automatically validates actions during pulumi preview:
- Ensures actions are valid for the specified applications
- Validates ISOLATE action requirements
- Provides helpful error messages with valid action lists
- Suggests using the data source if manual actions are invalid
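The intersection and ISOLATE requirements described in these notes can also be checked before a plan is ever run, for example in CI. The following is an added example, not the provider's own validation code; the Rule class, the finding codes and the per-application action sets are constructed for illustration, and only the action names come from this page.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumption): which actions each application supports.
# Real lists come from the data source; these sets are illustrative only.
SUPPORTED = {
    "CHATGPT_AI": {
        "ALLOW_AI_ML_CHAT", "ALLOW_AI_ML_RENAME", "DENY_AI_ML_UPLOAD",
        "CAUTION_AI_ML_WEB_USE", "ISOLATE_AI_ML_WEB_USE",
    },
    "GOOGLE_GEMINI": {
        "ALLOW_AI_ML_CHAT", "DENY_AI_ML_UPLOAD",
        "CAUTION_AI_ML_WEB_USE", "ISOLATE_AI_ML_WEB_USE",
    },
}


@dataclass
class Rule:
    """Hypothetical in-memory view of a zia_cloud_app_control_rule."""
    name: str
    applications: list[str]
    actions: list[str]
    cbi_profile: Optional[dict] = None
    browser_eun_template_id: Optional[int] = None


def common_actions(apps, supported=SUPPORTED):
    """Return the actions supported by ALL apps (the intersection)."""
    unknown = [a for a in apps if a not in supported]
    if unknown:
        raise KeyError(f"no action list for: {unknown}")
    if not apps:
        return set()
    return set.intersection(*(set(supported[a]) for a in apps))


def validate_rule(rule, supported=SUPPORTED):
    """Return 'CODE: message' findings; an empty list means the rule passes."""
    findings = []
    # Every action must be valid for every application named in the rule.
    extra = sorted(set(rule.actions) - common_actions(rule.applications, supported))
    if extra:
        findings.append(
            f"UNSUPPORTED_ACTION: {extra} not supported by all of {rule.applications}")
    isolate = [a for a in rule.actions if a.startswith("ISOLATE_")]
    if isolate:
        # ISOLATE actions must be used alone in a rule.
        if len(isolate) != len(rule.actions):
            findings.append("ISOLATE_MIXED: ISOLATE actions cannot be mixed with other types")
        # ISOLATE actions require a cbi_profile block.
        if not rule.cbi_profile:
            findings.append("ISOLATE_NO_CBI_PROFILE: ISOLATE actions require cbi_profile")
        # browser_eun_template_id cannot be set alongside ISOLATE actions.
        if rule.browser_eun_template_id is not None:
            findings.append("ISOLATE_WITH_EUN: browser_eun_template_id must not be set")
    return findings


if __name__ == "__main__":
    rules = [
        Rule("standard", ["CHATGPT_AI"], ["ALLOW_AI_ML_CHAT", "DENY_AI_ML_UPLOAD"]),
        Rule("mismatch", ["CHATGPT_AI", "GOOGLE_GEMINI"], ["ALLOW_AI_ML_RENAME"]),
        Rule("mixed", ["CHATGPT_AI"], ["ISOLATE_AI_ML_WEB_USE", "ALLOW_AI_ML_CHAT"],
             browser_eun_template_id=5502),
    ]
    for r in rules:
        print(r.name, validate_rule(r) or "OK")
```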
Using getCloudAppControlRuleActions
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getCloudAppControlRuleActions(args: GetCloudAppControlRuleActionsArgs, opts?: InvokeOptions): Promise<GetCloudAppControlRuleActionsResult>
function getCloudAppControlRuleActionsOutput(args: GetCloudAppControlRuleActionsOutputArgs, opts?: InvokeOptions): Output<GetCloudAppControlRuleActionsResult>

def get_cloud_app_control_rule_actions(action_prefixes: Optional[Sequence[str]] = None,
                                       cloud_apps: Optional[Sequence[str]] = None,
                                       type: Optional[str] = None,
                                       opts: Optional[InvokeOptions] = None) -> GetCloudAppControlRuleActionsResult
def get_cloud_app_control_rule_actions_output(action_prefixes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                                              cloud_apps: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                                              type: Optional[pulumi.Input[str]] = None,
                                              opts: Optional[InvokeOptions] = None) -> Output[GetCloudAppControlRuleActionsResult]

func GetCloudAppControlRuleActions(ctx *Context, args *GetCloudAppControlRuleActionsArgs, opts ...InvokeOption) (*GetCloudAppControlRuleActionsResult, error)
func GetCloudAppControlRuleActionsOutput(ctx *Context, args *GetCloudAppControlRuleActionsOutputArgs, opts ...InvokeOption) GetCloudAppControlRuleActionsResultOutput

> Note: This function is named GetCloudAppControlRuleActions in the Go SDK.

public static class GetCloudAppControlRuleActions
{
    public static Task<GetCloudAppControlRuleActionsResult> InvokeAsync(GetCloudAppControlRuleActionsArgs args, InvokeOptions? opts = null)
    public static Output<GetCloudAppControlRuleActionsResult> Invoke(GetCloudAppControlRuleActionsInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetCloudAppControlRuleActionsResult> getCloudAppControlRuleActions(GetCloudAppControlRuleActionsArgs args, InvokeOptions options)
public static Output<GetCloudAppControlRuleActionsResult> getCloudAppControlRuleActions(GetCloudAppControlRuleActionsArgs args, InvokeOptions options)

fn::invoke:
  function: zia:index/getCloudAppControlRuleActions:getCloudAppControlRuleActions
  arguments:
    # arguments dictionary

The following arguments are supported:
- CloudApps List<string>
- Type string
- ActionPrefixes List<string>

- CloudApps []string
- Type string
- ActionPrefixes []string

- cloudApps List<String>
- type String
- actionPrefixes List<String>

- cloudApps string[]
- type string
- actionPrefixes string[]

- cloud_apps Sequence[str]
- type str
- action_prefixes Sequence[str]
getCloudAppControlRuleActions Result
The following output properties are available:
- AvailableActions List<string> - (List of Strings) Complete list of all available actions for the specified cloud applications and rule type, including ISOLATE actions. Use when you need the full list or want to apply custom Terraform filtering logic.
- AvailableActionsWithoutIsolates List<string> - (List of Strings) Recommended for most use cases. List of available actions excluding ISOLATE actions. Use this for standard Cloud App Control rules. ISOLATE actions cannot be mixed with other action types and require separate rules.
- CloudApps List<string>
- FilteredActions List<string> - (List of Strings) List of actions filtered by the action_prefixes parameter. Only populated when action_prefixes is specified. Use this for custom filtering by specific action types (ALLOW only, DENY only, ALLOW+DENY, etc.).
- Id string - The provider-assigned unique ID for this managed resource.
- IsolateActions List<string> - (List of Strings) List of only ISOLATE actions (Cloud Browser Isolation). Use this for CBI rules. When using ISOLATE actions:
  - They cannot be mixed with other action types (ALLOW, DENY, etc.)
  - They require cbi_profile block in the resource
  - They cannot have browser_eun_template_id set
  - Create separate rules for ISOLATE vs non-ISOLATE actions
- Type string
- ActionPrefixes List<string>

- AvailableActions []string - (List of Strings) Complete list of all available actions for the specified cloud applications and rule type, including ISOLATE actions. Use when you need the full list or want to apply custom Terraform filtering logic.
- AvailableActionsWithoutIsolates []string - (List of Strings) Recommended for most use cases. List of available actions excluding ISOLATE actions. Use this for standard Cloud App Control rules. ISOLATE actions cannot be mixed with other action types and require separate rules.
- CloudApps []string
- FilteredActions []string - (List of Strings) List of actions filtered by the action_prefixes parameter. Only populated when action_prefixes is specified. Use this for custom filtering by specific action types (ALLOW only, DENY only, ALLOW+DENY, etc.).
- Id string - The provider-assigned unique ID for this managed resource.
- IsolateActions []string - (List of Strings) List of only ISOLATE actions (Cloud Browser Isolation). Use this for CBI rules. When using ISOLATE actions:
  - They cannot be mixed with other action types (ALLOW, DENY, etc.)
  - They require cbi_profile block in the resource
  - They cannot have browser_eun_template_id set
  - Create separate rules for ISOLATE vs non-ISOLATE actions
- Type string
- ActionPrefixes []string

- availableActions List<String> - (List of Strings) Complete list of all available actions for the specified cloud applications and rule type, including ISOLATE actions. Use when you need the full list or want to apply custom Terraform filtering logic.
- availableActionsWithoutIsolates List<String> - (List of Strings) Recommended for most use cases. List of available actions excluding ISOLATE actions. Use this for standard Cloud App Control rules. ISOLATE actions cannot be mixed with other action types and require separate rules.
- cloudApps List<String>
- filteredActions List<String> - (List of Strings) List of actions filtered by the action_prefixes parameter. Only populated when action_prefixes is specified. Use this for custom filtering by specific action types (ALLOW only, DENY only, ALLOW+DENY, etc.).
- id String - The provider-assigned unique ID for this managed resource.
- isolateActions List<String> - (List of Strings) List of only ISOLATE actions (Cloud Browser Isolation). Use this for CBI rules. When using ISOLATE actions:
  - They cannot be mixed with other action types (ALLOW, DENY, etc.)
  - They require cbi_profile block in the resource
  - They cannot have browser_eun_template_id set
  - Create separate rules for ISOLATE vs non-ISOLATE actions
- type String
- actionPrefixes List<String>

- availableActions string[] - (List of Strings) Complete list of all available actions for the specified cloud applications and rule type, including ISOLATE actions. Use when you need the full list or want to apply custom Terraform filtering logic.
- availableActionsWithoutIsolates string[] - (List of Strings) Recommended for most use cases. List of available actions excluding ISOLATE actions. Use this for standard Cloud App Control rules. ISOLATE actions cannot be mixed with other action types and require separate rules.
- cloudApps string[]
- filteredActions string[] - (List of Strings) List of actions filtered by the action_prefixes parameter. Only populated when action_prefixes is specified. Use this for custom filtering by specific action types (ALLOW only, DENY only, ALLOW+DENY, etc.).
- id string - The provider-assigned unique ID for this managed resource.
- isolateActions string[] - (List of Strings) List of only ISOLATE actions (Cloud Browser Isolation). Use this for CBI rules. When using ISOLATE actions:
  - They cannot be mixed with other action types (ALLOW, DENY, etc.)
  - They require cbi_profile block in the resource
  - They cannot have browser_eun_template_id set
  - Create separate rules for ISOLATE vs non-ISOLATE actions
- type string
- actionPrefixes string[]

- available_actions Sequence[str] - (List of Strings) Complete list of all available actions for the specified cloud applications and rule type, including ISOLATE actions. Use when you need the full list or want to apply custom Terraform filtering logic.
- available_actions_without_isolates Sequence[str] - (List of Strings) Recommended for most use cases. List of available actions excluding ISOLATE actions. Use this for standard Cloud App Control rules. ISOLATE actions cannot be mixed with other action types and require separate rules.
- cloud_apps Sequence[str]
- filtered_actions Sequence[str] - (List of Strings) List of actions filtered by the action_prefixes parameter. Only populated when action_prefixes is specified. Use this for custom filtering by specific action types (ALLOW only, DENY only, ALLOW+DENY, etc.).
- id str - The provider-assigned unique ID for this managed resource.
- isolate_actions Sequence[str] - (List of Strings) List of only ISOLATE actions (Cloud Browser Isolation). Use this for CBI rules. When using ISOLATE actions:
  - They cannot be mixed with other action types (ALLOW, DENY, etc.)
  - They require cbi_profile block in the resource
  - They cannot have browser_eun_template_id set
  - Create separate rules for ISOLATE vs non-ISOLATE actions
- type str
- action_prefixes Sequence[str]
Package Details
- Repository: zia zscaler/pulumi-zia
- License: MIT
- Notes: This Pulumi package is based on the zia Terraform Provider.
