[VIDEO] ZPA Terraform provider Video Series Ep.6 - ZPA Segment Group

You must place each application segment you configure into a segment group. This allows you to configure user access policies based on segment groups. For example, if you have a set of defined applications that you want only users from the “Sales” department to access, you can create a segment group called “Sales Applications” and apply to it all sales-related applications. You can then create an access policy using that segment group.

However, you cannot assign an application segment to multiple segment groups. For example, if you place Salesforce in the “Sales Applications Group”, you cannot add Salesforce to another group.

Terraform Registry Example: Terraform Registry

In this video, we’ll explore

0:00:04;18 – 0:00:15;04 – Introduction
0:00:15;00 – 0:00:59;00 – Introduction to Segment Group
0:01:00;00 – 0:01:15;00 – Terraform Segment Group API Workflow
0:01:30;00 - 0:01:45;00 – Terraform Registry Documentation
0:01:46;00 – 0:02:38;00 – Configuring Segment Group
0:02:38;01 – 0:03:09;00 – Summary

Hi, my name is William Guilherme, and I am a Solutions Architect with the Zscaler Technology Alliances team.

In this video, we’ll go through how to create a segment group using the ZPA Terraform provider.

Part 1
A segment group is one of the many constructs available in the ZPA platform. This object is required when creating other constructs such as application segments.

Part 2
Optionally you can assign a segment group to an access policy for further segmentation and control of user access to internal applications.

This is possible by adding a new access policy, clicking in the Add criteria option, and selecting the Applications option.

You will then be presented with 2 additional options: Application Segments and Segment Groups. Click in the Segment Group Dropdown menu and select the segment group you’d like to associate with this access policy.

Part 3
To create a segment group, Terraform will use your desired state configuration parameters, to call the ZPA Segment Group endpoint, and provision the segment group resource in the ZPA portal.

The only required parameter when creating a segment group is the Name, while all other parameters are considered optional.

You can then create an application segment or an access policy using that same segment group in order to control access to a specific application.

Part 4

To see an example of how to configure a segment group using Terraform, navigate to the Terraform registry, and type ZPA in the search bar.

Navigate to the documentation tab, and scroll down to the Segment Group section on the left-hand side.

Click in the zpa_segment_group resource and copy and paste this example into your configuration file.

Part 5
To configure a segment group, open your preferred code editor. Make sure you have the Terraform provider block configuration properly set.

Paste the example from the terraform registry documentation to create the ZPA segment group resource block and change the parameters according to your needs.

As previously mentioned, the only required parameter in this configuration is the “Name”, while all other parameters are considered optional.

Part 6
Finally, we can run the command terraform apply to provision the segment group resource in the ZPA cloud.

Notice that in this example, I am using the optional flag called — auto-approve, which will prevent Terraform from asking for confirmation.

Finally, we have a single segment group resource created in the ZPA Cloud.

In summary:
In a segment Group, the only required parameter is the “Name”, while all other parameters are considered optional.
A segment group does not depend on any other ZPA construct in order to be created.
A Segment Group is required when creating an application segment
It can optionally be associated with all other policy types in the ZPA platform
for further segmentation such as Access Policies, Timeout Policies,
Forwarding Policies, Isolation Policies, and Inspection Policies[/details]

1 Like