weave
module · Networking

Zscaler

Zscaler ZIA — URL policies, firewall rules, users, app segments

Namespace: weave zscaler
Env: ZSCALER_CLIENT_ID
Commands: 6
State kinds: 1
Category: Networking
API docs: 1

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable               Description                   Status
ZSCALER_CLIENT_ID      Required for authentication.  required
ZSCALER_CLIENT_SECRET  Required for authentication.  required
ZSCALER_CLOUD          Required for authentication.  required

Sanity-check the wiring:

weave secrets check
weave zscaler --help
weave doctor   # reports ZSCALER_CLIENT_ID status

Capabilities

What this module can do, by entity and verb. means a working CLI surface; · means not (yet) wired.

Entity  find  list  show  do  snapshot  diff  apply
policies····
policy···
user······

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (1)

find policy

read

Find a firewall rule by id or name.

weave zscaler find policy <identifier>

list (2)

list policies

read

List firewall rules (URL filtering policies).

weave zscaler list policies <arg>

list users

read

List ZIA users.

weave zscaler list users <arg>

show (1)

show policy

read

Show a firewall rule by id.

weave zscaler show policy <policy-id>

do (2)

do disable

write

Disable a firewall rule.

weave zscaler do disable <policy-id>

do enable

write

Enable a firewall rule.

weave zscaler do enable <policy-id>

snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/zscaler/.

policies

snapshot diff apply

Zscaler firewall rules — name and state via PUT /firewallRules/:id.

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: zscaler
kind: policies
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Firewall policy audit

weave zscaler snapshot policies
weave zscaler diff policies
weave zscaler apply policies
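
One way to put the recipe above under change control, together with the Setup advice about keeping credentials out of the shell rc. This is an added example, not part of weave or of the original page. WEAVE_BIN and REVIEWED are hypothetical names introduced here, and placing --yes / --dry-run after the kind is an assumption based on the page's "apply --yes" wording.

```sh
#!/bin/sh
# Added example, not part of weave: guarded run of the documented policies workflow.
# Assumptions: WEAVE_BIN and REVIEWED are hypothetical names introduced here, and
# the position of --yes / --dry-run after the kind is assumed, not documented.
WEAVE_BIN="${WEAVE_BIN:-weave}"

# Names of required variables that are blank; values are never printed.
missing_zscaler_env() {
  missing=""
  for name in ZSCALER_CLIENT_ID ZSCALER_CLIENT_SECRET ZSCALER_CLOUD; do
    if ! eval "[ -n \"\${$name:-}\" ]"; then missing="$missing $name"; fi
  done
  printf '%s' "${missing# }"
}

# Print each given rc file that assigns the secret a literal value
# (a "$(...)" or "$VAR" lookup from a secrets manager is not flagged).
rc_files_with_secret() {
  pattern="^[[:space:]]*(export[[:space:]]+)?ZSCALER_CLIENT_SECRET=[\"']?[^\$\"'[:space:]]"
  for f in "$@"; do
    [ -f "$f" ] || continue
    if grep -Eq "$pattern" "$f"; then printf '%s\n' "$f"; fi
  done
  return 0
}

# Always diff first; write only when REVIEWED=1, otherwise preview the same diff.
policy_change() {
  blank=$(missing_zscaler_env)
  if [ -n "$blank" ]; then echo "blank: $blank" >&2; return 2; fi
  leaked=$(rc_files_with_secret "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.profile")
  if [ -n "$leaked" ]; then echo "secret hard-coded in: $leaked" >&2; return 3; fi
  # Assumption: diff exits non-zero only when it fails, not when it finds changes.
  "$WEAVE_BIN" zscaler diff policies || return 1
  if [ "${REVIEWED:-0}" = "1" ]; then
    "$WEAVE_BIN" zscaler apply policies --yes
  else
    "$WEAVE_BIN" zscaler apply policies --dry-run
  fi
}
```

Source the file and call policy_change; set REVIEWED=1 only after the diff has been reviewed.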

List policies

weave zscaler list policies

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource     weave equivalent
zscaler_firewall_rule  weave zscaler snapshot/diff/apply policies

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including ZSCALER_CLIENT_ID) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave zscaler diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.