zscaler.ziacloud.zia_location_management module – Adds new locations and sub-locations.

Note

This module is part of the zscaler.ziacloud collection (version 1.3.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.ziacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.ziacloud.zia_location_management.

New in zscaler.ziacloud 1.0.0

Synopsis

  • Adds new locations and sub-locations.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

api_key

string

A string that contains the obfuscated API key.

aup_block_internet_until_accepted

boolean

For First Time AUP Behavior, Block Internet Access.

When set, all internet access (including non-HTTP traffic) is disabled until the user accepts the AUP.

Choices:

  • false

  • true

aup_enabled

boolean

Enable AUP. When set to true, AUP is enabled for the location.

To Learn More, see Deploying SSL Inspection https://help.zscaler.com/zia/about-end-user-notifications

Choices:

  • false

  • true

aup_force_ssl_inspection

boolean

For First Time AUP Behavior, Force SSL Inspection.

When set, Zscaler forces SSL Inspection in order to enforce AUP for HTTPS traffic.

Choices:

  • false

  • true

aup_timeout_in_days

integer

Custom AUP Frequency. Refresh time (in days) to re-validate the AUP.

auth_required

boolean

Enforce Authentication. Required when ports are enabled, IP Surrogate is enabled, or Kerberos Authentication is enabled.

Choices:

  • false

  • true

caution_enabled

boolean

Enable Caution. When set to true, a caution notification is enabled for the location.

To Learn More, see Deploying SSL Inspection https://help.zscaler.com/zia/configuring-caution-notification#caution-interval

Choices:

  • false

  • true

cloud

string

The Zscaler cloud name that was provisioned for your organization.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

country

string

Country Name

description

string

Additional notes or information regarding the location or sub-location. The description cannot exceed 1024 characters.

display_time_unit

string

Display Time Unit. The time unit to display for IP Surrogate idle time to disassociation.

Choices:

  • "MINUTE"

  • "HOUR"

  • "DAY"

dn_bandwidth

integer

Download bandwidth in kbps. The value 0 implies no Bandwidth Control enforcement.

id

integer

Location ID

idle_time_in_minutes

integer

Idle Time to Disassociation. The user mapping idle time (in minutes) is required if a Surrogate IP is enabled.

iot_discovery_enabled

boolean

If this field is set to true, IoT discovery is enabled for this location.

Choices:

  • false

  • true

ip_addresses

list / elements=string

For locations: IP addresses of the egress points that are provisioned in the Zscaler Cloud.

Each entry is a single IP address (e.g., 238.10.33.9).

For sublocations: Egress, internal, or GRE tunnel IP addresses.

Each entry is either a single IP address, CIDR (e.g., 10.10.33.0/24), or range (e.g., 10.10.33.1-10.10.33.10).

ips_control

boolean

Enable IPS Control. When set to true, IPS Control is enabled for the location if Firewall is enabled.

Choices:

  • false

  • true

name

string / required

Location Name

ofw_enabled

boolean

Enable Firewall. When set to true, Firewall is enabled for the location.

Choices:

  • false

  • true

parent_id

integer

Parent Location ID.

If this ID does not exist or is 0, it is implied that it is a parent location.

Otherwise it is a sub-location whose parent has this ID. x-applicableTo: SUB

password

string

A string that contains the password for the API admin.

ports

list / elements=integer

IP ports that are associated with the location.

profile

string

(Optional) Profile tag that specifies the location traffic type.

The criteria used for setting the best possible value are as follows:

When invoked with a partner API key, it automatically sets the profile attribute to CORPORATE.

When invoked using public API, it automatically sets the profile attribute based on the following criteria:

If the location has authentication enabled, then it sets profile to CORPORATE.

If the location has authentication disabled and name contains guest, then it sets profile to GUESTWIFI.

For all other locations with authentication disabled, it sets profile to SERVER.

Choices:

  • "NONE" ← (default)

  • "CORPORATE"

  • "SERVER"

  • "GUESTWIFI"

  • "IOT"

provider

dictionary

A dict object containing connection details. This is optional; credentials can also be provided directly at the top level.

api_key

string

A string that contains the obfuscated API key.

cloud

string

The Zscaler cloud name that was provisioned for your organization.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

password

string

A string that contains the password for the API admin.

sandbox_token

string

A string that contains the Sandbox API Key.

username

string

A string that contains the email ID of the API admin.

sandbox_token

string

A string that contains the Sandbox API Key.

ssl_scan_enabled

boolean

This parameter was deprecated and no longer has an effect on SSL policy.

It remains supported in the API payload in order to maintain backwards compatibility with existing scripts, but it will be removed in future.

Enable SSL Inspection.

Set to true in order to apply your SSL Inspection policy to HTTPS traffic.

To Learn More, see Deploying SSL Inspection https://help.zscaler.com/zia/deploying-ssl-inspection

Choices:

  • false

  • true

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

  • "absent"

surrogate_ip

boolean

Enable Surrogate IP. When set to true, users are mapped to internal device IP addresses.

To Learn More, see Deploying SSL Inspection https://help.zscaler.com/zia/about-surrogate-ip

Choices:

  • false

  • true

surrogate_ip_enforced_for_known_browsers

boolean

Enforce Surrogate IP for Known Browsers. When set to true, IP Surrogate is enforced for all known browsers.

To Learn More, see Deploying SSL Inspection https://help.zscaler.com/zia/about-surrogate-ip

Choices:

  • false

  • true

surrogate_refresh_time_in_minutes

integer

Refresh Time for re-validation of Surrogacy.

The surrogate refresh time (in minutes) to re-validate the IP surrogates.

surrogate_refresh_time_unit

string

Display Refresh Time Unit.

The time unit to display for refresh time for re-validation of surrogacy.

Choices:

  • "MINUTE"

  • "HOUR"

  • "DAY"

tz

string

Timezone of the location. If not specified, it defaults to GMT.

up_bandwidth

integer

Upload bandwidth in kbps. The value 0 implies no Bandwidth Control enforcement.

username

string

A string that contains the email ID of the API admin.

vpn_credentials

list / elements=dictionary

VPN User Credentials that are associated with the location.

fqdn

string

Fully Qualified Domain Name. Applicable only to UFQDN (or HOSTED_MOBILE_USERS) auth type.

id

integer

VPN credential id

ip_address

string

Static IP address for VPN that is self-provisioned or provisioned by Zscaler.

This is a required field for IP auth type and is not applicable to other auth types.

Note: If you want Zscaler to provision static IP addresses for your organization, contact Zscaler Support.

type

string

VPN authentication type (i.e., how the VPN credential is sent to the server).

It is not modifiable after VpnCredential is created.

Choices:

  • "UFQDN" ← (default)

  • "IP"

xff_forward_enabled

boolean

Enable XFF Forwarding for a location.

When set to true, traffic is passed to Zscaler Cloud via the X-Forwarded-For (XFF) header.

Note: For sublocations, this attribute is a read-only field as the value is inherited from the parent location.

Choices:

  • false

  • true

zapp_ssl_scan_enabled

boolean

This parameter was deprecated and no longer has an effect on SSL policy.

It remains supported in the API payload in order to maintain backwards compatibility with existing scripts, but it will be removed in future.

Enable Zscaler App SSL Setting.

When set to true, the Zscaler App SSL Scan Setting takes effect, irrespective of the SSL policy that is configured for the location.

To Learn More, see Deploying SSL Inspection https://help.zscaler.com/z-app/configuring-ssl-inspection-zscaler-app#configure-SSL-Zscaler-App

Choices:

  • false

  • true

Notes

Note

  • Check mode is supported.

Examples

- name: Create UFQDN VPN Credential.
  zscaler.ziacloud.zia_traffic_forwarding_vpn_credentials:
    type: "UFQDN"
    fqdn: "usa_sjc37@acme.com"
    comments: "Created via Ansible"
    pre_shared_key: "************!"
  register: vpn_credential_ufqdn

- name: Create Location Management with UFQDN VPN Type
  zscaler.ziacloud.zia_location_management:
    name: "USA_SJC_37"
    description: "Created with Ansible"
    country: "UNITED_STATES"
    tz: "UNITED_STATES_AMERICA_LOS_ANGELES"
    auth_required: true
    idle_time_in_minutes: 720
    display_time_unit: "HOUR"
    surrogate_ip: true
    xff_forward_enabled: true
    ofw_enabled: true
    ips_control: true
    vpn_credentials:
      - id: "{{ vpn_credential_ufqdn.data.id }}"
        type: "{{ vpn_credential_ufqdn.data.type }}"

# Create Location Management with VPN IP Type
- name: Create/Update/Delete a Static IP.
  zscaler.ziacloud.zia_traffic_forwarding_static_ip:
    provider: '{{ provider }}'
    ip_address: "1.1.1.1"
    routable_ip: true
    comment: "Created with Ansible"
    geo_override: true
    latitude: "-36.848461"
    longitude: "174.763336"
  register: static_ip

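- name: Create/Update/Delete VPN Credentials Type IP.
  # VPN credentials are created with the VPN credentials module, not zia_location_management.
  zscaler.ziacloud.zia_traffic_forwarding_vpn_credentials:
    type: "IP"
    # Reference the registered static IP with Jinja2 templating.
    ip_address: "{{ static_ip.data.ip_address }}"
    comments: "Created via Ansible"
    pre_shared_key: "*************"
  register: vpn_credential_ip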

- name: Create Location Management with IP VPN Type
  zscaler.ziacloud.zia_location_management:
    name: "USA_SJC_37"
    description: "Created with Ansible"
    country: "UNITED_STATES"
    tz: "UNITED_STATES_AMERICA_LOS_ANGELES"
    auth_required: true
    idle_time_in_minutes: 720
    display_time_unit: "HOUR"
    surrogate_ip: true
    xff_forward_enabled: true
    ofw_enabled: true
    ips_control: true
    # ip_addresses is a list of strings; template the registered static IP.
    ip_addresses:
      - "{{ static_ip.data.ip_address }}"
    vpn_credentials:
      - id: "{{ vpn_credential_ip.data.id }}"
        type: "{{ vpn_credential_ip.data.type }}"
        ip_address: "{{ vpn_credential_ip.data.ip_address }}"
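
The parameter descriptions above state several cross-field rules (auth_required with ports or Surrogate IP, idle time with Surrogate IP, the 1024-character description limit, which address formats locations and sub-locations accept, ip_address for IP-type VPN credentials, inherited XFF on sub-locations) that can be checked on task parameters before a play runs. The following Python is an added example, not part of the zscaler.ziacloud collection: check_location and the sample dictionaries are hypothetical, the data is constructed, and the Kerberos condition is left out because the page lists no parameter for it.

```python
import ipaddress

def _single_ip(entry):
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False

def _cidr_or_range(entry):
    try:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in entry.split("-", 1))
            return lo.version == hi.version and lo <= hi
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def check_location(p):
    """Hypothetical helper: return violations of the rules in the parameter docs."""
    errs = []
    is_sub = bool(p.get("parent_id"))  # missing or 0 means a parent location
    if (p.get("ports") or p.get("surrogate_ip")) and not p.get("auth_required"):
        errs.append("auth_required must be true with ports or surrogate_ip")
    if p.get("surrogate_ip") and not p.get("idle_time_in_minutes"):
        errs.append("idle_time_in_minutes is required with surrogate_ip")
    if len(p.get("description", "")) > 1024:
        errs.append("description exceeds 1024 characters")
    for entry in p.get("ip_addresses", []):
        # Locations take single IPs; sub-locations also take CIDRs and ranges.
        if not (_single_ip(entry) or (is_sub and _cidr_or_range(entry))):
            errs.append(f"ip_addresses entry not allowed here: {entry}")
    for cred in p.get("vpn_credentials", []):
        if cred.get("type") == "IP" and not cred.get("ip_address"):
            errs.append("vpn_credentials of type IP need ip_address")
    if is_sub and "xff_forward_enabled" in p:
        errs.append("xff_forward_enabled is inherited on sub-locations")
    return errs

# Constructed sample parameters (illustrative values, not from the page).
BAD_PARENT = {"name": "HQ", "surrogate_ip": True, "auth_required": False,
              "ip_addresses": ["static_ip.data.ip_address", "10.10.33.0/24"]}
GOOD_SUB = {"name": "HQ_GUEST", "parent_id": 42, "auth_required": False,
            "ip_addresses": ["10.10.33.0/24", "10.10.33.1-10.10.33.10"]}

if __name__ == "__main__":
    for task in (BAD_PARENT, GOOD_SUB):
        print(task["name"], check_location(task) or "ok")
```

The first sample fails four checks, including a literal string where an IP address was expected and a CIDR on a parent location; the second passes because CIDRs and ranges are allowed on sub-locations.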

Authors

  • William Guilherme (@willguibr)