Overview
This guide explains how to deploy Zscaler Internet Access (ZIA) security policies using Make.com, a Flask-powered API backend, and HubSpot as the source of configuration. It supports multiple policy types and logs results in Google Sheets for visibility and auditing.
Architecture Summary
Component | Function |
---|---|
HubSpot CRM (Company Object) | Stores configuration JSON and API credentials |
Make.com | Orchestrates the flow: fetches file, parses policies, and routes calls |
Flask API (/deploy-baseline) | Deploys policies to Zscaler via SDK and API |
Flask API (/flatten-for-sheet) | Normalizes failed/skipped rules for reporting |
Google Sheets + Drive | Saves structured results for each run |
Trigger Conditions
The automation runs only when:
- A JSON configuration file is uploaded to the HubSpot Company object's API/SDK Configuration Upload field.
- The Company has the following required fields:
  - zia_api_username
  - zia_api_password
  - zia_api_key
  - zia_cloud_name

These credentials are used to authenticate with the Zscaler tenant.
Workflow: Step-by-Step
1. Webhook Trigger (Make.com)
- Triggered by HubSpot Company object update.
- Validates presence of:
  - Configuration file link
  - Required ZIA credentials
2. Download & Parse Config
- Fetches the uploaded config file via HubSpot File API.
- Parses the JSON into separate categories: url_filtering, ssl_inspection, firewall_rules, etc.
3. Deploy Each Policy Set
Each policy set is:
- POSTed to /deploy-baseline
- Authenticated using Zscaler API credentials
- Deployed via SDK (with fallback to HTTP if needed)

The backend:
- Matches rule by name
- Updates existing rules or creates new ones
- Returns result per rule: CREATED, UPDATED, FAILED, or SKIPPED
4. Flatten & Format Result
- Results are POSTed to /flatten-for-sheet
- Extracts only failed or skipped rules
- Returns structured rows like:

Type | Name | Status | Error |
---|---|---|---|
Firewall Rules | Block SSH | FAILED | Invalid port range |
SSL Inspection | Default Rule | SKIPPED | Predefined rule - not editable |
5. Save to Sheet
- Rows are written to a Google Sheet titled: <CompanyName>-<timestamp>
- Sheet is stored in:
  - Zscaler New Tenant Setup Status folder (Google Drive)
  - Shared drive: GPT Automation
API Output - /deploy-baseline
{
  "message": "Policy deployment completed using uploaded JSON",
  "status": "SUCCESS",
  "results": {
    "url_filtering": [
      {
        "type": "URL Filtering",
        "name": "Block Facebook",
        "status": "UPDATED",
        "error": null
      }
    ]
  }
}
API Output - /flatten-for-sheet
Input: JSON
{ "array": [ { "url_filtering": [...], "firewall_rules": [...] } ] }
Output (filtered rows only): JSON
{
  "rows": [
    {
      "values": ["Type", "Name", "Status", "Error"]
    },
    {
      "values": ["URL Filtering", "Block Facebook", "FAILED", "Invalid domain"]
    }
  ]
}
Troubleshooting
Problem | Likely Cause / Fix |
---|---|
Webhook not triggering | File not uploaded in correct field |
"Missing fields" error in response | One of the ZIA credentials is missing in HubSpot |
Empty spreadsheet | All rules succeeded - this is expected |
"SKIPPED: Predefined rule" | System-managed rule cannot be updated |
Auth failed | Invalid ZIA username/password/API key |
500 error with traceback | Payload malformed or ZIA API temporarily down |
Tips
- Always validate the config file format before uploading.
- Use unique rule name fields to ensure proper match/update.
- Avoid editing predefined Zscaler rules via this automation.
- Review the generated sheet after every deployment for QA.
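
A pre-upload check covering the first two tips, as an added example that is not part of the original guide or the project's code. It assumes the config file is a JSON object mapping each category (url_filtering, firewall_rules, ...) to a list of rule objects with a name field; validate_config and the sample input are hypothetical.

```python
import json
from collections import Counter


def validate_config(raw: str) -> list[str]:
    """Return the problems found in a policy config; an empty list means OK."""
    try:
        config = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(config, dict) or not config:
        return ["top level must be a non-empty object of policy categories"]

    problems = []
    for category, rules in config.items():
        if not isinstance(rules, list):
            problems.append(f"{category}: expected a list of rules")
            continue
        names = []
        for index, rule in enumerate(rules):
            name = rule.get("name") if isinstance(rule, dict) else None
            if not isinstance(name, str) or not name.strip():
                problems.append(f"{category}[{index}]: missing or empty 'name'")
                continue
            # Assumption: compare names ignoring case and outer whitespace,
            # a conservative choice; the guide does not say how the backend compares.
            names.append(name.strip().casefold())
        # The backend matches rules by name, so a repeated name would let
        # one entry overwrite another within the same run.
        for name, count in Counter(names).items():
            if count > 1:
                problems.append(f"{category}: name '{name}' appears {count} times")
    return problems


# Constructed sample input, not a real tenant configuration.
SAMPLE = """{
  "url_filtering": [{"name": "Block Facebook"}, {"name": "block facebook "}],
  "firewall_rules": [{"name": "Block SSH"}, {"action": "BLOCK"}],
  "ssl_inspection": {"name": "Default Rule"}
}"""

if __name__ == "__main__":
    print("\n".join(validate_config(SAMPLE)) or "config OK")
```
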
Summary
Step | Action |
---|---|
1 | Upload JSON to HubSpot Company object |
2 | Ensure all ZIA credentials are present |
3 | Make.com fetches, parses, and dispatches each rule set |
4 | Flask API deploys rules to ZIA |
5 | Errors are flattened and logged in Google Sheets |
6 | Result is copied to Google Drive folder for historical tracking |