Heroku CLI / AWS CLI / Terraform CLI issues w/ new security features where IP of browser and CLI need to match

Problem: Current customer's end users leverage Heroku CLI, Terraform CLI, and AWS CLI to do their automation jobs. As Zscaler was rolled out we tackled the SSL piece, but now these CLIs are enforcing the matching of IPs from the CLI and the browser. Browser is getting a Zscaler address and the CLI seems to be getting a direct IP. We aren't skipping these domains via a PAC file but the mismatch is happening. The customer is still using Tunnel 1.0 and an all ZCC setup (no tunnels and no locations).

As an example, the documentation for Heroku says you just need to set the HTTPS_PROXY variable and this resolves the issue, but I'm not clear on how to do that w/ ZS. https://devcenter.heroku.com/changelog-items/1873. Is this a DPP setup? But documentation seems to point to locations as a key.

Can anyone shed some light on these tools and how you've solved it outside of just sending this traffic DIRECT via a PAC file?

HTTPS_PROXY is an environment variable of the OS. You can route using gateway.zscalertwo.net and your dedicated port if you own one or likely using a VIP and 443.

I was looking for the URL for the env variable. Thanks for that. I couldn’t find actual docs on it. I don’t have a DPP so I’ll test w that hostname and 443 to see if it works.
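
An added example, not part of the thread or of any vendor's tooling: a POSIX shell check for the setup discussed above, which points HTTPS_PROXY at the gateway and confirms that the CLI's egress address actually changes. The gateway hostname and port 443 come from the reply; the `http://` proxy scheme, the `checkip.amazonaws.com` echo endpoint, the `api.heroku.com` default target and all function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed values: proxy scheme, IP echo endpoint, default target.
ZS_PROXY_HOST="${ZS_PROXY_HOST:-gateway.zscalertwo.net}"   # from the thread
ZS_PROXY_PORT="${ZS_PROXY_PORT:-443}"                      # from the thread
IP_ECHO_URL="${IP_ECHO_URL:-https://checkip.amazonaws.com}" # assumed endpoint

# Build the value to export as HTTPS_PROXY (plain HTTP CONNECT proxy assumed).
proxy_url() { printf 'http://%s:%s' "$1" "$2"; }

# Return 0 if host $1 is exempted by the NO_PROXY-style list $2.
# Suffix matching approximates what most CLIs do; exact rules vary by tool.
bypasses_proxy() {
  host=$1; rest="${2:-},"
  while [ -n "$rest" ]; do
    entry=${rest%%,*}; rest=${rest#*,}
    entry=${entry# }; entry=${entry#.}
    case "$entry" in
      '') continue ;;
      '*') return 0 ;;
    esac
    case "$host" in
      "$entry"|*."$entry") return 0 ;;
    esac
  done
  return 1
}

# Print the public IP the echo service sees, via proxy $1 or direct if empty.
egress_ip() {
  if [ -n "${1:-}" ]; then curl -fsS --max-time 10 --proxy "$1" "$IP_ECHO_URL"
  else curl -fsS --max-time 10 --noproxy '*' "$IP_ECHO_URL"; fi
}

# Compare the direct ($1) and proxied ($2) egress addresses.
classify_egress() {
  if [ -z "$2" ]; then echo "PROXY_FAILED"
  elif [ "$1" = "$2" ]; then echo "UNCHANGED"
  else echo "VIA_PROXY"; fi
}

if [ "${1:-}" = "--check" ]; then
  target=${2:-api.heroku.com}   # assumed host the CLI talks to
  proxy=$(proxy_url "$ZS_PROXY_HOST" "$ZS_PROXY_PORT")
  if bypasses_proxy "$target" "${NO_PROXY:-${no_proxy:-}}"; then
    echo "warning: NO_PROXY exempts $target; the CLI would still go direct" >&2
  fi
  direct=$(egress_ip "" || true); proxied=$(egress_ip "$proxy" || true)
  echo "direct=$direct proxied=$proxied $(classify_egress "$direct" "$proxied")"
  echo "export HTTPS_PROXY=$proxy"
fi
```

Run it with `--check`; a `VIA_PROXY` result whose proxied address matches what the browser reports means the CLI and browser now leave through the same path. The proxied request only succeeds if the inspection root CA is already trusted by curl.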