Manage Border0 Resources with Terraform

This guide walks you through getting started with the Border0 Terraform Provider. This provider allows you to manage Border0 resources such as sockets, policies, connectors, and connector tokens.


  • Install Terraform v0.14 or above.
  • A Border0 account and access token.
    • Generate an access token by going to Border0 Admin Portal -> Organization Settings -> Access Tokens, create a token in Member permission groups.
  • Install Border CLI
    • If you already have it installed on your computer, run border0 version upgrade
    • Alternatively, perform a fresh install by following this guide.


Add the Border0 provider to your existing Terraform configuration, or create a new file with the following code:

terraform {
  required_providers {
    border0 = {
      source = "borderzero/border0"


In your file, configure the Border0 provider with the access token:

provider "border0" {
  // You can generate a Border0 access token one by going to:
  // -> Organization Settings -> Access Tokens
  // and then create a token in Member permission groups.
  token = "_my_access_token_"

Now let's initialize your working directory and download the Border0 provider:

terraform init

Managing Resources

In this section, you will create some Border0 resources:

  • A connector with a connector token
  • An HTTP socket
  • A minimal policy and attach the policy to the HTTP socket

Connectors (border0_connector and border0_connector_token)

First, let's add a Border0 connector:


If you've already created a connector and a connector token through the Border0 Admin Portal, and you have it running, you can skip this section and proceed to Sockets.

resource "border0_connector" "terraform_connector" {
  name                         = "terraform-connector"
  description                  = "A connector created by terraform"
  built_in_ssh_service_enabled = true

And then add a token for the connector:

resource "border0_connector_token" "terraform_connector_token" {
  connector_id =
  name         = "terraform-connector-token"

  // write the connector token to a local `border0.yml` file for the Border0 connector
  provisioner "local-exec" {
    command = "echo 'token: ${self.token}' > ./border0.yaml"


You can also create an expirable connector token using Terraform. See the example here.

This configuration will create a connector token and write it to a local border0.yml file for the Border0 connector. You can use this config file to start the connector.

Let's create the connector and connector token using Terraform. Run the following command in your terminal:

terraform apply

Sockets (border0_socket)

Now let's add an HTTP socket using as upstream URL:


This HTTP socket will be linked to the connector added in the previous step with:

connector_id =

If you have a connector that's not managed by Terraform, you can link to that connector with its id by:

connector_id = "_your_connector_id_"

resource "border0_socket" "terraform_http_socket" {
  name         = "terraform-http-socket"
  description  = "An HTTP socket created by terraform"
  socket_type  = "http"
  connector_id =

  http_configuration {
    upstream_url = ""

  tags = {
    "tag_1" = "value_1"
    "tag_2" = "value_2"

Run the following command in your terminal to create the HTTP socket:

terraform apply

Policies (border0_policy and border0_policy_attachment)

Add a Border0 policy that allows anyone with an email address to log in to sockets that are attached to this policy:

resource "border0_policy" "terraform_policy" {
  name        = "terraform-policy"
  description = "A policy created by terraform"
  policy_data = jsonencode({
    "version" : "v1",
    "action" : ["database", "ssh", "http", "tls"],
    "condition" : {
      "who" : {
        "domain" : [""]
      "when" : {
        "after" : "2023-09-13T00:00:00Z",
        "time_of_day_after" : "00:00 UTC",
        "time_of_day_before" : "23:59 UTC"

Next, attach this policy to your Terraform managed HTTP socket:

resource "border0_policy_attachment" "terraform_policy_attachment" {
  policy_id =
  socket_id =

Finally, run the following command in your terminal to create the policy and attach it to the HTTP socket:

terraform apply

Bring up your Border0 connector

At this point, all your Border0 resources should be set up according to your Terraform configuration. If your connector is managed by the Terraform setup in this quickstart guide, you can start your Border0 connector with the following command:

border0 connector start --config ./border0.yaml


The connector configuration file, ./border0.yaml, was created by Terraform along with the connector token in the Connectors section.

Visit the Border0 Admin Portal to view your Terraform managed resources.

Further Reading