Manage Border0 Resources with Terraform
This guide walks you through getting started with the Border0 Terraform Provider. This provider allows you to manage Border0 resources such as sockets, policies, connectors, and connector tokens.
Prerequisites
- Install Terraform v0.14 or above.
- A Border0 account and access token.
- Generate an access token by going to Border0 Admin Portal ->
Organization Settings
->Access Tokens
, create a token inMember
permission groups.
- Generate an access token by going to Border0 Admin Portal ->
- Install Border CLI
- If you already have it installed on your computer, run
border0 version upgrade
- Alternatively, perform a fresh install by following this guide.
- If you already have it installed on your computer, run
Installation
Add the Border0 provider to your existing Terraform configuration, or create a new main.tf file with the following code:
terraform {
required_providers {
border0 = {
source = "borderzero/border0"
}
}
}
Configuration
In your main.tf
file, configure the Border0 provider with the access token:
provider "border0" {
// You can generate a Border0 access token one by going to:
// portal.border0.com -> Organization Settings -> Access Tokens
// and then create a token in Member permission groups.
token = "_my_access_token_"
}
Now let's initialize your working directory and download the Border0 provider:
terraform init
Managing Resources
In this section, you will create some Border0 resources:
- A connector with a connector token
- An HTTP socket
- A minimal policy and attach the policy to the HTTP socket
Connectors (border0_connector
and border0_connector_token
)
border0_connector
and border0_connector_token
)First, let's add a Border0 connector:
If you've already created a connector and a connector token through the Border0 Admin Portal, and you have it running, you can skip this section and proceed to Sockets.
resource "border0_connector" "terraform_connector" {
name = "terraform-connector"
description = "A connector created by terraform"
built_in_ssh_service_enabled = true
}
And then add a token for the connector:
resource "border0_connector_token" "terraform_connector_token" {
connector_id = border0_connector.terraform_connector.id
name = "terraform-connector-token"
// write the connector token to a local `border0.yml` file for the Border0 connector
provisioner "local-exec" {
command = "echo 'token: ${self.token}' > ./border0.yaml"
}
}
You can also create an expirable connector token using Terraform. See the example here.
This configuration will create a connector token and write it to a local border0.yml
file for the Border0 connector. You can use this config file to start the connector.
Let's create the connector and connector token using Terraform. Run the following command in your terminal:
terraform apply
Sockets (border0_socket
)
border0_socket
)Now let's add an HTTP socket using www.example.com as upstream URL:
This HTTP socket will be linked to the connector added in the previous step with:
connector_id = border0_connector.terraform_connector.id
If you have a connector that's not managed by Terraform, you can link to that connector with its id by:
connector_id = "_your_connector_id_"
resource "border0_socket" "terraform_http_socket" {
name = "terraform-http-socket"
description = "An HTTP socket created by terraform"
socket_type = "http"
connector_id = border0_connector.terraform_connector.id
http_configuration {
upstream_url = "https://www.example.com"
}
tags = {
"tag_1" = "value_1"
"tag_2" = "value_2"
}
}
Run the following command in your terminal to create the HTTP socket:
terraform apply
Policies (border0_policy
and border0_policy_attachment
)
border0_policy
and border0_policy_attachment
)Add a Border0 policy that allows anyone with an @gmail.com
email address to log in to sockets that are attached to this policy:
resource "border0_policy" "terraform_policy" {
name = "terraform-policy"
description = "A policy created by terraform"
policy_data = jsonencode({
"version" : "v1",
"action" : ["database", "ssh", "http", "tls"],
"condition" : {
"who" : {
"domain" : ["gmail.com"]
},
"when" : {
"after" : "2023-09-13T00:00:00Z",
"time_of_day_after" : "00:00 UTC",
"time_of_day_before" : "23:59 UTC"
}
}
})
}
Next, attach this policy to your Terraform managed HTTP socket:
resource "border0_policy_attachment" "terraform_policy_attachment" {
policy_id = border0_policy.terraform_policy.id
socket_id = border0_socket.terraform_http_socket.id
}
Finally, run the following command in your terminal to create the policy and attach it to the HTTP socket:
terraform apply
Bring up your Border0 connector
At this point, all your Border0 resources should be set up according to your Terraform configuration. If your connector is managed by the Terraform setup in this quickstart guide, you can start your Border0 connector with the following command:
border0 connector start --config ./border0.yaml
The connector configuration file,
./border0.yaml
, was created by Terraform along with the connector token in the Connectors section.
Visit the Border0 Admin Portal to view your Terraform managed resources.
Further Reading
Updated about 1 year ago