Border0 Terraform Provider
Terraform has become an essential tool for many developers who manage infrastructure and applications running in the cloud. Border0 customers build on cloud providers such as AWS, so it made sense for us to add official Terraform support and make sure you can easily create Border0 Sockets for all your AWS resources using Terraform.
The Border0 Terraform provider further enhances how users interact with the Border0 API and is built on top of the Border0 Go SDK we released just a few weeks ago. As a Border0 customer, you can now use the Portal, the CLI, Terraform, our SDK, and the APIs to interact with Border0.
This new Terraform provider allows you to manage and keep track of all your Border0 resources, such as Connectors, Sockets, Policies, and tokens, all using Terraform. In this blog, we will showcase some examples.
What is Terraform
Terraform is a popular infrastructure as code tool developed by HashiCorp. Thousands of developers and infrastructure engineers use it to manage their cloud resources. Like many of our customers, we ourselves use it extensively for our AWS environments. Having a declarative way to manage your infrastructure makes deploying and tracking changes easy using typical GitOps best practices.
Getting started with the Border0 Terraform provider
To make it easy to get started with the Border0 Terraform provider, we published a GitHub repository with a Getting Started example. The Terraform code has a few modules and, at a high level, does the following:
- The first module that’s executed is called infrastructure and creates a new AWS VPC with two EC2 instances, an ECS cluster, and an RDS instance. All of this runs in a private subnet, isolated from direct Internet access for security purposes and closely mimicking a real-world scenario. Only outbound network access is allowed, and only through the NAT gateway.
- In the module called connector, we use Terraform to start a Border0 connector for this environment. It runs on an EC2 instance in the same private subnet, so it can reach the targets while nothing in the subnet is reachable from the Internet.
- Lastly, in the third module called sockets, we use Terraform to create Border0 services (sockets) for the EC2, ECS, and RDS resources and link them to the Border0 connector. Once this is complete, you can access these private AWS resources through Border0 using just your SSO credentials. Best of all, bringing up this Terraform stack takes just a few minutes!
At a high level, this diagram demonstrates what we’re deploying.
Running the example
Okay, it’s time to build! To follow along, check out our example repository like this:
git clone https://github.com/borderzero/terraform-examples.git
Now that we have the example on our machine, we need to take care of a few prerequisites.
AWS credentials
If you have your AWS default credentials set up in your local environment and want to use these, you’re good to go. Otherwise, you can configure AWS credentials in one of the following ways.
export AWS_ACCESS_KEY_ID="access-key"
export AWS_SECRET_ACCESS_KEY="secret-access"
export AWS_REGION="us-west-2"
export AWS_DEFAULT_REGION="us-west-2"
Alternatively, you can update the variables.tf file and add the AWS credentials there. Keep in mind that variables.tf is normally committed to version control, so for anything other than a throwaway test prefer environment variables or your AWS credentials file over putting long-lived secrets in the repository.
Border0 API key
Next, we’ll need to make sure Terraform has a Border0 API key to interact with the Border0 API. You can create an API key in the Border0 portal under Organization Setting > Access Token. We recommend you use a token with the ‘member’ role.
The Border0 API token can be configured in the variables.tf file. Alternatively (and preferably, for the same reason that variables.tf usually ends up in version control), set the Border0 API key as an environment variable, like this.
export BORDER0_TOKEN=YOUR_TOKEN
Running Terraform
Before creating a plan file and applying the changes, we need to run the terraform init command to initialize our Terraform working directory. This downloads the AWS and Border0 providers declared in the configuration.
terraform init
Now that we’ve populated the various variables and initialized the providers, we’re ready for the next steps. Good practice is to first run terraform plan; this shows you exactly what will be created, changed, or destroyed. After reviewing it, we can apply with terraform apply. Note that terraform apply on its own computes a fresh plan and asks for confirmation rather than reusing the one you just looked at; if you want to apply exactly what you reviewed, save it with terraform plan -out=tfplan and then run terraform apply tfplan.
terraform plan && terraform apply
Bringing up the various AWS resources will take a few minutes, so this is a good time to refill your coffee. Once finished, you’ll see three EC2 instances: two are example targets you can connect to, and one runs the Border0 connector. You’ll also see an RDS MySQL server and an ECS cluster with two containers; finally, there’s an HTTP socket that makes the NGINX containers available.
You’ll now be able to connect to these resources from the Border0 client portal.
Security as Code
In the example repository, you’ll find a file called policy.tf, which contains an example policy. This policy is attached to the newly created Border0 sockets and, together with any organization-wide policies, controls who is able to access your services.
Managing access to your EC2, ECS, and RDS instances through Border0 is also a great example use case for GitOps. GitOps is a set of practices that uses Git as the single source of truth for declarative infrastructure and applications. By using Git as the cornerstone for managing your Border0 policies, you have one place to manage and track who has access to your infrastructure. Many of the good things that come for free with GitOps are also important security best practices: version control, declarative policies and infrastructure, and, if you hook it up to your CI/CD, automated delivery, peer review, and audit trails.
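To make the sockets module and policy.tf concrete, here is an added example written for this page; it is not code from the terraform-examples repository or from Border0 itself. It declares a connector, a database socket in front of the RDS instance, and a policy attached to that socket so that the "who, from where, when" rules live in Git next to the infrastructure. The resource types and attribute names (border0_connector, border0_socket, border0_policy, border0_policy_attachment and their fields), the layout of the policy JSON, and the e-mail address, domain and IP range are all assumptions made for illustration; verify the schema against the provider's Terraform Registry documentation before applying it.

```hcl
# Added example, not from the terraform-examples repository.
# Resource and attribute names are assumed from the provider documentation;
# check them against the Terraform Registry before use.

terraform {
  required_providers {
    border0 = {
      source = "borderzero/border0"
    }
  }
}

# No token argument here on purpose: the provider reads BORDER0_TOKEN from the
# environment, which keeps the secret out of version-controlled .tf files.
provider "border0" {}

# Endpoint of the RDS instance; in the real stack this would come from the
# infrastructure module's outputs rather than a hand-typed variable.
variable "rds_endpoint" {
  type        = string
  description = "Hostname of the RDS MySQL instance reachable from the private subnet"
}

# The connector that runs on the EC2 instance in the private subnet.
resource "border0_connector" "private_vpc" {
  name        = "aws-private-vpc"
  description = "Connector in the private subnet (attribute names assumed)"
}

# A database socket for the RDS MySQL instance, bound to the connector above.
resource "border0_socket" "rds_mysql" {
  name              = "rds-mysql"
  socket_type       = "database"
  connector_id      = border0_connector.private_vpc.id
  upstream_hostname = var.rds_endpoint
  upstream_port     = 3306
}

# Policy as code: who may reach the socket, from where, and when.
# Identities and networks below are constructed sample values.
resource "border0_policy" "db_engineers" {
  name        = "db-engineers-business-hours"
  description = "example.com engineers, office IP range only, business hours"
  policy_data = jsonencode({
    version = "v1"
    action  = ["database"]
    condition = {
      who = {
        email  = ["alice@example.com"]
        domain = ["example.com"]
      }
      where = {
        allowed_ip = ["203.0.113.0/24"] # RFC 5737 documentation range
        country    = ["US", "NL"]
      }
      when = {
        time_of_day = { from = "0900", to = "1800" }
      }
    }
  })
}

# Attach the policy to the socket; organization-wide policies still apply.
resource "border0_policy_attachment" "rds_mysql" {
  policy_id = border0_policy.db_engineers.id
  socket_id = border0_socket.rds_mysql.id
}
```

Because the policy is plain data in a .tf file, widening allowed_ip or adding an e-mail address shows up as a one-line diff in a pull request, which is exactly the peer-review and audit-trail benefit the GitOps paragraph above describes; the same diff also appears in terraform plan before anything changes.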
Wrap up
Anyone managing infrastructure at scale will likely use some infrastructure as code tool. Terraform is the most popular option, so having an official Border0 Terraform provider is valuable to any security or infrastructure operator. You now have everything you need to manage your Border0 resources using Terraform and can even manage your policies as code. To learn more about the Border0 Terraform provider, check out the official Terraform Registry page for Border0; it comes with plenty of documentation and examples.
To try out Border0 with Terraform, sign up for our free, fully featured community edition and run the example for yourself! Alternatively, schedule a demo and let us walk you through a custom demo; let’s geek out together 🤓