From 2b459f7e56b41e48681799c45c0e15bebfca27f1 Mon Sep 17 00:00:00 2001
From: 35C4n0r
Date: Mon, 13 Apr 2026 08:45:57 +0530
Subject: [PATCH 1/2] feat(boundary): add boundary module with installation and configuration scripts
---
registry/coder/modules/boundary/README.md | 48 +++++++++
.../modules/boundary/boundary.tftest.hcl | 50 +++++++++
registry/coder/modules/boundary/main.tf | 59 ++++++++++
.../coder/modules/boundary/scripts/install.sh | 102 ++++++++++++++++++
4 files changed, 259 insertions(+)
create mode 100644 registry/coder/modules/boundary/README.md
create mode 100644 registry/coder/modules/boundary/boundary.tftest.hcl
create mode 100644 registry/coder/modules/boundary/main.tf
create mode 100644 registry/coder/modules/boundary/scripts/install.sh
diff --git a/registry/coder/modules/boundary/README.md b/registry/coder/modules/boundary/README.md
new file mode 100644
index 000000000..fee40e8f7
--- /dev/null
+++ b/registry/coder/modules/boundary/README.md
@@ -0,0 +1,48 @@
+---
+display_name: Boundary
+description: Configures boundary for network isolation in Coder workspaces
+icon: ../../../../.icons/coder.svg
+verified: true
+tags: [boundary, coder, AI, agents]
+---
+
+# Boundary
+
+Configures boundary to enable network isolation for workspace processes in Coder.
+
+```tf
+module "boundary" {
+ count = data.coder_workspace.me.start_count
+ source = "registry.coder.com/coder/boundary/coder"
+ version = "1.0.0"
+ agent_id = coder_agent.main.id
+}
+```
+
+## Examples
+
+### Compile from source
+
+```tf
+module "boundary" {
+ count = data.coder_workspace.me.start_count
+ source = "registry.coder.com/coder/boundary/coder"
+ version = "1.0.0"
+ agent_id = coder_agent.main.id
+ compile_boundary_from_source = true
+ boundary_version = "main"
+}
+```
+
+### Use release binary
+
+```tf
+module "boundary" {
+ count = data.coder_workspace.me.start_count
+ source = "registry.coder.com/coder/boundary/coder"
+ version = "1.0.0"
+ agent_id = coder_agent.main.id
+ use_boundary_directly = true
+ boundary_version = "latest"
+}
+```
diff --git a/registry/coder/modules/boundary/boundary.tftest.hcl b/registry/coder/modules/boundary/boundary.tftest.hcl
new file mode 100644
index 000000000..f399f9e05
--- /dev/null
+++ b/registry/coder/modules/boundary/boundary.tftest.hcl
@@ -0,0 +1,50 @@
+# Test for boundary module
+
+run "plan_with_required_vars" {
+ command = plan
+
+ variables {
+ agent_id = "test-agent-id"
+ }
+
+ # Verify the coder_script resource is created with correct agent_id
+ assert {
+ condition = coder_script.boundary_script.agent_id == "test-agent-id"
+ error_message = "boundary_script agent_id should match the input variable"
+ }
+
+ assert {
+ condition = coder_script.boundary_script.display_name == "Boundary Installation Script"
+ error_message = "display_name should be 'Boundary Installation Script'"
+ }
+}
+
+run "plan_with_compile_from_source" {
+ command = plan
+
+ variables {
+ agent_id = "test-agent-id"
+ compile_boundary_from_source = true
+ boundary_version = "main"
+ }
+
+ assert {
+ condition = coder_script.boundary_script.agent_id == "test-agent-id"
+ error_message = "boundary_script agent_id should match the input variable"
+ }
+}
+
+run "plan_with_use_directly" {
+ command = plan
+
+ variables {
+ agent_id = "test-agent-id"
+ use_boundary_directly = true
+ boundary_version = "latest"
+ }
+
+ assert {
+ condition = coder_script.boundary_script.agent_id == "test-agent-id"
+ error_message = "boundary_script agent_id should match the input variable"
+ }
+}
diff --git a/registry/coder/modules/boundary/main.tf b/registry/coder/modules/boundary/main.tf
new file mode 100644
index 000000000..82c33285a
--- /dev/null
+++ b/registry/coder/modules/boundary/main.tf
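Review bot: The `plan_with_compile_from_source` and `plan_with_use_directly` runs assert only `agent_id`, the same condition as the first run, so they would still pass if `compile_boundary_from_source`, `use_boundary_directly` or `boundary_version` were never wired into the script. Since main.tf renders those values into `coder_script.boundary_script.script`, each run could assert on the rendered text, for example `condition = strcontains(coder_script.boundary_script.script, "ARG_COMPILE_BOUNDARY_FROM_SOURCE=\"true\"")`, assuming the Terraform version running the tests provides `strcontains`. A run that sets both flags to true would also pin down which install path takes precedence.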
@@ -0,0 +1,59 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ coder = {
+ source = "coder/coder"
+ version = ">= 2.5"
+ }
+ }
+}
+
+# Add required variables for your modules and remove any unneeded variables
+variable "agent_id" {
+ type = string
+ description = "The ID of a Coder agent."
+}
+
+variable "boundary_version" {
+ type = string
+ description = "Boundary version. When use_boundary_directly is true, a release version should be provided or 'latest' for the latest release. When compile_boundary_from_source is true, a valid git reference should be provided (tag, commit, branch)."
+ default = "latest"
+}
+
+variable "compile_boundary_from_source" {
+ type = bool
+ description = "Whether to compile boundary from source instead of using the official install script."
+ default = false
+}
+
+variable "use_boundary_directly" {
+ type = bool
+ description = "Whether to use boundary binary directly instead of `coder boundary` subcommand. When false (default), uses `coder boundary` subcommand. When true, installs and uses boundary binary from release."
+ default = false
+}
+
+locals {
+ boundary_script = file("${path.module}/scripts/install.sh")
+ module_directory = "$HOME/.coder-modules/coder/boundary"
+ boundary_script_destination = "${local.module_directory}/install.sh"
+}
+
+resource "coder_script" "boundary_script" {
+ agent_id = var.agent_id
+ display_name = "Boundary Installation Script"
+ script = <<-EOT
+ #!/bin/bash
+ set -o errexit
+ set -o pipefail
+ mkdir -p "$(dirname "${local.boundary_script_destination}")"
+ echo -n '${base64encode(local.boundary_script)}' | base64 -d > "${local.boundary_script_destination}"
+ chmod +x "${local.boundary_script_destination}"
+
+ ARG_BOUNDARY_VERSION="${var.boundary_version}" \
+ ARG_COMPILE_BOUNDARY_FROM_SOURCE="${var.compile_boundary_from_source}" \
+ ARG_USE_BOUNDARY_DIRECTLY="${var.use_boundary_directly}" \
+ ARG_MODULE_DIR="${local.module_directory}" \
+ "${local.boundary_script_destination}"
+EOT
+}
diff --git a/registry/coder/modules/boundary/scripts/install.sh b/registry/coder/modules/boundary/scripts/install.sh
new file mode 100644
index 000000000..10a71c172
--- /dev/null
+++ b/registry/coder/modules/boundary/scripts/install.sh
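Review bot: `var.boundary_version` is interpolated straight into a double-quoted shell assignment inside the `script` heredoc (`ARG_BOUNDARY_VERSION="${var.boundary_version}"`), so a value containing a double quote, `$(...)` or a backtick is evaluated by bash on the agent instead of being passed through as data. That matters most if a template wires this variable to a workspace parameter, which cannot be seen from this hunk. A `validation` block on the variable with `condition = can(regex("^[A-Za-z0-9][A-Za-z0-9._/-]*$", var.boundary_version))` would restrict it to release names and git refs, and the leading-character rule also keeps the value from being read as an option by `git checkout` in install.sh. The variable descriptions could additionally state which flag wins when `compile_boundary_from_source` and `use_boundary_directly` are both true, and that the default `latest` appears meaningful only for the release path.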
@@ -0,0 +1,102 @@
+#!/bin/bash
+# Exports AGENTAPI_BOUNDARY_PREFIX for use by module start scripts.
+
+set -o nounset
+BOUNDARY_VERSION="${ARG_BOUNDARY_VERSION:-latest}"
+COMPILE_BOUNDARY_FROM_SOURCE="${ARG_COMPILE_BOUNDARY_FROM_SOURCE:-false}"
+USE_BOUNDARY_DIRECTLY="${ARG_USE_BOUNDARY_DIRECTLY:-false}"
+MODULE_DIR="${ARG_MODULE_DIR:-}"
+set +o nounset
+
+validate_boundary_subcommand() {
+ if hash coder; then
+ if coder boundary --help > /dev/null 2>&1; then
+ return 0
+ else
+ echo "Error: 'coder' command found but does not support 'boundary' subcommand. Please enable install_boundary."
+ exit 1
+ fi
+ else
+ echo "Error: 'coder' command not found. boundary cannot be enabled." >&2
+ exit 1
+ fi
+}
+
+# Install boundary binary if needed.
+# Uses one of three strategies:
+# 1. Compile from source (compile_boundary_from_source=true)
+# 2. Install from release (use_boundary_directly=true)
+# 3. Use coder boundary subcommand (default, no installation needed)
+install_boundary() {
+ if [[ "${COMPILE_BOUNDARY_FROM_SOURCE}" = "true" ]]; then
+ echo "Compiling boundary from source (version: ${BOUNDARY_VERSION})"
+
+ # Remove existing boundary directory to allow re-running safely
+ if [[ -d boundary ]]; then
+ rm -rf boundary
+ fi
+
+ echo "Cloning boundary repository"
+ git clone https://github.com/coder/boundary.git
+ cd boundary || exit 1
+ git checkout "${BOUNDARY_VERSION}"
+
+ make build
+
+ sudo cp boundary /usr/local/bin/
+ sudo chmod +x /usr/local/bin/boundary
+ cd - || exit 1
+ elif [[ "${USE_BOUNDARY_DIRECTLY}" = "true" ]]; then
+ echo "Installing boundary using official install script (version: ${BOUNDARY_VERSION})"
+ curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash -s -- --version "${BOUNDARY_VERSION}"
+ else
+ validate_boundary_subcommand
+ echo "Using coder boundary subcommand (provided by Coder)"
+ fi
+}
+
+# Set up boundary: install, write config, create wrapper script.
+# Exports AGENTAPI_BOUNDARY_PREFIX pointing to the wrapper script.
+setup_boundary() {
+ local module_path="${MODULE_DIR}"
+
+ echo "Setting up coder boundary..."
+
+ # Install boundary binary if needed
+ install_boundary
+
+ # Determine which boundary command to use and create wrapper script
+ BOUNDARY_WRAPPER_SCRIPT="${module_path}/boundary-wrapper.sh"
+
+ if [[ "${COMPILE_BOUNDARY_FROM_SOURCE}" = "true" ]] || [[ "${USE_BOUNDARY_DIRECTLY}" = "true" ]]; then
+ # Use boundary binary directly (from compilation or release installation)
+ cat > "${BOUNDARY_WRAPPER_SCRIPT}" << 'WRAPPER_EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+exec boundary -- "$@"
+WRAPPER_EOF
+ else
+ # Use coder boundary subcommand (default)
+ # Copy coder binary to strip CAP_NET_ADMIN capabilities.
+ # This is necessary because boundary doesn't work with privileged binaries
+ # (you can't launch privileged binaries inside network namespaces unless
+ # you have sys_admin).
+ CODER_NO_CAPS="${module_path}/coder-no-caps"
+ if ! cp "$(command -v coder)" "${CODER_NO_CAPS}"; then
+ echo "Error: Failed to copy coder binary to ${CODER_NO_CAPS}. boundary cannot be enabled." >&2
+ exit 1
+ fi
+ cat > "${BOUNDARY_WRAPPER_SCRIPT}" << 'WRAPPER_EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+exec "${SCRIPT_DIR}/coder-no-caps" boundary -- "$@"
+WRAPPER_EOF
+ fi
+
+ chmod +x "${BOUNDARY_WRAPPER_SCRIPT}"
+ export AGENTAPI_BOUNDARY_PREFIX="${BOUNDARY_WRAPPER_SCRIPT}"
+ echo "boundary wrapper configured: ${AGENTAPI_BOUNDARY_PREFIX}"
+}
+
+setup_boundary
\ No newline at end of file
From e4e059be4ada3387d3e82a10a2620cc103326ab7 Mon Sep 17 00:00:00 2001
From: 35C4n0r
Date: Mon, 13 Apr 2026 08:54:07 +0530
Subject: [PATCH 2/2] chore: bun fmt
---
registry/coder/modules/boundary/boundary.tftest.hcl | 4 ++--
registry/coder/modules/boundary/scripts/install.sh | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
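Review bot: The release path in `install_boundary` runs `curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash`, which executes whatever the `main` branch serves at workspace start with no pinning or integrity check, even when `BOUNDARY_VERSION` pins the binary itself. Fetching the installer from a fixed tag or commit (`.../coder/boundary/<pinned-ref>/install.sh`, where `<pinned-ref>` is a placeholder) into a file, checking it against a recorded checksum and only then running it would make the install reproducible. The script also never enables `errexit` or `pipefail` (only `nounset`, which is switched off again), so a failed `curl` still lets `bash` exit 0 and a failed `git checkout` falls through to `make build` and `sudo cp` of the default branch; adding `set -o errexit -o pipefail` after the shebang would make both paths fail closed. Separately, main.tf executes this file as a child process, so `export AGENTAPI_BOUNDARY_PREFIX` does not reach other scripts; if they depend on it, they may need to locate `boundary-wrapper.sh` by path, and the header comment should say so.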
diff --git a/registry/coder/modules/boundary/boundary.tftest.hcl b/registry/coder/modules/boundary/boundary.tftest.hcl index f399f9e05..f728b5efe 100644 --- a/registry/coder/modules/boundary/boundary.tftest.hcl +++ b/registry/coder/modules/boundary/boundary.tftest.hcl @@ -38,9 +38,9 @@ run "plan_with_use_directly" { command = plan variables { - agent_id = "test-agent-id" + agent_id = "test-agent-id" use_boundary_directly = true - boundary_version = "latest" + boundary_version = "latest" } assert { diff --git a/registry/coder/modules/boundary/scripts/install.sh b/registry/coder/modules/boundary/scripts/install.sh index 10a71c172..383a70d4b 100644 --- a/registry/coder/modules/boundary/scripts/install.sh +++ b/registry/coder/modules/boundary/scripts/install.sh @@ -99,4 +99,4 @@ WRAPPER_EOF echo "boundary wrapper configured: ${AGENTAPI_BOUNDARY_PREFIX}" } -setup_boundary \ No newline at end of file +setup_boundary