feat(coder/modules/boundary): add boundary module #840
Pull request overview

Adds a new coder/boundary registry module intended to set up Boundary-related tooling for Coder workspaces.

Changes:
- Introduces a Boundary install/setup shell script that can compile from source, install from release, or rely on coder boundary.
- Adds a Terraform module (main.tf) that deploys and runs the install script on an agent.
- Adds module README and Terraform native tests (.tftest.hcl).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| registry/coder/modules/boundary/scripts/install.sh | Installs Boundary (or validates coder boundary) and generates a wrapper script. |
| registry/coder/modules/boundary/main.tf | Defines module variables and a coder_script to deliver/execute install.sh. |
| registry/coder/modules/boundary/README.md | Documents module usage and examples. |
| registry/coder/modules/boundary/boundary.tftest.hcl | Adds Terraform plan-time assertions for basic module wiring. |
…lation and execution
…missing mock support

Three root causes:

1. boundary_script_destination used 'install.sh' - same filename that coder-utils writes to. This caused the running script to overwrite itself, corrupting bash's incremental read and producing empty install.log / no wrapper. Fix: rename to 'boundary-install.sh'.
2. coder-mock.sh didn't handle 'coder exp sync' commands used by coder-utils for script ordering. With set -o errexit, scripts failed immediately. Fix: add exp sync as no-op (exit 0).
3. Test setup used setupUtil which only extracts ONE coder_script, but coder-utils creates multiple (pre_install, install, post_install). Fix: extract all coder_scripts from terraform state and run them sequentially in lifecycle order.
4. wrapper-script-execution test called 'wrapper.sh --help' which the mock couldn't handle after the '--' separator (tried to exec '--help'). Fix: test with 'echo boundary-test' instead.
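Root cause 1 in the commit above is a general hazard for installer scripts: bash reads a script incrementally, so a script that writes to the very file it is executing from corrupts itself. The following is an added example, not code from the PR or from the module's install.sh; it shows two defenses with hypothetical helpers (`safe_destination`, `write_atomic`, `install_script`) on a constructed temp directory: refuse a destination that resolves to the running script, and replace files by atomic rename so an executing reader keeps the old inode even when a name does collide.

```shell
#!/bin/sh
# Added example; not code from the PR. Bash reads scripts incrementally, so an
# installer that writes its own path while running corrupts itself. Shown here:
# (1) refuse a destination that is the running script, (2) replace files by
# atomic rename so a shell still executing the old file keeps the old inode.
set -eu

# Canonicalise a path: resolve "..", "." and directory symlinks so that
# "dir/sub/../install.sh" and "dir/install.sh" compare equal.
canon() {
  c_dir="$(cd "$(dirname "$1")" 2>/dev/null && pwd -P)" || return 1
  printf '%s/%s\n' "$c_dir" "$(basename "$1")"
}

# Succeeds (exit 0) only when writing $2 cannot clobber the script at $1.
# The -ef test additionally catches hard links and file-level symlinks.
safe_destination() {  # $1 = running script path, $2 = intended destination
  sd_self="$(canon "$1")" || return 1
  sd_dest="$(canon "$2")" || return 1
  [ "$sd_self" != "$sd_dest" ] || return 1
  if [ -e "$sd_dest" ] && [ "$sd_self" -ef "$sd_dest" ]; then
    return 1
  fi
  return 0
}

# Write stdin to a temp file beside the destination, then rename it into
# place. rename(2) swaps the directory entry atomically; a shell that is still
# reading the old file keeps its descriptor to the old inode, so no partial
# content is ever observed through the destination name.
write_atomic() {  # $1 = destination path, content on stdin
  wa_tmp="$(mktemp "$(dirname "$1")/.tmp.XXXXXX")"
  cat > "$wa_tmp"
  chmod 0755 "$wa_tmp"
  mv -f "$wa_tmp" "$1"
}

# Install a script only if the destination is safe; returns 1 otherwise.
install_script() {  # $1 = running script, $2 = destination, content on stdin
  if ! safe_destination "$1" "$2"; then
    echo "refusing to overwrite running script: $2" >&2
    return 1
  fi
  write_atomic "$2"
}

# Demo on a constructed temp directory (not the module's real paths).
demo() {
  d="$(mktemp -d)"
  printf '#!/bin/sh\necho old\n' > "$d/install.sh"
  if safe_destination "$d/install.sh" "$d/install.sh"; then echo "BUG: same file accepted"; fi
  printf '#!/bin/sh\necho new\n' | install_script "$d/install.sh" "$d/boundary-install.sh"
  sh "$d/boundary-install.sh"
  rm -rf "$d"
}
demo
```

`safe_destination` compares canonical paths first and then uses `-ef` (same device and inode) so that a hard link or symlink to the running script is refused as well; `write_atomic` is what makes the write safe even for a reader that already has the old file open.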
The boundary command (both 'coder boundary' and standalone 'boundary') expects a '--' separator before the command to execute. The wrapper scripts were passing arguments directly without this separator, causing the wrapper-script-execution test to fail. 🤖 Generated by Coder Agents
This reverts commit 81df58f.
The boundary wrapper scripts pass arguments directly without a '--' separator. Updated the coder mock to match this behavior and adjusted the test comment accordingly. 🤖 Generated by Coder Agents
/coder-agents-review
…configuration variables
base64 decode outputs the literal string '$HOME/...' — command substitution does not expand variables in its output. Add an explicit bash parameter substitution step for all path variables.
Plain strings and paths are injected directly with single/double quotes. Only the config content needs base64 since it is arbitrary multi-line YAML from user input.
…nt printf

- Revert log_dir back to /tmp/boundary_logs (static default)
- Remove BOUNDARY_LOG_DIR template variable
- Remove jail_type: landjail (debug leftover)
- Remove printf for BOUNDARY_CONFIG_CONTENT (too verbose)
Reviewing and testing this morning.
||
| - Installs boundary (via coder subcommand, direct installation, or compilation from source) | ||
| - Creates a wrapper script at `$HOME/.coder-modules/coder/boundary/scripts/boundary-wrapper.sh` | ||
| - Writes a default boundary config to `$HOME/.coder-modules/coder/boundary/config/config.yaml` (customizable) |
| - Writes a default boundary config to `$HOME/.coder-modules/coder/boundary/config/config.yaml` (customizable) | |
| - Writes a [default boundary config](./config.yaml.tftpl) to `$HOME/.coder-modules/coder/boundary/config/config.yaml` (customizable) |
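Review bot: the relative link `./config.yaml.tftpl` in the suggested line only resolves where the README is rendered next to the template file; when the registry renders the README on its own page, the link may be dead, which is exactly the question raised in the thread below. Prefer the full repository URL to the template, or name the file in backticks without a link.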
@matifali
> Writes a default boundary config

Will this render as a valid URL in the registry?
That's a good question. @DevelopmentCats do you know?
…n config at runtime

- Rename all public input variables: boundary_* -> agent_firewall_*
- Rename outputs: boundary_wrapper_path -> agent_firewall_wrapper_path, boundary_config_path -> agent_firewall_config_path
- Set log_dir to $HOME/.coder-modules/coder/boundary/logs/boundary_logs in default config template
- Expand $HOME in config content via sed at runtime before writing to disk, so the config contains absolute paths
- Internals (locals, template vars, script logic) unchanged
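The two commits above ("base64 decode outputs the literal string '$HOME/...'" and "Expand $HOME in config content via sed at runtime") describe the same pitfall: `base64 -d` returns bytes as they are, and command substitution never expands variables found inside its output, so a config template that contains `$HOME` reaches the disk with the literal token unless it is expanded on purpose. The following is an added example, not code from the PR or from the module's install.sh; it uses a constructed YAML sample and hypothetical helpers (`expand_home`, `write_config`) to show the literal token surviving decode, a plain-text sed substitution that expands only `$HOME` (so user-supplied YAML is never evaluated by the shell), the escaping a sed replacement needs, and a check that no token survived.

```shell
#!/bin/sh
# Added example; not the module's install.sh. base64 -d yields the literal
# text "$HOME/...": command substitution never expands variables inside its
# output. The fix below expands only the $HOME token with a plain sed
# substitution, so arbitrary user YAML is never passed through eval.
set -eu

# Constructed sample config, as a template would emit it before encoding.
# It carries a literal "$HOME" and a shell-looking string that must stay inert.
SAMPLE_YAML='log_dir: $HOME/.coder-modules/coder/boundary/logs
note: "$(echo injected) must stay literal"'

encode_config() { printf '%s' "$1" | base64; }

# Decoding returns the bytes unchanged: "$HOME" is still the 5-character token.
decode_config() { printf '%s' "$1" | base64 -d; }

# Escape characters that are special in a sed replacement: \ & and the
# delimiter |. Without this a home directory containing "&" would be
# replaced by the matched text instead of the directory.
sed_escape_repl() { printf '%s' "$1" | sed 's/[\\&|]/\\&/g'; }

# Replace the literal token $HOME with the given directory (default: $HOME).
# \$ in the BRE is a literal dollar; nothing else in the content is evaluated.
expand_home() {  # $1 = config text, $2 = home directory (optional)
  eh_home="${2:-$HOME}"
  printf '%s' "$1" | sed 's|\$HOME|'"$(sed_escape_repl "$eh_home")"'|g'
}

# Fail if any $HOME token survived, so only absolute paths reach the disk.
assert_no_home_token() {
  if printf '%s' "$1" | grep -qF '$HOME'; then
    echo "config still contains unexpanded \$HOME" >&2
    return 1
  fi
}

# Decode -> expand -> check -> write with owner-only permissions.
write_config() {  # $1 = base64 config, $2 = destination file, $3 = home dir
  wc_decoded="$(decode_config "$1")"
  wc_expanded="$(expand_home "$wc_decoded" "$3")"
  assert_no_home_token "$wc_expanded"
  ( umask 077 && printf '%s\n' "$wc_expanded" > "$2" )
}

# Demo with a constructed home directory: prints the expanded config.
expand_home "$(decode_config "$(encode_config "$SAMPLE_YAML")")" /home/alice
echo
```

The sed route mirrors the commit; a bash-only alternative is `${content//\$HOME/$home}`, which needs no escaping but ties the script to bash. Either way the point is the same: substitute one known token as text, and never `eval` or `envsubst` the whole document, since the config is arbitrary user input.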
Let's rename the module path to

Let's move this all to registry/coder/modules/agent-firewall
| display_name: Boundary | ||
| description: Configures boundary for network isolation in Coder workspaces | ||
| icon: ../../../../.icons/coder.svg | ||
| verified: true | ||
| tags: [boundary, ai, agents, firewall] |
| display_name: Boundary | |
| description: Configures boundary for network isolation in Coder workspaces | |
| icon: ../../../../.icons/coder.svg | |
| verified: true | |
| tags: [boundary, ai, agents, firewall] | |
| display_name: Agent Firewall | |
| description: Configures agent firewall for network isolation in Coder workspaces | |
| icon: ../../../../.icons/coder.svg | |
| verified: true | |
| tags: [boundary, ai, agents, firewall] |
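Review bot: the suggested description drops the word "boundary" entirely while the tags line still leads with it and the docs link and wrapper paths elsewhere in the README still say boundary; consider keeping the tool name in the description (for example "Configures the agent firewall (boundary) for network isolation in Coder workspaces") so users searching under either name find the module.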
While we are at it, let's rename the front-facing content.
| # Boundary | ||
|
|
||
| Installs [boundary](https://coder.com/docs/ai-coder/agent-firewall) for network isolation in Coder workspaces. | ||
|
|
||
| This module: | ||
|
|
||
| - Installs boundary (via coder subcommand, direct installation, or compilation from source) | ||
| - Creates a wrapper script at `$HOME/.coder-modules/coder/boundary/scripts/boundary-wrapper.sh` | ||
| - Writes a default boundary config to `$HOME/.coder-modules/coder/boundary/config/config.yaml` (customizable) | ||
| - Provides the wrapper path, config path, and script names via outputs | ||
| - Uses coder-utils and output `scripts` for synchronization. https://registry.coder.com/modules/coder/coder-utils?tab=outputs | ||
|
|
||
| ```tf | ||
| module "boundary" { | ||
| source = "registry.coder.com/coder/boundary/coder" | ||
| version = "0.0.1" | ||
| agent_id = coder_agent.main.id | ||
| } | ||
| ``` |
| # Boundary | |
| Installs [boundary](https://coder.com/docs/ai-coder/agent-firewall) for network isolation in Coder workspaces. | |
| This module: | |
| - Installs boundary (via coder subcommand, direct installation, or compilation from source) | |
| - Creates a wrapper script at `$HOME/.coder-modules/coder/boundary/scripts/boundary-wrapper.sh` | |
| - Writes a default boundary config to `$HOME/.coder-modules/coder/boundary/config/config.yaml` (customizable) | |
| - Provides the wrapper path, config path, and script names via outputs | |
| - Uses coder-utils and output `scripts` for synchronization. https://registry.coder.com/modules/coder/coder-utils?tab=outputs | |
| ```tf | |
| module "boundary" { | |
| source = "registry.coder.com/coder/boundary/coder" | |
| version = "0.0.1" | |
| agent_id = coder_agent.main.id | |
| } | |
| ``` | |
| # Agent Firewall | |
| Installs [Agent Firewall](https://coder.com/docs/ai-coder/agent-firewall) for network isolation in Coder workspaces. | |
| ```tf | |
| module "agent-firewall" { | |
| source = "registry.coder.com/coder/agent-firewall/coder" | |
| version = "0.0.1" | |
| agent_id = coder_agent.main.id | |
| } |
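Review bot: the suggested README block removes the "This module:" feature list (installation modes, wrapper path, config path, outputs, and the coder-utils synchronization link) without replacing it, and the suggestion ends at `}` without the closing ``` fence; restore the list with the agent-firewall names and paths and close the code fence.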
And similarly at other places.
f58688c to f255d6c
Description

Extracts boundary installation and wrapper logic into a standalone `coder/agent-firewall` module, decoupling it from `agentapi`.

Why

Boundary is currently embedded inside `agentapi` (`scripts/boundary.sh`) and duplicated in `claude-code`. This couples network isolation to the AI/Tasks stack, but boundary is a general-purpose primitive — users running a plain agent with no agentapi or tasks should be able to use it too.

What this adds

`registry/coder/modules/agent-firewall/` — a new first-class module that:
- `coder boundary` subcommand (default, zero-install)
- (`use_agent_firewall_directly = true`)
- (`compile_agent_firewall_from_source = true`)
- `data.coder_workspace.me.access_url`
- (`agent_firewall_config`) or external file (`agent_firewall_config_path`), mutually exclusive with cross-variable validation
- `$HOME/.coder-modules/coder/agent-firewall/scripts/agent-firewall-wrapper.sh`
- `CAP_NET_ADMIN` from the coder binary (copies to `coder-no-caps`) to allow execution inside network namespaces without `sys_admin`
- `pre_install_script`/`post_install_script` hooks
- `agent_firewall_wrapper_path`, `agent_firewall_config_path`, and `scripts` outputs for script coordination

Usage

Works standalone with any agent — no agentapi dependency required.

Testing

- `agent-firewall.tftest.hcl`: default outputs, compile from source, use directly, custom hooks, custom module directory, inline config, external config path, mutual exclusion validation
- `main.test.ts`: state verification, coder subcommand happy path, inline config, config path skip, custom hooks, env var absence, wrapper execution, idempotent installation

Type of Change

Module Information

Path: `registry/coder/modules/agent-firewall`
New version: `v0.0.1`
Breaking change: No

Related Issues

Closes #844

🤖 Generated by Coder Agents