Skip to content

feat(coder/modules/boundary): add boundary module #840

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
35C4n0r wants to merge 2 commits into
base: main
Choose a base branch
from
+259 −0
Draft

feat(coder/modules/boundary): add boundary module #840

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2b459f7
feat(boundary): add boundary module with installation and configurati…
35C4n0r Apr 13, 2026
e4e059b
chore: bun fmt
35C4n0r Apr 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 48 additions & 0 deletions registry/coder/modules/boundary/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
---
display_name: Boundary
description: Configures boundary for network isolation in Coder workspaces
icon: ../../../../.icons/coder.svg
verified: true
tags: [boundary, coder, AI, agents]
---

# Boundary

Configures boundary to enable network isolation for workspace processes in Coder.

```tf
module "boundary" {
count = data.coder_workspace.me.start_count
source = "registry.coder.com/coder/boundary/coder"
version = "1.0.0"
agent_id = coder_agent.main.id
}
```

## Examples

### Compile from source

```tf
module "boundary" {
count = data.coder_workspace.me.start_count
source = "registry.coder.com/coder/boundary/coder"
version = "1.0.0"
agent_id = coder_agent.main.id
compile_boundary_from_source = true
boundary_version = "main"
}
```

### Use release binary

```tf
module "boundary" {
count = data.coder_workspace.me.start_count
source = "registry.coder.com/coder/boundary/coder"
version = "1.0.0"
agent_id = coder_agent.main.id
use_boundary_directly = true
boundary_version = "latest"
}
```
50 changes: 50 additions & 0 deletions registry/coder/modules/boundary/boundary.tftest.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# Test for boundary module

run "plan_with_required_vars" {
command = plan

variables {
agent_id = "test-agent-id"
}

# Verify the coder_script resource is created with correct agent_id
assert {
condition = coder_script.boundary_script.agent_id == "test-agent-id"
error_message = "boundary_script agent_id should match the input variable"
}

assert {
condition = coder_script.boundary_script.display_name == "Boundary Installation Script"
error_message = "display_name should be 'Boundary Installation Script'"
}
}

run "plan_with_compile_from_source" {
command = plan

variables {
agent_id = "test-agent-id"
compile_boundary_from_source = true
boundary_version = "main"
}

assert {
condition = coder_script.boundary_script.agent_id == "test-agent-id"
error_message = "boundary_script agent_id should match the input variable"
}
}

run "plan_with_use_directly" {
command = plan

variables {
agent_id = "test-agent-id"
use_boundary_directly = true
boundary_version = "latest"
}

assert {
condition = coder_script.boundary_script.agent_id == "test-agent-id"
error_message = "boundary_script agent_id should match the input variable"
}
}
59 changes: 59 additions & 0 deletions registry/coder/modules/boundary/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
terraform {
required_version = ">= 1.0"

required_providers {
coder = {
source = "coder/coder"
version = ">= 2.5"
}
}
}

# Add required variables for your modules and remove any unneeded variables
variable "agent_id" {
type = string
description = "The ID of a Coder agent."
}

variable "boundary_version" {
type = string
description = "Boundary version. When use_boundary_directly is true, a release version should be provided or 'latest' for the latest release. When compile_boundary_from_source is true, a valid git reference should be provided (tag, commit, branch)."
default = "latest"
}

variable "compile_boundary_from_source" {
type = bool
description = "Whether to compile boundary from source instead of using the official install script."
default = false
}

variable "use_boundary_directly" {
type = bool
description = "Whether to use boundary binary directly instead of `coder boundary` subcommand. When false (default), uses `coder boundary` subcommand. When true, installs and uses boundary binary from release."
default = false
}

locals {
boundary_script = file("${path.module}/scripts/install.sh")
module_directory = "$HOME/.coder-modules/coder/boundary"
boundary_script_destination = "${local.module_directory}/install.sh"
}

resource "coder_script" "boundary_script" {
agent_id = var.agent_id
display_name = "Boundary Installation Script"
script = <<-EOT
#!/bin/bash
set -o errexit
set -o pipefail
mkdir -p "$(dirname "${local.boundary_script_destination}")"
echo -n '${base64encode(local.boundary_script)}' | base64 -d > "${local.boundary_script_destination}"
chmod +x "${local.boundary_script_destination}"

ARG_BOUNDARY_VERSION="${var.boundary_version}" \
ARG_COMPILE_BOUNDARY_FROM_SOURCE="${var.compile_boundary_from_source}" \
ARG_USE_BOUNDARY_DIRECTLY="${var.use_boundary_directly}" \
ARG_MODULE_DIR="${local.module_directory}" \
"${local.boundary_script_destination}"
EOT
}
102 changes: 102 additions & 0 deletions registry/coder/modules/boundary/scripts/install.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
#!/bin/bash
# Exports AGENTAPI_BOUNDARY_PREFIX for use by module start scripts.

set -o nounset
BOUNDARY_VERSION="${ARG_BOUNDARY_VERSION:-latest}"
COMPILE_BOUNDARY_FROM_SOURCE="${ARG_COMPILE_BOUNDARY_FROM_SOURCE:-false}"
USE_BOUNDARY_DIRECTLY="${ARG_USE_BOUNDARY_DIRECTLY:-false}"
MODULE_DIR="${ARG_MODULE_DIR:-}"
set +o nounset

validate_boundary_subcommand() {
if hash coder; then
if coder boundary --help > /dev/null 2>&1; then
return 0
else
echo "Error: 'coder' command found but does not support 'boundary' subcommand. Please enable install_boundary."
exit 1
fi
else
echo "Error: 'coder' command not found. boundary cannot be enabled." >&2
exit 1
fi
}

# Install boundary binary if needed.
# Uses one of three strategies:
# 1. Compile from source (compile_boundary_from_source=true)
# 2. Install from release (use_boundary_directly=true)
# 3. Use coder boundary subcommand (default, no installation needed)
install_boundary() {
if [[ "${COMPILE_BOUNDARY_FROM_SOURCE}" = "true" ]]; then
echo "Compiling boundary from source (version: ${BOUNDARY_VERSION})"

# Remove existing boundary directory to allow re-running safely
if [[ -d boundary ]]; then
rm -rf boundary
fi

echo "Cloning boundary repository"
git clone https://github.com/coder/boundary.git
cd boundary || exit 1
git checkout "${BOUNDARY_VERSION}"

make build

sudo cp boundary /usr/local/bin/
sudo chmod +x /usr/local/bin/boundary
cd - || exit 1
Comment on lines +32 to +48
Copy link

Copilot AI Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The source-compile path deletes and clones a boundary/ directory relative to the current working directory (rm -rf boundary, git clone ..., cd boundary). If this script is invoked from an unexpected directory, it can delete the wrong folder and/or pollute the workspace. Prefer cloning/building under ${MODULE_DIR} (or a mktemp -d under it) and using an absolute path for cleanup.

Suggested change
echo "Compiling boundary from source (version: ${BOUNDARY_VERSION})"
# Remove existing boundary directory to allow re-running safely
if [[ -d boundary ]]; then
rm -rf boundary
fi
echo "Cloning boundary repository"
git clone https://github.com/coder/boundary.git
cd boundary || exit 1
git checkout "${BOUNDARY_VERSION}"
make build
sudo cp boundary /usr/local/bin/
sudo chmod +x /usr/local/bin/boundary
cd - || exit 1
local build_dir="${MODULE_DIR}/boundary-src"
local original_dir
echo "Compiling boundary from source (version: ${BOUNDARY_VERSION})"
original_dir="$(pwd)"
# Remove existing build directory to allow re-running safely
if [[ -d "${build_dir}" ]]; then
rm -rf "${build_dir}"
fi
echo "Cloning boundary repository"
git clone https://github.com/coder/boundary.git "${build_dir}"
cd "${build_dir}" || exit 1
git checkout "${BOUNDARY_VERSION}"
make build
sudo cp "${build_dir}/boundary" /usr/local/bin/
sudo chmod +x /usr/local/bin/boundary
cd "${original_dir}" || exit 1

Copilot uses AI. Check for mistakes.
elif [[ "${USE_BOUNDARY_DIRECTLY}" = "true" ]]; then
echo "Installing boundary using official install script (version: ${BOUNDARY_VERSION})"
curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash -s -- --version "${BOUNDARY_VERSION}"
Copy link

Copilot AI Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

curl ... | bash executes a remote script from the main branch. Even with --version, this is supply-chain risky and not reproducible. Prefer downloading a version-pinned artifact (or install script from a tag/commit), verifying a checksum/signature, and then executing it.

Suggested change
curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash -s -- --version "${BOUNDARY_VERSION}"
if [[ "${BOUNDARY_VERSION}" = "latest" ]]; then
echo "Error: use_boundary_directly requires a version-pinned ARG_BOUNDARY_VERSION, not 'latest'." >&2
exit 1
fi
local install_script
install_script="$(mktemp)"
curl -fsSL "https://raw.githubusercontent.com/coder/boundary/${BOUNDARY_VERSION}/install.sh" -o "${install_script}"
bash "${install_script}" --version "${BOUNDARY_VERSION}"
rm -f "${install_script}"

Copilot uses AI. Check for mistakes.
else
validate_boundary_subcommand
echo "Using coder boundary subcommand (provided by Coder)"
fi
}

# Set up boundary: install, write config, create wrapper script.
# Exports AGENTAPI_BOUNDARY_PREFIX pointing to the wrapper script.
setup_boundary() {
local module_path="${MODULE_DIR}"

echo "Setting up coder boundary..."

# Install boundary binary if needed
install_boundary

# Determine which boundary command to use and create wrapper script
BOUNDARY_WRAPPER_SCRIPT="${module_path}/boundary-wrapper.sh"

Comment on lines +60 to +70
Copy link

Copilot AI Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

setup_boundary relies on MODULE_DIR being set; if it’s empty, paths like ${module_path}/boundary-wrapper.sh become /boundary-wrapper.sh and the script may write into the filesystem root. Add a guard that MODULE_DIR is non-empty (and ideally exists / is writable) before creating wrapper scripts.

Copilot uses AI. Check for mistakes.
if [[ "${COMPILE_BOUNDARY_FROM_SOURCE}" = "true" ]] || [[ "${USE_BOUNDARY_DIRECTLY}" = "true" ]]; then
# Use boundary binary directly (from compilation or release installation)
cat > "${BOUNDARY_WRAPPER_SCRIPT}" << 'WRAPPER_EOF'
#!/usr/bin/env bash
set -euo pipefail
exec boundary -- "$@"
WRAPPER_EOF
else
# Use coder boundary subcommand (default)
# Copy coder binary to strip CAP_NET_ADMIN capabilities.
# This is necessary because boundary doesn't work with privileged binaries
# (you can't launch privileged binaries inside network namespaces unless
# you have sys_admin).
CODER_NO_CAPS="${module_path}/coder-no-caps"
if ! cp "$(command -v coder)" "${CODER_NO_CAPS}"; then
echo "Error: Failed to copy coder binary to ${CODER_NO_CAPS}. boundary cannot be enabled." >&2
exit 1
fi
cat > "${BOUNDARY_WRAPPER_SCRIPT}" << 'WRAPPER_EOF'
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
exec "${SCRIPT_DIR}/coder-no-caps" boundary -- "$@"
WRAPPER_EOF
fi

chmod +x "${BOUNDARY_WRAPPER_SCRIPT}"
export AGENTAPI_BOUNDARY_PREFIX="${BOUNDARY_WRAPPER_SCRIPT}"
echo "boundary wrapper configured: ${AGENTAPI_BOUNDARY_PREFIX}"
}

setup_boundary
Loading