feat(coder/modules/boundary): add boundary module #840
Open
Pull request overview
Adds a new coder/boundary registry module intended to set up Boundary-related tooling for Coder workspaces.
Changes:
- Introduces a Boundary install/setup shell script that can compile from source, install from release, or rely on coder boundary.
- Adds a Terraform module (main.tf) that deploys and runs the install script on an agent.
- Adds module README and Terraform native tests (.tftest.hcl).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| registry/coder/modules/boundary/scripts/install.sh | Installs Boundary (or validates coder boundary) and generates a wrapper script. |
| registry/coder/modules/boundary/main.tf | Defines module variables and a coder_script to deliver/execute install.sh. |
| registry/coder/modules/boundary/README.md | Documents module usage and examples. |
| registry/coder/modules/boundary/boundary.tftest.hcl | Adds Terraform plan-time assertions for basic module wiring. |
…lation and execution
…missing mock support
Three root causes:
1. boundary_script_destination used 'install.sh' - same filename that coder-utils writes to. This caused the running script to overwrite itself, corrupting bash's incremental read and producing empty install.log / no wrapper. Fix: rename to 'boundary-install.sh'.
2. coder-mock.sh didn't handle 'coder exp sync' commands used by coder-utils for script ordering. With set -o errexit, scripts failed immediately. Fix: add exp sync as no-op (exit 0).
3. Test setup used setupUtil which only extracts ONE coder_script, but coder-utils creates multiple (pre_install, install, post_install). Fix: extract all coder_scripts from terraform state and run them sequentially in lifecycle order.
4. wrapper-script-execution test called 'wrapper.sh --help' which the mock couldn't handle after the '--' separator (tried to exec '--help'). Fix: test with 'echo boundary-test' instead.
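The self-overwrite failure in root cause 1 above, as an added example that is not part of this pull request or its code. The commit fixed the problem by renaming the destination file; this constructed script shows the complementary write-to-temp-then-rename pattern, under which a shell that is still running the script keeps reading the old inode. The demo path and echo messages are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example (constructed): a script that replaces its own file while it runs.
# A shell reads a script from an open file as it executes it, so truncating and
# rewriting that same file changes what the shell reads next. Writing the new
# content to a temp file and renaming it over the path leaves the running shell
# attached to the old inode, so the old script finishes unchanged.

DEMO_DIR=$(mktemp -d) || exit 1
DEMO_SCRIPT="$DEMO_DIR/install.sh"   # hypothetical path standing in for the module's script

# write_demo_script: create the constructed self-replacing installer.
write_demo_script() {
  cat > "$DEMO_SCRIPT" <<'EOF'
#!/bin/sh
echo "old: step 1"
# Safe replacement: new file in the same directory, then atomic rename.
tmp=$(mktemp "$0.XXXXXX") || exit 1
printf '#!/bin/sh\necho "new: replaced"\n' > "$tmp"
chmod 0755 "$tmp"
mv -f "$tmp" "$0"
echo "old: step 2"
EOF
  chmod 0755 "$DEMO_SCRIPT"
}

# run_demo: run the installer once and print its output. Both "old" steps run
# even though the file at the same path now holds the new content.
run_demo() {
  write_demo_script && sh "$DEMO_SCRIPT"
}
```

The temp file is created next to the destination so the rename stays on one filesystem and is atomic.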
The boundary command (both 'coder boundary' and standalone 'boundary') expects a '--' separator before the command to execute. The wrapper scripts were passing arguments directly without this separator, causing the wrapper-script-execution test to fail. 🤖 Generated by Coder Agents
This reverts commit 81df58f.
The boundary wrapper scripts pass arguments directly without a '--' separator. Updated the coder mock to match this behavior and adjusted the test comment accordingly. 🤖 Generated by Coder Agents
Update README and tests to match the env var and resource rename from the latest code changes. 🤖 Generated by Coder Agents
…_WRAPPER_PATH Update install.sh comments/echo, and boundary.tftest.hcl resource references to match the env var rename. 🤖 Generated by Coder Agents
…d log level options
matifali reviewed Apr 23, 2026
added 2 commits April 23, 2026 05:53
The sync_script_names output changed from an object with .script_names.install to a flat list of script name strings. Updated boundary.tftest.hcl to use contains() and README to document the actual script name values. 🤖 Generated by Coder Agents
matifali reviewed Apr 23, 2026
…utput to scripts
- Wrapper path: boundary-wrapper.sh → scripts/boundary-wrapper.sh
- Log paths: *.log → logs/*.log
- Output renamed: sync_script_names → scripts
- Updated boundary.tftest.hcl, main.test.ts, and README.md
🤖 Generated by Coder Agents
The wrapper path moved to scripts/boundary-wrapper.sh but install.sh never created the scripts/ subdirectory, causing a 'No such file or directory' error at runtime. 🤖 Generated by Coder Agents
The wrapper script moved to scripts/ but coder-no-caps remains in the
module root. Updated the wrapper to use ${SCRIPT_DIR}/../coder-no-caps
so it correctly resolves the binary path.
🤖 Generated by Coder Agents
- boundary-install.sh → scripts/boundary-install.sh
- coder-no-caps → scripts/coder-no-caps
- Wrapper script now references coder-no-caps in the same directory
- Updated test path for coder-no-caps
🤖 Generated by Coder Agents

- Destination script renamed to scripts/install.sh for consistency
- Fixed coder-utils module source (stale branch ref → main)
🤖 Generated by Coder Agents
eed787d to 4dd0176
- Renamed scripts/install.sh → scripts/install.sh.tftpl
- Use templatefile() to inject variables at plan time instead of base64-encoding the script and passing env vars at runtime
- Removed boundary_script/boundary_script_destination locals
- Fixed /home/coder expansion in MODULE_DIR and BOUNDARY_WRAPPER_PATH (double quotes for shell expansion)
- Updated custom module_directory test paths to match coder-utils validation pattern ($HOME/.coder-modules/<ns>/<name>)
- Updated script name references (coder_boundary → coder-boundary)
- Fixed coder-utils source to use branch ref
🤖 Generated by Coder Agents
Description
Extracts boundary installation and wrapper logic into a standalone coder/boundary module, decoupling it from agentapi.

Why
Boundary is currently embedded inside agentapi (scripts/boundary.sh) and duplicated in claude-code. This couples network isolation to the AI/Tasks stack, but boundary is a general-purpose primitive — users running a plain agent with no agentapi or tasks should be able to use it too.

What this adds
registry/coder/modules/boundary/ — a new first-class module that:
- coder boundary subcommand (default, zero-install)
- use_boundary_directly = true)
- compile_boundary_from_source = true)
- $HOME/.coder-modules/coder/boundary/boundary-wrapper.sh
- BOUNDARY_WRAPPER_PATH as a coder_env so any workspace process can use it
- CAP_NET_ADMIN from the coder binary (copies to coder-no-caps) to allow execution inside network namespaces without sys_admin
- pre_install_script / post_install_script hooks
- boundary_wrapper_path output and sync_script_names for script coordination

Usage
Works standalone with any agent — no agentapi dependency required.
Testing
- boundary.tftest.hcl)
- main.test.ts): state verification, coder subcommand happy path, custom hooks, env var correctness, wrapper execution, idempotent installation

Type of Change

Module Information
Path: registry/coder/modules/boundary
New version: v0.0.1
Breaking change: No
Related Issues
Closes #844
🤖 Generated by Coder Agents