feat(coder/modules/boundary): add boundary module

registry/coder/modules/boundary/README.md

@@ -0,0 +1,98 @@
+---
+display_name: Boundary
+description: Configures boundary for network isolation in Coder workspaces
+icon: ../../../../.icons/coder.svg
+verified: true
+tags: [boundary, ai, agents, firewall]
+---
+
+# Boundary
+
+Installs [boundary](https://coder.com/docs/ai-coder/agent-firewall) for network isolation in Coder workspaces.
+
+This module:
+
+- Installs boundary (via coder subcommand, direct installation, or compilation from source)
+- Creates a wrapper script at `$HOME/.coder-modules/coder/boundary/scripts/boundary-wrapper.sh`
+- Exports `BOUNDARY_WRAPPER_PATH` as a workspace environment variable
+- Provides the wrapper path via the `boundary_wrapper_path` output
+
+```tf
+module "boundary" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder/boundary/coder"
+  version  = "0.0.1"
+  agent_id = coder_agent.main.id
+}
+```
+
+## Usage
+
+The `BOUNDARY_WRAPPER_PATH` environment variable is automatically available to all
+workspace processes. Start scripts should check for this variable and use it to prefix
+commands that should run in network isolation:
+
+```bash
+if [ -n "${BOUNDARY_WRAPPER_PATH:-}" ]; then
+  # Run command with boundary wrapper
+  "${BOUNDARY_WRAPPER_PATH}" --config=~/.coder-modules/coder/boundary/config.yaml --log-level=info -- my-command --args
+fi
+```
+
+Alternatively, you can use the module output to access the wrapper path in Terraform:
+
+```tf
+module "boundary" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder/boundary/coder"
+  version  = "0.0.1"
+  agent_id = coder_agent.main.id
+}
+
+resource "coder_script" "my_app" {
+  agent_id = coder_agent.main.id
+  script   = <<-EOT
+    # Access the boundary wrapper path
+    WRAPPER="${module.boundary[0].boundary_wrapper_path}"
+    "$WRAPPER" --config=~/.coder-modules/coder/boundary/config.yaml -- my-command --args
+  EOT
+}
+```
+
+### Script Synchronization
+
+The `scripts` output provides a list of script names that can be used with `coder exp sync` to coordinate script execution. This is useful when your scripts need to wait for boundary installation to complete before running.
+
+The list may contain the following script names:
+
+- `coder-boundary-pre_install_script` - Pre-installation script (if configured)
+- `coder-boundary-install_script` - Main boundary installation script
+- `coder-boundary-post_install_script` - Post-installation script (if configured)
+
+## Examples
+
+### Compile from source
+
+```tf
+module "boundary" {
+  count                        = data.coder_workspace.me.start_count
+  source                       = "registry.coder.com/coder/boundary/coder"
+  version                      = "0.0.1"
+  agent_id                     = coder_agent.main.id
+  compile_boundary_from_source = true
+  boundary_version             = "main"
+}
+```
+
+### Use release binary
+
+```tf
+module "boundary" {
+  count                 = data.coder_workspace.me.start_count
+  source                = "registry.coder.com/coder/boundary/coder"
+  version               = "0.0.1"
+  agent_id              = coder_agent.main.id
+  use_boundary_directly = true
+  boundary_version      = "latest"
+}
+```

registry/coder/modules/boundary/boundary.tftest.hcl

@@ -0,0 +1,137 @@
+# Test for boundary module
+
+run "plan_with_required_vars" {
+  command = plan
+
+  variables {
+    agent_id = "test-agent-id"
+  }
+
+  # Verify the coder_env resource is created with correct agent_id
+  assert {
+    condition     = coder_env.boundary_wrapper_path.agent_id == "test-agent-id"
+    error_message = "boundary_wrapper_path agent_id should match the input variable"
+  }
+
+  assert {
+    condition     = coder_env.boundary_wrapper_path.name == "BOUNDARY_WRAPPER_PATH"
+    error_message = "Environment variable name should be 'BOUNDARY_WRAPPER_PATH'"
+  }
+
+  assert {
+    condition     = coder_env.boundary_wrapper_path.value == "$HOME/.coder-modules/coder/boundary/scripts/boundary-wrapper.sh"
+    error_message = "Environment variable value should be the boundary wrapper path"
+  }
+
+  # Verify the boundary_wrapper_path output
+  assert {
+    condition     = output.boundary_wrapper_path == "$HOME/.coder-modules/coder/boundary/scripts/boundary-wrapper.sh"
+    error_message = "boundary_wrapper_path output should be correct"
+  }
+
+  # Verify the scripts output contains the install script name
+  assert {
+    condition     = contains(output.scripts, "coder-boundary-install_script")
+    error_message = "scripts should contain the install script name"
+  }
+}
+
+run "plan_with_compile_from_source" {
+  command = plan
+
+  variables {
+    agent_id                     = "test-agent-id"
+    compile_boundary_from_source = true
+    boundary_version             = "main"
+  }
+
+  assert {
+    condition     = coder_env.boundary_wrapper_path.agent_id == "test-agent-id"
+    error_message = "boundary_wrapper_path agent_id should match the input variable"
+  }
+
+  assert {
+    condition     = output.boundary_wrapper_path == "$HOME/.coder-modules/coder/boundary/scripts/boundary-wrapper.sh"
+    error_message = "boundary_wrapper_path output should be correct"
+  }
+
+  assert {
+    condition     = contains(output.scripts, "coder-boundary-install_script")
+    error_message = "scripts should contain the install script name"
+  }
+}
+
+run "plan_with_use_directly" {
+  command = plan
+
+  variables {
+    agent_id              = "test-agent-id"
+    use_boundary_directly = true
+    boundary_version      = "latest"
+  }
+
+  assert {
+    condition     = coder_env.boundary_wrapper_path.agent_id == "test-agent-id"
+    error_message = "boundary_wrapper_path agent_id should match the input variable"
+  }
+
+  assert {
+    condition     = output.boundary_wrapper_path == "$HOME/.coder-modules/coder/boundary/scripts/boundary-wrapper.sh"
+    error_message = "boundary_wrapper_path output should be correct"
+  }
+
+  assert {
+    condition     = contains(output.scripts, "coder-boundary-install_script")
+    error_message = "scripts should contain the install script name"
+  }
+}
+
+run "plan_with_custom_hooks" {
+  command = plan
+
+  variables {
+    agent_id            = "test-agent-id"
+    pre_install_script  = "echo 'Before install'"
+    post_install_script = "echo 'After install'"
+  }
+
+  assert {
+    condition     = coder_env.boundary_wrapper_path.agent_id == "test-agent-id"
+    error_message = "boundary_wrapper_path agent_id should match the input variable"
+  }
+
+  assert {
+    condition     = contains(output.scripts, "coder-boundary-install_script")
+    error_message = "scripts should contain the install script name"
+  }
+
+  # Verify pre and post install script names are set
+  assert {
+    condition     = contains(output.scripts, "coder-boundary-pre_install_script")
+    error_message = "scripts should contain the pre_install script name"
+  }
+
+  assert {
+    condition     = contains(output.scripts, "coder-boundary-post_install_script")
+    error_message = "scripts should contain the post_install script name"
+  }
+}
+
+run "plan_with_custom_module_directory" {
+  command = plan
+
+  variables {
+    agent_id         = "test-agent-id"
+    module_directory = "$HOME/.coder-modules/custom/boundary"
+  }
+
+  assert {
+    condition     = coder_env.boundary_wrapper_path.value == "$HOME/.coder-modules/custom/boundary/scripts/boundary-wrapper.sh"
+    error_message = "Environment variable should use custom module directory"
+  }
+
+  assert {
+    condition     = output.boundary_wrapper_path == "$HOME/.coder-modules/custom/boundary/scripts/boundary-wrapper.sh"
+    error_message = "boundary_wrapper_path output should use custom module directory"
+  }
+}