feat(coder/modules/boundary): add boundary module

[35C4n0r]

Description

• add boundary module with installation and configuration scripts

Type of Change

• New module
• New template
• Bug fix
• Feature/enhancement
• Documentation
• Other

Module Information

Path: registry/coder/modules/boundary
New version: v1.0.0
Breaking change: [ ] Yes [x] No

Testing & Validation

• Tests pass (bun test)
• Code formatted (bun fmt)
• Changes tested locally

Related Issues

[Copilot]

Pull request overview

Adds a new coder/boundary registry module intended to set up Boundary-related tooling for Coder workspaces.

Changes:

• Introduces a Boundary install/setup shell script that can compile from source, install from release, or rely on coder boundary.
• Adds a Terraform module (main.tf) that deploys and runs the install script on an agent.
• Adds module README and Terraform native tests (.tftest.hcl).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

File	Description
registry/coder/modules/boundary/scripts/install.sh	Installs Boundary (or validates coder boundary) and generates a wrapper script.
registry/coder/modules/boundary/main.tf	Defines module variables and a coder_script to deliver/execute install.sh.
registry/coder/modules/boundary/README.md	Documents module usage and examples.
registry/coder/modules/boundary/boundary.tftest.hcl	Adds Terraform plan-time assertions for basic module wiring.

[Copilot]

The source-compile path deletes and clones a boundary/ directory relative to the current working directory (rm -rf boundary, git clone ..., cd boundary). If this script is invoked from an unexpected directory, it can delete the wrong folder and/or pollute the workspace. Prefer cloning/building under ${MODULE_DIR} (or a mktemp -d under it) and using an absolute path for cleanup.

Suggested change

	echo "Compiling boundary from source (version: ${BOUNDARY_VERSION})"
	# Remove existing boundary directory to allow re-running safely
	if [[ -d boundary ]]; then
	rm -rf boundary
	fi
	echo "Cloning boundary repository"
	git clone https://github.com/coder/boundary.git
	cd boundary || exit 1
	git checkout "${BOUNDARY_VERSION}"
	make build
	sudo cp boundary /usr/local/bin/
	sudo chmod +x /usr/local/bin/boundary
	cd - || exit 1
	local build_dir="${MODULE_DIR}/boundary-src"
	local original_dir
	echo "Compiling boundary from source (version: ${BOUNDARY_VERSION})"
	original_dir="$(pwd)"
	# Remove existing build directory to allow re-running safely
	if [[ -d "${build_dir}" ]]; then
	rm -rf "${build_dir}"
	fi
	echo "Cloning boundary repository"
	git clone https://github.com/coder/boundary.git "${build_dir}"
	cd "${build_dir}" || exit 1
	git checkout "${BOUNDARY_VERSION}"
	make build
	sudo cp "${build_dir}/boundary" /usr/local/bin/
	sudo chmod +x /usr/local/bin/boundary
	cd "${original_dir}" || exit 1

[Copilot]

curl ... | bash executes a remote script from the main branch. Even with --version, this is supply-chain risky and not reproducible. Prefer downloading a version-pinned artifact (or install script from a tag/commit), verifying a checksum/signature, and then executing it.

Suggested change

	curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash -s -- --version "${BOUNDARY_VERSION}"
	if [[ "${BOUNDARY_VERSION}" = "latest" ]]; then
	echo "Error: use_boundary_directly requires a version-pinned ARG_BOUNDARY_VERSION, not 'latest'." >&2
	exit 1
	fi
	local install_script
	install_script="$(mktemp)"
	curl -fsSL "https://raw.githubusercontent.com/coder/boundary/${BOUNDARY_VERSION}/install.sh" -o "${install_script}"
	bash "${install_script}" --version "${BOUNDARY_VERSION}"
	rm -f "${install_script}"

[Copilot]

setup_boundary relies on MODULE_DIR being set; if it’s empty, paths like ${module_path}/boundary-wrapper.sh become /boundary-wrapper.sh and the script may write into the filesystem root. Add a guard that MODULE_DIR is non-empty (and ideally exists / is writable) before creating wrapper scripts.