Description
Problem
The enable_boundary = true option is documented but there's no way to pass a boundary config to the module directly. Users who need custom allow/deny rules must:
- Write a separate coder_script resource that manually writes the config to ~/.config/coder_boundary/config.yaml
- Know the exact path boundary expects (undocumented in the module README)
- Ensure ordering so the file exists before boundary starts
The README implies enable_boundary = true "just works", but custom network rules require undocumented, non-obvious workarounds. The dogfood template in coder/coder handles this via a base64-encode-decode trick in a startup script — not beginner-friendly.
Proposed Solution
Add two optional inputs, where at least one must be provided when enable_boundary = true:
- boundary_config — inline YAML string
- boundary_config_path — path to a config file already on disk
```hcl
module "claude-code" {
  source          = "registry.coder.com/coder/claude-code/coder"
  version         = "4.8.0"
  agent_id        = coder_agent.main.id
  enable_boundary = true

  # Option A: inline config
  boundary_config = <<-EOT
    allow:
      - "*.anthropic.com"
      - "*.github.com"
  EOT

  # Option B: path to file on disk
  # boundary_config_path = "/home/coder/.config/coder_boundary/config.yaml"
}
```

The module should validate that when enable_boundary = true, at least one of boundary_config or boundary_config_path is set (using a Terraform precondition or validation block), and write the inline config to the expected path internally if boundary_config is provided.
Why Both?
- boundary_config is best for self-contained templates (config lives in the template repo)
- boundary_config_path is best for cases where the file is provisioned separately or managed outside the template
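
One way the validation and write step requested above could look inside a module, as an added sketch that is not the claude-code module's code. The variable names and config path come from the issue; the resource names, the `terraform_data` guard and the script body are assumptions, and ordering relative to the module's own boundary start-up is not shown.

```hcl
# Added sketch: resource names and script body are assumptions, not module code.
terraform {
  required_version = ">= 1.4" # needed for terraform_data
  required_providers {
    coder = { source = "coder/coder" }
  }
}
variable "agent_id" { type = string }
variable "enable_boundary" {
  type    = bool
  default = false
}
variable "boundary_config_path" {
  type    = string
  default = null
}
variable "boundary_config" {
  type    = string
  default = null
  validation { # reject malformed YAML at plan time, not at boundary start-up
    condition     = var.boundary_config == null || can(yamldecode(var.boundary_config))
    error_message = "boundary_config must be valid YAML."
  }
}
locals {
  has_inline = var.boundary_config != null
}
# Always present, so the cross-variable check runs on every plan.
resource "terraform_data" "boundary_inputs" {
  lifecycle {
    precondition {
      condition     = !var.enable_boundary || local.has_inline || var.boundary_config_path != null
      error_message = "enable_boundary = true requires boundary_config or boundary_config_path."
    }
  }
}
# Writes inline YAML to the path from the issue; base64 keeps quotes and wildcards out of shell parsing.
resource "coder_script" "boundary_config" {
  count        = var.enable_boundary && local.has_inline ? 1 : 0
  agent_id     = var.agent_id
  display_name = "Write boundary config"
  run_on_start = true
  script       = <<-EOT
    #!/bin/sh
    set -eu
    umask 077
    mkdir -p "$HOME/.config/coder_boundary"
    printf '%s' '${base64encode(local.has_inline ? var.boundary_config : "")}' | base64 -d > "$HOME/.config/coder_boundary/config.yaml"
  EOT
}
```

With this guard, a template that sets enable_boundary = true and neither config input fails at plan time rather than producing a workspace whose boundary starts without the intended allow rules.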