From fe3cf30ac2c224b9c3d8642fad51552dbdeb2080 Mon Sep 17 00:00:00 2001
From: DevelopmentCats <christofer@coder.com>
Date: Thu, 12 Mar 2026 08:29:18 -0500
Subject: [PATCH] refactor: button up boundary related testing

---
 registry/coder/modules/claude-code/main.tf    | 12 +++----
 .../coder/modules/claude-code/main.tftest.hcl | 32 +++++++++++++++----
 2 files changed, 29 insertions(+), 15 deletions(-)

diff --git a/registry/coder/modules/claude-code/main.tf b/registry/coder/modules/claude-code/main.tf
index c35fd05d..099d0492 100644
--- a/registry/coder/modules/claude-code/main.tf
+++ b/registry/coder/modules/claude-code/main.tf
@@ -232,11 +232,6 @@ variable "enable_boundary" {
   description = "Whether to enable coder boundary for network filtering"
   default     = false
 
-  validation {
-    condition     = !var.enable_boundary || var.boundary_config != null || var.boundary_config_path != null
-    error_message = "When enable_boundary is true, at least one of boundary_config or boundary_config_path must be provided."
-  }
-
   validation {
     condition     = !var.enable_boundary || var.boundary_config == null || var.boundary_config_path == null
     error_message = "Only one of boundary_config or boundary_config_path can be provided, not both."
@@ -358,8 +353,9 @@ locals {
   start_script    = file("${path.module}/scripts/start.sh")
   module_dir_name = ".claude-module"
   # Extract hostname from access_url for boundary --allow flag
-  coder_host     = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "")
-  claude_api_key = var.enable_aibridge ? data.coder_workspace_owner.me.session_token : var.claude_api_key
+  coder_host          = replace(replace(data.coder_workspace.me.access_url, "https://", ""), "http://", "")
+  boundary_config_b64 = var.boundary_config != null ? base64encode(var.boundary_config) : ""
+  claude_api_key      = var.enable_aibridge ? data.coder_workspace_owner.me.session_token : var.claude_api_key
 
   # Required prompts for the module to properly report task status to Coder
   report_tasks_system_prompt = <<-EOT
@@ -434,7 +430,7 @@ module "agentapi" {
     ARG_COMPILE_FROM_SOURCE='${var.compile_boundary_from_source}' \
     ARG_USE_BOUNDARY_DIRECTLY='${var.use_boundary_directly}' \
     ARG_CODER_HOST='${local.coder_host}' \
-    ARG_BOUNDARY_CONFIG='${var.boundary_config != null ? base64encode(var.boundary_config) : ""}' \
+    ARG_BOUNDARY_CONFIG='${local.boundary_config_b64}' \
     ARG_BOUNDARY_CONFIG_PATH='${var.boundary_config_path != null ? var.boundary_config_path : ""}' \
     ARG_CLAUDE_BINARY_PATH='${var.claude_binary_path}' \
     /tmp/start.sh
diff --git a/registry/coder/modules/claude-code/main.tftest.hcl b/registry/coder/modules/claude-code/main.tftest.hcl
index 9646c5da..97d0c905 100644
--- a/registry/coder/modules/claude-code/main.tftest.hcl
+++ b/registry/coder/modules/claude-code/main.tftest.hcl
@@ -202,6 +202,13 @@ run "test_claude_code_with_boundary_inline_config" {
     EOT
   }
 
+  override_data {
+    target = data.coder_workspace.me
+    values = {
+      access_url = "https://coder.example.com"
+    }
+  }
+
   assert {
     condition     = var.enable_boundary == true
     error_message = "Boundary should be enabled"
@@ -213,8 +220,18 @@ run "test_claude_code_with_boundary_inline_config" {
   }
 
   assert {
-    condition     = local.coder_host != ""
-    error_message = "Coder host should be extracted from access URL"
+    condition     = local.coder_host == "coder.example.com"
+    error_message = "Coder host should be 'coder.example.com' after stripping https:// from access URL"
+  }
+
+  assert {
+    condition     = local.boundary_config_b64 != ""
+    error_message = "Boundary config should be base64-encoded for the start script"
+  }
+
+  assert {
+    condition     = base64decode(local.boundary_config_b64) == var.boundary_config
+    error_message = "Base64-encoded boundary config should decode back to the original config"
   }
 }
 
@@ -239,18 +256,19 @@ run "test_claude_code_with_boundary_config_path" {
   }
 }
 
-run "test_boundary_without_config_fails" {
+run "test_claude_code_with_boundary_no_config" {
   command = plan
 
   variables {
-    agent_id        = "test-agent-boundary-fail"
+    agent_id        = "test-agent-boundary"
     workdir         = "/home/coder/boundary-test"
     enable_boundary = true
   }
 
-  expect_failures = [
-    var.enable_boundary,
-  ]
+  assert {
+    condition     = var.enable_boundary == true
+    error_message = "Boundary should be enabled"
+  }
 }
 
 run "test_boundary_both_configs_fails" {