Add trusted_domains variable to code-server module for link protection #1

Copilot · 2025-09-27T12:20:45Z

This PR adds support for configuring trusted domains in the code-server module through a new trusted_domains variable. This allows users to specify domains that should be trusted for link protection using code-server's --link-protection-trusted-domains option.

Changes

Added trusted_domains variable to main.tf as a list(string) with an empty default for backwards compatibility
Updated the templatefile call to pass the trusted domains as a comma-separated string to the run script
Modified run.sh to set TRUSTED_DOMAINS_ARG globally at the top (matching the EXTENSION_ARG pattern)
Fixed the script to split comma-separated domains in Bash and create multiple --link-protection-trusted-domains flag instances as required by code-server
Simplified the run_code_server() function to use a consistent command pattern without conditional logic

Usage

Users can now specify trusted domains when using the code-server module:

module "code-server" {
  source = "registry.coder.com/coder/code-server/coder"
  
  agent_id        = coder_agent.example.id
  trusted_domains = ["coder.com", "github.com", "example.org"]
}

When trusted_domains is provided, code-server will be launched with:

code-server --link-protection-trusted-domains=coder.com --link-protection-trusted-domains=github.com --link-protection-trusted-domains=example.org --auth none --port 13337 --app-name code-server

When trusted_domains is empty (default), no trusted domain arguments are added, maintaining existing behavior.

Testing

All existing tests continue to pass (4/4)
Verified proper formatting with bun run fmt:ci
Manual testing confirms correct multiple flag generation for various domain configurations

This change is fully backwards compatible and follows existing module patterns, specifically matching the EXTENSION_ARG implementation style while correctly implementing the code-server flag requirements.

Warning

checkpoint-api.hashicorp.com

Triggering command: terraform --version (dns block)
Triggering command: terraform init -upgrade (dns block)
Triggering command: terraform test -verbose (dns block)
esm.ubuntu.com
- Triggering command: /usr/lib/apt/methods/https (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Modify registry/coder/modules/code-server/run.sh and registry/coder/modules/code-server/main.tf to add a TF variable which allows defining a string[] array of domains which will be fed to --link-protection-trusted-domains on launch. Make sure formatteing and everything is OK. Do minimal changes. Be professional and optimal. This will be upstreamed to the official Coder registry in a PR.

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

Foorack · 2025-09-27T13:24:29Z

@copilot Do TRUSTED_DOMAINS_ARG similar to EXTENSION_ARG, try keep it as similar as possible please.

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

Copilot · 2025-09-27T13:28:38Z

@copilot Do TRUSTED_DOMAINS_ARG similar to EXTENSION_ARG, try keep it as similar as possible please.

Done! I've refactored TRUSTED_DOMAINS_ARG to match the EXTENSION_ARG pattern exactly:

Moved TRUSTED_DOMAINS_ARG setup to the top of the script (like EXTENSION_ARG)
Simplified run_code_server() function to use consistent command pattern
Removed conditional logic in command execution
Both arguments are now included consistently in all $CODE_SERVER calls

All tests still pass and the implementation is much cleaner. Changes in commit e438265.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

checkpoint-api.hashicorp.com
- Triggering command: terraform init -upgrade (dns block)
- Triggering command: terraform test -verbose (dns block)
- Triggering command: terraform fmt - (dns block)
esm.ubuntu.com
- Triggering command: /usr/lib/apt/methods/https (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

registry/coder/modules/code-server/code-server.tftest.hcl

Foorack · 2025-09-27T15:39:21Z

@copilot Remove the trusted domain tests, as we don't do anything similar for extensions, and Copilot can't test them due to firewall.

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

Copilot · 2025-09-27T15:42:43Z

@copilot Remove the trusted domain tests, as we don't do anything similar for extensions, and Copilot can't test them due to firewall.

Done! Removed both trusted_domains_empty and trusted_domains_with_values test blocks from the tftest.hcl file. The module now follows the same testing pattern as extensions - the functionality works but isn't explicitly tested due to firewall restrictions. All remaining tests pass. Changes in commit 829a692.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

checkpoint-api.hashicorp.com
- Triggering command: terraform init -upgrade (dns block)
- Triggering command: terraform test -verbose (dns block)
- Triggering command: terraform fmt - (dns block)
esm.ubuntu.com
- Triggering command: /usr/lib/apt/methods/https (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Foorack · 2025-09-27T16:39:39Z

@copilot We can't just comma-merge the list, we have to in Bash split by comma and add the argument each time.

Copilot said: Based on my analysis of the code-server
Based on my analysis of the code-server repository, for the --link-protection-trusted-domains flag, you should use the argument multiple times rather than providing a comma-separated list.

Here's what I found in the code:

Type Definition: The flag is defined as type: "string[]" in the options configuration
Parsing Logic: When parsing string[] type arguments, the code specifically handles multiple instances of the same flag by pushing each value into an array
Test Evidence: The test cases show this pattern clearly:
TypeScript
const args = parse(["--proxy-domain", "*.coder.com", "--proxy-domain", "coder.com", "--proxy-domain", "coder.org"])
expect(args).toEqual({
  "proxy-domain": ["*.coder.com", "coder.com", "coder.org"],
})
Correct usage:

bash
code-server --link-protection-trusted-domains domain.com --link-protection-trusted-domains domain.net
Not:

bash
code-server --link-protection-trusted-domains domain.com,domain.net
The parsing logic in src/node/cli.ts handles string[] types by creating an array and pushing each occurrence of the flag as a separate value, which is the standard Unix/Linux command-line convention for multi-value arguments.

…eparated values Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

Copilot · 2025-09-27T16:44:32Z

@copilot We can't just comma-merge the list, we have to in Bash split by comma and add the argument each time.

...

Fixed! The script now splits the comma-separated domains in Bash and creates multiple --link-protection-trusted-domains flag instances as required by code-server. Instead of --link-protection-trusted-domains=domain1,domain2,domain3, it now generates --link-protection-trusted-domains=domain1 --link-protection-trusted-domains=domain2 --link-protection-trusted-domains=domain3. All tests pass. Changes in commit 350d595.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

checkpoint-api.hashicorp.com
- Triggering command: terraform init -upgrade (dns block)
- Triggering command: terraform test -verbose (dns block)
- Triggering command: terraform plan -var agent_id=test -var trusted_domains=["coder.com","github.com","example.org"] -out=test_domains.out (dns block)
esm.ubuntu.com
- Triggering command: /usr/lib/apt/methods/https (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Copilot

Pull Request Overview

Adds support for configuring trusted domains in the code-server module through a new trusted_domains variable, allowing users to specify domains for code-server's link protection feature.

Added trusted_domains variable as a list(string) with empty default for backwards compatibility
Updated the run script to process comma-separated domains and generate multiple --link-protection-trusted-domains flags
Modified the command execution to include the trusted domains arguments

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
main.tf	Added `trusted_domains` variable and passed it to the template as a comma-separated string
run.sh	Added logic to parse trusted domains and generate appropriate command-line flags

registry/coder/modules/code-server/run.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

#1) * Initial plan * Add trusted_domains variable to code-server module for link protection Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com> * Remove temporary plan files from commit Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com> * Refactor TRUSTED_DOMAINS_ARG to match EXTENSION_ARG pattern Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com> * Remove trusted domains tests as requested Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com> * Fix trusted domains to use multiple flag instances instead of comma-separated values Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com> * Update registry/coder/modules/code-server/run.sh Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update registry/coder/modules/code-server/run.sh Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com> Co-authored-by: Foorack / Max Faxälv <max@foorack.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Initial plan

e7bfd4c

Copilot AI assigned Copilot and Foorack Sep 27, 2025

Copilot started work on behalf of Foorack September 27, 2025 12:20 View session

Copilot AI and others added 2 commits September 27, 2025 12:33

Add trusted_domains variable to code-server module for link protection

1c9287b

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

Remove temporary plan files from commit

0a27351

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

Copilot AI requested a review from Foorack September 27, 2025 12:34

Copilot finished work on behalf of Foorack September 27, 2025 12:34

Copilot started work on behalf of Foorack September 27, 2025 13:24 View session

Refactor TRUSTED_DOMAINS_ARG to match EXTENSION_ARG pattern

e438265

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

Copilot finished work on behalf of Foorack September 27, 2025 13:29

Foorack requested changes Sep 27, 2025

View reviewed changes

registry/coder/modules/code-server/code-server.tftest.hcl Outdated Show resolved Hide resolved

Copilot started work on behalf of Foorack September 27, 2025 15:39 View session

Remove trusted domains tests as requested

829a692

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

Copilot AI requested a review from Foorack September 27, 2025 15:43

Copilot finished work on behalf of Foorack September 27, 2025 15:43

Copilot started work on behalf of Foorack September 27, 2025 16:39 View session

Fix trusted domains to use multiple flag instances instead of comma-s…

350d595

…eparated values Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

Copilot finished work on behalf of Foorack September 27, 2025 16:45

Foorack requested a review from Copilot September 27, 2025 16:46

Copilot AI reviewed Sep 27, 2025

View reviewed changes

registry/coder/modules/code-server/run.sh Outdated Show resolved Hide resolved

registry/coder/modules/code-server/run.sh Outdated Show resolved Hide resolved

Foorack and others added 2 commits September 27, 2025 18:47

Update registry/coder/modules/code-server/run.sh

286b5ed

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Update registry/coder/modules/code-server/run.sh

a8ec110

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Foorack approved these changes Sep 27, 2025

View reviewed changes

Foorack marked this pull request as ready for review September 27, 2025 16:49

Foorack merged commit ccf5b22 into link-protection-trusted-domains Sep 27, 2025

Foorack deleted the copilot/fix-c3139bb0-3d9a-4cee-a6e9-b4d925a702a8 branch September 27, 2025 16:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add trusted_domains variable to code-server module for link protection #1

Add trusted_domains variable to code-server module for link protection #1

Uh oh!

Copilot AI commented Sep 27, 2025 •

edited

Loading

Uh oh!

Foorack commented Sep 27, 2025

Uh oh!

Copilot AI commented Sep 27, 2025 •

edited

Loading

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Uh oh!

Foorack commented Sep 27, 2025

Uh oh!

Copilot AI commented Sep 27, 2025 •

edited

Loading

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Foorack commented Sep 27, 2025

Uh oh!

Copilot AI commented Sep 27, 2025 •

edited

Loading

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Add trusted_domains variable to code-server module for link protection #1

Add trusted_domains variable to code-server module for link protection #1

Uh oh!

Conversation

Copilot AI commented Sep 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Usage

Testing

Uh oh!

Foorack commented Sep 27, 2025

Uh oh!

Copilot AI commented Sep 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Uh oh!

Foorack commented Sep 27, 2025

Uh oh!

Copilot AI commented Sep 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Foorack commented Sep 27, 2025

Uh oh!

Copilot AI commented Sep 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI commented Sep 27, 2025 •

edited

Loading

Copilot AI commented Sep 27, 2025 •

edited

Loading

Copilot AI commented Sep 27, 2025 •

edited

Loading

Copilot AI commented Sep 27, 2025 •

edited

Loading