hashicorp · RubenSandwich · Sep 25, 2025 · Sep 26, 2025 · Sep 30, 2025 · Sep 30, 2025
@@ -405,7 +405,6 @@ jobs:
       artifact-name: "boundary_${{ needs.set-product-version.outputs.product-version }}_linux_amd64.zip"
       go-version: ${{ needs.product-metadata.outputs.go-version }}
       edition: ${{ needs.product-metadata.outputs.product-edition }}
-      docker-image-name: ${{ needs.build-docker.outputs.name }}
       docker-image-file: "boundary_default_linux_amd64_${{ needs.set-product-version.outputs.product-version }}_${{ github.sha }}.docker.dev.tar"
     secrets: inherit
   bats:

@@ -15,9 +15,6 @@ on:
       go-version:
         required: true
         type: string
-      docker-image-name:
-        required: false
-        type: string
       docker-image-file:
         required: false
         type: string
@@ -96,7 +93,6 @@ jobs:
       ENOS_VAR_crt_bundle_path: ./support/boundary.zip
       ENOS_VAR_test_email: ${{ secrets.SERVICE_USER_EMAIL }}
       ENOS_VAR_boundary_edition: ${{ inputs.edition }}
-      ENOS_VAR_boundary_docker_image_name: ${{ inputs.docker-image-name }}
       ENOS_VAR_boundary_docker_image_file: ./support/boundary_docker_image.tar
       ENOS_VAR_go_version: ${{ inputs.go-version }}
       ENOS_VAR_gcp_project_id: ${{ secrets.GCP_PROJECT_ID_CI }}

@@ -66,6 +66,8 @@ following lines
 127.0.0.1       localhost       worker
 127.0.0.1       localhost       vault
 ```
+### AWS Credentials
+Copy the AWS Account credentials from doormat and set it in the terminal, where the enos commands are run.
 
 ## Executing Scenarios
 From the `enos` directory:

@@ -81,7 +81,7 @@ scenario "e2e_docker_base_plus" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster]
       database_network = local.network_cluster
       postgres_address = step.create_boundary_database.address

@@ -82,7 +82,7 @@ scenario "e2e_docker_base_with_gcp" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster]
       database_network = local.network_cluster
       postgres_address = step.create_boundary_database.address

@@ -83,7 +83,7 @@ scenario "e2e_docker_base_with_vault" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster]
       database_network = local.network_cluster
       postgres_address = step.create_boundary_database.address

@@ -99,7 +99,7 @@ scenario "e2e_docker_base_with_worker" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster, local.network_database]
       database_network = local.network_database
       postgres_address = step.create_boundary_database.address
@@ -143,7 +143,7 @@ scenario "e2e_docker_base_with_worker" {
       step.create_boundary
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       boundary_license = var.boundary_edition != "oss" ? step.read_license.license : ""
       config_file      = "worker-config.hcl"
       container_name   = "worker"

@@ -81,7 +81,7 @@ scenario "e2e_docker_base" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster]
       database_network = local.network_cluster
       postgres_address = step.create_boundary_database.address

@@ -99,7 +99,7 @@ scenario "e2e_docker_worker_registration_controller_led" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster, local.network_database]
       database_network = local.network_database
       postgres_address = step.create_boundary_database.address
@@ -113,7 +113,7 @@ scenario "e2e_docker_worker_registration_controller_led" {
     depends_on = [step.create_boundary]
     variables {
       address      = step.create_boundary.address
-      image_name   = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name   = step.build_boundary_docker_image.image_name
       network_name = local.network_cluster
       login_name   = step.create_boundary.login_name
       password     = step.create_boundary.password
@@ -157,7 +157,7 @@ scenario "e2e_docker_worker_registration_controller_led" {
       step.create_boundary
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       boundary_license = var.boundary_edition != "oss" ? step.read_license.license : ""
       config_file      = "worker-config-controller-led.hcl"
       container_name   = "worker"

@@ -99,7 +99,7 @@ scenario "e2e_docker_worker_registration_worker_led" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster, local.network_database]
       database_network = local.network_database
       postgres_address = step.create_boundary_database.address
@@ -144,7 +144,7 @@ scenario "e2e_docker_worker_registration_worker_led" {
       step.create_boundary
     ]
     variables {
-      image_name              = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name              = step.build_boundary_docker_image.image_name
       boundary_license        = var.boundary_edition != "oss" ? step.read_license.license : ""
       config_file             = "worker-config-worker-led.hcl"
       container_name          = "worker"
@@ -165,7 +165,7 @@ scenario "e2e_docker_worker_registration_worker_led" {
     ]
     variables {
       address      = step.create_boundary.address
-      image_name   = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name   = step.build_boundary_docker_image.image_name
       network_name = local.network_cluster
       login_name   = step.create_boundary.login_name
       password     = step.create_boundary.password

@@ -81,7 +81,7 @@ scenario "e2e_ui_docker" {
       step.build_boundary_docker_image
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       network_name     = [local.network_cluster]
       database_network = local.network_cluster
       postgres_address = step.create_boundary_database.address
@@ -124,7 +124,7 @@ scenario "e2e_ui_docker" {
       step.create_boundary
     ]
     variables {
-      image_name       = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+      image_name       = step.build_boundary_docker_image.image_name
       boundary_license = var.boundary_edition != "oss" ? step.read_license.license : ""
       config_file      = "worker-config.hcl"
       container_name   = "worker"

@@ -25,12 +25,6 @@ variable "enos_user" {
 }
 
 # Test configs
-variable "boundary_docker_image_name" {
-  description = "Name:Tag of Docker image to use"
-  type        = string
-  default     = "docker.io/hashicorp/boundary:latest"
-}
-
 variable "boundary_docker_image_file" {
   description = "Path to Boundary Docker image"
   type        = string

@@ -26,6 +26,11 @@ resource "aws_instance" "controller" {
     encrypted   = true
   }
 
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
   tags = merge(local.common_tags,
     {
       Name = "${local.name_prefix}-boundary-controller-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}"
@@ -54,6 +59,11 @@ resource "aws_instance" "worker" {
     encrypted   = true
   }
 
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
   tags = merge(local.common_tags,
     {
       Name = "${local.name_prefix}-boundary-worker-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}",

@@ -6,14 +6,18 @@ resource "aws_db_subnet_group" "boundary" {
   subnet_ids = data.aws_subnets.infra.ids
 }
 
+data "aws_rds_engine_version" "default" {
+  engine = var.db_engine
+}
+
 resource "aws_db_instance" "boundary" {
   count               = var.db_create == true ? 1 : 0
   identifier          = "boundary-db-${random_string.cluster_id.result}"
   allocated_storage   = var.db_storage
   storage_type        = var.db_storage_type
   iops                = var.db_storage_iops
-  engine              = var.db_engine
-  engine_version      = var.db_engine == "aurora-postgres" ? null : var.db_version
+  engine              = data.aws_rds_engine_version.default.engine
+  engine_version      = data.aws_rds_engine_version.default.version
   instance_class      = var.db_class
   monitoring_interval = var.db_monitoring_interval
   monitoring_role_arn = var.db_monitoring_role_arn

@@ -136,12 +136,6 @@ variable "db_class" {
   default     = "db.t4g.small"
 }
 
-variable "db_version" {
-  description = "AWS RDS DBS engine version (for postgres/mysql)"
-  type        = string
-  default     = "15.7"
-}
-
 variable "db_engine" {
   description = "AWS RDS DB engine type"
   type        = string
@@ -406,4 +400,4 @@ variable "vault_transit_token" {
   description = "vault token used for kms transit in the boundary config"
   type        = string
   default     = ""
-}
+}
@@ -302,6 +302,7 @@ resource "aws_instance" "domain_controller" {
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true

@@ -234,6 +234,7 @@ ${var.domain_admin_password}
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true

@@ -251,6 +251,7 @@ ${var.domain_admin_password}
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true

@@ -126,13 +126,18 @@ resource "aws_instance" "target" {
     "Type" : "target",
     "Project" : "Enos",
     "Project Name" : "qti-enos-boundary",
-    "Environment" : var.environment
+    "Environment" : var.environment,
     "Enos User" : var.enos_user,
   })
 
   root_block_device {
     encrypted = true
   }
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }
 
 resource "enos_remote_exec" "wait" {

@@ -17,6 +17,11 @@ resource "aws_instance" "vault_instance" {
       Type = local.vault_cluster_tag
     },
   )
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }
 
 resource "enos_remote_exec" "install_dependencies" {

@@ -253,6 +253,7 @@ resource "aws_instance" "client" {
 
   metadata_options {
     http_endpoint          = "enabled"
+    http_tokens            = "required"
     instance_metadata_tags = "enabled"
   }
   get_password_data = true

@@ -161,6 +161,11 @@ resource "aws_instance" "worker" {
       Name = "${var.name_prefix}-boundary-worker-${split(":", data.aws_caller_identity.current.user_id)[1]}",
     },
   )
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }
 
 resource "enos_bundle_install" "worker" {

@@ -27,6 +27,21 @@ resource "enos_local_exec" "load_docker_image" {
   inline = ["docker load -i ${var.path}"]
 }
 
+locals {
+  boundary_docker_image_name = replace(
+    element(
+      split("\n", trimspace(enos_local_exec.load_docker_image.stdout)),
+      -1
+    ),
+    "Loaded image: ",
+    ""
+  )
+}
+
 output "cli_zip_path" {
   value = var.cli_build_path
 }
+
+output "image_name" {
+  value = local.boundary_docker_image_name
+}
@@ -283,7 +283,15 @@ func (w *Worker) handleProxy(listenerCfg *listenerutil.ListenerConfig, sessionMa
 		runProxy, err := handleProxyFn(ctx, ctx, decryptFn, cc, pDialer, acResp.GetConnectionId(), protocolCtx, w.recorderManager, proxyHandlers.WithLogger(w.logger))
 		if err != nil {
 			conn.Close(proxyHandlers.WebsocketStatusProtocolSetupError, "unable to setup proxying")
-			event.WriteError(ctx, op, err)
+
+			switch {
+			case errors.Match(errors.T(errors.WindowsRDPClientEarlyDisconnection), err):
+				// This is known behavior with Windows Remote Desktop clients and does not
+				// indicate a problem with the worker or the proxy.
+				// There is no need to log an error event here.
+			default:
+				event.WriteError(ctx, op, err)
+			}
 			return
 		}
 

@@ -69,6 +69,9 @@ const (
 	InvalidListToken         Code = 136 // InvalidListToken represents an error where the provided list token is invalid
 	Paused                   Code = 137 // Paused represents an error when an operation cannot be completed because the thing being operated on is paused
 
+	// Note: Currently unused in OSS
+	WindowsRDPClientEarlyDisconnection Code = 138 // WindowsRDPClientEarlyDisconnection represents an error when a Windows RDP client disconnects early, a known behavior with Windows Remote Desktop clients
+
 	AuthAttemptExpired Code = 198 // AuthAttemptExpired represents an expired authentication attempt
 	AuthMethodInactive Code = 199 // AuthMethodInactive represents an error that means the auth method is not active.
 

@@ -455,6 +455,11 @@ func TestCode_Both_String_Info(t *testing.T) {
 			c:    Paused,
 			want: Paused,
 		},
+		{
+			name: "WindowsRDPClientEarlyDisconnection",
+			c:    WindowsRDPClientEarlyDisconnection,
+			want: WindowsRDPClientEarlyDisconnection,
+		},
 		{
 			name: "ImmutableColumn",
 			c:    ImmutableColumn,

@@ -347,6 +347,10 @@ var errorCodeInfo = map[Code]Info{
 		Message: "paused",
 		Kind:    State,
 	},
+	WindowsRDPClientEarlyDisconnection: {
+		Message: "rdp client disconnected early",
+		Kind:    State,
+	},
 	ExternalPlugin: {
 		Message: "plugin error",
 		Kind:    External,

@@ -3,7 +3,7 @@
   "info": {
     "title": "Boundary controller HTTP API",
     "description": "Welcome to the Boundary controller HTTP API documentation. This page provides a reference guide for using the Boundary controller API, a JSON-based HTTP API. The API implements commonly seen HTTP API patterns for status codes, paths, and errors. See the [API overview](https://developer.hashicorp.com/boundary/docs/api-clients/api) for more information.\n\nBefore you read this page, it is useful to understand Boundary's [domain model](https://developer.hashicorp.com/boundary/docs/concepts/domain-model) and to be aware of the terminology used here. To get started, search for the service you want to interact with in the sidebar to the left. Each resource in Boundary, such as accounts and credential stores, has its own service. Each service contains all the API endpoints for the resource.\n## Status codes\n- `2XX`: Boundary returns a code between `200` and `299` on success. Generally this is `200`, but implementations should be prepared to accept any `2XX` status code as indicating success. If a call returns a `2XX` code that is not `200`, it follows well-understood semantics for those status codes.\n- `400`: Boundary returns `400` when a command cannot be completed due to invalid user input, except for a properly-formatted identifier that does not map to an existing resource, which returns a `404` as discussed below.\n- `401`: Boundary returns `401` if no authentication token is provided or if the provided token is invalid. A valid token that simply does not have permission for a resource returns a `403` instead. A token that is invalid or missing, but where the anonymous user (`u_anon`) is able to successfully perform the action, will not return a `401` but instead will return the result of the action.\n- `403`: Boundary returns `403` if a provided token was valid but does not have the grants required to perform the requested action.\n- `404`: Boundary returns `404` if a resource cannot be found. Note that this happens _prior_ to authentication/authorization checking in nearly all cases as the resource information (such as its scope, available actions, etc.) is a required part of that check. As a result, an action against a resource that does not exist returns a `404` instead of a `401` or `403`. While this could be considered an information leak, since IDs are randomly generated and this only discloses whether an ID is valid, it's tolerable as it allows for far simpler and more robust client implementation.\n- `405`: Boundary returns a `405` to indicate that the method (HTTP verb or custom action) is not implemented for the given resource.\n- `429`: Boundary returns a `429` if any of the API rate limit quotas have been exhausted for the resource and action. It includes the `Retry-After` header so that the client knows how long to wait before making a new request.\n- `500`: Boundary returns `500` if an error occurred that is not (directly) tied to invalid user input. If a `500` is generated, information about the error is logged to Boundary's server log but is not generally provided to the client.\n- `503`: Boundary returns a `503` if it is unable to store a quota due to the API rate limit being exceeded. It includes the `Retry-After` header so that the client knows how long to wait before making a new request.\n## List pagination\nBoundary uses [API pagination](https://developer.hashicorp.com/boundary/docs/api-clients/api/pagination) to support searching and filtering large lists of results efficiently.",
-    "version": "0.20.0",
+    "version": "0.20.1",
     "contact": {
       "name": "HashiCorp Boundary",
       "url": "https://www.boundaryproject.io/"