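[sandbox]
name = "terraform"
base_image = "debian:bookworm-slim"
# Bootstrap script run once in the fresh base image. It installs a pinned
# Terraform release and a pinned third-party HCP Terraform CLI (hcptf).
#
# Integrity model: each archive is checked against the SHA256SUMS/checksums file
# published *next to it*, so a corrupted or truncated download is rejected, but a
# compromised origin (releases.hashicorp.com, or the hcptf GitHub release/account)
# would pass because both files come from the same place. HashiCorp additionally
# signs its SHA256SUMS file (SHA256SUMS.sig); verify that signature with their
# release key, or pin the expected digests here, if the sandbox must withstand
# a compromised origin. hcptf receives TFE_TOKEN at runtime, so treat upgrades of
# that third-party pin as a code review, not a routine bump.
#
# Written as a multi-line *literal* string so the TOML parser never interprets
# backslashes or quotes inside the shell code.
init_script = '''
set -eu
# Detect architecture
ARCH=$(uname -m)
case "$ARCH" in
x86_64) TF_ARCH="amd64" ;;
aarch64|arm64) TF_ARCH="arm64" ;;
*) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;;
esac
# Install system deps. stderr is left visible so a failed apt run is diagnosable;
# recommends are skipped and the package lists dropped to keep the image small.
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq >/dev/null
apt-get install -y -qq --no-install-recommends ca-certificates curl unzip >/dev/null
rm -rf /var/lib/apt/lists/*
# fetch URL DEST: HTTPS-only download (no downgrade through a redirect), fails on
# any HTTP error instead of writing an error page to DEST.
fetch() {
  curl --proto =https --tlsv1.2 -fsSL "$1" -o "$2"
}
# verify_sha256 SUMS_FILE NAME: check /tmp/NAME against the line of SUMS_FILE that
# ends in " NAME" (the trailing anchor keeps NAME.sig / NAME.sbom lines out).
# The archive MUST be stored in /tmp under the exact name listed in SUMS_FILE:
# `sha256sum -c` opens the path written on the checksum line, not the download
# target, so saving under another name makes the check fail unconditionally.
verify_sha256() {
  if ! grep " $2$" "$1" | (cd /tmp && sha256sum -c --strict -) >/dev/null; then
    echo "checksum verification failed for $2" >&2
    exit 1
  fi
}
# Install Terraform with integrity verification (see caveat in the TOML comment above)
TF_VERSION="1.14.5"
TF_ZIP="terraform_${TF_VERSION}_linux_${TF_ARCH}.zip"
TF_BASE="https://releases.hashicorp.com/terraform/${TF_VERSION}"
fetch "${TF_BASE}/${TF_ZIP}" "/tmp/${TF_ZIP}"
fetch "${TF_BASE}/terraform_${TF_VERSION}_SHA256SUMS" /tmp/tf-shasums
verify_sha256 /tmp/tf-shasums "${TF_ZIP}"
# Extract only the binary; the zip also carries a LICENSE.txt we do not want in bin/.
unzip -qo "/tmp/${TF_ZIP}" terraform -d /usr/local/bin
rm -f "/tmp/${TF_ZIP}" /tmp/tf-shasums
# Install hcptf (third-party HCP Terraform CLI) with integrity verification
HCPTF_VERSION="0.3.1"
HCPTF_TGZ="hcptf-cli_${HCPTF_VERSION}_linux_${TF_ARCH}.tar.gz"
HCPTF_BASE="https://github.com/thrashr888/hcptf-cli/releases/download/v${HCPTF_VERSION}"
fetch "${HCPTF_BASE}/${HCPTF_TGZ}" "/tmp/${HCPTF_TGZ}"
fetch "${HCPTF_BASE}/checksums.txt" /tmp/hcptf-checksums
verify_sha256 /tmp/hcptf-checksums "${HCPTF_TGZ}"
# Extract only the named member, owned by root rather than by whatever uid the tarball records.
tar -xzf "/tmp/${HCPTF_TGZ}" -C /usr/local/bin --no-same-owner hcptf
rm -f "/tmp/${HCPTF_TGZ}" /tmp/hcptf-checksums
'''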
[secrets]
# Each entry names an environment variable the runtime injects into the sandbox
# and the host it is intended for. NOTE(review): whether the host is enforced
# (credential only released for requests to it) or purely documentary is decided
# by the sandbox runtime, not by this file — confirm before relying on it as a
# control. Every value here is reachable by anything that runs in the sandbox,
# including the third-party hcptf binary installed by init_script.
TFE_TOKEN = "app.terraform.io"
HCP_CLIENT_ID = "api.hashicorp.cloud"
HCP_CLIENT_SECRET = "api.hashicorp.cloud"
# NOTE(review): the Terraform AWS provider signs requests directly against
# per-service regional endpoints under *.amazonaws.com, not only STS; if the host
# here scopes where the credential may be sent, AWS applies will fail — confirm.
AWS_ACCESS_KEY_ID = "sts.amazonaws.com"
AWS_SECRET_ACCESS_KEY = "sts.amazonaws.com"
AWS_SESSION_TOKEN = "sts.amazonaws.com"
AZURE_CLIENT_ID = "login.microsoftonline.com"
AZURE_CLIENT_SECRET = "login.microsoftonline.com"
AZURE_TENANT_ID = "login.microsoftonline.com"
# NOTE(review): Google SDKs read GOOGLE_APPLICATION_CREDENTIALS as a *path* to a
# key file, not as the key material itself — confirm the runtime materialises
# this secret as a file and sets the variable to that path.
GOOGLE_APPLICATION_CREDENTIALS = "oauth2.googleapis.com"
[resources]
# Compute cap for the sandbox. NOTE(review): provider plugins fetched by
# `terraform init` are loaded into memory during plan/apply; if large provider
# sets are expected, watch for out-of-memory kills at this limit.
vcpus = 2
memory_mb = 2048  # megabytes
[security]
# Runtime isolation profile; its exact meaning is defined by the sandbox runtime.
profile = "moderate"
[security.domains]
# Egress allow list. Terraform providers must reach regional service endpoints,
# which is why the cloud entries are wildcards. The trade-off: depending on how
# the runtime matches `*`, the same wildcards also cover object-storage hosts
# (e.g. S3 buckets under *.amazonaws.com, Cloud Storage under *.googleapis.com)
# and GitHub, so a malicious provider or module could still exfiltrate the
# [secrets] above to attacker-controlled storage or repositories. Narrow these
# to the services/regions a workflow actually uses where that is feasible.
allow = [
"app.terraform.io",
"*.terraform.io",  # NOTE: also covers app.terraform.io and registry.terraform.io above/below
"api.hashicorp.cloud",
"*.hashicorp.cloud",  # NOTE: also covers api.hashicorp.cloud
"registry.terraform.io",
"releases.hashicorp.com",  # Terraform download at init time
"checkpoint-api.hashicorp.com",  # Terraform's version/upgrade check (telemetry); unneeded if CHECKPOINT_DISABLE=1 is set in the environment
"*.amazonaws.com",
"*.aws.amazon.com",
"management.azure.com",
"login.microsoftonline.com",
"*.azure.com",
"*.microsoft.com",  # very broad; NOTE(review): Azure data-plane hosts such as *.core.windows.net (azurerm storage backend) are NOT listed — add them if that backend is used
"*.googleapis.com",  # NOTE: also covers oauth2.googleapis.com
"accounts.google.com",
"oauth2.googleapis.com",
"deb.debian.org",  # apt at init time
"security.debian.org",  # apt at init time
"github.com",  # hcptf download at init time; also allows git-sourced modules and, conversely, pushes to arbitrary repos
"objects.githubusercontent.com",  # GitHub release asset redirect target
]
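[template]
description = "Terraform with HCP Terraform CLI"
category = "Infrastructure"
# Shown to users choosing this template. Keep it in sync with init_script (which
# binaries exist) and [security.domains] (what can actually be reached): on-demand
# installs only succeed when the installer's download hosts are on the allow list.
help_text = """
Terraform sandbox with HCP Terraform CLI.
How to use: Start the sandbox and run your workflow inside /workspace.
Example command: terraform version
Binaries available: terraform, hcptf
Cloud CLIs: aws, az and gcloud are not pre-installed (to keep boot fast). They can be installed on demand via exec, but only if the CLI's download hosts are covered by the sandbox domain allow list; otherwise the download is blocked.
Services and ports: No long-running service is configured by default. Only explicitly mapped ports are exposed.
"""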