coder
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 3 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 3 additions & 0 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 3 additions & 0 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 3 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 3 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/workspacebuilds.go
Lines changed: 2 additions & 1 deletion b/‎coderd/workspacebuilds.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/workspacebuilds_test.go
Lines changed: 90 additions & 12 deletions b/‎coderd/workspacebuilds_test.go
Lines changed: 90 additions & 12 deletions
diff --git a/‎coderd/wsbuilder/wsbuilder.go
Lines changed: 24 additions & 8 deletions b/‎coderd/wsbuilder/wsbuilder.go
Lines changed: 24 additions & 8 deletions
diff --git a/‎codersdk/deployment.go
Lines changed: 13 additions & 2 deletions b/‎codersdk/deployment.go
Lines changed: 13 additions & 2 deletions
diff --git a/‎docs/api/general.md
Lines changed: 1 addition & 0 deletions b/‎docs/api/general.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/api/schemas.md
Lines changed: 3 additions & 0 deletions b/‎docs/api/schemas.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/cli/server.md
Lines changed: 11 additions & 0 deletions b/‎docs/cli/server.md
Lines changed: 11 additions & 0 deletions
diff --git a/‎enterprise/cli/testdata/coder_server_--help.golden
Lines changed: 3 additions & 0 deletions b/‎enterprise/cli/testdata/coder_server_--help.golden
Lines changed: 3 additions & 0 deletions
@@ -74,6 +74,9 @@ Use a YAML configuration file when your server launch become unwieldy.
           Write out the current server config as YAML to stdout.
 
 [1mIntrospection / Logging Options[0m 
+      --enable-terraform-debug-mode bool, $CODER_ENABLE_TERRAFORM_DEBUG_MODE (default: false)
+          Allow administrators to enable Terraform debug output.
+
       --log-human string, $CODER_LOGGING_HUMAN (default: /dev/stderr)
           Output human-readable logs to a given file.
 
 
@@ -201,6 +201,9 @@ introspection:
     # Output Stackdriver compatible logs to a given file.
     # (default: <unset>, type: string)
     stackdriverPath: ""
+    # Allow administrators to enable Terraform debug output.
+    # (default: false, type: bool)
+    enableTerraformDebugMode: false
 oauth2:
   github:
     # Client ID for Login with GitHub.
 
@@ -316,7 +316,8 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 	builder := wsbuilder.New(workspace, database.WorkspaceTransition(createBuild.Transition)).
 		Initiator(apiKey.UserID).
 		RichParameterValues(createBuild.RichParameterValues).
-		LogLevel(string(createBuild.LogLevel))
+		LogLevel(string(createBuild.LogLevel)).
+		DeploymentValues(api.Options.DeploymentValues)
 
 	if createBuild.TemplateVersionID != uuid.Nil {
 		builder = builder.VersionID(createBuild.TemplateVersionID)
 
@@ -640,11 +640,50 @@ func TestWorkspaceBuildStatus(t *testing.T) {
 func TestWorkspaceBuildDebugMode(t *testing.T) {
 	t.Parallel()
 
+	t.Run("DebugModeDisabled", func(t *testing.T) {
+		t.Parallel()
+
+		// Create user
+		deploymentValues := coderdtest.DeploymentValues(t)
+		deploymentValues.EnableTerraformDebugMode = false
+
+		adminClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, DeploymentValues: deploymentValues})
+		owner := coderdtest.CreateFirstUser(t, adminClient)
+
+		// Template author: create a template
+		version := coderdtest.CreateTemplateVersion(t, adminClient, owner.OrganizationID, nil)
+		template := coderdtest.CreateTemplate(t, adminClient, owner.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, adminClient, version.ID)
+
+		// Template author: create a workspace
+		workspace := coderdtest.CreateWorkspace(t, adminClient, owner.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, adminClient, workspace.LatestBuild.ID)
+
+		// Template author: try to start a workspace build in debug mode
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		_, err := adminClient.CreateWorkspaceBuild(ctx, workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+			TemplateVersionID: workspace.LatestBuild.TemplateVersionID,
+			Transition:        codersdk.WorkspaceTransitionStart,
+			LogLevel:          "debug",
+		})
+
+		// Template author: expect an error as the debug mode is disabled
+		require.NotNil(t, err)
+		var sdkError *codersdk.Error
+		isSdkError := xerrors.As(err, &sdkError)
+		require.True(t, isSdkError)
+		require.Contains(t, sdkError.Message, "Terraform debug mode is disabled in the deployment configuration.")
+	})
 	t.Run("AsRegularUser", func(t *testing.T) {
 		t.Parallel()
 
 		// Create users
-		templateAuthorClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		deploymentValues := coderdtest.DeploymentValues(t)
+		deploymentValues.EnableTerraformDebugMode = true
+
+		templateAuthorClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, DeploymentValues: deploymentValues})
 		templateAuthor := coderdtest.CreateFirstUser(t, templateAuthorClient)
 		regularUserClient, _ := coderdtest.CreateAnotherUser(t, templateAuthorClient, templateAuthor.OrganizationID)
 
@@ -672,15 +711,54 @@ func TestWorkspaceBuildDebugMode(t *testing.T) {
 		var sdkError *codersdk.Error
 		isSdkError := xerrors.As(err, &sdkError)
 		require.True(t, isSdkError)
-		require.Contains(t, sdkError.Message, "Workspace builds with a custom log level are restricted to template authors only.")
+		require.Contains(t, sdkError.Message, "Workspace builds with a custom log level are restricted to administrators only.")
 	})
 	t.Run("AsTemplateAuthor", func(t *testing.T) {
 		t.Parallel()
 
 		// Create users
-		adminClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		deploymentValues := coderdtest.DeploymentValues(t)
+		deploymentValues.EnableTerraformDebugMode = true
+
+		adminClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, DeploymentValues: deploymentValues})
+		admin := coderdtest.CreateFirstUser(t, adminClient)
+		templateAuthorClient, _ := coderdtest.CreateAnotherUser(t, adminClient, admin.OrganizationID, rbac.RoleTemplateAdmin())
+
+		// Template author: create a template
+		version := coderdtest.CreateTemplateVersion(t, templateAuthorClient, admin.OrganizationID, nil)
+		template := coderdtest.CreateTemplate(t, templateAuthorClient, admin.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, templateAuthorClient, version.ID)
+
+		// Template author: create a workspace
+		workspace := coderdtest.CreateWorkspace(t, templateAuthorClient, admin.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, templateAuthorClient, workspace.LatestBuild.ID)
+
+		// Template author: try to start a workspace build in debug mode
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		_, err := templateAuthorClient.CreateWorkspaceBuild(ctx, workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+			TemplateVersionID: workspace.LatestBuild.TemplateVersionID,
+			Transition:        codersdk.WorkspaceTransitionStart,
+			LogLevel:          "debug",
+		})
+
+		// Template author: expect an error as the debug mode is disabled
+		require.NotNil(t, err)
+		var sdkError *codersdk.Error
+		isSdkError := xerrors.As(err, &sdkError)
+		require.True(t, isSdkError)
+		require.Contains(t, sdkError.Message, "Workspace builds with a custom log level are restricted to administrators only.")
+	})
+	t.Run("AsAdmin", func(t *testing.T) {
+		t.Parallel()
+
+		// Create users
+		deploymentValues := coderdtest.DeploymentValues(t)
+		deploymentValues.EnableTerraformDebugMode = true
+
+		adminClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, DeploymentValues: deploymentValues})
 		admin := coderdtest.CreateFirstUser(t, adminClient)
-		templateAdminClient, _ := coderdtest.CreateAnotherUser(t, adminClient, admin.OrganizationID, rbac.RoleTemplateAdmin())
 
 		// Interact as template admin
 		echoResponses := &echo.Responses{
@@ -713,30 +791,30 @@ func TestWorkspaceBuildDebugMode(t *testing.T) {
 				},
 			}},
 		}
-		version := coderdtest.CreateTemplateVersion(t, templateAdminClient, admin.OrganizationID, echoResponses)
-		template := coderdtest.CreateTemplate(t, templateAdminClient, admin.OrganizationID, version.ID)
-		coderdtest.AwaitTemplateVersionJob(t, templateAdminClient, version.ID)
+		version := coderdtest.CreateTemplateVersion(t, adminClient, admin.OrganizationID, echoResponses)
+		template := coderdtest.CreateTemplate(t, adminClient, admin.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, adminClient, version.ID)
 
 		// Create workspace
-		workspace := coderdtest.CreateWorkspace(t, templateAdminClient, admin.OrganizationID, template.ID)
-		coderdtest.AwaitWorkspaceBuildJob(t, templateAdminClient, workspace.LatestBuild.ID)
+		workspace := coderdtest.CreateWorkspace(t, adminClient, admin.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, adminClient, workspace.LatestBuild.ID)
 
 		// Create workspace build
 		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 		defer cancel()
 
-		build, err := templateAdminClient.CreateWorkspaceBuild(ctx, workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+		build, err := adminClient.CreateWorkspaceBuild(ctx, workspace.ID, codersdk.CreateWorkspaceBuildRequest{
 			TemplateVersionID: workspace.LatestBuild.TemplateVersionID,
 			Transition:        codersdk.WorkspaceTransitionStart,
 			ProvisionerState:  []byte(" "),
 			LogLevel:          "debug",
 		})
 		require.Nil(t, err)
 
-		build = coderdtest.AwaitWorkspaceBuildJob(t, templateAdminClient, build.ID)
+		build = coderdtest.AwaitWorkspaceBuildJob(t, adminClient, build.ID)
 
 		// Watch for incoming logs
-		logs, closer, err := templateAdminClient.WorkspaceBuildLogsAfter(ctx, build.ID, 0)
+		logs, closer, err := adminClient.WorkspaceBuildLogsAfter(ctx, build.ID, 0)
 		require.NoError(t, err)
 		defer closer.Close()
 
 
@@ -34,11 +34,13 @@ import (
 // build, job, err := b.Build(...)
 type Builder struct {
 	// settings that control the kind of build you get
-	workspace           database.Workspace
-	trans               database.WorkspaceTransition
-	version             versionTarget
-	state               stateTarget
-	logLevel            string
+	workspace        database.Workspace
+	trans            database.WorkspaceTransition
+	version          versionTarget
+	state            stateTarget
+	logLevel         string
+	deploymentValues *codersdk.DeploymentValues
+
 	richParameterValues []codersdk.WorkspaceBuildParameter
 	initiator           uuid.UUID
 	reason              database.BuildReason
@@ -128,6 +130,12 @@ func (b Builder) LogLevel(l string) Builder {
 	return b
 }
 
+func (b Builder) DeploymentValues(dv *codersdk.DeploymentValues) Builder {
+	// nolint: revive
+	b.deploymentValues = dv
+	return b
+}
+
 func (b Builder) Initiator(u uuid.UUID) Builder {
 	// nolint: revive
 	b.initiator = u
@@ -638,11 +646,19 @@ func (b *Builder) authorize(authFunc func(action rbac.Action, object rbac.Object
 		}
 	}
 
-	if b.logLevel != "" && !authFunc(rbac.ActionUpdate, template) {
+	if b.logLevel != "" && !authFunc(rbac.ActionRead, rbac.ResourceDeploymentValues) {
+		return BuildError{
+			http.StatusBadRequest,
+			"Workspace builds with a custom log level are restricted to administrators only.",
+			xerrors.New("Workspace builds with a custom log level are restricted to administrators only."),
+		}
+	}
+
+	if b.logLevel != "" && b.deploymentValues != nil && !b.deploymentValues.EnableTerraformDebugMode {
 		return BuildError{
 			http.StatusBadRequest,
-			"Workspace builds with a custom log level are restricted to template authors only.",
-			xerrors.New("Workspace builds with a custom log level are restricted to template authors only."),
+			"Terraform debug mode is disabled in the deployment configuration.",
+			xerrors.New("Terraform debug mode is disabled in the deployment configuration."),
 		}
 	}
 	return nil
 
@@ -166,6 +166,7 @@ type DeploymentValues struct {
 	WgtunnelHost                    clibase.String                  `json:"wgtunnel_host,omitempty" typescript:",notnull"`
 	DisableOwnerWorkspaceExec       clibase.Bool                    `json:"disable_owner_workspace_exec,omitempty" typescript:",notnull"`
 	ProxyHealthStatusInterval       clibase.Duration                `json:"proxy_health_status_interval,omitempty" typescript:",notnull"`
+	EnableTerraformDebugMode        clibase.Bool                    `json:"enable_terraform_debug_mode,omitempty" typescript:",notnull"`
 
 	Config      clibase.YAMLConfigPath `json:"config,omitempty" typescript:",notnull"`
 	WriteConfig clibase.Bool           `json:"write_config,omitempty" typescript:",notnull"`
@@ -1216,10 +1217,20 @@ when required by your organization's security policy.`,
 			YAML:        "stackdriverPath",
 			Annotations: clibase.Annotations{}.Mark(annotationExternalProxies, "true"),
 		},
+		{
+			Name:        "Enable Terraform debug mode",
+			Description: "Allow administrators to enable Terraform debug output.",
+			Flag:        "enable-terraform-debug-mode",
+			Env:         "CODER_ENABLE_TERRAFORM_DEBUG_MODE",
+			Default:     "false",
+			Value:       &c.EnableTerraformDebugMode,
+			Group:       &deploymentGroupIntrospectionLogging,
+			YAML:        "enableTerraformDebugMode",
+		},
 		// ☢️ Dangerous settings
 		{
-			Name:        "DANGEROUS: Allow all CORs requests",
-			Description: "For security reasons, CORs requests are blocked except between workspace apps owned by the same user. If external requests are required, setting this to true will set all cors headers as '*'. This should never be used in production.",
+			Name:        "DANGEROUS: Allow all CORS requests",
+			Description: "For security reasons, CORS requests are blocked except between workspace apps owned by the same user. If external requests are required, setting this to true will set all cors headers as '*'. This should never be used in production.",
 			Flag:        "dangerous-allow-cors-requests",
 			Env:         "CODER_DANGEROUS_ALLOW_CORS_REQUESTS",
 			Hidden:      true, // Hidden, should only be used by yarn dev server
 
@@ -197,6 +197,7 @@ curl -X GET http://coder-server:8080/api/v2/deployment/config \
     "disable_path_apps": true,
     "disable_session_expiry_refresh": true,
     "enable_oauth_account_conversion": true,
+    "enable_terraform_debug_mode": true,
     "experiments": ["string"],
     "git_auth": {
       "value": [
 
@@ -1894,6 +1894,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
     "disable_path_apps": true,
     "disable_session_expiry_refresh": true,
     "enable_oauth_account_conversion": true,
+    "enable_terraform_debug_mode": true,
     "experiments": ["string"],
     "git_auth": {
       "value": [
@@ -2226,6 +2227,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
   "disable_path_apps": true,
   "disable_session_expiry_refresh": true,
   "enable_oauth_account_conversion": true,
+  "enable_terraform_debug_mode": true,
   "experiments": ["string"],
   "git_auth": {
     "value": [
@@ -2421,6 +2423,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
 | `disable_path_apps`                  | boolean                                                                                    | false    |              |                                                                    |
 | `disable_session_expiry_refresh`     | boolean                                                                                    | false    |              |                                                                    |
 | `enable_oauth_account_conversion`    | boolean                                                                                    | false    |              |                                                                    |
+| `enable_terraform_debug_mode`        | boolean                                                                                    | false    |              |                                                                    |
 | `experiments`                        | array of string                                                                            | false    |              |                                                                    |
 | `git_auth`                           | [clibase.Struct-array_codersdk_GitAuthConfig](#clibasestruct-array_codersdk_gitauthconfig) | false    |              |                                                                    |
 | `http_address`                       | string                                                                                     | false    |              | Http address is a string because it may be set to zero to disable. |
 
@@ -223,6 +223,17 @@ Disable workspace apps that are not served from subdomains. Path-based apps can
 
 Disable automatic session expiry bumping due to activity. This forces all sessions to become invalid after the session expiry duration has been reached.
 
+### --enable-terraform-debug-mode
+
+|             |                                                             |
+| ----------- | ----------------------------------------------------------- |
+| Type        | <code>bool</code>                                           |
+| Environment | <code>$CODER_ENABLE_TERRAFORM_DEBUG_MODE</code>             |
+| YAML        | <code>introspection.logging.enableTerraformDebugMode</code> |
+| Default     | <code>false</code>                                          |
+
+Allow administrators to enable Terraform debug output.
+
 ### --swagger-enable
 
 |             |                                    |
 
@@ -74,6 +74,9 @@ Use a YAML configuration file when your server launch become unwieldy.
           Write out the current server config as YAML to stdout.
 
 [1mIntrospection / Logging Options[0m 
+      --enable-terraform-debug-mode bool, $CODER_ENABLE_TERRAFORM_DEBUG_MODE (default: false)
+          Allow administrators to enable Terraform debug output.
+
       --log-human string, $CODER_LOGGING_HUMAN (default: /dev/stderr)
           Output human-readable logs to a given file.