coder
diff --git a/‎coderd/provisionerdserver/provisionerdserver.go
+31-6 b/‎coderd/provisionerdserver/provisionerdserver.go
+31-6
diff --git a/‎provisioner/terraform/provision.go
+6-3 b/‎provisioner/terraform/provision.go
+6-3
diff --git a/‎provisionerd/proto/provisionerd.pb.go
+278-260 b/‎provisionerd/proto/provisionerd.pb.go
+278-260
diff --git a/‎provisionerd/proto/provisionerd.proto
+4 b/‎provisionerd/proto/provisionerd.proto
+4
diff --git a/‎provisionerd/proto/version.go
+3 b/‎provisionerd/proto/version.go
+3
diff --git a/‎provisionerd/runner/runner.go
+8-5 b/‎provisionerd/runner/runner.go
+8-5
@@ -549,6 +549,30 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 			return nil, failJob(fmt.Sprintf("convert workspace transition: %s", err))
 		}
 
+		// A previous workspace build exists
+		var lastWorkspaceBuildParameters []database.WorkspaceBuildParameter
+		if workspaceBuild.BuildNumber > 1 {
+			// TODO: Should we fetch the last build that succeeded? This fetches the
+			//   previous build regardless of the status of the build.
+			buildNum := workspaceBuild.BuildNumber - 1
+			previous, err := s.Database.GetWorkspaceBuildByWorkspaceIDAndBuildNumber(ctx, database.GetWorkspaceBuildByWorkspaceIDAndBuildNumberParams{
+				WorkspaceID: workspaceBuild.WorkspaceID,
+				BuildNumber: buildNum,
+			})
+
+			// If the error is ErrNoRows, then assume previous values are empty.
+			if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
+				return nil, xerrors.Errorf("get last build with number=%d: %w", buildNum, err)
+			}
+
+			if err == nil {
+				lastWorkspaceBuildParameters, err = s.Database.GetWorkspaceBuildParameters(ctx, previous.ID)
+				if err != nil {
+					return nil, xerrors.Errorf("get last build parameters %q: %w", previous.ID, err)
+				}
+			}
+		}
+
 		workspaceBuildParameters, err := s.Database.GetWorkspaceBuildParameters(ctx, workspaceBuild.ID)
 		if err != nil {
 			return nil, failJob(fmt.Sprintf("get workspace build parameters: %s", err))
@@ -625,12 +649,13 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 
 		protoJob.Type = &proto.AcquiredJob_WorkspaceBuild_{
 			WorkspaceBuild: &proto.AcquiredJob_WorkspaceBuild{
-				WorkspaceBuildId:      workspaceBuild.ID.String(),
-				WorkspaceName:         workspace.Name,
-				State:                 workspaceBuild.ProvisionerState,
-				RichParameterValues:   convertRichParameterValues(workspaceBuildParameters),
-				VariableValues:        asVariableValues(templateVariables),
-				ExternalAuthProviders: externalAuthProviders,
+				WorkspaceBuildId:        workspaceBuild.ID.String(),
+				WorkspaceName:           workspace.Name,
+				State:                   workspaceBuild.ProvisionerState,
+				RichParameterValues:     convertRichParameterValues(workspaceBuildParameters),
+				PreviousParameterValues: convertRichParameterValues(lastWorkspaceBuildParameters),
+				VariableValues:          asVariableValues(templateVariables),
+				ExternalAuthProviders:   externalAuthProviders,
 				Metadata: &sdkproto.Metadata{
 					CoderUrl:                      s.AccessURL.String(),
 					WorkspaceTransition:           transition,
 
@@ -152,7 +152,7 @@ func (s *server) Plan(
 
 	s.logger.Debug(ctx, "ran initialization")
 
-	env, err := provisionEnv(sess.Config, request.Metadata, request.RichParameterValues, request.ExternalAuthProviders)
+	env, err := provisionEnv(sess.Config, request.Metadata, request.PreviousParameterValues, request.RichParameterValues, request.ExternalAuthProviders)
 	if err != nil {
 		return provisionersdk.PlanErrorf("setup env: %s", err)
 	}
@@ -205,7 +205,7 @@ func (s *server) Apply(
 
 	// Earlier in the session, Plan() will have written the state file and the plan file.
 	statefilePath := getStateFilePath(sess.WorkDirectory)
-	env, err := provisionEnv(sess.Config, request.Metadata, nil, nil)
+	env, err := provisionEnv(sess.Config, request.Metadata, nil, nil, nil)
 	if err != nil {
 		return provisionersdk.ApplyErrorf("provision env: %s", err)
 	}
@@ -236,7 +236,7 @@ func planVars(plan *proto.PlanRequest) ([]string, error) {
 
 func provisionEnv(
 	config *proto.Config, metadata *proto.Metadata,
-	richParams []*proto.RichParameterValue, externalAuth []*proto.ExternalAuthProvider,
+	previousParams, richParams []*proto.RichParameterValue, externalAuth []*proto.ExternalAuthProvider,
 ) ([]string, error) {
 	env := safeEnviron()
 	ownerGroups, err := json.Marshal(metadata.GetWorkspaceOwnerGroups())
@@ -280,6 +280,9 @@ func provisionEnv(
 	for key, value := range provisionersdk.AgentScriptEnv() {
 		env = append(env, key+"="+value)
 	}
+	for _, param := range previousParams {
+		env = append(env, provider.ParameterEnvironmentVariablePrevious(param.Name)+"="+param.Value)
+	}
 	for _, param := range richParams {
 		env = append(env, provider.ParameterEnvironmentVariable(param.Name)+"="+param.Value)
 	}
 
@@ -22,6 +22,10 @@ message AcquiredJob {
         provisioner.Metadata metadata = 7;
         bytes state = 8;
         string log_level = 9;
+        // previous_parameter_values is used to pass the values of the previous
+        // workspace build. Omit these values if the workspace is being created
+        // for the first time.
+        repeated provisioner.RichParameterValue previous_parameter_values = 10;
     }
     message TemplateImport {
         provisioner.Metadata metadata = 1;
 
@@ -16,6 +16,9 @@ import "github.com/coder/coder/v2/apiversion"
 // API v1.5:
 //   - Add new field named `prebuilt_workspace_build_stage` enum in the Metadata message.
 //   - Add `plan` and `module_files` fields to `CompletedJob.TemplateImport`.
+//   - Add previous parameter values to 'WorkspaceBuild' jobs. Provisioner passes
+//     the previous values for the `terraform apply` to enforce monotonicity
+//     in the terraform provider.
 const (
 	CurrentMajor = 1
 	CurrentMinor = 5
 
@@ -691,7 +691,9 @@ func (r *Runner) runTemplateImportProvisionWithRichParameters(
 	err := r.session.Send(&sdkproto.Request{Type: &sdkproto.Request_Plan{Plan: &sdkproto.PlanRequest{
 		Metadata:            metadata,
 		RichParameterValues: richParameterValues,
-		VariableValues:      variableValues,
+		// Template import has no previous values
+		PreviousParameterValues: make([]*sdkproto.RichParameterValue, 0),
+		VariableValues:          variableValues,
 	}}})
 	if err != nil {
 		return nil, xerrors.Errorf("start provision: %w", err)
@@ -960,10 +962,11 @@ func (r *Runner) runWorkspaceBuild(ctx context.Context) (*proto.CompletedJob, *p
 	resp, failed := r.buildWorkspace(ctx, "Planning infrastructure", &sdkproto.Request{
 		Type: &sdkproto.Request_Plan{
 			Plan: &sdkproto.PlanRequest{
-				Metadata:              r.job.GetWorkspaceBuild().Metadata,
-				RichParameterValues:   r.job.GetWorkspaceBuild().RichParameterValues,
-				VariableValues:        r.job.GetWorkspaceBuild().VariableValues,
-				ExternalAuthProviders: r.job.GetWorkspaceBuild().ExternalAuthProviders,
+				Metadata:                r.job.GetWorkspaceBuild().Metadata,
+				RichParameterValues:     r.job.GetWorkspaceBuild().RichParameterValues,
+				PreviousParameterValues: r.job.GetWorkspaceBuild().PreviousParameterValues,
+				VariableValues:          r.job.GetWorkspaceBuild().VariableValues,
+				ExternalAuthProviders:   r.job.GetWorkspaceBuild().ExternalAuthProviders,
 			},
 		},
 	})