write audit log

johnstcn · johnstcn · commit 459ce5cc2e9d · 2025-06-20T12:46:10.000+01:00
diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
@@ -3,6 +3,7 @@ package coderd
 import (
 	"context"
 	"database/sql"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"math"
@@ -431,6 +432,37 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 			// Client probably doesn't care about this error, so just log it.
 			api.Logger.Error(ctx, "failed to post provisioner job to pubsub", slog.Error(err))
 		}
+
+		// We may need to complete the audit if wsbuilder determined that
+		// no provisioner could handle an orphan-delete job and completed it.
+		if createBuild.Orphan && createBuild.Transition == codersdk.WorkspaceTransitionDelete && provisionerJob.CompletedAt.Valid {
+			buildResourceInfo := audit.AdditionalFields{
+				WorkspaceName:  workspace.Name,
+				BuildNumber:    strconv.Itoa(int(workspaceBuild.BuildNumber)),
+				BuildReason:    workspaceBuild.Reason,
+				WorkspaceID:    workspace.ID,
+				WorkspaceOwner: workspace.OwnerName,
+			}
+			briBytes, err := json.Marshal(buildResourceInfo)
+			if err != nil {
+				api.Logger.Error(ctx, "failed to marshal build resource info for audit", slog.Error(err))
+			}
+			auditor := api.Auditor.Load()
+			bag := audit.BaggageFromContext(ctx)
+			audit.BackgroundAudit(ctx, &audit.BackgroundAuditParams[database.WorkspaceBuild]{
+				Audit:            *auditor,
+				Log:              api.Logger,
+				UserID:           provisionerJob.InitiatorID,
+				OrganizationID:   workspace.OrganizationID,
+				RequestID:        provisionerJob.ID,
+				IP:               bag.IP,
+				Action:           database.AuditActionDelete,
+				Old:              previousWorkspaceBuild,
+				New:              *workspaceBuild,
+				Status:           http.StatusOK,
+				AdditionalFields: briBytes,
+			})
+		}
 	}
 
 	apiBuild, err := api.convertWorkspaceBuild(
diff --git a/coderd/wsbuilder/wsbuilder.go b/coderd/wsbuilder/wsbuilder.go
@@ -493,8 +493,6 @@ func (b *Builder) buildTx(authFunc func(action policy.Action, object rbac.Object
 				return BuildError{http.StatusInternalServerError, "mark orphan-delete provisioner job as completed", err}
 			}
 
-			// TODO: audit baggage?
-
 			// Re-fetch the completed provisioner job.
 			if pj, err := store.GetProvisionerJobByID(b.ctx, provisionerJob.ID); err == nil {
 				provisionerJob = pj

Original file line number	Diff line number	Diff line change
`@@ -493,8 +493,6 @@ func (b *Builder) buildTx(authFunc func(action policy.Action, object rbac.Object`
`493`	`493`	`return BuildError{http.StatusInternalServerError, "mark orphan-delete provisioner job as completed", err}`
`494`	`494`	`}`
`495`	`495`
`496`		`- // TODO: audit baggage?`
`497`		`-`
`498`	`496`	`// Re-fetch the completed provisioner job.`
`499`	`497`	`if pj, err := store.GetProvisionerJobByID(b.ctx, provisionerJob.ID); err == nil {`
`500`	`498`	`provisionerJob = pj`