coder
diff --git a/‎.github/actions/setup-tf/action.yaml
Lines changed: 11 additions & 0 deletions b/‎.github/actions/setup-tf/action.yaml
Lines changed: 11 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 14 additions & 21 deletions b/‎.github/workflows/ci.yaml
Lines changed: 14 additions & 21 deletions
diff --git a/‎.github/workflows/nightly-gauntlet.yaml
Lines changed: 1 addition & 5 deletions b/‎.github/workflows/nightly-gauntlet.yaml
Lines changed: 1 addition & 5 deletions
diff --git a/‎cli/clitest/handlers.go
Lines changed: 24 additions & 0 deletions b/‎cli/clitest/handlers.go
Lines changed: 24 additions & 0 deletions
diff --git a/‎cli/root.go
Lines changed: 12 additions & 0 deletions b/‎cli/root.go
Lines changed: 12 additions & 0 deletions
diff --git a/‎cli/root_test.go
Lines changed: 10 additions & 0 deletions b/‎cli/root_test.go
Lines changed: 10 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 10 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 10 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 10 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 10 additions & 0 deletions
diff --git a/‎codersdk/templates.go
Lines changed: 5 additions & 2 deletions b/‎codersdk/templates.go
Lines changed: 5 additions & 2 deletions
diff --git a/‎docs/api/enterprise.md
Lines changed: 4 additions & 4 deletions b/‎docs/api/enterprise.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/api/schemas.md
Lines changed: 10 additions & 10 deletions b/‎docs/api/schemas.md
Lines changed: 10 additions & 10 deletions
diff --git a/‎docs/manifest.json
Lines changed: 5 additions & 0 deletions b/‎docs/manifest.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/templates/modules.md
Lines changed: 89 additions & 0 deletions b/‎docs/templates/modules.md
Lines changed: 89 additions & 0 deletions
diff --git a/‎enterprise/cli/provisionerdaemons.go
Lines changed: 3 additions & 0 deletions b/‎enterprise/cli/provisionerdaemons.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎enterprise/cli/root_test.go
Lines changed: 10 additions & 0 deletions b/‎enterprise/cli/root_test.go
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,11 @@
+name: "Setup Terraform"
+description: |
+  Sets up Terraform for tests, builds, etc.
+runs:
+  using: "composite"
+  steps:
+    - name: Install Terraform
+      uses: hashicorp/setup-terraform@v2
+      with:
+        terraform_version: 1.5.2
+        terraform_wrapper: false
@@ -203,7 +203,16 @@ jobs:
           go-version: 1.20.5
 
       - name: Install prettier
-        run: npm install -g prettier
+        # We only need prettier for fmt, so do not install all dependencies.
+        # There is no way to install a single package with yarn, so we have to
+        # make a new package.json with only prettier listed as a dependency.
+        # Then running `yarn` will only install prettier.
+        run: |
+          cd site
+          mv package.json package.json.bak
+          jq '{dependencies: {prettier: .devDependencies.prettier}}' < package.json.bak > package.json
+          yarn --frozen-lockfile
+          mv package.json.bak package.json
 
       - name: Install shfmt
         run: go install mvdan.cc/sh/v3/cmd/shfmt@v3.5.0
@@ -231,11 +240,7 @@ jobs:
       - uses: actions/checkout@v3
 
       - uses: ./.github/actions/setup-go
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.5.1
-          terraform_wrapper: false
+      - uses: ./.github/actions/setup-tf
 
       - name: Test with Mock Database
         id: test
@@ -296,11 +301,7 @@ jobs:
       - uses: actions/checkout@v3
 
       - uses: ./.github/actions/setup-go
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.5.1
-          terraform_wrapper: false
+      - uses: ./.github/actions/setup-tf
 
       - name: Test with PostgreSQL Database
         run: |
@@ -340,11 +341,7 @@ jobs:
       - uses: actions/checkout@v3
 
       - uses: ./.github/actions/setup-go
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.5.1
-          terraform_wrapper: false
+      - uses: ./.github/actions/setup-tf
 
       - name: Run Tests
         run: |
@@ -479,11 +476,7 @@ jobs:
 
       - uses: ./.github/actions/setup-node
       - uses: ./.github/actions/setup-go
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.5.1
-          terraform_wrapper: false
+      - uses: ./.github/actions/setup-tf
 
       - name: Build
         run: |
 
@@ -19,11 +19,7 @@ jobs:
       - uses: actions/checkout@v3
 
       - uses: ./.github/actions/setup-go
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.1.9
-          terraform_wrapper: false
+      - uses: ./.github/actions/setup-tf
 
       - name: Run Tests
         run: |
 
@@ -0,0 +1,24 @@
+package clitest
+
+import (
+	"testing"
+
+	"github.com/coder/coder/cli/clibase"
+)
+
+// HandlersOK asserts that all commands have a handler.
+// Without a handler, the command has no default behavior. Even for
+// non-root commands (like 'groups' or 'users'), a handler is required.
+// These handlers are likely just the 'help' handler, but this must be
+// explicitly set.
+func HandlersOK(t *testing.T, cmd *clibase.Cmd) {
+	cmd.Walk(func(cmd *clibase.Cmd) {
+		if cmd.Handler == nil {
+			// If you see this error, make the Handler a helper invoker.
+			//   Handler: func(inv *clibase.Invocation) error {
+			//	   return inv.Command.HelpHandler(inv)
+			//	 },
+			t.Errorf("command %q has no handler, change to a helper invoker using: 'inv.Command.HelpHandler(inv)'", cmd.Name())
+		}
+	})
+}
@@ -260,6 +260,18 @@ func (r *RootCmd) Command(subcommands []*clibase.Cmd) (*clibase.Cmd, error) {
 	// Add a wrapper to every command to enable debugging options.
 	cmd.Walk(func(cmd *clibase.Cmd) {
 		h := cmd.Handler
+		if h == nil {
+			// We should never have a nil handler, but if we do, do not
+			// wrap it. Wrapping it just hides a nil pointer dereference.
+			// If a nil handler exists, this is a developer bug. If no handler
+			// is required for a command such as command grouping (e.g. `users'
+			// and 'groups'), then the handler should be set to the helper
+			// function.
+			//	func(inv *clibase.Invocation) error {
+			//		return inv.Command.HelpHandler(inv)
+			//	}
+			return
+		}
 		cmd.Handler = func(i *clibase.Invocation) error {
 			if !debugOptions {
 				return h(i)
 
@@ -181,3 +181,13 @@ func TestDERPHeaders(t *testing.T) {
 
 	require.Greater(t, atomic.LoadInt64(&derpCalled), int64(0), "expected /derp to be called at least once")
 }
+
+func TestHandlersOK(t *testing.T) {
+	t.Parallel()
+
+	var root cli.RootCmd
+	cmd, err := root.Command(root.Core())
+	require.NoError(t, err)
+
+	clitest.HandlersOK(t, cmd)
+}
@@ -85,8 +85,11 @@ type TemplateUser struct {
 }
 
 type UpdateTemplateACL struct {
-	UserPerms  map[string]TemplateRole `json:"user_perms,omitempty"`
-	GroupPerms map[string]TemplateRole `json:"group_perms,omitempty"`
+	// UserPerms should be a mapping of user id to role. The user id must be the
+	// uuid of the user, not a username or email address.
+	UserPerms map[string]TemplateRole `json:"user_perms,omitempty" example:"<group_id>:admin,4df59e74-c027-470b-ab4d-cbba8963a5e9:use"`
+	// GroupPerms should be a mapping of group id to role.
+	GroupPerms map[string]TemplateRole `json:"group_perms,omitempty" example:"<user_id>>:admin,8bd26b20-f3e8-48be-a903-46bb920cf671:use"`
 }
 
 type UpdateTemplateMeta struct {
 
@@ -1080,12 +1080,12 @@ curl -X PATCH http://coder-server:8080/api/v2/templates/{template}/acl \
 ```json
 {
   "group_perms": {
-    "property1": "admin",
-    "property2": "admin"
+    "8bd26b20-f3e8-48be-a903-46bb920cf671": "use",
+    "<user_id>>": "admin"
   },
   "user_perms": {
-    "property1": "admin",
-    "property2": "admin"
+    "4df59e74-c027-470b-ab4d-cbba8963a5e9": "use",
+    "<group_id>": "admin"
   }
 }
 ```
 
@@ -4441,24 +4441,24 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
 ```json
 {
   "group_perms": {
-    "property1": "admin",
-    "property2": "admin"
+    "8bd26b20-f3e8-48be-a903-46bb920cf671": "use",
+    "<user_id>>": "admin"
   },
   "user_perms": {
-    "property1": "admin",
-    "property2": "admin"
+    "4df59e74-c027-470b-ab4d-cbba8963a5e9": "use",
+    "<group_id>": "admin"
   }
 }
 ```
 
 ### Properties
 
-| Name               | Type                                           | Required | Restrictions | Description |
-| ------------------ | ---------------------------------------------- | -------- | ------------ | ----------- |
-| `group_perms`      | object                                         | false    |              |             |
-| » `[any property]` | [codersdk.TemplateRole](#codersdktemplaterole) | false    |              |             |
-| `user_perms`       | object                                         | false    |              |             |
-| » `[any property]` | [codersdk.TemplateRole](#codersdktemplaterole) | false    |              |             |
+| Name               | Type                                           | Required | Restrictions | Description                                                                                                                   |
+| ------------------ | ---------------------------------------------- | -------- | ------------ | ----------------------------------------------------------------------------------------------------------------------------- |
+| `group_perms`      | object                                         | false    |              | Group perms should be a mapping of group ID to role.                                                                          |
+| » `[any property]` | [codersdk.TemplateRole](#codersdktemplaterole) | false    |              |                                                                                                                               |
+| `user_perms`       | object                                         | false    |              | User perms should be a mapping of user ID to role. The user ID must be the uuid of the user, not a username or email address. |
+| » `[any property]` | [codersdk.TemplateRole](#codersdktemplaterole) | false    |              |                                                                                                                               |
 
 ## codersdk.UpdateUserPasswordRequest
 
 
@@ -175,6 +175,11 @@
           "description": "Use docker inside containerized templates",
           "path": "./templates/docker-in-workspaces.md",
           "icon_path": "./images/icons/docker.svg"
+        },
+        {
+          "title": "Terraform Modules",
+          "description": "Reuse code across Coder templates",
+          "path": "./templates/modules.md"
         }
       ]
     },
 
@@ -0,0 +1,89 @@
+# Template inheritance
+
+In instances where you want to reuse code across different Coder templates, such as common scripts or resource definitions, we suggest using [Terraform Modules](https://developer.hashicorp.com/terraform/language/modules).
+
+These modules can be stored externally from Coder, like in a Git repository or a Terraform registry. Below is an example of how to reference a module in your template:
+
+```hcl
+data "coder_workspace" "me" {}
+
+module "coder-base" {
+  source = "github.com/my-organization/coder-base"
+
+  # Modules take in variables and can provision infrastructure
+  vpc_name            = "devex-3"
+  subnet_tags         = { "name": data.coder_workspace.me.name }
+  code_server_version = 4.14.1
+}
+
+resource "coder_agent" "dev" {
+  # Modules can provide outputs, such as helper scripts
+  startup_script=<<EOF
+  #!/bin/sh
+  ${module.coder-base.code_server_install_command}
+  EOF
+}
+```
+
+> Learn more about [creating modules](https://developer.hashicorp.com/terraform/language/modules) and [module sources](https://developer.hashicorp.com/terraform/language/modules/sources) in the Terraform documentation.
+
+## Git authentication
+
+If you are importing a module from a private git repository, the Coder server [or provisioner](../admin/provisioners.md) needs git credentials. Since this token will only be used for cloning your repositories with modules, it is best to create a token with limited access to repositories and no extra permissions. In GitHub, you can generate a [fine-grained token](https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28) with read only access to repos.
+
+If you are running Coder on a VM, make sure you have `git` installed and the `coder` user has access to the following files
+
+```sh
+# /home/coder/.gitconfig
+[credential]
+  helper = store
+```
+
+```sh
+# /home/coder/.gitconfig
+
+# GitHub example:
+https://your-github-username:your-github-pat@github.com
+```
+
+If you are running Coder on Docker or Kubernetes, `git` is pre-installed in the Coder image. However, you still need to mount credentials. This can be done via a Docker volume mount or Kubernetes secrets.
+
+### Passing git credentials in Kubernetes
+
+First, create a `.gitconfig` and `.git-credentials` file on your local machine. You may want to do this in a temporary directory to avoid conflicting with your own git credentials.
+
+Next, create the secret in Kubernetes. Be sure to do this in the same namespace that Coder is installed in.
+
+```sh
+export NAMESPACE=coder
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-secrets
+  namespace: $NAMESPACE
+type: Opaque
+data:
+  .gitconfig: $(cat .gitconfig | base64 | tr -d '\n')
+  .git-credentials: $(cat .git-credentials | base64 | tr -d '\n')
+EOF
+```
+
+Then, modify Coder's Helm values to mount the secret.
+
+```yaml
+coder:
+  volumes:
+    - name: git-secrets
+      secret:
+        secretName: git-secrets
+  volumeMounts:
+    - name: git-secrets
+      mountPath: "/home/coder/.gitconfig"
+      subPath: .gitconfig
+      readOnly: true
+    - name: git-secrets
+      mountPath: "/home/coder/.git-credentials"
+      subPath: .git-credentials
+      readOnly: true
+```
@@ -27,6 +27,9 @@ func (r *RootCmd) provisionerDaemons() *clibase.Cmd {
 	cmd := &clibase.Cmd{
 		Use:   "provisionerd",
 		Short: "Manage provisioner daemons",
+		Handler: func(inv *clibase.Invocation) error {
+			return inv.Command.HelpHandler(inv)
+		},
 		Children: []*clibase.Cmd{
 			r.provisionerDaemonStart(),
 		},
 
@@ -17,3 +17,13 @@ func newCLI(t *testing.T, args ...string) (*clibase.Invocation, config.Root) {
 	require.NoError(t, err)
 	return clitest.NewWithCommand(t, cmd, args...)
 }
+
+func TestEnterpriseHandlersOK(t *testing.T) {
+	t.Parallel()
+
+	var root cli.RootCmd
+	cmd, err := root.Command(root.EnterpriseSubcommands())
+	require.NoError(t, err)
+
+	clitest.HandlersOK(t, cmd)
+}
Original file line number	Diff line number	Diff line change
`@@ -85,8 +85,11 @@ type TemplateUser struct {`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`type UpdateTemplateACL struct {`
`88`		- UserPerms map[string]TemplateRole `json:"user_perms,omitempty"`
`89`		- GroupPerms map[string]TemplateRole `json:"group_perms,omitempty"`
	`88`	`+ // UserPerms should be a mapping of user id to role. The user id must be the`
	`89`	`+ // uuid of the user, not a username or email address.`
	`90`	+ UserPerms map[string]TemplateRole `json:"user_perms,omitempty" example:"<group_id>:admin,4df59e74-c027-470b-ab4d-cbba8963a5e9:use"`
	`91`	`+ // GroupPerms should be a mapping of group id to role.`
	`92`	+ GroupPerms map[string]TemplateRole `json:"group_perms,omitempty" example:"<user_id>>:admin,8bd26b20-f3e8-48be-a903-46bb920cf671:use"`
`90`	`93`	`}`
`91`	`94`
`92`	`95`	`type UpdateTemplateMeta struct {`
Original file line number	Diff line number	Diff line change
`@@ -1080,12 +1080,12 @@ curl -X PATCH http://coder-server:8080/api/v2/templates/{template}/acl \`
`1080`	`1080`	```json
`1081`	`1081`	`{`
`1082`	`1082`	`"group_perms": {`
`1083`		`- "property1": "admin",`
`1084`		`- "property2": "admin"`
	`1083`	`+ "8bd26b20-f3e8-48be-a903-46bb920cf671": "use",`
	`1084`	`+ "<user_id>>": "admin"`
`1085`	`1085`	`},`
`1086`	`1086`	`"user_perms": {`
`1087`		`- "property1": "admin",`
`1088`		`- "property2": "admin"`
	`1087`	`+ "4df59e74-c027-470b-ab4d-cbba8963a5e9": "use",`
	`1088`	`+ "<group_id>": "admin"`
`1089`	`1089`	`}`
`1090`	`1090`	`}`
`1091`	`1091`	```
Original file line number	Diff line number	Diff line change
`@@ -175,6 +175,11 @@`
`175`	`175`	`"description": "Use docker inside containerized templates",`
`176`	`176`	`"path": "./templates/docker-in-workspaces.md",`
`177`	`177`	`"icon_path": "./images/icons/docker.svg"`
	`178`	`+ },`
	`179`	`+ {`
	`180`	`+ "title": "Terraform Modules",`
	`181`	`+ "description": "Reuse code across Coder templates",`
	`182`	`+ "path": "./templates/modules.md"`
`178`	`183`	`}`
`179`	`184`	`]`
`180`	`185`	`},`