coder
diff --git a/‎cli/templateedit.go
Lines changed: 18 additions & 0 deletions b/‎cli/templateedit.go
Lines changed: 18 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/accesscontrol.go
Lines changed: 11 additions & 1 deletion b/‎coderd/database/dbauthz/accesscontrol.go
Lines changed: 11 additions & 1 deletion
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 5 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 5 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000169_deprecate_template.down.sql
Lines changed: 24 additions & 0 deletions b/‎coderd/database/migrations/000169_deprecate_template.down.sql
Lines changed: 24 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000169_deprecate_template.up.sql
Lines changed: 28 additions & 0 deletions b/‎coderd/database/migrations/000169_deprecate_template.up.sql
Lines changed: 28 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 3 additions & 0 deletions b/‎coderd/database/models.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 12 additions & 6 deletions b/‎coderd/database/queries.sql.go
Lines changed: 12 additions & 6 deletions
diff --git a/‎coderd/database/queries/templates.sql
Lines changed: 2 additions & 1 deletion b/‎coderd/database/queries/templates.sql
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/templates.go
Lines changed: 14 additions & 3 deletions b/‎coderd/templates.go
Lines changed: 14 additions & 3 deletions
diff --git a/‎coderd/templates_test.go
Lines changed: 23 additions & 0 deletions b/‎coderd/templates_test.go
Lines changed: 23 additions & 0 deletions
diff --git a/‎coderd/workspaces.go
Lines changed: 11 additions & 0 deletions b/‎coderd/workspaces.go
Lines changed: 11 additions & 0 deletions
@@ -16,6 +16,7 @@ import (
 )
 
 func (r *RootCmd) templateEdit() *clibase.Cmd {
+	const deprecatedFlagName = "deprecated"
 	var (
 		name                           string
 		displayName                    string
@@ -32,6 +33,7 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 		allowUserAutostart             bool
 		allowUserAutostop              bool
 		requireActiveVersion           bool
+		deprecatedMessage              string
 	)
 	client := new(codersdk.Client)
 
@@ -118,6 +120,15 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 				autostopRequirementDaysOfWeek = []string{}
 			}
 
+			// Only pass explicitly set deprecated values since the empty string
+			// removes the deprecated message. By default if we pass a nil,
+			// there is no change to this field.
+			var deprecated *string
+			opt := inv.Command.Options.ByName(deprecatedFlagName)
+			if !(opt.ValueSource == "" || opt.ValueSource == clibase.ValueSourceDefault) {
+				deprecated = &deprecatedMessage
+			}
+
 			// NOTE: coderd will ignore empty fields.
 			req := codersdk.UpdateTemplateMeta{
 				Name:             name,
@@ -139,6 +150,7 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 				AllowUserAutostart:           allowUserAutostart,
 				AllowUserAutostop:            allowUserAutostop,
 				RequireActiveVersion:         requireActiveVersion,
+				DeprecatedMessage:            deprecated,
 			}
 
 			_, err = client.UpdateTemplateMeta(inv.Context(), template.ID, req)
@@ -166,6 +178,12 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 			Description: "Edit the template description.",
 			Value:       clibase.StringOf(&description),
 		},
+		{
+			Name:        deprecatedFlagName,
+			Flag:        "deprecated",
+			Description: "Sets the template as deprecated. Must be a message explaining why the template is deprecated.",
+			Value:       clibase.StringOf(&deprecatedMessage),
+		},
 		{
 			Flag:        "icon",
 			Description: "Edit the template icon path.",
 
@@ -18,6 +18,11 @@ type AccessControlStore interface {
 
 type TemplateAccessControl struct {
 	RequireActiveVersion bool
+	Deprecated           string
+}
+
+func (t TemplateAccessControl) IsDeprecated() bool {
+	return t.Deprecated != ""
 }
 
 // AGPLTemplateAccessControlStore always returns the defaults for access control
@@ -26,9 +31,14 @@ type AGPLTemplateAccessControlStore struct{}
 
 var _ AccessControlStore = AGPLTemplateAccessControlStore{}
 
-func (AGPLTemplateAccessControlStore) GetTemplateAccessControl(database.Template) TemplateAccessControl {
+func (AGPLTemplateAccessControlStore) GetTemplateAccessControl(t database.Template) TemplateAccessControl {
 	return TemplateAccessControl{
 		RequireActiveVersion: false,
+		// AGPL cannot set deprecated templates, but it should return
+		// existing deprecated templates. This is erroring on the safe side
+		// if a license expires, we should not allow deprecated templates
+		// to be used for new workspaces.
+		Deprecated: t.Deprecated,
 	}
 }
 
 
@@ -5905,6 +5905,7 @@ func (q *FakeQuerier) UpdateTemplateAccessControlByID(_ context.Context, arg dat
 			continue
 		}
 		q.templates[idx].RequireActiveVersion = arg.RequireActiveVersion
+		q.templates[idx].Deprecated = arg.Deprecated
 		return nil
 	}
 
 
@@ -0,0 +1,24 @@
+BEGIN;
+
+DROP VIEW template_with_users;
+
+ALTER TABLE templates
+	DROP COLUMN deprecated;
+
+CREATE VIEW
+	template_with_users
+AS
+SELECT
+	templates.*,
+	coalesce(visible_users.avatar_url, '') AS created_by_avatar_url,
+	coalesce(visible_users.username, '') AS created_by_username
+FROM
+	templates
+		LEFT JOIN
+	visible_users
+	ON
+			templates.created_by = visible_users.id;
+
+COMMENT ON VIEW template_with_users IS 'Joins in the username + avatar url of the created by user.';
+
+COMMIT;
@@ -0,0 +1,28 @@
+BEGIN;
+
+-- The view will be rebuilt with the new column
+DROP VIEW template_with_users;
+
+ALTER TABLE templates
+	ADD COLUMN deprecated TEXT NOT NULL DEFAULT '';
+
+COMMENT ON COLUMN templates.deprecated IS 'If set to a non empty string, the template will no longer be able to be used. The message will be displayed to the user.';
+
+-- Restore the old version of the template_with_users view.
+CREATE VIEW
+	template_with_users
+AS
+SELECT
+	templates.*,
+	coalesce(visible_users.avatar_url, '') AS created_by_avatar_url,
+	coalesce(visible_users.username, '') AS created_by_username
+FROM
+	templates
+		LEFT JOIN
+	visible_users
+	ON
+			templates.created_by = visible_users.id;
+
+COMMENT ON VIEW template_with_users IS 'Joins in the username + avatar url of the created by user.';
+
+COMMIT;
@@ -174,7 +174,8 @@ FROM build_times
 UPDATE
 	templates
 SET
-	require_active_version = $2
+	require_active_version = $2,
+	deprecated = $3
 WHERE
 	id = $1
 ;
@@ -584,6 +584,11 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 	if req.AutostopRequirement.Weeks > schedule.MaxTemplateAutostopRequirementWeeks {
 		validErrs = append(validErrs, codersdk.ValidationError{Field: "autostop_requirement.weeks", Detail: fmt.Sprintf("Must be less than %d.", schedule.MaxTemplateAutostopRequirementWeeks)})
 	}
+	// Defaults to the existing.
+	deprecatedMessage := template.Deprecated
+	if req.DeprecatedMessage != nil {
+		deprecatedMessage = *req.DeprecatedMessage
+	}
 
 	// The minimum valid value for a dormant TTL is 1 minute. This is
 	// to ensure an uninformed user does not send an unintentionally
@@ -624,7 +629,8 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 			req.FailureTTLMillis == time.Duration(template.FailureTTL).Milliseconds() &&
 			req.TimeTilDormantMillis == time.Duration(template.TimeTilDormant).Milliseconds() &&
 			req.TimeTilDormantAutoDeleteMillis == time.Duration(template.TimeTilDormantAutoDelete).Milliseconds() &&
-			req.RequireActiveVersion == template.RequireActiveVersion {
+			req.RequireActiveVersion == template.RequireActiveVersion &&
+			(deprecatedMessage == template.Deprecated) {
 			return nil
 		}
 
@@ -648,9 +654,10 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 			return xerrors.Errorf("update template metadata: %w", err)
 		}
 
-		if template.RequireActiveVersion != req.RequireActiveVersion {
+		if template.RequireActiveVersion != req.RequireActiveVersion || deprecatedMessage != template.Deprecated {
 			err = (*api.AccessControlStore.Load()).SetTemplateAccessControl(ctx, tx, template.ID, dbauthz.TemplateAccessControl{
 				RequireActiveVersion: req.RequireActiveVersion,
+				Deprecated:           deprecatedMessage,
 			})
 			if err != nil {
 				return xerrors.Errorf("set template access control: %w", err)
@@ -804,6 +811,7 @@ func (api *API) convertTemplates(templates []database.Template) []codersdk.Templ
 func (api *API) convertTemplate(
 	template database.Template,
 ) codersdk.Template {
+	templateAccessControl := (*(api.Options.AccessControlStore.Load())).GetTemplateAccessControl(template)
 	activeCount, _ := api.metricsCache.TemplateUniqueUsers(template.ID)
 
 	buildTimeStats := api.metricsCache.TemplateBuildTimeStats(template.ID)
@@ -843,6 +851,9 @@ func (api *API) convertTemplate(
 		AutostartRequirement: codersdk.TemplateAutostartRequirement{
 			DaysOfWeek: codersdk.BitmapToWeekdays(template.AutostartAllowedDays()),
 		},
-		RequireActiveVersion: template.RequireActiveVersion,
+		// These values depend on entitlements and come from the templateAccessControl
+		RequireActiveVersion: templateAccessControl.RequireActiveVersion,
+		Deprecated:           templateAccessControl.IsDeprecated(),
+		DeprecatedMessage:    templateAccessControl.Deprecated,
 	}
 }
@@ -516,6 +516,29 @@ func TestPatchTemplateMeta(t *testing.T) {
 		assert.Equal(t, database.AuditActionWrite, auditor.AuditLogs()[4].Action)
 	})
 
+	t.Run("AGPL_Deprecated", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: false})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		req := codersdk.UpdateTemplateMeta{
+			DeprecatedMessage: ptr.Ref("APGL cannot deprecate"),
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		updated, err := client.UpdateTemplateMeta(ctx, template.ID, req)
+		require.NoError(t, err)
+		assert.Greater(t, updated.UpdatedAt, template.UpdatedAt)
+		// AGPL cannot deprecate, expect no change
+		assert.False(t, updated.Deprecated)
+		assert.Empty(t, updated.DeprecatedMessage)
+	})
+
 	t.Run("NoDefaultTTL", func(t *testing.T) {
 		t.Parallel()
 
 
@@ -394,6 +394,17 @@ func (api *API) postWorkspacesByOrganization(rw http.ResponseWriter, r *http.Req
 		return
 	}
 
+	templateAccessControl := (*(api.AccessControlStore.Load())).GetTemplateAccessControl(template)
+	if templateAccessControl.IsDeprecated() {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: fmt.Sprintf("Template %q has been deprecated, and cannot be used to create a new workspace.", template.Name),
+			// Pass the deprecated message to the user.
+			Detail:      templateAccessControl.Deprecated,
+			Validations: nil,
+		})
+		return
+	}
+
 	if organization.ID != template.OrganizationID {
 		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 			Message: fmt.Sprintf("Template is not in organization %q.", organization.Name),
Original file line number	Diff line number	Diff line change
`@@ -5905,6 +5905,7 @@ func (q *FakeQuerier) UpdateTemplateAccessControlByID(_ context.Context, arg dat`
`5905`	`5905`	`continue`
`5906`	`5906`	`}`
`5907`	`5907`	`q.templates[idx].RequireActiveVersion = arg.RequireActiveVersion`
	`5908`	`+ q.templates[idx].Deprecated = arg.Deprecated`
`5908`	`5909`	`return nil`
`5909`	`5910`	`}`
`5910`	`5911`