coder
diff --git a/‎.gitignore
+1 b/‎.gitignore
+1
diff --git a/‎coderd/database/dbauthz/dbauthz.go
+5-6 b/‎coderd/database/dbauthz/dbauthz.go
+5-6
diff --git a/‎coderd/database/dbgen/dbgen.go
+4-3 b/‎coderd/database/dbgen/dbgen.go
+4-3
diff --git a/‎coderd/database/dbmem/dbmem.go
+1 b/‎coderd/database/dbmem/dbmem.go
+1
diff --git a/‎coderd/database/dump.sql
+5-1 b/‎coderd/database/dump.sql
+5-1
diff --git a/‎coderd/database/foreign_key_constraint.go
+1 b/‎coderd/database/foreign_key_constraint.go
+1
diff --git a/‎coderd/database/migrations/000320_terraform_cached_modules.down.sql
+1 b/‎coderd/database/migrations/000320_terraform_cached_modules.down.sql
+1
diff --git a/‎coderd/database/migrations/000320_terraform_cached_modules.up.sql
+1 b/‎coderd/database/migrations/000320_terraform_cached_modules.up.sql
+1
diff --git a/‎coderd/database/models.go
+1 b/‎coderd/database/models.go
+1
diff --git a/‎coderd/database/queries.sql.go
+20-7 b/‎coderd/database/queries.sql.go
+20-7
diff --git a/‎coderd/database/queries/templateversionterraformvalues.sql
+2 b/‎coderd/database/queries/templateversionterraformvalues.sql
+2
diff --git a/‎coderd/files/cache.go
+5-1 b/‎coderd/files/cache.go
+5-1
diff --git a/‎coderd/parameters.go
+1-1 b/‎coderd/parameters.go
+1-1
diff --git a/‎coderd/provisionerdserver/provisionerdserver.go
+59-5 b/‎coderd/provisionerdserver/provisionerdserver.go
+59-5
diff --git a/‎provisioner/echo/serve.go
+3-1 b/‎provisioner/echo/serve.go
+3-1
diff --git a/‎provisioner/terraform/executor.go
+18-2 b/‎provisioner/terraform/executor.go
+18-2
@@ -50,6 +50,7 @@ site/stats/
 *.tfplan
 *.lock.hcl
 .terraform/
+!provisioner/terraform/testdata/modules-source-caching/.terraform/
 
 **/.coderv2/*
 **/__debug_bin
 
@@ -12,21 +12,19 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	"golang.org/x/xerrors"
-
 	"github.com/open-policy-agent/opa/topdown"
+	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
 
-	"github.com/coder/coder/v2/coderd/prebuilds"
-	"github.com/coder/coder/v2/coderd/rbac/policy"
-	"github.com/coder/coder/v2/coderd/rbac/rolestore"
-
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi/httpapiconstraints"
 	"github.com/coder/coder/v2/coderd/httpmw/loggermw"
+	"github.com/coder/coder/v2/coderd/prebuilds"
 	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
+	"github.com/coder/coder/v2/coderd/rbac/rolestore"
 	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/provisionersdk"
 )
@@ -347,6 +345,7 @@ var (
 					rbac.ResourceNotificationPreference.Type: {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 					rbac.ResourceNotificationTemplate.Type:   {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 					rbac.ResourceCryptoKey.Type:              {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceFile.Type:                   {policy.ActionCreate, policy.ActionRead},
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
 
@@ -999,9 +999,10 @@ func TemplateVersionTerraformValues(t testing.TB, db database.Store, orig databa
 	t.Helper()
 
 	params := database.InsertTemplateVersionTerraformValuesByJobIDParams{
-		JobID:      takeFirst(orig.JobID, uuid.New()),
-		CachedPlan: takeFirstSlice(orig.CachedPlan, []byte("{}")),
-		UpdatedAt:  takeFirst(orig.UpdatedAt, dbtime.Now()),
+		JobID:             takeFirst(orig.JobID, uuid.New()),
+		CachedPlan:        takeFirstSlice(orig.CachedPlan, []byte("{}")),
+		CachedModuleFiles: orig.CachedModuleFiles,
+		UpdatedAt:         takeFirst(orig.UpdatedAt, dbtime.Now()),
 	}
 
 	err := db.InsertTemplateVersionTerraformValuesByJobID(genCtx, params)
 
@@ -9315,6 +9315,7 @@ func (q *FakeQuerier) InsertTemplateVersionTerraformValuesByJobID(_ context.Cont
 	row := database.TemplateVersionTerraformValue{
 		TemplateVersionID: templateVersion.ID,
 		CachedPlan:        arg.CachedPlan,
+		CachedModuleFiles: arg.CachedModuleFiles,
 		UpdatedAt:         arg.UpdatedAt,
 	}
 	q.templateVersionTerraformValues = append(q.templateVersionTerraformValues, row)
 
@@ -0,0 +1 @@
+ALTER TABLE template_version_terraform_values DROP COLUMN cached_module_files;
@@ -0,0 +1 @@
+ALTER TABLE template_version_terraform_values ADD COLUMN cached_module_files uuid references files(id);
@@ -11,11 +11,13 @@ INSERT INTO
 	template_version_terraform_values (
 		template_version_id,
 		cached_plan,
+		cached_module_files,
 		updated_at
 	)
 VALUES
 	(
 		(select id from template_versions where job_id = @job_id),
 		@cached_plan,
+		@cached_module_files,
 		@updated_at
 	);
@@ -63,7 +63,11 @@ func (c *Cache) Acquire(ctx context.Context, fileID uuid.UUID) (fs.FS, error) {
 	// mutex has been released, or we would continue to hold the lock until the
 	// entire file has been fetched, which may be slow, and would prevent other
 	// files from being fetched in parallel.
-	return c.prepare(ctx, fileID).Load()
+	it, err := c.prepare(ctx, fileID).Load()
+	if err != nil {
+		c.Release(fileID)
+	}
+	return it, err
 }
 
 func (c *Cache) prepare(ctx context.Context, fileID uuid.UUID) *lazy.ValueWithError[fs.FS] {
 
@@ -69,14 +69,14 @@ func (api *API) templateVersionDynamicParameters(rw http.ResponseWriter, r *http
 	}
 
 	fs, err := api.FileCache.Acquire(fileCtx, fileID)
-	defer api.FileCache.Release(fileID)
 	if err != nil {
 		httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
 			Message: "Internal error fetching template version Terraform.",
 			Detail:  err.Error(),
 		})
 		return
 	}
+	defer api.FileCache.Release(fileID)
 
 	// Having the Terraform plan available for the evaluation engine is helpful
 	// for populating values from data blocks, but isn't strictly required. If
 
@@ -2,7 +2,9 @@ package provisionerdserver
 
 import (
 	"context"
+	"crypto/sha256"
 	"database/sql"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -50,6 +52,10 @@ import (
 	sdkproto "github.com/coder/coder/v2/provisionersdk/proto"
 )
 
+const (
+	tarMimeType = "application/x-tar"
+)
+
 const (
 	// DefaultAcquireJobLongPollDur is the time the (deprecated) AcquireJob rpc waits to try to obtain a job before
 	// canceling and returning an empty job.
@@ -1426,11 +1432,59 @@ func (s *server) CompleteJob(ctx context.Context, completed *proto.CompletedJob)
 			return nil, xerrors.Errorf("update template version external auth providers: %w", err)
 		}
 
-		if len(jobType.TemplateImport.Plan) > 0 {
-			err := s.Database.InsertTemplateVersionTerraformValuesByJobID(ctx, database.InsertTemplateVersionTerraformValuesByJobIDParams{
-				JobID:      jobID,
-				CachedPlan: jobType.TemplateImport.Plan,
-				UpdatedAt:  now,
+		plan := jobType.TemplateImport.Plan
+		moduleFiles := jobType.TemplateImport.ModuleFiles
+		// If there is a plan, or a module files archive we need to insert a
+		// template_version_terraform_values row.
+		if len(plan) > 0 || len(moduleFiles) > 0 {
+			// ...but the plan and the module files archive are both optional! So
+			// we need to fallback to a valid JSON object if the plan was omitted.
+			if len(plan) == 0 {
+				plan = []byte("{}")
+			}
+
+			// ...and we only want to insert a files row if an archive was provided.
+			var fileID uuid.NullUUID
+			if len(moduleFiles) > 0 {
+				hashBytes := sha256.Sum256(moduleFiles)
+				hash := hex.EncodeToString(hashBytes[:])
+
+				// nolint:gocritic // Requires reading "system" files
+				file, err := s.Database.GetFileByHashAndCreator(dbauthz.AsSystemRestricted(ctx), database.GetFileByHashAndCreatorParams{Hash: hash, CreatedBy: uuid.Nil})
+				switch {
+				case err == nil:
+					// This set of modules is already cached, which means we can reuse them
+					fileID = uuid.NullUUID{
+						Valid: true,
+						UUID:  file.ID,
+					}
+				case !xerrors.Is(err, sql.ErrNoRows):
+					return nil, xerrors.Errorf("check for cached modules: %w", err)
+				default:
+					// nolint:gocritic // Requires creating a "system" file
+					file, err = s.Database.InsertFile(dbauthz.AsSystemRestricted(ctx), database.InsertFileParams{
+						ID:        uuid.New(),
+						Hash:      hash,
+						CreatedBy: uuid.Nil,
+						CreatedAt: dbtime.Now(),
+						Mimetype:  tarMimeType,
+						Data:      moduleFiles,
+					})
+					if err != nil {
+						return nil, xerrors.Errorf("insert template version terraform modules: %w", err)
+					}
+					fileID = uuid.NullUUID{
+						Valid: true,
+						UUID:  file.ID,
+					}
+				}
+			}
+
+			err = s.Database.InsertTemplateVersionTerraformValuesByJobID(ctx, database.InsertTemplateVersionTerraformValuesByJobIDParams{
+				JobID:             jobID,
+				UpdatedAt:         now,
+				CachedPlan:        plan,
+				CachedModuleFiles: fileID,
 			})
 			if err != nil {
 				return nil, xerrors.Errorf("insert template version terraform data: %w", err)
 
@@ -52,7 +52,8 @@ var (
 	PlanComplete = []*proto.Response{{
 		Type: &proto.Response_Plan{
 			Plan: &proto.PlanComplete{
-				Plan: []byte("{}"),
+				Plan:        []byte("{}"),
+				ModuleFiles: []byte{},
 			},
 		},
 	}}
@@ -249,6 +250,7 @@ func TarWithOptions(ctx context.Context, logger slog.Logger, responses *Response
 					Parameters:            resp.GetApply().GetParameters(),
 					ExternalAuthProviders: resp.GetApply().GetExternalAuthProviders(),
 					Plan:                  []byte("{}"),
+					ModuleFiles:           []byte{},
 				}},
 			})
 		}
 
@@ -19,11 +19,13 @@ import (
 	tfjson "github.com/hashicorp/terraform-json"
 	"go.opentelemetry.io/otel/attribute"
 	"golang.org/x/xerrors"
+	protobuf "google.golang.org/protobuf/proto"
 
 	"cdr.dev/slog"
 
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/tracing"
+	"github.com/coder/coder/v2/codersdk/drpcsdk"
 	"github.com/coder/coder/v2/provisionersdk/proto"
 )
 
@@ -307,14 +309,28 @@ func (e *executor) plan(ctx, killCtx context.Context, env, vars []string, logr l
 
 	graphTimings.ingest(createGraphTimingsEvent(timingGraphComplete))
 
-	return &proto.PlanComplete{
+	moduleFiles, err := getModulesArchive(os.DirFS(e.workdir))
+	if err != nil {
+		// TODO: we probably want to persist this error or make it louder eventually
+		e.logger.Warn(ctx, "failed to archive terraform modules", slog.Error(err))
+	}
+
+	msg := &proto.PlanComplete{
 		Parameters:            state.Parameters,
 		Resources:             state.Resources,
 		ExternalAuthProviders: state.ExternalAuthProviders,
 		Timings:               append(e.timings.aggregate(), graphTimings.aggregate()...),
 		Presets:               state.Presets,
 		Plan:                  plan,
-	}, nil
+		ModuleFiles:           moduleFiles,
+	}
+
+	if protobuf.Size(msg) > drpcsdk.MaxMessageSize {
+		e.logger.Warn(ctx, "cannot persist terraform modules, message payload too big", slog.F("archive_size", len(msg.ModuleFiles)))
+		msg.ModuleFiles = nil
+	}
+
+	return msg, nil
 }
 
 func onlyDataResources(sm tfjson.StateModule) tfjson.StateModule {
Original file line number	Diff line number	Diff line change
`@@ -9315,6 +9315,7 @@ func (q *FakeQuerier) InsertTemplateVersionTerraformValuesByJobID(_ context.Cont`
`9315`	`9315`	`row := database.TemplateVersionTerraformValue{`
`9316`	`9316`	`TemplateVersionID: templateVersion.ID,`
`9317`	`9317`	`CachedPlan: arg.CachedPlan,`
	`9318`	`+ CachedModuleFiles: arg.CachedModuleFiles,`
`9318`	`9319`	`UpdatedAt: arg.UpdatedAt,`
`9319`	`9320`	`}`
`9320`	`9321`	`q.templateVersionTerraformValues = append(q.templateVersionTerraformValues, row)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TABLE template_version_terraform_values DROP COLUMN cached_module_files;`
Original file line number	Diff line number	Diff line change
`@@ -11,11 +11,13 @@ INSERT INTO`
`11`	`11`	`template_version_terraform_values (`
`12`	`12`	`template_version_id,`
`13`	`13`	`cached_plan,`
	`14`	`+ cached_module_files,`
`14`	`15`	`updated_at`
`15`	`16`	`)`
`16`	`17`	`VALUES`
`17`	`18`	`(`
`18`	`19`	`(select id from template_versions where job_id = @job_id),`
`19`	`20`	`@cached_plan,`
	`21`	`+ @cached_module_files,`
`20`	`22`	`@updated_at`
`21`	`23`	`);`
Original file line number	Diff line number	Diff line change
`@@ -69,14 +69,14 @@ func (api API) templateVersionDynamicParameters(rw http.ResponseWriter, r http`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`fs, err := api.FileCache.Acquire(fileCtx, fileID)`
`72`		`- defer api.FileCache.Release(fileID)`
`73`	`72`	`if err != nil {`
`74`	`73`	`httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{`
`75`	`74`	`Message: "Internal error fetching template version Terraform.",`
`76`	`75`	`Detail: err.Error(),`
`77`	`76`	`})`
`78`	`77`	`return`
`79`	`78`	`}`
	`79`	`+ defer api.FileCache.Release(fileID)`
`80`	`80`
`81`	`81`	`// Having the Terraform plan available for the evaluation engine is helpful`
`82`	`82`	`// for populating values from data blocks, but isn't strictly required. If`