coder
diff --git a/‎cli/restart.go
+23-12 b/‎cli/restart.go
+23-12
diff --git a/‎cli/start.go
+65-13 b/‎cli/start.go
+65-13
diff --git a/‎cli/templatecreate.go
+38-11 b/‎cli/templatecreate.go
+38-11
diff --git a/‎cli/templatecreate_test.go
+31 b/‎cli/templatecreate_test.go
+31
@@ -2,15 +2,15 @@ package cli
 
 import (
 	"fmt"
+	"net/http"
 	"time"
 
 	"golang.org/x/xerrors"
 
-	"github.com/coder/pretty"
-
 	"github.com/coder/coder/v2/cli/clibase"
 	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/pretty"
 )
 
 func (r *RootCmd) restart() *clibase.Cmd {
@@ -40,19 +40,14 @@ func (r *RootCmd) restart() *clibase.Cmd {
 				return err
 			}
 
-			template, err := client.Template(inv.Context(), workspace.TemplateID)
-			if err != nil {
-				return err
-			}
-
 			buildOptions, err := asWorkspaceBuildParameters(parameterFlags.buildOptions)
 			if err != nil {
 				return xerrors.Errorf("can't parse build options: %w", err)
 			}
 
 			buildParameters, err := prepStartWorkspace(inv, client, prepStartWorkspaceArgs{
-				Action:   WorkspaceRestart,
-				Template: template,
+				Action:            WorkspaceRestart,
+				TemplateVersionID: workspace.LatestBuild.TemplateVersionID,
 
 				LastBuildParameters: lastBuildParameters,
 
@@ -82,13 +77,29 @@ func (r *RootCmd) restart() *clibase.Cmd {
 				return err
 			}
 
-			build, err = client.CreateWorkspaceBuild(ctx, workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+			req := codersdk.CreateWorkspaceBuildRequest{
 				Transition:          codersdk.WorkspaceTransitionStart,
 				RichParameterValues: buildParameters,
-			})
-			if err != nil {
+				TemplateVersionID:   workspace.LatestBuild.TemplateVersionID,
+			}
+
+			build, err = client.CreateWorkspaceBuild(ctx, workspace.ID, req)
+			// It's possible for a workspace build to fail due to the template requiring starting
+			// workspaces with the active version.
+			if cerr, ok := codersdk.AsError(err); ok && cerr.StatusCode() == http.StatusUnauthorized {
+				build, err = startWorkspaceActiveVersion(inv, client, startWorkspaceActiveVersionArgs{
+					BuildOptions:        buildOptions,
+					LastBuildParameters: lastBuildParameters,
+					PromptBuildOptions:  parameterFlags.promptBuildOptions,
+					Workspace:           workspace,
+				})
+				if err != nil {
+					return xerrors.Errorf("start workspace with active template version: %w", err)
+				}
+			} else if err != nil {
 				return err
 			}
+
 			err = cliui.WorkspaceBuild(ctx, out, client, build.ID)
 			if err != nil {
 				return err
 
@@ -2,8 +2,10 @@ package cli
 
 import (
 	"fmt"
+	"net/http"
 	"time"
 
+	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/v2/cli/clibase"
@@ -35,19 +37,14 @@ func (r *RootCmd) start() *clibase.Cmd {
 				return err
 			}
 
-			template, err := client.Template(inv.Context(), workspace.TemplateID)
-			if err != nil {
-				return err
-			}
-
 			buildOptions, err := asWorkspaceBuildParameters(parameterFlags.buildOptions)
 			if err != nil {
 				return xerrors.Errorf("unable to parse build options: %w", err)
 			}
 
 			buildParameters, err := prepStartWorkspace(inv, client, prepStartWorkspaceArgs{
-				Action:   WorkspaceStart,
-				Template: template,
+				Action:            WorkspaceStart,
+				TemplateVersionID: workspace.LatestBuild.TemplateVersionID,
 
 				LastBuildParameters: lastBuildParameters,
 
@@ -58,11 +55,26 @@ func (r *RootCmd) start() *clibase.Cmd {
 				return err
 			}
 
-			build, err := client.CreateWorkspaceBuild(inv.Context(), workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+			req := codersdk.CreateWorkspaceBuildRequest{
 				Transition:          codersdk.WorkspaceTransitionStart,
 				RichParameterValues: buildParameters,
-			})
-			if err != nil {
+				TemplateVersionID:   workspace.LatestBuild.TemplateVersionID,
+			}
+
+			build, err := client.CreateWorkspaceBuild(inv.Context(), workspace.ID, req)
+			// It's possible for a workspace build to fail due to the template requiring starting
+			// workspaces with the active version.
+			if cerr, ok := codersdk.AsError(err); ok && cerr.StatusCode() == http.StatusUnauthorized {
+				build, err = startWorkspaceActiveVersion(inv, client, startWorkspaceActiveVersionArgs{
+					BuildOptions:        buildOptions,
+					LastBuildParameters: lastBuildParameters,
+					PromptBuildOptions:  parameterFlags.promptBuildOptions,
+					Workspace:           workspace,
+				})
+				if err != nil {
+					return xerrors.Errorf("start workspace with active template version: %w", err)
+				}
+			} else if err != nil {
 				return err
 			}
 
@@ -82,8 +94,8 @@ func (r *RootCmd) start() *clibase.Cmd {
 }
 
 type prepStartWorkspaceArgs struct {
-	Action   WorkspaceCLIAction
-	Template codersdk.Template
+	Action            WorkspaceCLIAction
+	TemplateVersionID uuid.UUID
 
 	LastBuildParameters []codersdk.WorkspaceBuildParameter
 
@@ -94,7 +106,7 @@ type prepStartWorkspaceArgs struct {
 func prepStartWorkspace(inv *clibase.Invocation, client *codersdk.Client, args prepStartWorkspaceArgs) ([]codersdk.WorkspaceBuildParameter, error) {
 	ctx := inv.Context()
 
-	templateVersion, err := client.TemplateVersion(ctx, args.Template.ActiveVersionID)
+	templateVersion, err := client.TemplateVersion(ctx, args.TemplateVersionID)
 	if err != nil {
 		return nil, xerrors.Errorf("get template version: %w", err)
 	}
@@ -110,3 +122,43 @@ func prepStartWorkspace(inv *clibase.Invocation, client *codersdk.Client, args p
 		WithBuildOptions(args.BuildOptions)
 	return resolver.Resolve(inv, args.Action, templateVersionParameters)
 }
+
+type startWorkspaceActiveVersionArgs struct {
+	BuildOptions        []codersdk.WorkspaceBuildParameter
+	LastBuildParameters []codersdk.WorkspaceBuildParameter
+	PromptBuildOptions  bool
+	Workspace           codersdk.Workspace
+}
+
+func startWorkspaceActiveVersion(inv *clibase.Invocation, client *codersdk.Client, args startWorkspaceActiveVersionArgs) (codersdk.WorkspaceBuild, error) {
+	_, _ = fmt.Fprintln(inv.Stdout, "Failed to restart with the template version from your last build. Policy may require you to restart with the current active template version.")
+
+	template, err := client.Template(inv.Context(), args.Workspace.TemplateID)
+	if err != nil {
+		return codersdk.WorkspaceBuild{}, xerrors.Errorf("get template: %w", err)
+	}
+
+	buildParameters, err := prepStartWorkspace(inv, client, prepStartWorkspaceArgs{
+		Action:            WorkspaceStart,
+		TemplateVersionID: template.ActiveVersionID,
+
+		LastBuildParameters: args.LastBuildParameters,
+
+		PromptBuildOptions: args.PromptBuildOptions,
+		BuildOptions:       args.BuildOptions,
+	})
+	if err != nil {
+		return codersdk.WorkspaceBuild{}, err
+	}
+
+	build, err := client.CreateWorkspaceBuild(inv.Context(), args.Workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+		Transition:          codersdk.WorkspaceTransitionStart,
+		RichParameterValues: buildParameters,
+		TemplateVersionID:   template.ActiveVersionID,
+	})
+	if err != nil {
+		return codersdk.WorkspaceBuild{}, err
+	}
+
+	return build, nil
+}
@@ -24,11 +24,12 @@ import (
 
 func (r *RootCmd) templateCreate() *clibase.Cmd {
 	var (
-		provisioner     string
-		provisionerTags []string
-		variablesFile   string
-		variables       []string
-		disableEveryone bool
+		provisioner          string
+		provisionerTags      []string
+		variablesFile        string
+		variables            []string
+		disableEveryone      bool
+		requireActiveVersion bool
 
 		defaultTTL    time.Duration
 		failureTTL    time.Duration
@@ -46,17 +47,35 @@ func (r *RootCmd) templateCreate() *clibase.Cmd {
 			r.InitClient(client),
 		),
 		Handler: func(inv *clibase.Invocation) error {
-			if failureTTL != 0 || inactivityTTL != 0 || maxTTL != 0 {
+			isTemplateSchedulingOptionsSet := failureTTL != 0 || inactivityTTL != 0 || maxTTL != 0
+
+			if isTemplateSchedulingOptionsSet || requireActiveVersion {
 				entitlements, err := client.Entitlements(inv.Context())
-				var sdkErr *codersdk.Error
-				if xerrors.As(err, &sdkErr) && sdkErr.StatusCode() == http.StatusNotFound {
-					return xerrors.Errorf("your deployment appears to be an AGPL deployment, so you cannot set --failure-ttl or --inactivityTTL")
+				if cerr, ok := codersdk.AsError(err); ok && cerr.StatusCode() == http.StatusNotFound {
+					return xerrors.Errorf("your deployment appears to be an AGPL deployment, so you cannot set enterprise-only flags")
 				} else if err != nil {
 					return xerrors.Errorf("get entitlements: %w", err)
 				}
 
-				if !entitlements.Features[codersdk.FeatureAdvancedTemplateScheduling].Enabled {
-					return xerrors.Errorf("your license is not entitled to use advanced template scheduling, so you cannot set --failure-ttl or --inactivityTTL")
+				if isTemplateSchedulingOptionsSet {
+					if !entitlements.Features[codersdk.FeatureAdvancedTemplateScheduling].Enabled {
+						return xerrors.Errorf("your license is not entitled to use advanced template scheduling, so you cannot set --failure-ttl or --inactivityTTL")
+					}
+				}
+
+				if requireActiveVersion {
+					if !entitlements.Features[codersdk.FeatureAccessControl].Enabled {
+						return xerrors.Errorf("your license is not entitled to use enterprise access control, so you cannot set --require-active-version")
+					}
+
+					experiments, exErr := client.Experiments(inv.Context())
+					if exErr != nil {
+						return xerrors.Errorf("get experiments: %w", exErr)
+					}
+
+					if !experiments.Enabled(codersdk.ExperimentTemplateUpdatePolicies) {
+						return xerrors.Errorf("--require-active-version is an experimental feature, contact an administrator to enable the 'template_update_policies' experiment on your Coder server")
+					}
 				}
 			}
 
@@ -129,6 +148,7 @@ func (r *RootCmd) templateCreate() *clibase.Cmd {
 				MaxTTLMillis:               ptr.Ref(maxTTL.Milliseconds()),
 				TimeTilDormantMillis:       ptr.Ref(inactivityTTL.Milliseconds()),
 				DisableEveryoneGroupAccess: disableEveryone,
+				RequireActiveVersion:       requireActiveVersion,
 			}
 
 			_, err = client.CreateTemplate(inv.Context(), organization.ID, createReq)
@@ -205,6 +225,13 @@ func (r *RootCmd) templateCreate() *clibase.Cmd {
 			Value:       clibase.StringOf(&provisioner),
 			Hidden:      true,
 		},
+		{
+			Flag:        "require-active-version",
+			Description: "Requires workspace builds to use the active template version. This setting does not apply to template admins. This is an enterprise-only feature.",
+			Value:       clibase.BoolOf(&requireActiveVersion),
+			Default:     "false",
+		},
+
 		cliui.SkipPromptOption(),
 	}
 	cmd.Options = append(cmd.Options, uploadFlags.options()...)
 
@@ -13,6 +13,7 @@ import (
 	"github.com/coder/coder/v2/cli/clitest"
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/provisioner/echo"
 	"github.com/coder/coder/v2/provisionersdk/proto"
 	"github.com/coder/coder/v2/pty/ptytest"
@@ -393,6 +394,36 @@ func TestTemplateCreate(t *testing.T) {
 			}
 		}
 	})
+
+	t.Run("RequireActiveVersionInvalid", func(t *testing.T) {
+		t.Parallel()
+
+		dv := coderdtest.DeploymentValues(t)
+		dv.Experiments = []string{
+			string(codersdk.ExperimentTemplateUpdatePolicies),
+		}
+
+		client := coderdtest.New(t, &coderdtest.Options{
+			IncludeProvisionerDaemon: true,
+			DeploymentValues:         dv,
+		})
+		coderdtest.CreateFirstUser(t, client)
+		source := clitest.CreateTemplateVersionSource(t, completeWithAgent())
+		args := []string{
+			"templates",
+			"create",
+			"my-template",
+			"--directory", source,
+			"--test.provisioner", string(database.ProvisionerTypeEcho),
+			"--require-active-version",
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, client, root)
+
+		err := inv.Run()
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "your deployment appears to be an AGPL deployment, so you cannot set enterprise-only flags")
+	})
 }
 
 // Need this for Windows because of a known issue with Go: