Merge branch 'main' into dependabot/go_modules/github.com/hashicorp/terraform-json-0.17.0

matifali · web-flow · commit f9b82058a995 · 2023-06-13T11:35:34.000+03:00
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -10,7 +10,7 @@ on:
 
   schedule:
     # Run every 6 hours Monday-Friday!
-    - cron: "0 0,6,12,18 * * 1-5"
+    - cron: "0 0/6 * * 1-5"
 
 # Cancel in-progress runs for pull requests when developers push
 # additional changes
@@ -117,6 +117,14 @@ jobs:
           make -j "$image_job"
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
+      - name: Run Prisma Cloud image scan
+        uses: PaloAltoNetworks/prisma-cloud-scan@v1
+        with:
+          pcc_console_url: ${{ secrets.PRISMA_CLOUD_URL }}
+          pcc_user: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
+          pcc_pass: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
+          image_name: ${{ steps.build.outputs.image }}
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
         with:
diff --git a/docs/admin/audit-logs.md b/docs/admin/audit-logs.md
@@ -43,6 +43,59 @@ The supported filters are:
 - `date_to` - The inclusive end date with format `YYYY-MM-DD`.
 - `build_reason` - To be used with `resource_type:workspace_build`, the [initiator](https://pkg.go.dev/github.com/coder/coder/codersdk#BuildReason) behind the build start or stop.
 
+## Capturing/Exporting Audit Logs
+
+In addition to the user interface, there are multiple ways to consume or query audit trails.
+
+## REST API
+
+Audit logs can be accessed through our REST API. You can find detailed information about this in our [endpoint documentation](../api/audit#get-audit-logs).
+
+## Service Logs
+
+Audit trails are also dispatched as service logs and can be captured and categorized using any log management tool such as [Splunk](https://splunk.com).
+
+Example of a [JSON formatted](../cli/server#--log-json) audit log entry:
+
+```json
+{
+  "ts": "2023-06-13T03:45:37.294730279Z",
+  "level": "INFO",
+  "msg": "audit_log",
+  "caller": "/home/runner/work/coder/coder/enterprise/audit/backends/slog.go:36",
+  "func": "github.com/coder/coder/enterprise/audit/backends.slogBackend.Export",
+  "logger_names": ["coderd"],
+  "fields": {
+    "ID": "033a9ffa-b54d-4c10-8ec3-2aaf9e6d741a",
+    "Time": "2023-06-13T03:45:37.288506Z",
+    "UserID": "6c405053-27e3-484a-9ad7-bcb64e7bfde6",
+    "OrganizationID": "00000000-0000-0000-0000-000000000000",
+    "Ip": "{IPNet:{IP:\u003cnil\u003e Mask:\u003cnil\u003e} Valid:false}",
+    "UserAgent": "{String: Valid:false}",
+    "ResourceType": "workspace_build",
+    "ResourceID": "ca5647e0-ef50-4202-a246-717e04447380",
+    "ResourceTarget": "",
+    "Action": "start",
+    "Diff": {},
+    "StatusCode": 200,
+    "AdditionalFields": {
+      "workspace_name": "linux-container",
+      "build_number": "9",
+      "build_reason": "initiator",
+      "workspace_owner": ""
+    },
+    "RequestID": "bb791ac3-f6ee-4da8-8ec2-f54e87013e93",
+    "ResourceIcon": ""
+  }
+}
+```
+
+Example of a [human readable](../cli/server#--log-human) audit log entry:
+
+```sh
+2023-06-13 03:43:29.233 [info]  coderd: audit_log  ID=95f7c392-da3e-480c-a579-8909f145fbe2  Time="2023-06-13T03:43:29.230422Z"  UserID=6c405053-27e3-484a-9ad7-bcb64e7bfde6  OrganizationID=00000000-0000-0000-0000-000000000000  Ip=<nil>  UserAgent=<nil>  ResourceType=workspace_build  ResourceID=988ae133-5b73-41e3-a55e-e1e9d3ef0b66  ResourceTarget=""  Action=start  Diff="{}"  StatusCode=200  AdditionalFields="{\"workspace_name\":\"linux-container\",\"build_number\":\"7\",\"build_reason\":\"initiator\",\"workspace_owner\":\"\"}"  RequestID=9682b1b5-7b9f-4bf2-9a39-9463f8e41cd6  ResourceIcon=""
+```
+
 ## Enabling this feature
 
 This feature is only available with an enterprise license. [Learn more](../enterprise.md)
diff --git a/examples/templates/envbox/README.md b/examples/templates/envbox/README.md
@@ -27,6 +27,20 @@ The following environment variables can be used to configure various aspects of
 | `CODER_CPUS`               | Dictates the number of CPUs to allocate the inner container. It is recommended to set this using the Kubernetes [Downward API](https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#use-container-fields-as-values-for-environment-variables).                                                                                                                                                                                 | false    |
 | `CODER_MEMORY`             | Dictates the max memory (in bytes) to allocate the inner container. It is recommended to set this using the Kubernetes [Downward API](https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#use-container-fields-as-values-for-environment-variables).                                                                                                                                                                          | false    |
 
+# Migrating Existing Envbox Templates
+
+Due to the [deprecation and removal of legacy parameters](https://coder.com/docs/v2/latest/templates/parameters#legacy)
+it may be necessary to migrate existing envbox templates on newer versions of
+Coder. Consult the [migration](https://coder.com/docs/v2/latest/templates/parameters#migration)
+documentation for details on how to do so.
+
+To supply values to existing existing Terraform variables you can specify the
+`--variable` flag. For example
+
+```bash
+coder templates create envbox --variable namespace="mynamespace" --variable max_cpus=2 --variable min_cpus=1 --variable max_memory=4 --variable min_memory=1
+```
+
 ## Contributions
 
 Contributions are welcome and can be made against the [envbox repo](https://github.com/coder/envbox).
diff --git a/examples/templates/envbox/main.tf b/examples/templates/envbox/main.tf
@@ -27,6 +27,7 @@ data "coder_parameter" "home_disk" {
 variable "use_kubeconfig" {
   type        = bool
   sensitive   = true
+  default     = true
   description = <<-EOF
   Use host kubeconfig? (true/false)
   Set this to false if the Coder host is itself running as a Pod on the same
@@ -36,6 +37,10 @@ variable "use_kubeconfig" {
   EOF
 }
 
+provider "coder" {
+  feature_use_managed_variables = "true"
+}
+
 variable "namespace" {
   type        = string
   sensitive   = true
@@ -46,12 +51,14 @@ variable "create_tun" {
   type        = bool
   sensitive   = true
   description = "Add a TUN device to the workspace."
+  default     = false
 }
 
 variable "create_fuse" {
   type        = bool
   description = "Add a FUSE device to the workspace."
   sensitive   = true
+  default     = false
 }
 
 variable "max_cpus" {
@@ -138,11 +145,15 @@ resource "kubernetes_persistent_volume_claim" "home" {
 
 resource "kubernetes_pod" "main" {
   count = data.coder_workspace.me.start_count
+
   metadata {
     name      = "coder-${lower(data.coder_workspace.me.owner)}-${lower(data.coder_workspace.me.name)}"
     namespace = var.namespace
   }
+
   spec {
+    restart_policy = "Never"
+
     container {
       name              = "dev"
       image             = "ghcr.io/coder/envbox:latest"
