From c2b05f082e18644821ca486c158738f4569f55ea Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Thu, 16 Nov 2023 16:42:28 -0600
Subject: [PATCH 01/15] feat: implement deprecated flag for templates to
 prevent new workspaces

---
 cli/templateedit.go                           | 18 +++++++++
 coderd/database/dbauthz/accesscontrol.go      | 12 +++++-
 coderd/database/dbmem/dbmem.go                |  1 +
 coderd/database/dump.sql                      |  6 ++-
 .../000169_deprecate_template.down.sql        | 24 ++++++++++++
 .../000169_deprecate_template.up.sql          | 28 ++++++++++++++
 coderd/database/models.go                     |  3 ++
 coderd/database/queries.sql.go                | 18 ++++++---
 coderd/database/queries/templates.sql         |  3 +-
 coderd/templates.go                           | 17 +++++++--
 coderd/templates_test.go                      | 23 +++++++++++
 coderd/workspaces.go                          | 11 ++++++
 codersdk/templates.go                         | 17 ++++++---
 enterprise/audit/table.go                     |  1 +
 enterprise/coderd/dbauthz/accesscontrol.go    |  2 +
 enterprise/coderd/templates_test.go           | 38 +++++++++++++++++++
 16 files changed, 205 insertions(+), 17 deletions(-)
 create mode 100644 coderd/database/migrations/000169_deprecate_template.down.sql
 create mode 100644 coderd/database/migrations/000169_deprecate_template.up.sql

diff --git a/cli/templateedit.go b/cli/templateedit.go
index 1c17ec52bcab3..126f87a0c3b79 100644
--- a/cli/templateedit.go
+++ b/cli/templateedit.go
@@ -16,6 +16,7 @@ import (
 )
 
 func (r *RootCmd) templateEdit() *clibase.Cmd {
+	const deprecatedFlagName = "deprecated"
 	var (
 		name                           string
 		displayName                    string
@@ -32,6 +33,7 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 		allowUserAutostart             bool
 		allowUserAutostop              bool
 		requireActiveVersion           bool
+		deprecatedMessage              string
 	)
 	client := new(codersdk.Client)
 
@@ -118,6 +120,15 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 				autostopRequirementDaysOfWeek = []string{}
 			}
 
+			// Only pass explicitly set deprecated values since the empty string
+			// removes the deprecated message. By default if we pass a nil,
+			// there is no change to this field.
+			var deprecated *string
+			opt := inv.Command.Options.ByName(deprecatedFlagName)
+			if !(opt.ValueSource == "" || opt.ValueSource == clibase.ValueSourceDefault) {
+				deprecated = &deprecatedMessage
+			}
+
 			// NOTE: coderd will ignore empty fields.
 			req := codersdk.UpdateTemplateMeta{
 				Name:             name,
@@ -139,6 +150,7 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 				AllowUserAutostart:           allowUserAutostart,
 				AllowUserAutostop:            allowUserAutostop,
 				RequireActiveVersion:         requireActiveVersion,
+				DeprecatedMessage:            deprecated,
 			}
 
 			_, err = client.UpdateTemplateMeta(inv.Context(), template.ID, req)
@@ -166,6 +178,12 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 			Description: "Edit the template description.",
 			Value:       clibase.StringOf(&description),
 		},
+		{
+			Name:        deprecatedFlagName,
+			Flag:        "deprecated",
+			Description: "Sets the template as deprecated. Must be a message explaining why the template is deprecated.",
+			Value:       clibase.StringOf(&deprecatedMessage),
+		},
 		{
 			Flag:        "icon",
 			Description: "Edit the template icon path.",
diff --git a/coderd/database/dbauthz/accesscontrol.go b/coderd/database/dbauthz/accesscontrol.go
index 92417ff4114ba..096676a43a1b5 100644
--- a/coderd/database/dbauthz/accesscontrol.go
+++ b/coderd/database/dbauthz/accesscontrol.go
@@ -18,6 +18,11 @@ type AccessControlStore interface {
 
 type TemplateAccessControl struct {
 	RequireActiveVersion bool
+	Deprecated           string
+}
+
+func (t TemplateAccessControl) IsDeprecated() bool {
+	return t.Deprecated != ""
 }
 
 // AGPLTemplateAccessControlStore always returns the defaults for access control
@@ -26,9 +31,14 @@ type AGPLTemplateAccessControlStore struct{}
 
 var _ AccessControlStore = AGPLTemplateAccessControlStore{}
 
-func (AGPLTemplateAccessControlStore) GetTemplateAccessControl(database.Template) TemplateAccessControl {
+func (AGPLTemplateAccessControlStore) GetTemplateAccessControl(t database.Template) TemplateAccessControl {
 	return TemplateAccessControl{
 		RequireActiveVersion: false,
+		// AGPL cannot set deprecated templates, but it should return
+		// existing deprecated templates. This is erroring on the safe side
+		// if a license expires, we should not allow deprecated templates
+		// to be used for new workspaces.
+		Deprecated: t.Deprecated,
 	}
 }
 
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
index cfeebdc928b1c..59dda6dc14e8a 100644
--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -5905,6 +5905,7 @@ func (q *FakeQuerier) UpdateTemplateAccessControlByID(_ context.Context, arg dat
 			continue
 		}
 		q.templates[idx].RequireActiveVersion = arg.RequireActiveVersion
+		q.templates[idx].Deprecated = arg.Deprecated
 		return nil
 	}
 
diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
index c4e1c26f1b389..a475d82f3d805 100644
--- a/coderd/database/dump.sql
+++ b/coderd/database/dump.sql
@@ -805,7 +805,8 @@ CREATE TABLE templates (
     autostop_requirement_days_of_week smallint DEFAULT 0 NOT NULL,
     autostop_requirement_weeks bigint DEFAULT 0 NOT NULL,
     autostart_block_days_of_week smallint DEFAULT 0 NOT NULL,
-    require_active_version boolean DEFAULT false NOT NULL
+    require_active_version boolean DEFAULT false NOT NULL,
+    deprecated text DEFAULT ''::text NOT NULL
 );
 
 COMMENT ON COLUMN templates.default_ttl IS 'The default duration for autostop for workspaces created from this template.';
@@ -824,6 +825,8 @@ COMMENT ON COLUMN templates.autostop_requirement_weeks IS 'The number of weeks b
 
 COMMENT ON COLUMN templates.autostart_block_days_of_week IS 'A bitmap of days of week that autostart of a workspace is not allowed. Default allows all days. This is intended as a cost savings measure to prevent auto start on weekends (for example).';
 
+COMMENT ON COLUMN templates.deprecated IS 'If set to a non empty string, the template will no longer be able to be used. The message will be displayed to the user.';
+
 CREATE VIEW template_with_users AS
  SELECT templates.id,
     templates.created_at,
@@ -851,6 +854,7 @@ CREATE VIEW template_with_users AS
     templates.autostop_requirement_weeks,
     templates.autostart_block_days_of_week,
     templates.require_active_version,
+    templates.deprecated,
     COALESCE(visible_users.avatar_url, ''::text) AS created_by_avatar_url,
     COALESCE(visible_users.username, ''::text) AS created_by_username
    FROM (public.templates
diff --git a/coderd/database/migrations/000169_deprecate_template.down.sql b/coderd/database/migrations/000169_deprecate_template.down.sql
new file mode 100644
index 0000000000000..3d944135ae30b
--- /dev/null
+++ b/coderd/database/migrations/000169_deprecate_template.down.sql
@@ -0,0 +1,24 @@
+BEGIN;
+
+DROP VIEW template_with_users;
+
+ALTER TABLE templates
+	DROP COLUMN deprecated;
+
+CREATE VIEW
+	template_with_users
+AS
+SELECT
+	templates.*,
+	coalesce(visible_users.avatar_url, '') AS created_by_avatar_url,
+	coalesce(visible_users.username, '') AS created_by_username
+FROM
+	templates
+		LEFT JOIN
+	visible_users
+	ON
+			templates.created_by = visible_users.id;
+
+COMMENT ON VIEW template_with_users IS 'Joins in the username + avatar url of the created by user.';
+
+COMMIT;
diff --git a/coderd/database/migrations/000169_deprecate_template.up.sql b/coderd/database/migrations/000169_deprecate_template.up.sql
new file mode 100644
index 0000000000000..3e688a6bef2a1
--- /dev/null
+++ b/coderd/database/migrations/000169_deprecate_template.up.sql
@@ -0,0 +1,28 @@
+BEGIN;
+
+-- The view will be rebuilt with the new column
+DROP VIEW template_with_users;
+
+ALTER TABLE templates
+	ADD COLUMN deprecated TEXT NOT NULL DEFAULT '';
+
+COMMENT ON COLUMN templates.deprecated IS 'If set to a non empty string, the template will no longer be able to be used. The message will be displayed to the user.';
+
+-- Restore the old version of the template_with_users view.
+CREATE VIEW
+	template_with_users
+AS
+SELECT
+	templates.*,
+	coalesce(visible_users.avatar_url, '') AS created_by_avatar_url,
+	coalesce(visible_users.username, '') AS created_by_username
+FROM
+	templates
+		LEFT JOIN
+	visible_users
+	ON
+			templates.created_by = visible_users.id;
+
+COMMENT ON VIEW template_with_users IS 'Joins in the username + avatar url of the created by user.';
+
+COMMIT;
diff --git a/coderd/database/models.go b/coderd/database/models.go
index 84147dc28fcc2..8ab3417dd6406 100644
--- a/coderd/database/models.go
+++ b/coderd/database/models.go
@@ -1966,6 +1966,7 @@ type Template struct {
 	AutostopRequirementWeeks      int64           `db:"autostop_requirement_weeks" json:"autostop_requirement_weeks"`
 	AutostartBlockDaysOfWeek      int16           `db:"autostart_block_days_of_week" json:"autostart_block_days_of_week"`
 	RequireActiveVersion          bool            `db:"require_active_version" json:"require_active_version"`
+	Deprecated                    string          `db:"deprecated" json:"deprecated"`
 	CreatedByAvatarURL            sql.NullString  `db:"created_by_avatar_url" json:"created_by_avatar_url"`
 	CreatedByUsername             string          `db:"created_by_username" json:"created_by_username"`
 }
@@ -2005,6 +2006,8 @@ type TemplateTable struct {
 	// A bitmap of days of week that autostart of a workspace is not allowed. Default allows all days. This is intended as a cost savings measure to prevent auto start on weekends (for example).
 	AutostartBlockDaysOfWeek int16 `db:"autostart_block_days_of_week" json:"autostart_block_days_of_week"`
 	RequireActiveVersion     bool  `db:"require_active_version" json:"require_active_version"`
+	// If set to a non empty string, the template will no longer be able to be used. The message will be displayed to the user.
+	Deprecated string `db:"deprecated" json:"deprecated"`
 }
 
 // Joins in the username + avatar url of the created by user.
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
index fb42ca657e6e7..fa65e4f236979 100644
--- a/coderd/database/queries.sql.go
+++ b/coderd/database/queries.sql.go
@@ -5183,7 +5183,7 @@ func (q *sqlQuerier) GetTemplateAverageBuildTime(ctx context.Context, arg GetTem
 
 const getTemplateByID = `-- name: GetTemplateByID :one
 SELECT
-	id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, max_ttl, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, created_by_avatar_url, created_by_username
+	id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, max_ttl, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, created_by_avatar_url, created_by_username
 FROM
 	template_with_users
 WHERE
@@ -5222,6 +5222,7 @@ func (q *sqlQuerier) GetTemplateByID(ctx context.Context, id uuid.UUID) (Templat
 		&i.AutostopRequirementWeeks,
 		&i.AutostartBlockDaysOfWeek,
 		&i.RequireActiveVersion,
+		&i.Deprecated,
 		&i.CreatedByAvatarURL,
 		&i.CreatedByUsername,
 	)
@@ -5230,7 +5231,7 @@ func (q *sqlQuerier) GetTemplateByID(ctx context.Context, id uuid.UUID) (Templat
 
 const getTemplateByOrganizationAndName = `-- name: GetTemplateByOrganizationAndName :one
 SELECT
-	id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, max_ttl, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, created_by_avatar_url, created_by_username
+	id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, max_ttl, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, created_by_avatar_url, created_by_username
 FROM
 	template_with_users AS templates
 WHERE
@@ -5277,6 +5278,7 @@ func (q *sqlQuerier) GetTemplateByOrganizationAndName(ctx context.Context, arg G
 		&i.AutostopRequirementWeeks,
 		&i.AutostartBlockDaysOfWeek,
 		&i.RequireActiveVersion,
+		&i.Deprecated,
 		&i.CreatedByAvatarURL,
 		&i.CreatedByUsername,
 	)
@@ -5284,7 +5286,7 @@ func (q *sqlQuerier) GetTemplateByOrganizationAndName(ctx context.Context, arg G
 }
 
 const getTemplates = `-- name: GetTemplates :many
-SELECT id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, max_ttl, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, created_by_avatar_url, created_by_username FROM template_with_users AS templates
+SELECT id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, max_ttl, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, created_by_avatar_url, created_by_username FROM template_with_users AS templates
 ORDER BY (name, id) ASC
 `
 
@@ -5324,6 +5326,7 @@ func (q *sqlQuerier) GetTemplates(ctx context.Context) ([]Template, error) {
 			&i.AutostopRequirementWeeks,
 			&i.AutostartBlockDaysOfWeek,
 			&i.RequireActiveVersion,
+			&i.Deprecated,
 			&i.CreatedByAvatarURL,
 			&i.CreatedByUsername,
 		); err != nil {
@@ -5342,7 +5345,7 @@ func (q *sqlQuerier) GetTemplates(ctx context.Context) ([]Template, error) {
 
 const getTemplatesWithFilter = `-- name: GetTemplatesWithFilter :many
 SELECT
-	id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, max_ttl, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, created_by_avatar_url, created_by_username
+	id, created_at, updated_at, organization_id, deleted, name, provisioner, active_version_id, description, default_ttl, created_by, icon, user_acl, group_acl, display_name, allow_user_cancel_workspace_jobs, max_ttl, allow_user_autostart, allow_user_autostop, failure_ttl, time_til_dormant, time_til_dormant_autodelete, autostop_requirement_days_of_week, autostop_requirement_weeks, autostart_block_days_of_week, require_active_version, deprecated, created_by_avatar_url, created_by_username
 FROM
 	template_with_users AS templates
 WHERE
@@ -5419,6 +5422,7 @@ func (q *sqlQuerier) GetTemplatesWithFilter(ctx context.Context, arg GetTemplate
 			&i.AutostopRequirementWeeks,
 			&i.AutostartBlockDaysOfWeek,
 			&i.RequireActiveVersion,
+			&i.Deprecated,
 			&i.CreatedByAvatarURL,
 			&i.CreatedByUsername,
 		); err != nil {
@@ -5519,7 +5523,8 @@ const updateTemplateAccessControlByID = `-- name: UpdateTemplateAccessControlByI
 UPDATE
 	templates
 SET
-	require_active_version = $2
+	require_active_version = $2,
+	deprecated = $3
 WHERE
 	id = $1
 `
@@ -5527,10 +5532,11 @@ WHERE
 type UpdateTemplateAccessControlByIDParams struct {
 	ID                   uuid.UUID `db:"id" json:"id"`
 	RequireActiveVersion bool      `db:"require_active_version" json:"require_active_version"`
+	Deprecated           string    `db:"deprecated" json:"deprecated"`
 }
 
 func (q *sqlQuerier) UpdateTemplateAccessControlByID(ctx context.Context, arg UpdateTemplateAccessControlByIDParams) error {
-	_, err := q.db.ExecContext(ctx, updateTemplateAccessControlByID, arg.ID, arg.RequireActiveVersion)
+	_, err := q.db.ExecContext(ctx, updateTemplateAccessControlByID, arg.ID, arg.RequireActiveVersion, arg.Deprecated)
 	return err
 }
 
diff --git a/coderd/database/queries/templates.sql b/coderd/database/queries/templates.sql
index c5bc72d7911d6..6e1518baf9ef0 100644
--- a/coderd/database/queries/templates.sql
+++ b/coderd/database/queries/templates.sql
@@ -174,7 +174,8 @@ FROM build_times
 UPDATE
 	templates
 SET
-	require_active_version = $2
+	require_active_version = $2,
+	deprecated = $3
 WHERE
 	id = $1
 ;
diff --git a/coderd/templates.go b/coderd/templates.go
index c1f3bc97a01c3..a29b47a2bf46b 100644
--- a/coderd/templates.go
+++ b/coderd/templates.go
@@ -584,6 +584,11 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 	if req.AutostopRequirement.Weeks > schedule.MaxTemplateAutostopRequirementWeeks {
 		validErrs = append(validErrs, codersdk.ValidationError{Field: "autostop_requirement.weeks", Detail: fmt.Sprintf("Must be less than %d.", schedule.MaxTemplateAutostopRequirementWeeks)})
 	}
+	// Defaults to the existing.
+	deprecatedMessage := template.Deprecated
+	if req.DeprecatedMessage != nil {
+		deprecatedMessage = *req.DeprecatedMessage
+	}
 
 	// The minimum valid value for a dormant TTL is 1 minute. This is
 	// to ensure an uninformed user does not send an unintentionally
@@ -624,7 +629,8 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 			req.FailureTTLMillis == time.Duration(template.FailureTTL).Milliseconds() &&
 			req.TimeTilDormantMillis == time.Duration(template.TimeTilDormant).Milliseconds() &&
 			req.TimeTilDormantAutoDeleteMillis == time.Duration(template.TimeTilDormantAutoDelete).Milliseconds() &&
-			req.RequireActiveVersion == template.RequireActiveVersion {
+			req.RequireActiveVersion == template.RequireActiveVersion &&
+			(deprecatedMessage == template.Deprecated) {
 			return nil
 		}
 
@@ -648,9 +654,10 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 			return xerrors.Errorf("update template metadata: %w", err)
 		}
 
-		if template.RequireActiveVersion != req.RequireActiveVersion {
+		if template.RequireActiveVersion != req.RequireActiveVersion || deprecatedMessage != template.Deprecated {
 			err = (*api.AccessControlStore.Load()).SetTemplateAccessControl(ctx, tx, template.ID, dbauthz.TemplateAccessControl{
 				RequireActiveVersion: req.RequireActiveVersion,
+				Deprecated:           deprecatedMessage,
 			})
 			if err != nil {
 				return xerrors.Errorf("set template access control: %w", err)
@@ -804,6 +811,7 @@ func (api *API) convertTemplates(templates []database.Template) []codersdk.Templ
 func (api *API) convertTemplate(
 	template database.Template,
 ) codersdk.Template {
+	templateAccessControl := (*(api.Options.AccessControlStore.Load())).GetTemplateAccessControl(template)
 	activeCount, _ := api.metricsCache.TemplateUniqueUsers(template.ID)
 
 	buildTimeStats := api.metricsCache.TemplateBuildTimeStats(template.ID)
@@ -843,6 +851,9 @@ func (api *API) convertTemplate(
 		AutostartRequirement: codersdk.TemplateAutostartRequirement{
 			DaysOfWeek: codersdk.BitmapToWeekdays(template.AutostartAllowedDays()),
 		},
-		RequireActiveVersion: template.RequireActiveVersion,
+		// These values depend on entitlements and come from the templateAccessControl
+		RequireActiveVersion: templateAccessControl.RequireActiveVersion,
+		Deprecated:           templateAccessControl.IsDeprecated(),
+		DeprecatedMessage:    templateAccessControl.Deprecated,
 	}
 }
diff --git a/coderd/templates_test.go b/coderd/templates_test.go
index a218119e266e4..447d6a0ae78a7 100644
--- a/coderd/templates_test.go
+++ b/coderd/templates_test.go
@@ -516,6 +516,29 @@ func TestPatchTemplateMeta(t *testing.T) {
 		assert.Equal(t, database.AuditActionWrite, auditor.AuditLogs()[4].Action)
 	})
 
+	t.Run("AGPL_Deprecated", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: false})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		req := codersdk.UpdateTemplateMeta{
+			DeprecatedMessage: ptr.Ref("APGL cannot deprecate"),
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		updated, err := client.UpdateTemplateMeta(ctx, template.ID, req)
+		require.NoError(t, err)
+		assert.Greater(t, updated.UpdatedAt, template.UpdatedAt)
+		// AGPL cannot deprecate, expect no change
+		assert.False(t, updated.Deprecated)
+		assert.Empty(t, updated.DeprecatedMessage)
+	})
+
 	t.Run("NoDefaultTTL", func(t *testing.T) {
 		t.Parallel()
 
diff --git a/coderd/workspaces.go b/coderd/workspaces.go
index 6a86e9e735501..e55879338e5e7 100644
--- a/coderd/workspaces.go
+++ b/coderd/workspaces.go
@@ -394,6 +394,17 @@ func (api *API) postWorkspacesByOrganization(rw http.ResponseWriter, r *http.Req
 		return
 	}
 
+	templateAccessControl := (*(api.AccessControlStore.Load())).GetTemplateAccessControl(template)
+	if templateAccessControl.IsDeprecated() {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: fmt.Sprintf("Template %q has been deprecated, and cannot be used to create a new workspace.", template.Name),
+			// Pass the deprecated message to the user.
+			Detail:      templateAccessControl.Deprecated,
+			Validations: nil,
+		})
+		return
+	}
+
 	if organization.ID != template.OrganizationID {
 		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 			Message: fmt.Sprintf("Template is not in organization %q.", organization.Name),
diff --git a/codersdk/templates.go b/codersdk/templates.go
index 3a3240ca711b2..f59175ac3fdda 100644
--- a/codersdk/templates.go
+++ b/codersdk/templates.go
@@ -24,11 +24,13 @@ type Template struct {
 	Provisioner     ProvisionerType `json:"provisioner" enums:"terraform"`
 	ActiveVersionID uuid.UUID       `json:"active_version_id" format:"uuid"`
 	// ActiveUserCount is set to -1 when loading.
-	ActiveUserCount  int                    `json:"active_user_count"`
-	BuildTimeStats   TemplateBuildTimeStats `json:"build_time_stats"`
-	Description      string                 `json:"description"`
-	Icon             string                 `json:"icon"`
-	DefaultTTLMillis int64                  `json:"default_ttl_ms"`
+	ActiveUserCount   int                    `json:"active_user_count"`
+	BuildTimeStats    TemplateBuildTimeStats `json:"build_time_stats"`
+	Description       string                 `json:"description"`
+	Deprecated        bool                   `json:"deprecated"`
+	DeprecatedMessage string                 `json:"deprecated_message"`
+	Icon              string                 `json:"icon"`
+	DefaultTTLMillis  int64                  `json:"default_ttl_ms"`
 	// TODO(@dean): remove max_ttl once autostop_requirement is matured
 	MaxTTLMillis int64 `json:"max_ttl_ms"`
 	// AutostopRequirement and AutostartRequirement are enterprise features. Its
@@ -229,6 +231,11 @@ type UpdateTemplateMeta struct {
 	// use the active version of the template. This option has no
 	// effect on template admins.
 	RequireActiveVersion bool `json:"require_active_version"`
+	// DeprecatedMessage if set, will mark the template as deprecated and block
+	// any new workspaces from using this template.
+	// If passed an empty string, will remove the deprecated message, making
+	// the template usable for new workspaces again.
+	DeprecatedMessage *string `json:"deprecated_message"`
 }
 
 type TemplateExample struct {
diff --git a/enterprise/audit/table.go b/enterprise/audit/table.go
index f272354d649ac..e49432091d6db 100644
--- a/enterprise/audit/table.go
+++ b/enterprise/audit/table.go
@@ -86,6 +86,7 @@ var auditableResourcesTypes = map[any]map[string]Action{
 		"time_til_dormant":                  ActionTrack,
 		"time_til_dormant_autodelete":       ActionTrack,
 		"require_active_version":            ActionTrack,
+		"deprecated":                        ActionTrack,
 	},
 	&database.TemplateVersion{}: {
 		"id":                      ActionTrack,
diff --git a/enterprise/coderd/dbauthz/accesscontrol.go b/enterprise/coderd/dbauthz/accesscontrol.go
index 454f416ab8736..7ba49bf03f5c3 100644
--- a/enterprise/coderd/dbauthz/accesscontrol.go
+++ b/enterprise/coderd/dbauthz/accesscontrol.go
@@ -15,6 +15,7 @@ type EnterpriseTemplateAccessControlStore struct{}
 func (EnterpriseTemplateAccessControlStore) GetTemplateAccessControl(t database.Template) agpldbz.TemplateAccessControl {
 	return agpldbz.TemplateAccessControl{
 		RequireActiveVersion: t.RequireActiveVersion,
+		Deprecated:           t.Deprecated,
 	}
 }
 
@@ -22,6 +23,7 @@ func (EnterpriseTemplateAccessControlStore) SetTemplateAccessControl(ctx context
 	err := store.UpdateTemplateAccessControlByID(ctx, database.UpdateTemplateAccessControlByIDParams{
 		ID:                   id,
 		RequireActiveVersion: opts.RequireActiveVersion,
+		Deprecated:           opts.Deprecated,
 	})
 	if err != nil {
 		return xerrors.Errorf("update template access control: %w", err)
diff --git a/enterprise/coderd/templates_test.go b/enterprise/coderd/templates_test.go
index 9ff7799553d03..c6f55d766d92d 100644
--- a/enterprise/coderd/templates_test.go
+++ b/enterprise/coderd/templates_test.go
@@ -8,12 +8,14 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/cryptorand"
 	"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
@@ -89,6 +91,42 @@ func TestTemplates(t *testing.T) {
 		require.Contains(t, apiErr.Validations[0].Detail, "time until shutdown must be less than or equal to the template's maximum TTL")
 	})
 
+	t.Run("Deprecated", func(t *testing.T) {
+		t.Parallel()
+
+		client, user := coderdenttest.New(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				IncludeProvisionerDaemon: true,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureAccessControl: 1,
+				},
+			},
+		})
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		updated, err := client.UpdateTemplateMeta(ctx, template.ID, codersdk.UpdateTemplateMeta{
+			DeprecatedMessage: ptr.Ref("Stop using this template"),
+		})
+		require.NoError(t, err)
+		assert.Greater(t, updated.UpdatedAt, template.UpdatedAt)
+		// AGPL cannot deprecate, expect no change
+		assert.True(t, updated.Deprecated)
+		assert.NotEmpty(t, updated.DeprecatedMessage)
+
+		_, err = client.CreateWorkspace(ctx, user.OrganizationID, codersdk.Me, codersdk.CreateWorkspaceRequest{
+			TemplateID: template.ID,
+			Name:       "foobar",
+		})
+		require.ErrorContains(t, err, "deprecated")
+	})
+
 	t.Run("BlockDisablingAutoOffWithMaxTTL", func(t *testing.T) {
 		t.Parallel()
 		client, user := coderdenttest.New(t, &coderdenttest.Options{

From 628b97a1a7436f22fba2d438de7fb1ba661c9615 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Fri, 17 Nov 2023 09:59:29 -0600
Subject: [PATCH 02/15] Fix which user is used in unit tests

---
 enterprise/coderd/templates_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/enterprise/coderd/templates_test.go b/enterprise/coderd/templates_test.go
index c6f55d766d92d..f76a9a4640455 100644
--- a/enterprise/coderd/templates_test.go
+++ b/enterprise/coderd/templates_test.go
@@ -94,7 +94,7 @@ func TestTemplates(t *testing.T) {
 	t.Run("Deprecated", func(t *testing.T) {
 		t.Parallel()
 
-		client, user := coderdenttest.New(t, &coderdenttest.Options{
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
 			Options: &coderdtest.Options{
 				IncludeProvisionerDaemon: true,
 			},
@@ -104,6 +104,7 @@ func TestTemplates(t *testing.T) {
 				},
 			},
 		})
+		client, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID, rbac.RoleTemplateAdmin())
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)

From 0935732e691298b00aab72954cc1237b1e1fd847 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Fri, 17 Nov 2023 10:46:17 -0600
Subject: [PATCH 03/15] Update golden files

---
 cli/testdata/coder_templates_edit_--help.golden | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cli/testdata/coder_templates_edit_--help.golden b/cli/testdata/coder_templates_edit_--help.golden
index fd5841125e708..bd4cdee8d8482 100644
--- a/cli/testdata/coder_templates_edit_--help.golden
+++ b/cli/testdata/coder_templates_edit_--help.golden
@@ -28,6 +28,10 @@ OPTIONS:
           from this template default to this value. Maps to "Default autostop"
           in the UI.
 
+      --deprecated string
+          Sets the template as deprecated. Must be a message explaining why the
+          template is deprecated.
+
       --description string
           Edit the template description.
 

From 33f54f87d0573251add4c221d8961e2d1811a9f2 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Fri, 17 Nov 2023 11:45:01 -0600
Subject: [PATCH 04/15] Add deprecated filter to template fetching

---
 coderd/database/dbmem/dbmem.go                |  3 +++
 coderd/database/modelqueries.go               |  2 ++
 coderd/database/queries.sql.go                | 21 +++++++++++++++----
 coderd/database/queries/templates.sql         | 11 ++++++++++
 coderd/templates.go                           | 19 +++++++++++++++++
 site/src/api/api.ts                           | 12 +++++++++++
 site/src/api/queries/templates.ts             |  8 +++----
 .../pages/WorkspacesPage/WorkspacesPage.tsx   |  2 +-
 site/src/pages/WorkspacesPage/filter/menus.ts |  6 ++++--
 9 files changed, 73 insertions(+), 11 deletions(-)

diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
index 59dda6dc14e8a..1837c6f2588b5 100644
--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -6888,6 +6888,9 @@ func (q *FakeQuerier) GetAuthorizedTemplates(ctx context.Context, arg database.G
 		if arg.ExactName != "" && !strings.EqualFold(template.Name, arg.ExactName) {
 			continue
 		}
+		if arg.Deprecated.Valid && arg.Deprecated.Bool == (template.Deprecated != "") {
+			continue
+		}
 
 		if len(arg.IDs) > 0 {
 			match := false
diff --git a/coderd/database/modelqueries.go b/coderd/database/modelqueries.go
index 5c78600237e1d..a050997a17ba1 100644
--- a/coderd/database/modelqueries.go
+++ b/coderd/database/modelqueries.go
@@ -52,6 +52,7 @@ func (q *sqlQuerier) GetAuthorizedTemplates(ctx context.Context, arg GetTemplate
 		arg.OrganizationID,
 		arg.ExactName,
 		pq.Array(arg.IDs),
+		arg.Deprecated,
 	)
 	if err != nil {
 		return nil, err
@@ -87,6 +88,7 @@ func (q *sqlQuerier) GetAuthorizedTemplates(ctx context.Context, arg GetTemplate
 			&i.AutostopRequirementWeeks,
 			&i.AutostartBlockDaysOfWeek,
 			&i.RequireActiveVersion,
+			&i.Deprecated,
 			&i.CreatedByAvatarURL,
 			&i.CreatedByUsername,
 		); err != nil {
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
index fa65e4f236979..842b05380258e 100644
--- a/coderd/database/queries.sql.go
+++ b/coderd/database/queries.sql.go
@@ -5369,16 +5369,28 @@ WHERE
 			id = ANY($4)
 		ELSE true
 	END
+	-- Filter by deprecated
+	AND CASE
+		WHEN $5 :: boolean IS NOT NULL THEN
+			CASE
+				WHEN $5 :: boolean THEN
+					deprecated != ''
+				ELSE
+					deprecated = ''
+			END
+		ELSE true
+	END
   -- Authorize Filter clause will be injected below in GetAuthorizedTemplates
   -- @authorize_filter
 ORDER BY (name, id) ASC
 `
 
 type GetTemplatesWithFilterParams struct {
-	Deleted        bool        `db:"deleted" json:"deleted"`
-	OrganizationID uuid.UUID   `db:"organization_id" json:"organization_id"`
-	ExactName      string      `db:"exact_name" json:"exact_name"`
-	IDs            []uuid.UUID `db:"ids" json:"ids"`
+	Deleted        bool         `db:"deleted" json:"deleted"`
+	OrganizationID uuid.UUID    `db:"organization_id" json:"organization_id"`
+	ExactName      string       `db:"exact_name" json:"exact_name"`
+	IDs            []uuid.UUID  `db:"ids" json:"ids"`
+	Deprecated     sql.NullBool `db:"deprecated" json:"deprecated"`
 }
 
 func (q *sqlQuerier) GetTemplatesWithFilter(ctx context.Context, arg GetTemplatesWithFilterParams) ([]Template, error) {
@@ -5387,6 +5399,7 @@ func (q *sqlQuerier) GetTemplatesWithFilter(ctx context.Context, arg GetTemplate
 		arg.OrganizationID,
 		arg.ExactName,
 		pq.Array(arg.IDs),
+		arg.Deprecated,
 	)
 	if err != nil {
 		return nil, err
diff --git a/coderd/database/queries/templates.sql b/coderd/database/queries/templates.sql
index 6e1518baf9ef0..87d827b0daea6 100644
--- a/coderd/database/queries/templates.sql
+++ b/coderd/database/queries/templates.sql
@@ -34,6 +34,17 @@ WHERE
 			id = ANY(@ids)
 		ELSE true
 	END
+	-- Filter by deprecated
+	AND CASE
+		WHEN sqlc.narg('deprecated') :: boolean IS NOT NULL THEN
+			CASE
+				WHEN sqlc.narg('deprecated') :: boolean THEN
+					deprecated != ''
+				ELSE
+					deprecated = ''
+			END
+		ELSE true
+	END
   -- Authorize Filter clause will be injected below in GetAuthorizedTemplates
   -- @authorize_filter
 ORDER BY (name, id) ASC
diff --git a/coderd/templates.go b/coderd/templates.go
index a29b47a2bf46b..91a528809f34f 100644
--- a/coderd/templates.go
+++ b/coderd/templates.go
@@ -437,6 +437,24 @@ func (api *API) templatesByOrganization(rw http.ResponseWriter, r *http.Request)
 	ctx := r.Context()
 	organization := httpmw.OrganizationParam(r)
 
+	p := httpapi.NewQueryParamParser()
+	values := r.URL.Query()
+
+	deprecated := sql.NullBool{}
+	if values.Has("deprecated") {
+		deprecated = sql.NullBool{
+			Bool:  p.Boolean(values, false, "deprecated"),
+			Valid: true,
+		}
+	}
+	if len(p.Errors) > 0 {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message:     "Invalid query params.",
+			Validations: p.Errors,
+		})
+		return
+	}
+
 	prepared, err := api.HTTPAuth.AuthorizeSQLFilter(r, rbac.ActionRead, rbac.ResourceTemplate.Type)
 	if err != nil {
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
@@ -449,6 +467,7 @@ func (api *API) templatesByOrganization(rw http.ResponseWriter, r *http.Request)
 	// Filter templates based on rbac permissions
 	templates, err := api.Database.GetAuthorizedTemplates(ctx, database.GetTemplatesWithFilterParams{
 		OrganizationID: organization.ID,
+		Deprecated:     deprecated,
 	}, prepared)
 	if errors.Is(err, sql.ErrNoRows) {
 		err = nil
diff --git a/site/src/api/api.ts b/site/src/api/api.ts
index 6f0e4d38327df..13994306e7842 100644
--- a/site/src/api/api.ts
+++ b/site/src/api/api.ts
@@ -222,9 +222,21 @@ export const getTemplate = async (
 
 export const getTemplates = async (
   organizationId: string,
+  deprecated?: boolean,
 ): Promise<TypesGen.Template[]> => {
+  const params = {} as Record<string,string>
+  if(deprecated !== undefined) {
+    // Just want to check if it isn't undefined. If it has
+    // a boolean value, convert it to a string and include
+    // it as a param.
+    params["deprecated"] = String(deprecated)
+  }
+
   const response = await axios.get<TypesGen.Template[]>(
     `/api/v2/organizations/${organizationId}/templates`,
+    {
+      params,
+    }
   );
   return response.data;
 };
diff --git a/site/src/api/queries/templates.ts b/site/src/api/queries/templates.ts
index 406f7a0bb53e1..9a18ec5e17a30 100644
--- a/site/src/api/queries/templates.ts
+++ b/site/src/api/queries/templates.ts
@@ -33,12 +33,12 @@ export const templateByName = (
   };
 };
 
-const getTemplatesQueryKey = (orgId: string) => [orgId, "templates"];
+const getTemplatesQueryKey = (orgId: string, deprecated?: boolean) => [orgId, "templates", deprecated];
 
-export const templates = (orgId: string) => {
+export const templates = (orgId: string, deprecated?: boolean) => {
   return {
-    queryKey: getTemplatesQueryKey(orgId),
-    queryFn: () => API.getTemplates(orgId),
+    queryKey: getTemplatesQueryKey(orgId, deprecated),
+    queryFn: () => API.getTemplates(orgId, deprecated),
   };
 };
 
diff --git a/site/src/pages/WorkspacesPage/WorkspacesPage.tsx b/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
index e237fc7867215..fa2ae3ea9e8f5 100644
--- a/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
+++ b/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
@@ -43,7 +43,7 @@ const WorkspacesPage: FC = () => {
   const pagination = usePagination({ searchParamsResult });
 
   const organizationId = useOrganizationId();
-  const templatesQuery = useQuery(templates(organizationId));
+  const templatesQuery = useQuery(templates(organizationId, false));
 
   const filterProps = useWorkspacesFilter({
     searchParamsResult,
diff --git a/site/src/pages/WorkspacesPage/filter/menus.ts b/site/src/pages/WorkspacesPage/filter/menus.ts
index d83a00aba6afd..48696b53b25bd 100644
--- a/site/src/pages/WorkspacesPage/filter/menus.ts
+++ b/site/src/pages/WorkspacesPage/filter/menus.ts
@@ -17,7 +17,8 @@ export const useTemplateFilterMenu = ({
     value,
     id: "template",
     getSelectedOption: async () => {
-      const templates = await getTemplates(orgId);
+      // Show all templates including deprecated
+      const templates = await getTemplates(orgId, undefined);
       const template = templates.find((template) => template.name === value);
       if (template) {
         return {
@@ -32,7 +33,8 @@ export const useTemplateFilterMenu = ({
       return null;
     },
     getOptions: async (query) => {
-      const templates = await getTemplates(orgId);
+      // Show all templates including deprecated
+      const templates = await getTemplates(orgId, undefined);
       const filteredTemplates = templates.filter(
         (template) =>
           template.name.toLowerCase().includes(query.toLowerCase()) ||

From f5dc43f3768a81b47f6e1df57ab0d1562ddd0b7a Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Fri, 17 Nov 2023 14:30:58 -0600
Subject: [PATCH 05/15] Add deprecated to template table

---
 cli/templateedit.go                           |  8 ++---
 coderd/apidoc/docs.go                         |  6 ++++
 coderd/apidoc/swagger.json                    |  6 ++++
 coderd/templates.go                           | 14 ++++-----
 coderd/templates_test.go                      |  4 +--
 codersdk/templates.go                         | 18 +++++------
 docs/admin/audit-logs.md                      | 26 ++++++++--------
 docs/api/schemas.md                           |  4 +++
 docs/api/templates.md                         | 12 +++++++
 docs/cli/templates_edit.md                    |  8 +++++
 enterprise/coderd/templates_test.go           |  4 +--
 site/src/api/typesGenerated.ts                |  3 ++
 .../TemplateSettingsPage.test.tsx             |  5 ++-
 .../TemplatesPageView.stories.tsx             | 20 ++++++++++++
 .../pages/TemplatesPage/TemplatesPageView.tsx | 31 +++++++++++--------
 site/src/testHelpers/entities.ts              |  2 ++
 16 files changed, 120 insertions(+), 51 deletions(-)

diff --git a/cli/templateedit.go b/cli/templateedit.go
index 126f87a0c3b79..9c46e98427f8d 100644
--- a/cli/templateedit.go
+++ b/cli/templateedit.go
@@ -33,7 +33,7 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 		allowUserAutostart             bool
 		allowUserAutostop              bool
 		requireActiveVersion           bool
-		deprecatedMessage              string
+		deprecationMessage             string
 	)
 	client := new(codersdk.Client)
 
@@ -126,7 +126,7 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 			var deprecated *string
 			opt := inv.Command.Options.ByName(deprecatedFlagName)
 			if !(opt.ValueSource == "" || opt.ValueSource == clibase.ValueSourceDefault) {
-				deprecated = &deprecatedMessage
+				deprecated = &deprecationMessage
 			}
 
 			// NOTE: coderd will ignore empty fields.
@@ -150,7 +150,7 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 				AllowUserAutostart:           allowUserAutostart,
 				AllowUserAutostop:            allowUserAutostop,
 				RequireActiveVersion:         requireActiveVersion,
-				DeprecatedMessage:            deprecated,
+				DeprecationMessage:           deprecated,
 			}
 
 			_, err = client.UpdateTemplateMeta(inv.Context(), template.ID, req)
@@ -182,7 +182,7 @@ func (r *RootCmd) templateEdit() *clibase.Cmd {
 			Name:        deprecatedFlagName,
 			Flag:        "deprecated",
 			Description: "Sets the template as deprecated. Must be a message explaining why the template is deprecated.",
-			Value:       clibase.StringOf(&deprecatedMessage),
+			Value:       clibase.StringOf(&deprecationMessage),
 		},
 		{
 			Flag:        "icon",
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
index 7d583695b66c4..ef50a4aae6bc7 100644
--- a/coderd/apidoc/docs.go
+++ b/coderd/apidoc/docs.go
@@ -10059,6 +10059,12 @@ const docTemplate = `{
                 "default_ttl_ms": {
                     "type": "integer"
                 },
+                "deprecated": {
+                    "type": "boolean"
+                },
+                "deprecation_message": {
+                    "type": "string"
+                },
                 "description": {
                     "type": "string"
                 },
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
index 550a90c6805d7..91661d1c2c7c9 100644
--- a/coderd/apidoc/swagger.json
+++ b/coderd/apidoc/swagger.json
@@ -9087,6 +9087,12 @@
         "default_ttl_ms": {
           "type": "integer"
         },
+        "deprecated": {
+          "type": "boolean"
+        },
+        "deprecation_message": {
+          "type": "string"
+        },
         "description": {
           "type": "string"
         },
diff --git a/coderd/templates.go b/coderd/templates.go
index 91a528809f34f..227e5934af257 100644
--- a/coderd/templates.go
+++ b/coderd/templates.go
@@ -604,9 +604,9 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 		validErrs = append(validErrs, codersdk.ValidationError{Field: "autostop_requirement.weeks", Detail: fmt.Sprintf("Must be less than %d.", schedule.MaxTemplateAutostopRequirementWeeks)})
 	}
 	// Defaults to the existing.
-	deprecatedMessage := template.Deprecated
-	if req.DeprecatedMessage != nil {
-		deprecatedMessage = *req.DeprecatedMessage
+	deprecationMessage := template.Deprecated
+	if req.DeprecationMessage != nil {
+		deprecationMessage = *req.DeprecationMessage
 	}
 
 	// The minimum valid value for a dormant TTL is 1 minute. This is
@@ -649,7 +649,7 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 			req.TimeTilDormantMillis == time.Duration(template.TimeTilDormant).Milliseconds() &&
 			req.TimeTilDormantAutoDeleteMillis == time.Duration(template.TimeTilDormantAutoDelete).Milliseconds() &&
 			req.RequireActiveVersion == template.RequireActiveVersion &&
-			(deprecatedMessage == template.Deprecated) {
+			(deprecationMessage == template.Deprecated) {
 			return nil
 		}
 
@@ -673,10 +673,10 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 			return xerrors.Errorf("update template metadata: %w", err)
 		}
 
-		if template.RequireActiveVersion != req.RequireActiveVersion || deprecatedMessage != template.Deprecated {
+		if template.RequireActiveVersion != req.RequireActiveVersion || deprecationMessage != template.Deprecated {
 			err = (*api.AccessControlStore.Load()).SetTemplateAccessControl(ctx, tx, template.ID, dbauthz.TemplateAccessControl{
 				RequireActiveVersion: req.RequireActiveVersion,
-				Deprecated:           deprecatedMessage,
+				Deprecated:           deprecationMessage,
 			})
 			if err != nil {
 				return xerrors.Errorf("set template access control: %w", err)
@@ -873,6 +873,6 @@ func (api *API) convertTemplate(
 		// These values depend on entitlements and come from the templateAccessControl
 		RequireActiveVersion: templateAccessControl.RequireActiveVersion,
 		Deprecated:           templateAccessControl.IsDeprecated(),
-		DeprecatedMessage:    templateAccessControl.Deprecated,
+		DeprecationMessage:   templateAccessControl.Deprecated,
 	}
 }
diff --git a/coderd/templates_test.go b/coderd/templates_test.go
index 447d6a0ae78a7..23c144278495e 100644
--- a/coderd/templates_test.go
+++ b/coderd/templates_test.go
@@ -525,7 +525,7 @@ func TestPatchTemplateMeta(t *testing.T) {
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 
 		req := codersdk.UpdateTemplateMeta{
-			DeprecatedMessage: ptr.Ref("APGL cannot deprecate"),
+			DeprecationMessage: ptr.Ref("APGL cannot deprecate"),
 		}
 
 		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
@@ -536,7 +536,7 @@ func TestPatchTemplateMeta(t *testing.T) {
 		assert.Greater(t, updated.UpdatedAt, template.UpdatedAt)
 		// AGPL cannot deprecate, expect no change
 		assert.False(t, updated.Deprecated)
-		assert.Empty(t, updated.DeprecatedMessage)
+		assert.Empty(t, updated.DeprecationMessage)
 	})
 
 	t.Run("NoDefaultTTL", func(t *testing.T) {
diff --git a/codersdk/templates.go b/codersdk/templates.go
index f59175ac3fdda..3ebe2359c8600 100644
--- a/codersdk/templates.go
+++ b/codersdk/templates.go
@@ -24,13 +24,13 @@ type Template struct {
 	Provisioner     ProvisionerType `json:"provisioner" enums:"terraform"`
 	ActiveVersionID uuid.UUID       `json:"active_version_id" format:"uuid"`
 	// ActiveUserCount is set to -1 when loading.
-	ActiveUserCount   int                    `json:"active_user_count"`
-	BuildTimeStats    TemplateBuildTimeStats `json:"build_time_stats"`
-	Description       string                 `json:"description"`
-	Deprecated        bool                   `json:"deprecated"`
-	DeprecatedMessage string                 `json:"deprecated_message"`
-	Icon              string                 `json:"icon"`
-	DefaultTTLMillis  int64                  `json:"default_ttl_ms"`
+	ActiveUserCount    int                    `json:"active_user_count"`
+	BuildTimeStats     TemplateBuildTimeStats `json:"build_time_stats"`
+	Description        string                 `json:"description"`
+	Deprecated         bool                   `json:"deprecated"`
+	DeprecationMessage string                 `json:"deprecation_message"`
+	Icon               string                 `json:"icon"`
+	DefaultTTLMillis   int64                  `json:"default_ttl_ms"`
 	// TODO(@dean): remove max_ttl once autostop_requirement is matured
 	MaxTTLMillis int64 `json:"max_ttl_ms"`
 	// AutostopRequirement and AutostartRequirement are enterprise features. Its
@@ -231,11 +231,11 @@ type UpdateTemplateMeta struct {
 	// use the active version of the template. This option has no
 	// effect on template admins.
 	RequireActiveVersion bool `json:"require_active_version"`
-	// DeprecatedMessage if set, will mark the template as deprecated and block
+	// DeprecationMessage if set, will mark the template as deprecated and block
 	// any new workspaces from using this template.
 	// If passed an empty string, will remove the deprecated message, making
 	// the template usable for new workspaces again.
-	DeprecatedMessage *string `json:"deprecated_message"`
+	DeprecationMessage *string `json:"deprecation_message"`
 }
 
 type TemplateExample struct {
diff --git a/docs/admin/audit-logs.md b/docs/admin/audit-logs.md
index af7a5724458d7..69c61ad69deed 100644
--- a/docs/admin/audit-logs.md
+++ b/docs/admin/audit-logs.md
@@ -8,19 +8,19 @@ We track the following resources:
 
 <!-- Code generated by 'make docs/admin/audit-logs.md'. DO NOT EDIT -->
 
-| <b>Resource<b>                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| APIKey<br><i>login, logout, register, create, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>true</td></tr><tr><td>expires_at</td><td>true</td></tr><tr><td>hashed_secret</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>ip_address</td><td>false</td></tr><tr><td>last_used</td><td>true</td></tr><tr><td>lifetime_seconds</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>scope</td><td>false</td></tr><tr><td>token_name</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| AuditOAuthConvertState<br><i></i>                        | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>true</td></tr><tr><td>expires_at</td><td>true</td></tr><tr><td>from_login_type</td><td>true</td></tr><tr><td>to_login_type</td><td>true</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| Group<br><i>create, write, delete</i>                    | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>members</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>quota_allowance</td><td>true</td></tr><tr><td>source</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| GitSSHKey<br><i>create</i>                               | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>private_key</td><td>true</td></tr><tr><td>public_key</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| License<br><i>create, delete</i>                         | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>exp</td><td>true</td></tr><tr><td>id</td><td>false</td></tr><tr><td>jwt</td><td>false</td></tr><tr><td>uploaded_at</td><td>true</td></tr><tr><td>uuid</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| Template<br><i>write, delete</i>                         | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>active_version_id</td><td>true</td></tr><tr><td>allow_user_autostart</td><td>true</td></tr><tr><td>allow_user_autostop</td><td>true</td></tr><tr><td>allow_user_cancel_workspace_jobs</td><td>true</td></tr><tr><td>autostart_block_days_of_week</td><td>true</td></tr><tr><td>autostop_requirement_days_of_week</td><td>true</td></tr><tr><td>autostop_requirement_weeks</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>created_by_avatar_url</td><td>false</td></tr><tr><td>created_by_username</td><td>false</td></tr><tr><td>default_ttl</td><td>true</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>description</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>failure_ttl</td><td>true</td></tr><tr><td>group_acl</td><td>true</td></tr><tr><td>icon</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>max_ttl</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>provisioner</td><td>true</td></tr><tr><td>require_active_version</td><td>true</td></tr><tr><td>time_til_dormant</td><td>true</td></tr><tr><td>time_til_dormant_autodelete</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_acl</td><td>true</td></tr></tbody></table> |
-| TemplateVersion<br><i>create, write</i>                  | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>archived</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>created_by_avatar_url</td><td>false</td></tr><tr><td>created_by_username</td><td>false</td></tr><tr><td>external_auth_providers</td><td>false</td></tr><tr><td>id</td><td>true</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>message</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>readme</td><td>true</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| User<br><i>create, write, delete</i>                     | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>true</td></tr><tr><td>email</td><td>true</td></tr><tr><td>hashed_password</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>last_seen_at</td><td>false</td></tr><tr><td>login_type</td><td>true</td></tr><tr><td>quiet_hours_schedule</td><td>true</td></tr><tr><td>rbac_roles</td><td>true</td></tr><tr><td>status</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>username</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| Workspace<br><i>create, write, delete</i>                | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>automatic_updates</td><td>true</td></tr><tr><td>autostart_schedule</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>deleting_at</td><td>true</td></tr><tr><td>dormant_at</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>last_used_at</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>owner_id</td><td>true</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>ttl</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| WorkspaceBuild<br><i>start, stop</i>                     | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>build_number</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>daily_cost</td><td>false</td></tr><tr><td>deadline</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>initiator_by_avatar_url</td><td>false</td></tr><tr><td>initiator_by_username</td><td>false</td></tr><tr><td>initiator_id</td><td>false</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>max_deadline</td><td>false</td></tr><tr><td>provisioner_state</td><td>false</td></tr><tr><td>reason</td><td>false</td></tr><tr><td>template_version_id</td><td>true</td></tr><tr><td>transition</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>workspace_id</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| WorkspaceProxy<br><i></i>                                | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>true</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>derp_enabled</td><td>true</td></tr><tr><td>derp_only</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>icon</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>region_id</td><td>true</td></tr><tr><td>token_hashed_secret</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>url</td><td>true</td></tr><tr><td>wildcard_hostname</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
+| <b>Resource<b>                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
+| -------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| APIKey<br><i>login, logout, register, create, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>true</td></tr><tr><td>expires_at</td><td>true</td></tr><tr><td>hashed_secret</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>ip_address</td><td>false</td></tr><tr><td>last_used</td><td>true</td></tr><tr><td>lifetime_seconds</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>scope</td><td>false</td></tr><tr><td>token_name</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| AuditOAuthConvertState<br><i></i>                        | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>true</td></tr><tr><td>expires_at</td><td>true</td></tr><tr><td>from_login_type</td><td>true</td></tr><tr><td>to_login_type</td><td>true</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| Group<br><i>create, write, delete</i>                    | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>members</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>quota_allowance</td><td>true</td></tr><tr><td>source</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| GitSSHKey<br><i>create</i>                               | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>private_key</td><td>true</td></tr><tr><td>public_key</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+| License<br><i>create, delete</i>                         | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>exp</td><td>true</td></tr><tr><td>id</td><td>false</td></tr><tr><td>jwt</td><td>false</td></tr><tr><td>uploaded_at</td><td>true</td></tr><tr><td>uuid</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
+| Template<br><i>write, delete</i>                         | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>active_version_id</td><td>true</td></tr><tr><td>allow_user_autostart</td><td>true</td></tr><tr><td>allow_user_autostop</td><td>true</td></tr><tr><td>allow_user_cancel_workspace_jobs</td><td>true</td></tr><tr><td>autostart_block_days_of_week</td><td>true</td></tr><tr><td>autostop_requirement_days_of_week</td><td>true</td></tr><tr><td>autostop_requirement_weeks</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>created_by_avatar_url</td><td>false</td></tr><tr><td>created_by_username</td><td>false</td></tr><tr><td>default_ttl</td><td>true</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>deprecated</td><td>true</td></tr><tr><td>description</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>failure_ttl</td><td>true</td></tr><tr><td>group_acl</td><td>true</td></tr><tr><td>icon</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>max_ttl</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>provisioner</td><td>true</td></tr><tr><td>require_active_version</td><td>true</td></tr><tr><td>time_til_dormant</td><td>true</td></tr><tr><td>time_til_dormant_autodelete</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_acl</td><td>true</td></tr></tbody></table> |
+| TemplateVersion<br><i>create, write</i>                  | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>archived</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>created_by_avatar_url</td><td>false</td></tr><tr><td>created_by_username</td><td>false</td></tr><tr><td>external_auth_providers</td><td>false</td></tr><tr><td>id</td><td>true</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>message</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>readme</td><td>true</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| User<br><i>create, write, delete</i>                     | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>true</td></tr><tr><td>email</td><td>true</td></tr><tr><td>hashed_password</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>last_seen_at</td><td>false</td></tr><tr><td>login_type</td><td>true</td></tr><tr><td>quiet_hours_schedule</td><td>true</td></tr><tr><td>rbac_roles</td><td>true</td></tr><tr><td>status</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>username</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
+| Workspace<br><i>create, write, delete</i>                | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>automatic_updates</td><td>true</td></tr><tr><td>autostart_schedule</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>deleting_at</td><td>true</td></tr><tr><td>dormant_at</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>last_used_at</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>owner_id</td><td>true</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>ttl</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| WorkspaceBuild<br><i>start, stop</i>                     | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>build_number</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>daily_cost</td><td>false</td></tr><tr><td>deadline</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>initiator_by_avatar_url</td><td>false</td></tr><tr><td>initiator_by_username</td><td>false</td></tr><tr><td>initiator_id</td><td>false</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>max_deadline</td><td>false</td></tr><tr><td>provisioner_state</td><td>false</td></tr><tr><td>reason</td><td>false</td></tr><tr><td>template_version_id</td><td>true</td></tr><tr><td>transition</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>workspace_id</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+| WorkspaceProxy<br><i></i>                                | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>true</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>derp_enabled</td><td>true</td></tr><tr><td>derp_only</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>icon</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>region_id</td><td>true</td></tr><tr><td>token_hashed_secret</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>url</td><td>true</td></tr><tr><td>wildcard_hostname</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 
 <!-- End generated by 'make docs/admin/audit-logs.md'. -->
 
diff --git a/docs/api/schemas.md b/docs/api/schemas.md
index d3a61585d096c..e047926f31dd6 100644
--- a/docs/api/schemas.md
+++ b/docs/api/schemas.md
@@ -4412,6 +4412,8 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
   "created_by_id": "9377d689-01fb-4abf-8450-3368d2c1924f",
   "created_by_name": "string",
   "default_ttl_ms": 0,
+  "deprecated": true,
+  "deprecation_message": "string",
   "description": "string",
   "display_name": "string",
   "failure_ttl_ms": 0,
@@ -4444,6 +4446,8 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
 | `created_by_id`                    | string                                                                         | false    |              |                                                                                                                                                                                                 |
 | `created_by_name`                  | string                                                                         | false    |              |                                                                                                                                                                                                 |
 | `default_ttl_ms`                   | integer                                                                        | false    |              |                                                                                                                                                                                                 |
+| `deprecated`                       | boolean                                                                        | false    |              |                                                                                                                                                                                                 |
+| `deprecation_message`              | string                                                                         | false    |              |                                                                                                                                                                                                 |
 | `description`                      | string                                                                         | false    |              |                                                                                                                                                                                                 |
 | `display_name`                     | string                                                                         | false    |              |                                                                                                                                                                                                 |
 | `failure_ttl_ms`                   | integer                                                                        | false    |              | Failure ttl ms TimeTilDormantMillis, and TimeTilDormantAutoDeleteMillis are enterprise-only. Their values are used if your license is entitled to use the advanced template scheduling feature. |
diff --git a/docs/api/templates.md b/docs/api/templates.md
index 279ab1ff5cfb7..0fcfd2a8b3cc5 100644
--- a/docs/api/templates.md
+++ b/docs/api/templates.md
@@ -52,6 +52,8 @@ curl -X GET http://coder-server:8080/api/v2/organizations/{organization}/templat
     "created_by_id": "9377d689-01fb-4abf-8450-3368d2c1924f",
     "created_by_name": "string",
     "default_ttl_ms": 0,
+    "deprecated": true,
+    "deprecation_message": "string",
     "description": "string",
     "display_name": "string",
     "failure_ttl_ms": 0,
@@ -101,6 +103,8 @@ Status Code **200**
 | `» created_by_id`                                                                     | string(uuid)                                                                             | false    |              |                                                                                                                                                                                                                                                                                                                |
 | `» created_by_name`                                                                   | string                                                                                   | false    |              |                                                                                                                                                                                                                                                                                                                |
 | `» default_ttl_ms`                                                                    | integer                                                                                  | false    |              |                                                                                                                                                                                                                                                                                                                |
+| `» deprecated`                                                                        | boolean                                                                                  | false    |              |                                                                                                                                                                                                                                                                                                                |
+| `» deprecation_message`                                                               | string                                                                                   | false    |              |                                                                                                                                                                                                                                                                                                                |
 | `» description`                                                                       | string                                                                                   | false    |              |                                                                                                                                                                                                                                                                                                                |
 | `» display_name`                                                                      | string                                                                                   | false    |              |                                                                                                                                                                                                                                                                                                                |
 | `» failure_ttl_ms`                                                                    | integer                                                                                  | false    |              | Failure ttl ms TimeTilDormantMillis, and TimeTilDormantAutoDeleteMillis are enterprise-only. Their values are used if your license is entitled to use the advanced template scheduling feature.                                                                                                                |
@@ -205,6 +209,8 @@ curl -X POST http://coder-server:8080/api/v2/organizations/{organization}/templa
   "created_by_id": "9377d689-01fb-4abf-8450-3368d2c1924f",
   "created_by_name": "string",
   "default_ttl_ms": 0,
+  "deprecated": true,
+  "deprecation_message": "string",
   "description": "string",
   "display_name": "string",
   "failure_ttl_ms": 0,
@@ -341,6 +347,8 @@ curl -X GET http://coder-server:8080/api/v2/organizations/{organization}/templat
   "created_by_id": "9377d689-01fb-4abf-8450-3368d2c1924f",
   "created_by_name": "string",
   "default_ttl_ms": 0,
+  "deprecated": true,
+  "deprecation_message": "string",
   "description": "string",
   "display_name": "string",
   "failure_ttl_ms": 0,
@@ -653,6 +661,8 @@ curl -X GET http://coder-server:8080/api/v2/templates/{template} \
   "created_by_id": "9377d689-01fb-4abf-8450-3368d2c1924f",
   "created_by_name": "string",
   "default_ttl_ms": 0,
+  "deprecated": true,
+  "deprecation_message": "string",
   "description": "string",
   "display_name": "string",
   "failure_ttl_ms": 0,
@@ -772,6 +782,8 @@ curl -X PATCH http://coder-server:8080/api/v2/templates/{template} \
   "created_by_id": "9377d689-01fb-4abf-8450-3368d2c1924f",
   "created_by_name": "string",
   "default_ttl_ms": 0,
+  "deprecated": true,
+  "deprecation_message": "string",
   "description": "string",
   "display_name": "string",
   "failure_ttl_ms": 0,
diff --git a/docs/cli/templates_edit.md b/docs/cli/templates_edit.md
index cd65ac99ef9d0..0157b06404720 100644
--- a/docs/cli/templates_edit.md
+++ b/docs/cli/templates_edit.md
@@ -55,6 +55,14 @@ Edit the template autostart requirement weekdays - workspaces created from this
 
 Edit the template default time before shutdown - workspaces created from this template default to this value. Maps to "Default autostop" in the UI.
 
+### --deprecated
+
+|      |                     |
+| ---- | ------------------- |
+| Type | <code>string</code> |
+
+Sets the template as deprecated. Must be a message explaining why the template is deprecated.
+
 ### --description
 
 |      |                     |
diff --git a/enterprise/coderd/templates_test.go b/enterprise/coderd/templates_test.go
index f76a9a4640455..3268739f2560f 100644
--- a/enterprise/coderd/templates_test.go
+++ b/enterprise/coderd/templates_test.go
@@ -113,13 +113,13 @@ func TestTemplates(t *testing.T) {
 		defer cancel()
 
 		updated, err := client.UpdateTemplateMeta(ctx, template.ID, codersdk.UpdateTemplateMeta{
-			DeprecatedMessage: ptr.Ref("Stop using this template"),
+			DeprecationMessage: ptr.Ref("Stop using this template"),
 		})
 		require.NoError(t, err)
 		assert.Greater(t, updated.UpdatedAt, template.UpdatedAt)
 		// AGPL cannot deprecate, expect no change
 		assert.True(t, updated.Deprecated)
-		assert.NotEmpty(t, updated.DeprecatedMessage)
+		assert.NotEmpty(t, updated.DeprecationMessage)
 
 		_, err = client.CreateWorkspace(ctx, user.OrganizationID, codersdk.Me, codersdk.CreateWorkspaceRequest{
 			TemplateID: template.ID,
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
index 032c3854138dd..524c9f7cacf51 100644
--- a/site/src/api/typesGenerated.ts
+++ b/site/src/api/typesGenerated.ts
@@ -918,6 +918,8 @@ export interface Template {
   readonly active_user_count: number;
   readonly build_time_stats: TemplateBuildTimeStats;
   readonly description: string;
+  readonly deprecated: boolean;
+  readonly deprecation_message: string;
   readonly icon: string;
   readonly default_ttl_ms: number;
   readonly max_ttl_ms: number;
@@ -1183,6 +1185,7 @@ export interface UpdateTemplateMeta {
   readonly update_workspace_last_used_at: boolean;
   readonly update_workspace_dormant_at: boolean;
   readonly require_active_version: boolean;
+  readonly deprecation_message?: string;
 }
 
 // From codersdk/users.go
diff --git a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.test.tsx b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.test.tsx
index c9f2059672fce..7449457aa998f 100644
--- a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.test.tsx
+++ b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.test.tsx
@@ -12,7 +12,10 @@ import { getValidationSchema } from "./TemplateSettingsForm";
 import { TemplateSettingsPage } from "./TemplateSettingsPage";
 
 type FormValues = Required<
-  Omit<UpdateTemplateMeta, "default_ttl_ms" | "max_ttl_ms">
+  Omit<
+    UpdateTemplateMeta,
+    "default_ttl_ms" | "max_ttl_ms" | "deprecation_message"
+  >
 >;
 
 const validFormValues: FormValues = {
diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx
index 5bbbb55fdce56..51954c75d77c7 100644
--- a/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx
@@ -38,6 +38,26 @@ export const WithTemplates: Story = {
         description:
           "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. ",
       },
+      {
+        ...MockTemplate,
+        name: "template-without-icon",
+        display_name: "No Icon",
+        description: "This one has no icon",
+      },
+      {
+        ...MockTemplate,
+        name: "template-without-icon-deprecated",
+        display_name: "Deprecated No Icon",
+        description: "This one has no icon and is deprecated",
+        deprecated: true,
+        deprecation_message: "This template is so old, it's deprecated",
+      },
+      {
+        ...MockTemplate,
+        name: "deprecated-template",
+        display_name: "Deprecated",
+        description: "Template is incompatible",
+      },
     ],
     examples: [],
   },
diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
index e06914f470ad7..085def04a896c 100644
--- a/site/src/pages/TemplatesPage/TemplatesPageView.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
@@ -44,6 +44,7 @@ import { docs } from "utils/docs";
 import Skeleton from "@mui/material/Skeleton";
 import { Box } from "@mui/system";
 import { AvatarDataSkeleton } from "components/AvatarData/AvatarDataSkeleton";
+import { Pill } from "components/Pill/Pill";
 
 export const Language = {
   developerCount: (activeCount: number): string => {
@@ -118,19 +119,23 @@ const TemplateRow: FC<{ template: Template }> = ({ template }) => {
       </TableCell>
 
       <TableCell css={styles.actionCell}>
-        <Button
-          size="small"
-          css={styles.actionButton}
-          className="actionButton"
-          startIcon={<ArrowForwardOutlined />}
-          title={`Create a workspace using the ${template.display_name} template`}
-          onClick={(e) => {
-            e.stopPropagation();
-            navigate(`/templates/${template.name}/workspace`);
-          }}
-        >
-          Create Workspace
-        </Button>
+        {template.deprecated ? (
+          <Pill text="Deprecated" type="warning" />
+        ) : (
+          <Button
+            size="small"
+            css={styles.actionButton}
+            className="actionButton"
+            startIcon={<ArrowForwardOutlined />}
+            title={`Create a workspace using the ${template.display_name} template`}
+            onClick={(e) => {
+              e.stopPropagation();
+              navigate(`/templates/${template.name}/workspace`);
+            }}
+          >
+            Create Workspace
+          </Button>
+        )}
       </TableCell>
     </TableRow>
   );
diff --git a/site/src/testHelpers/entities.ts b/site/src/testHelpers/entities.ts
index ad822e76e273d..d964d330e3f22 100644
--- a/site/src/testHelpers/entities.ts
+++ b/site/src/testHelpers/entities.ts
@@ -452,6 +452,8 @@ export const MockTemplate: TypesGen.Template = {
   allow_user_autostart: true,
   allow_user_autostop: true,
   require_active_version: false,
+  deprecated: false,
+  deprecation_message: "",
 };
 
 export const MockTemplateVersionFiles: TemplateVersionFiles = {

From 4cfa94022011b383463dfe0ccecb5189657693ea Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Fri, 17 Nov 2023 14:51:38 -0600
Subject: [PATCH 06/15] Add deprecated notice to template page

---
 site/src/api/api.ts                           |  8 +++----
 site/src/api/queries/templates.ts             |  6 +++++-
 .../pages/TemplatePage/TemplatePageHeader.tsx | 21 ++++++++++++-------
 .../pages/WorkspacePage/Workspace.stories.tsx | 11 ++++++++++
 site/src/pages/WorkspacePage/Workspace.tsx    |  7 +++++++
 5 files changed, 40 insertions(+), 13 deletions(-)

diff --git a/site/src/api/api.ts b/site/src/api/api.ts
index 13994306e7842..48d2d5c34ae50 100644
--- a/site/src/api/api.ts
+++ b/site/src/api/api.ts
@@ -224,19 +224,19 @@ export const getTemplates = async (
   organizationId: string,
   deprecated?: boolean,
 ): Promise<TypesGen.Template[]> => {
-  const params = {} as Record<string,string>
-  if(deprecated !== undefined) {
+  const params = {} as Record<string, string>;
+  if (deprecated !== undefined) {
     // Just want to check if it isn't undefined. If it has
     // a boolean value, convert it to a string and include
     // it as a param.
-    params["deprecated"] = String(deprecated)
+    params["deprecated"] = String(deprecated);
   }
 
   const response = await axios.get<TypesGen.Template[]>(
     `/api/v2/organizations/${organizationId}/templates`,
     {
       params,
-    }
+    },
   );
   return response.data;
 };
diff --git a/site/src/api/queries/templates.ts b/site/src/api/queries/templates.ts
index 9a18ec5e17a30..092c0d0fed881 100644
--- a/site/src/api/queries/templates.ts
+++ b/site/src/api/queries/templates.ts
@@ -33,7 +33,11 @@ export const templateByName = (
   };
 };
 
-const getTemplatesQueryKey = (orgId: string, deprecated?: boolean) => [orgId, "templates", deprecated];
+const getTemplatesQueryKey = (orgId: string, deprecated?: boolean) => [
+  orgId,
+  "templates",
+  deprecated,
+];
 
 export const templates = (orgId: string, deprecated?: boolean) => {
   return {
diff --git a/site/src/pages/TemplatePage/TemplatePageHeader.tsx b/site/src/pages/TemplatePage/TemplatePageHeader.tsx
index 711b251f2be9e..dab4423f074b0 100644
--- a/site/src/pages/TemplatePage/TemplatePageHeader.tsx
+++ b/site/src/pages/TemplatePage/TemplatePageHeader.tsx
@@ -34,6 +34,7 @@ import {
   ThreeDotsButton,
 } from "components/MoreMenu/MoreMenu";
 import Divider from "@mui/material/Divider";
+import { Pill } from "components/Pill/Pill";
 
 type TemplateMenuProps = {
   templateName: string;
@@ -172,14 +173,16 @@ export const TemplatePageHeader: FC<TemplatePageHeaderProps> = ({
       <PageHeader
         actions={
           <>
-            <Button
-              variant="contained"
-              startIcon={<AddIcon />}
-              component={RouterLink}
-              to={`/templates/${template.name}/workspace`}
-            >
-              Create Workspace
-            </Button>
+            {!template.deprecated && (
+              <Button
+                variant="contained"
+                startIcon={<AddIcon />}
+                component={RouterLink}
+                to={`/templates/${template.name}/workspace`}
+              >
+                Create Workspace
+              </Button>
+            )}
 
             {permissions.canUpdateTemplate && (
               <TemplateMenu
@@ -212,6 +215,8 @@ export const TemplatePageHeader: FC<TemplatePageHeaderProps> = ({
               </PageHeaderSubtitle>
             )}
           </div>
+
+          {template.deprecated && <Pill text="Deprecated" type="warning" />}
         </Stack>
       </PageHeader>
     </Margins>
diff --git a/site/src/pages/WorkspacePage/Workspace.stories.tsx b/site/src/pages/WorkspacePage/Workspace.stories.tsx
index 10887f5b5ebdc..bd7fc91db52e5 100644
--- a/site/src/pages/WorkspacePage/Workspace.stories.tsx
+++ b/site/src/pages/WorkspacePage/Workspace.stories.tsx
@@ -243,6 +243,17 @@ export const CancellationError: Story = {
   },
 };
 
+export const Deprecated: Story = {
+  args: {
+    ...Running.args,
+    template: {
+      ...Mocks.MockTemplate,
+      deprecated: true,
+      deprecation_message: "Template deprecated due to reasons",
+    },
+  },
+};
+
 export const Unhealthy: Story = {
   args: {
     ...Running.args,
diff --git a/site/src/pages/WorkspacePage/Workspace.tsx b/site/src/pages/WorkspacePage/Workspace.tsx
index 060ee10c5b8a2..14f18642eaef5 100644
--- a/site/src/pages/WorkspacePage/Workspace.tsx
+++ b/site/src/pages/WorkspacePage/Workspace.tsx
@@ -328,6 +328,13 @@ export const Workspace: FC<React.PropsWithChildren<WorkspaceProps>> = ({
             </Alert>
           )}
 
+          {template?.deprecated && (
+            <Alert severity="error">
+              <AlertTitle>Workspace using deprecated template</AlertTitle>
+              <AlertDetail>{template?.deprecation_message}</AlertDetail>
+            </Alert>
+          )}
+
           {transitionStats !== undefined && (
             <WorkspaceBuildProgress
               workspace={workspace}

From 873300f34c256af3fd3581187538edeb0005de03 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Fri, 17 Nov 2023 15:15:26 -0600
Subject: [PATCH 07/15] Add ui to deprecate a template

---
 .../Dashboard/DashboardProvider.tsx           |  5 +++
 .../TemplateSettingsForm.tsx                  | 45 ++++++++++++++++++-
 .../TemplateSettingsPage.tsx                  |  9 +++-
 .../TemplateSettingsPageView.tsx              |  3 ++
 4 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/site/src/components/Dashboard/DashboardProvider.tsx b/site/src/components/Dashboard/DashboardProvider.tsx
index 4243c8b01effe..4df5be5946c88 100644
--- a/site/src/components/Dashboard/DashboardProvider.tsx
+++ b/site/src/components/Dashboard/DashboardProvider.tsx
@@ -129,3 +129,8 @@ export const useTemplatePoliciesEnabled = (): boolean => {
     experiments.includes("template_update_policies")
   );
 };
+
+export const useAccessControlEntitled = (): boolean => {
+  const { entitlements } = useDashboard();
+  return entitlements.features.access_control.enabled;
+};
diff --git a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsForm.tsx b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsForm.tsx
index 80a1b82355985..2a6dd37a6661c 100644
--- a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsForm.tsx
+++ b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsForm.tsx
@@ -24,6 +24,7 @@ import {
   HelpTooltip,
   HelpTooltipText,
 } from "components/HelpTooltip/HelpTooltip";
+import { EnterpriseBadge } from "components/Badges/Badges";
 
 const MAX_DESCRIPTION_CHAR_LIMIT = 128;
 
@@ -49,6 +50,7 @@ export interface TemplateSettingsForm {
   // Helpful to show field errors on Storybook
   initialTouched?: FormikTouched<UpdateTemplateMeta>;
   accessControlEnabled: boolean;
+  templatePoliciesEnabled: boolean;
 }
 
 export const TemplateSettingsForm: FC<TemplateSettingsForm> = ({
@@ -59,6 +61,7 @@ export const TemplateSettingsForm: FC<TemplateSettingsForm> = ({
   isSubmitting,
   initialTouched,
   accessControlEnabled,
+  templatePoliciesEnabled,
 }) => {
   const validationSchema = getValidationSchema();
   const form: FormikContextType<UpdateTemplateMeta> =
@@ -73,6 +76,7 @@ export const TemplateSettingsForm: FC<TemplateSettingsForm> = ({
         update_workspace_last_used_at: false,
         update_workspace_dormant_at: false,
         require_active_version: template.require_active_version,
+        deprecation_message: template.deprecation_message,
       },
       validationSchema,
       onSubmit,
@@ -170,7 +174,7 @@ export const TemplateSettingsForm: FC<TemplateSettingsForm> = ({
               </Stack>
             </Stack>
           </label>
-          {accessControlEnabled && (
+          {templatePoliciesEnabled && (
             <label htmlFor="require_active_version">
               <Stack direction="row" spacing={1}>
                 <Checkbox
@@ -205,6 +209,45 @@ export const TemplateSettingsForm: FC<TemplateSettingsForm> = ({
         </Stack>
       </FormSection>
 
+      <FormSection
+        title="Deprecate"
+        description="Deprecating a template prevents any new workspaces from being created. Existing workspaces will continue to function."
+      >
+        <FormFields>
+          <Stack direction="column" spacing={0.5}>
+            <Stack
+              direction="row"
+              alignItems="center"
+              spacing={0.5}
+              css={styles.optionText}
+            >
+              Deprecation Message
+            </Stack>
+            <span css={styles.optionHelperText}>
+              Leave the message empty to keep the template active. Any message
+              provided will mark the template as deprecated. Use this message to
+              inform users of the deprecation and how to migrate to a new
+              template.
+            </span>
+          </Stack>
+          <TextField
+            {...getFieldHelpers("deprecation_message")}
+            disabled={isSubmitting || !accessControlEnabled}
+            autoFocus
+            fullWidth
+            label="Deprecation Message"
+          />
+          {!accessControlEnabled && (
+            <Stack direction="row">
+              <EnterpriseBadge />
+              <span css={styles.optionHelperText}>
+                Enterprise license required to deprecate templates.
+              </span>
+            </Stack>
+          )}
+        </FormFields>
+      </FormSection>
+
       <FormFooter onCancel={onCancel} isLoading={isSubmitting} />
     </HorizontalForm>
   );
diff --git a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.tsx b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.tsx
index 3a3fa11a425f7..4cc9f7f3ca6d6 100644
--- a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.tsx
+++ b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.tsx
@@ -10,7 +10,10 @@ import { useTemplateSettings } from "../TemplateSettingsLayout";
 import { TemplateSettingsPageView } from "./TemplateSettingsPageView";
 import { templateByNameKey } from "api/queries/templates";
 import { useOrganizationId } from "hooks";
-import { useTemplatePoliciesEnabled } from "components/Dashboard/DashboardProvider";
+import {
+  useAccessControlEntitled,
+  useTemplatePoliciesEnabled,
+} from "components/Dashboard/DashboardProvider";
 
 export const TemplateSettingsPage: FC = () => {
   const { template: templateName } = useParams() as { template: string };
@@ -18,7 +21,8 @@ export const TemplateSettingsPage: FC = () => {
   const orgId = useOrganizationId();
   const { template } = useTemplateSettings();
   const queryClient = useQueryClient();
-  const accessControlEnabled = useTemplatePoliciesEnabled();
+  const accessControlEnabled = useAccessControlEntitled();
+  const templatePoliciesEnabled = useTemplatePoliciesEnabled();
 
   const {
     mutate: updateTemplate,
@@ -55,6 +59,7 @@ export const TemplateSettingsPage: FC = () => {
           });
         }}
         accessControlEnabled={accessControlEnabled}
+        templatePoliciesEnabled={templatePoliciesEnabled}
       />
     </>
   );
diff --git a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.tsx b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.tsx
index 5eac1759d5ca2..1bda2acb7e142 100644
--- a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.tsx
+++ b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.tsx
@@ -13,6 +13,7 @@ export interface TemplateSettingsPageViewProps {
     typeof TemplateSettingsForm
   >["initialTouched"];
   accessControlEnabled: boolean;
+  templatePoliciesEnabled: boolean;
 }
 
 export const TemplateSettingsPageView: FC<TemplateSettingsPageViewProps> = ({
@@ -23,6 +24,7 @@ export const TemplateSettingsPageView: FC<TemplateSettingsPageViewProps> = ({
   submitError,
   initialTouched,
   accessControlEnabled,
+  templatePoliciesEnabled,
 }) => {
   return (
     <>
@@ -38,6 +40,7 @@ export const TemplateSettingsPageView: FC<TemplateSettingsPageViewProps> = ({
         onCancel={onCancel}
         error={submitError}
         accessControlEnabled={accessControlEnabled}
+        templatePoliciesEnabled={templatePoliciesEnabled}
       />
     </>
   );

From 576837cea4256142443624a18ae5d6139523a94f Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Fri, 17 Nov 2023 15:17:44 -0600
Subject: [PATCH 08/15] add story for not entitles

---
 .../TemplateSettingsPageView.stories.tsx                    | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.stories.tsx b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.stories.tsx
index 9313f92af19f7..86a2f9773f2fd 100644
--- a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.stories.tsx
+++ b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.stories.tsx
@@ -31,3 +31,9 @@ export const SaveTemplateSettingsError: Story = {
     },
   },
 };
+
+export const NoEntitlements: Story = {
+  args: {
+    accessControlEnabled: false,
+  },
+};

From a9922dc580041692f60a98bb05cab33630f186b6 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Fri, 17 Nov 2023 15:30:20 -0600
Subject: [PATCH 09/15] Fix stories

---
 .../TemplateSettingsPageView.stories.tsx                        | 2 ++
 site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx      | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.stories.tsx b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.stories.tsx
index 86a2f9773f2fd..23e7797bf9fc5 100644
--- a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.stories.tsx
+++ b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPageView.stories.tsx
@@ -7,6 +7,8 @@ const meta: Meta<typeof TemplateSettingsPageView> = {
   component: TemplateSettingsPageView,
   args: {
     template: MockTemplate,
+    accessControlEnabled: true,
+    templatePoliciesEnabled: true,
   },
 };
 
diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx
index 51954c75d77c7..93c13c55cd794 100644
--- a/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx
@@ -43,6 +43,7 @@ export const WithTemplates: Story = {
         name: "template-without-icon",
         display_name: "No Icon",
         description: "This one has no icon",
+        icon: "",
       },
       {
         ...MockTemplate,
@@ -51,6 +52,7 @@ export const WithTemplates: Story = {
         description: "This one has no icon and is deprecated",
         deprecated: true,
         deprecation_message: "This template is so old, it's deprecated",
+        icon: "",
       },
       {
         ...MockTemplate,

From 7b647da59d75d959589a5e08307d1a37e663864e Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Mon, 20 Nov 2023 08:16:23 -0600
Subject: [PATCH 10/15] remove extra hook

---
 site/src/components/Dashboard/DashboardProvider.tsx          | 5 -----
 .../TemplateGeneralSettingsPage/TemplateSettingsPage.tsx     | 5 +++--
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/site/src/components/Dashboard/DashboardProvider.tsx b/site/src/components/Dashboard/DashboardProvider.tsx
index 4df5be5946c88..4243c8b01effe 100644
--- a/site/src/components/Dashboard/DashboardProvider.tsx
+++ b/site/src/components/Dashboard/DashboardProvider.tsx
@@ -129,8 +129,3 @@ export const useTemplatePoliciesEnabled = (): boolean => {
     experiments.includes("template_update_policies")
   );
 };
-
-export const useAccessControlEntitled = (): boolean => {
-  const { entitlements } = useDashboard();
-  return entitlements.features.access_control.enabled;
-};
diff --git a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.tsx b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.tsx
index 4cc9f7f3ca6d6..f933ad798b564 100644
--- a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.tsx
+++ b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.tsx
@@ -11,7 +11,7 @@ import { TemplateSettingsPageView } from "./TemplateSettingsPageView";
 import { templateByNameKey } from "api/queries/templates";
 import { useOrganizationId } from "hooks";
 import {
-  useAccessControlEntitled,
+  useDashboard,
   useTemplatePoliciesEnabled,
 } from "components/Dashboard/DashboardProvider";
 
@@ -21,7 +21,8 @@ export const TemplateSettingsPage: FC = () => {
   const orgId = useOrganizationId();
   const { template } = useTemplateSettings();
   const queryClient = useQueryClient();
-  const accessControlEnabled = useAccessControlEntitled();
+  const { entitlements } = useDashboard();
+  const accessControlEnabled = entitlements.features.access_control.enabled;
   const templatePoliciesEnabled = useTemplatePoliciesEnabled();
 
   const {

From 143062ae6c5605836b91f0da24c0211a085aeb03 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Mon, 20 Nov 2023 08:18:19 -0600
Subject: [PATCH 11/15] workspace alert to warning on deprecated

---
 site/src/pages/WorkspacePage/Workspace.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/site/src/pages/WorkspacePage/Workspace.tsx b/site/src/pages/WorkspacePage/Workspace.tsx
index 14f18642eaef5..d64cfdbccc156 100644
--- a/site/src/pages/WorkspacePage/Workspace.tsx
+++ b/site/src/pages/WorkspacePage/Workspace.tsx
@@ -329,7 +329,7 @@ export const Workspace: FC<React.PropsWithChildren<WorkspaceProps>> = ({
           )}
 
           {template?.deprecated && (
-            <Alert severity="error">
+            <Alert severity="warning">
               <AlertTitle>Workspace using deprecated template</AlertTitle>
               <AlertDetail>{template?.deprecation_message}</AlertDetail>
             </Alert>

From 00cc2b8033aae4320182d204a8c5e7cd0161a5ab Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Mon, 20 Nov 2023 08:20:13 -0600
Subject: [PATCH 12/15] add params to getTemplates on FE

---
 site/src/api/api.ts                           | 11 ++++++++---
 site/src/api/queries/templates.ts             |  2 +-
 site/src/pages/WorkspacesPage/filter/menus.ts |  4 ++--
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/site/src/api/api.ts b/site/src/api/api.ts
index 48d2d5c34ae50..18443a1a796d6 100644
--- a/site/src/api/api.ts
+++ b/site/src/api/api.ts
@@ -220,16 +220,21 @@ export const getTemplate = async (
   return response.data;
 };
 
+
+export interface TemplateOptions {
+  readonly deprecated?: boolean;
+}
+
 export const getTemplates = async (
   organizationId: string,
-  deprecated?: boolean,
+  options?: TemplateOptions,
 ): Promise<TypesGen.Template[]> => {
   const params = {} as Record<string, string>;
-  if (deprecated !== undefined) {
+  if (options && options.deprecated !== undefined) {
     // Just want to check if it isn't undefined. If it has
     // a boolean value, convert it to a string and include
     // it as a param.
-    params["deprecated"] = String(deprecated);
+    params["deprecated"] = String(options.deprecated);
   }
 
   const response = await axios.get<TypesGen.Template[]>(
diff --git a/site/src/api/queries/templates.ts b/site/src/api/queries/templates.ts
index 092c0d0fed881..7efb13ec60a71 100644
--- a/site/src/api/queries/templates.ts
+++ b/site/src/api/queries/templates.ts
@@ -42,7 +42,7 @@ const getTemplatesQueryKey = (orgId: string, deprecated?: boolean) => [
 export const templates = (orgId: string, deprecated?: boolean) => {
   return {
     queryKey: getTemplatesQueryKey(orgId, deprecated),
-    queryFn: () => API.getTemplates(orgId, deprecated),
+    queryFn: () => API.getTemplates(orgId, {deprecated}),
   };
 };
 
diff --git a/site/src/pages/WorkspacesPage/filter/menus.ts b/site/src/pages/WorkspacesPage/filter/menus.ts
index 48696b53b25bd..3e805ad229451 100644
--- a/site/src/pages/WorkspacesPage/filter/menus.ts
+++ b/site/src/pages/WorkspacesPage/filter/menus.ts
@@ -18,7 +18,7 @@ export const useTemplateFilterMenu = ({
     id: "template",
     getSelectedOption: async () => {
       // Show all templates including deprecated
-      const templates = await getTemplates(orgId, undefined);
+      const templates = await getTemplates(orgId);
       const template = templates.find((template) => template.name === value);
       if (template) {
         return {
@@ -34,7 +34,7 @@ export const useTemplateFilterMenu = ({
     },
     getOptions: async (query) => {
       // Show all templates including deprecated
-      const templates = await getTemplates(orgId, undefined);
+      const templates = await getTemplates(orgId);
       const filteredTemplates = templates.filter(
         (template) =>
           template.name.toLowerCase().includes(query.toLowerCase()) ||

From cdf29452b854b9b65590b998228b2b6d98fa3dd2 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Mon, 20 Nov 2023 08:54:06 -0600
Subject: [PATCH 13/15] add unit tests for agpl unsetting deprecated

---
 coderd/coderdtest/coderdtest.go          | 17 +++++++-
 coderd/database/dbauthz/accesscontrol.go | 24 ++++++++++-
 coderd/templates_test.go                 | 53 ++++++++++++++++++++++++
 3 files changed, 92 insertions(+), 2 deletions(-)

diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
index 0410985492780..9d0f499a70d63 100644
--- a/coderd/coderdtest/coderdtest.go
+++ b/coderd/coderdtest/coderdtest.go
@@ -614,6 +614,21 @@ func CreateAnotherUserMutators(t testing.TB, client *codersdk.Client, organizati
 	return createAnotherUserRetry(t, client, organizationID, 5, roles, mutators...)
 }
 
+// AuthzUserSubject does not include the user's groups.
+func AuthzUserSubject(user codersdk.User) rbac.Subject {
+	roles := make(rbac.RoleNames, 0, len(user.Roles))
+	for _, r := range user.Roles {
+		roles = append(roles, r.Name)
+	}
+
+	return rbac.Subject{
+		ID:     user.ID.String(),
+		Roles:  roles,
+		Groups: []string{},
+		Scope:  rbac.ScopeAll,
+	}
+}
+
 func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationID uuid.UUID, retries int, roles []string, mutators ...func(r *codersdk.CreateUserRequest)) (*codersdk.Client, codersdk.User) {
 	req := codersdk.CreateUserRequest{
 		Email:          namesgenerator.GetRandomName(10) + "@coder.com",
@@ -689,7 +704,7 @@ func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationI
 			siteRoles = append(siteRoles, r.Name)
 		}
 
-		_, err := client.UpdateUserRoles(context.Background(), user.ID.String(), codersdk.UpdateRoles{Roles: siteRoles})
+		user, err = client.UpdateUserRoles(context.Background(), user.ID.String(), codersdk.UpdateRoles{Roles: siteRoles})
 		require.NoError(t, err, "update site roles")
 
 		// Update org roles
diff --git a/coderd/database/dbauthz/accesscontrol.go b/coderd/database/dbauthz/accesscontrol.go
index 096676a43a1b5..0a9194c09a8a0 100644
--- a/coderd/database/dbauthz/accesscontrol.go
+++ b/coderd/database/dbauthz/accesscontrol.go
@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/google/uuid"
+	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/v2/coderd/database"
 )
@@ -42,6 +43,27 @@ func (AGPLTemplateAccessControlStore) GetTemplateAccessControl(t database.Templa
 	}
 }
 
-func (AGPLTemplateAccessControlStore) SetTemplateAccessControl(context.Context, database.Store, uuid.UUID, TemplateAccessControl) error {
+func (AGPLTemplateAccessControlStore) SetTemplateAccessControl(ctx context.Context, store database.Store, id uuid.UUID, opts TemplateAccessControl) error {
+	// AGPL is allowed to unset deprecated templates.
+	if opts.Deprecated == "" {
+		// This does require fetching again to ensure other fields are not
+		// changed.
+		tpl, err := store.GetTemplateByID(ctx, id)
+		if err != nil {
+			return xerrors.Errorf("get template: %w", err)
+		}
+
+		if tpl.Deprecated != "" {
+			err := store.UpdateTemplateAccessControlByID(ctx, database.UpdateTemplateAccessControlByIDParams{
+				ID:                   id,
+				RequireActiveVersion: tpl.RequireActiveVersion,
+				Deprecated:           opts.Deprecated,
+			})
+			if err != nil {
+				return xerrors.Errorf("update template access control: %w", err)
+			}
+		}
+	}
+
 	return nil
 }
diff --git a/coderd/templates_test.go b/coderd/templates_test.go
index 23c144278495e..f8bb4e29da5cc 100644
--- a/coderd/templates_test.go
+++ b/coderd/templates_test.go
@@ -16,7 +16,9 @@ import (
 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
+	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/schedule"
 	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/codersdk"
@@ -539,6 +541,43 @@ func TestPatchTemplateMeta(t *testing.T) {
 		assert.Empty(t, updated.DeprecationMessage)
 	})
 
+	// AGPL cannot deprecate, but it can be unset
+	t.Run("AGPL_Unset_Deprecated", func(t *testing.T) {
+		t.Parallel()
+
+		owner, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{IncludeProvisionerDaemon: false})
+		user := coderdtest.CreateFirstUser(t, owner)
+		client, tplAdmin := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID, rbac.RoleTemplateAdmin())
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		// nolint:gocritic // Setting up unit test data
+		err := db.UpdateTemplateAccessControlByID(dbauthz.As(ctx, coderdtest.AuthzUserSubject(tplAdmin)), database.UpdateTemplateAccessControlByIDParams{
+			ID:                   template.ID,
+			RequireActiveVersion: false,
+			Deprecated:           "Some deprecated message",
+		})
+		require.NoError(t, err)
+
+		// Check that it is deprecated
+		got, err := client.Template(ctx, template.ID)
+		require.NoError(t, err)
+		require.NotEmpty(t, got.DeprecationMessage, "template is deprecated to start")
+		require.True(t, got.Deprecated, "template is deprecated to start")
+
+		req := codersdk.UpdateTemplateMeta{
+			DeprecationMessage: ptr.Ref(""),
+		}
+
+		updated, err := client.UpdateTemplateMeta(ctx, template.ID, req)
+		require.NoError(t, err)
+		assert.Greater(t, updated.UpdatedAt, template.UpdatedAt)
+		assert.False(t, updated.Deprecated)
+		assert.Empty(t, updated.DeprecationMessage)
+	})
+
 	t.Run("NoDefaultTTL", func(t *testing.T) {
 		t.Parallel()
 
@@ -566,6 +605,8 @@ func TestPatchTemplateMeta(t *testing.T) {
 		require.NoError(t, err)
 		assert.Greater(t, updated.UpdatedAt, template.UpdatedAt)
 		assert.Equal(t, req.DefaultTTLMillis, updated.DefaultTTLMillis)
+		assert.Empty(t, updated.DeprecationMessage)
+		assert.False(t, updated.Deprecated)
 	})
 
 	t.Run("DefaultTTLTooLow", func(t *testing.T) {
@@ -592,6 +633,8 @@ func TestPatchTemplateMeta(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, updated.UpdatedAt, template.UpdatedAt)
 		assert.Equal(t, updated.DefaultTTLMillis, template.DefaultTTLMillis)
+		assert.Empty(t, updated.DeprecationMessage)
+		assert.False(t, updated.Deprecated)
 	})
 
 	t.Run("MaxTTL", func(t *testing.T) {
@@ -657,6 +700,8 @@ func TestPatchTemplateMeta(t *testing.T) {
 			require.EqualValues(t, 2, atomic.LoadInt64(&setCalled))
 			require.EqualValues(t, 0, got.DefaultTTLMillis)
 			require.Equal(t, maxTTL.Milliseconds(), got.MaxTTLMillis)
+			require.Empty(t, got.DeprecationMessage)
+			require.False(t, got.Deprecated)
 		})
 
 		t.Run("DefaultTTLBigger", func(t *testing.T) {
@@ -715,6 +760,8 @@ func TestPatchTemplateMeta(t *testing.T) {
 			require.NoError(t, err)
 			require.Equal(t, defaultTTL.Milliseconds(), got.DefaultTTLMillis)
 			require.Zero(t, got.MaxTTLMillis)
+			require.Empty(t, got.DeprecationMessage)
+			require.False(t, got.Deprecated)
 		})
 	})
 
@@ -808,6 +855,8 @@ func TestPatchTemplateMeta(t *testing.T) {
 			require.Zero(t, got.FailureTTLMillis)
 			require.Zero(t, got.TimeTilDormantMillis)
 			require.Zero(t, got.TimeTilDormantAutoDeleteMillis)
+			require.Empty(t, got.DeprecationMessage)
+			require.False(t, got.Deprecated)
 		})
 	})
 
@@ -1059,6 +1108,8 @@ func TestPatchTemplateMeta(t *testing.T) {
 			require.NoError(t, err)
 			require.Equal(t, []string{"friday", "saturday"}, template.AutostopRequirement.DaysOfWeek)
 			require.EqualValues(t, 2, template.AutostopRequirement.Weeks)
+			require.Empty(t, template.DeprecationMessage)
+			require.False(t, template.Deprecated)
 		})
 
 		t.Run("Unset", func(t *testing.T) {
@@ -1169,6 +1220,8 @@ func TestPatchTemplateMeta(t *testing.T) {
 			require.NoError(t, err)
 			require.Empty(t, template.AutostopRequirement.DaysOfWeek)
 			require.EqualValues(t, 1, template.AutostopRequirement.Weeks)
+			require.Empty(t, template.DeprecationMessage)
+			require.False(t, template.Deprecated)
 		})
 	})
 }

From 8db1dd6e82b37d509b9e4ab4fe50b3c0e5fd3158 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Mon, 20 Nov 2023 09:05:34 -0600
Subject: [PATCH 14/15] Add more enterprise test vectors

---
 enterprise/coderd/templates_test.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/enterprise/coderd/templates_test.go b/enterprise/coderd/templates_test.go
index 3268739f2560f..3c141542fdfc7 100644
--- a/enterprise/coderd/templates_test.go
+++ b/enterprise/coderd/templates_test.go
@@ -126,6 +126,18 @@ func TestTemplates(t *testing.T) {
 			Name:       "foobar",
 		})
 		require.ErrorContains(t, err, "deprecated")
+
+		// Unset deprecated and try again
+		updated, err = client.UpdateTemplateMeta(ctx, template.ID, codersdk.UpdateTemplateMeta{DeprecationMessage: ptr.Ref("")})
+		require.NoError(t, err)
+		assert.False(t, updated.Deprecated)
+		assert.Empty(t, updated.DeprecationMessage)
+
+		_, err = client.CreateWorkspace(ctx, user.OrganizationID, codersdk.Me, codersdk.CreateWorkspaceRequest{
+			TemplateID: template.ID,
+			Name:       "foobar",
+		})
+		require.NoError(t, err)
 	})
 
 	t.Run("BlockDisablingAutoOffWithMaxTTL", func(t *testing.T) {
@@ -232,6 +244,8 @@ func TestTemplates(t *testing.T) {
 		template, err = anotherClient.Template(ctx, template.ID)
 		require.NoError(t, err)
 		require.Equal(t, []string{"monday", "saturday"}, template.AutostartRequirement.DaysOfWeek)
+		require.Empty(t, template.DeprecationMessage)
+		require.False(t, template.Deprecated)
 	})
 
 	t.Run("SetInvalidAutostartRequirement", func(t *testing.T) {
@@ -265,6 +279,8 @@ func TestTemplates(t *testing.T) {
 			},
 		})
 		require.Error(t, err)
+		require.Empty(t, template.DeprecationMessage)
+		require.False(t, template.Deprecated)
 	})
 
 	t.Run("SetAutostopRequirement", func(t *testing.T) {
@@ -309,6 +325,8 @@ func TestTemplates(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, []string{"monday", "saturday"}, template.AutostopRequirement.DaysOfWeek)
 		require.EqualValues(t, 3, template.AutostopRequirement.Weeks)
+		require.Empty(t, template.DeprecationMessage)
+		require.False(t, template.Deprecated)
 	})
 
 	t.Run("CleanupTTLs", func(t *testing.T) {
@@ -666,6 +684,8 @@ func TestTemplates(t *testing.T) {
 		template, err = anotherClient.Template(ctx, template.ID)
 		require.NoError(t, err)
 		require.Equal(t, updatedTemplate, template)
+		require.Empty(t, template.DeprecationMessage)
+		require.False(t, template.Deprecated)
 	})
 }
 

From 0b1c72062f3f88c1e3e7b8bde1df386614cc13b2 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@coder.com>
Date: Mon, 20 Nov 2023 09:07:47 -0600
Subject: [PATCH 15/15] formatting

---
 site/src/api/api.ts               | 1 -
 site/src/api/queries/templates.ts | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/site/src/api/api.ts b/site/src/api/api.ts
index 18443a1a796d6..56c0fff1c1d6e 100644
--- a/site/src/api/api.ts
+++ b/site/src/api/api.ts
@@ -220,7 +220,6 @@ export const getTemplate = async (
   return response.data;
 };
 
-
 export interface TemplateOptions {
   readonly deprecated?: boolean;
 }
diff --git a/site/src/api/queries/templates.ts b/site/src/api/queries/templates.ts
index 7efb13ec60a71..9fce3909c229c 100644
--- a/site/src/api/queries/templates.ts
+++ b/site/src/api/queries/templates.ts
@@ -42,7 +42,7 @@ const getTemplatesQueryKey = (orgId: string, deprecated?: boolean) => [
 export const templates = (orgId: string, deprecated?: boolean) => {
   return {
     queryKey: getTemplatesQueryKey(orgId, deprecated),
-    queryFn: () => API.getTemplates(orgId, {deprecated}),
+    queryFn: () => API.getTemplates(orgId, { deprecated }),
   };
 };