From c8b8cf4137e617d1c237df7b82ac3302ce15bfe4 Mon Sep 17 00:00:00 2001
From: Spike Curtis
Date: Wed, 2 Apr 2025 11:53:43 +0400
Subject: [PATCH] chore: deprecate and lint for ResourceSystem

---
 coderd/rbac/object_gen.go | 3 +++
 coderd/rbac/policy/policy.go | 6 ++++++
 scripts/typegen/rbacobject.gotmpl | 1 +
 3 files changed, 10 insertions(+)

diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
index f135f262deb97..7c0933c4241b0 100644
--- a/coderd/rbac/object_gen.go
+++ b/coderd/rbac/object_gen.go
@@ -242,6 +242,9 @@ var (
 	// - "ActionDelete" :: delete system resources
 	// - "ActionRead" :: view system resources
 	// - "ActionUpdate" :: update system resources
+	// DEPRECATED: New resources should be created for new things, rather than adding them to System, which has become
+	// an unmanaged collection of things that don't relate to one another. We can't effectively enforce
+	// least privilege access control when unrelated resources are grouped together.
 	ResourceSystem = Object{
 		Type: "system",
 	}
diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go
index 801bbfebf30a5..5b661243dc127 100644
--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -33,6 +33,8 @@ type PermissionDefinition struct {
 	// should represent. The key in the actions map is the verb to use
 	// in the rbac policy.
 	Actions map[Action]ActionDefinition
+	// Comment is additional text to include in the generated object comment.
+	Comment string
 }
 
 type ActionDefinition struct {
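Review bot: The doc comment on the new `Comment` field does not say that the value is spliced into generated Go source verbatim, which is what the template hunk in scripts/typegen/rbacobject.gotmpl does with `{{- .Comment }}` (the leading whitespace before it is trimmed). A value that lacks its own leading newline and a `//` prefix on every line would therefore break the generated file instead of producing a comment, as the value added for "system" later in this patch shows by carrying both. Suggest extending the field comment to `// Comment is additional text to include in the generated object comment. It is inserted verbatim after the action list, so it must begin with a newline and prefix every line with "//".` The PermissionDefinition struct begins outside the hunk.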
@@ -203,6 +205,10 @@ var RBACPermissions = map[string]PermissionDefinition{
 			ActionUpdate: actDef("update system resources"),
 			ActionDelete: actDef("delete system resources"),
 		},
+		Comment: `
+	// DEPRECATED: New resources should be created for new things, rather than adding them to System, which has become
+	// an unmanaged collection of things that don't relate to one another. We can't effectively enforce
+	// least privilege access control when unrelated resources are grouped together.`,
 	},
 	"api_key": {
 		Actions: map[Action]ActionDefinition{
diff --git a/scripts/typegen/rbacobject.gotmpl b/scripts/typegen/rbacobject.gotmpl
index 89bcbf1ee8d96..ee89a8801eaca 100644
--- a/scripts/typegen/rbacobject.gotmpl
+++ b/scripts/typegen/rbacobject.gotmpl
@@ -16,6 +16,7 @@ var (
 {{- range $action, $value := .Actions }}
 	// - "{{ actionEnum $action }}" :: {{ $value.Description }}
 {{- end }}
+	{{- .Comment }}
 	Resource{{ $Name }} = Object {
 		Type: "{{ $element.Type }}",
 	}
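Review bot: The deprecation text added to the "system" definition uses an all-caps `DEPRECATED:` and runs directly on from the action list, so the comment it generates on ResourceSystem in coderd/rbac/object_gen.go (the first hunk of this patch) is not in the form Go tooling recognises, which is a paragraph starting with `Deprecated:`; staticcheck and gopls will therefore not flag new uses of ResourceSystem, which is exactly what the notice wants to discourage from a least-privilege standpoint. Suggest opening the value with an empty `//` line to start a new paragraph and changing the first line to `// Deprecated: New resources should be created for new things, rather than adding them to System, which has become`. If the "lint" in the commit title is a separate custom check not included in this diff, following the standard convention still costs nothing and also covers editors. The RBACPermissions map literal starts and ends outside the hunk.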