From d6757a0396b8142374ca9462fd99931a3f3715cd Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Tue, 24 Jun 2025 06:55:21 -0500
Subject: [PATCH 1/2] chore: add permissions to autobuilder to run wsbuild
---
 coderd/database/dbauthz/dbauthz.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
index 50f175a69499d..12d5c0ba524ec 100644
--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -228,6 +228,8 @@ var (
 Identifier: rbac.RoleIdentifier{Name: "autostart"},
 DisplayName: "Autostart Daemon",
 Site: rbac.Permissions(map[string][]policy.Action{
+ rbac.ResourceOrganizationMember.Type: {policy.ActionRead},
+ rbac.ResourceFile.Type: {policy.ActionRead}, // Required to read terraform files
 rbac.ResourceNotificationMessage.Type: {policy.ActionCreate, policy.ActionRead},
 rbac.ResourceSystem.Type: {policy.WildcardSymbol},
 rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
From f691657821b06b69fdc91c34e993eaf14dd90d0f Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Tue, 24 Jun 2025 06:58:01 -0500
Subject: [PATCH 2/2] fix prebuilds too
---
 coderd/database/dbauthz/dbauthz.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
index 12d5c0ba524ec..4ac2a14516b0b 100644
--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -445,6 +445,7 @@ var (
 },
 // Should be able to add the prebuilds system user as a member to any organization that needs prebuilds.
 rbac.ResourceOrganizationMember.Type: {
+ policy.ActionRead,
 policy.ActionCreate,
 },
 // Needs to be able to assign roles to the system user in order to make it a member of an organization.
@@ -458,6 +459,10 @@ var (
 rbac.ResourceOrganization.Type: {
 policy.ActionRead,
 },
+ // Required to read the terraform files of a template
+ rbac.ResourceFile.Type: {
+ policy.ActionRead,
+ },
 }),
 },
 }),
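Review bot: The new `rbac.ResourceOrganizationMember.Type: {policy.ActionRead}` grant on the autostart subject has no justification comment, unlike the `rbac.ResourceFile` line next to it. The same gap appears in the second patch (hunk at -445), where `policy.ActionRead` is added under a comment that explains only the create action. In a site-wide permission map for a system subject, every grant should say which operation needs it, so a later least-privilege review can tell whether it is still required. I would add a trailing comment such as `// Required by wsbuild to read organization membership` once the author confirms which check needs it, and extend the prebuilds comment in the same way. The role definition starts and ends outside this hunk, so the full permission set is not visible here.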
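Review bot: The comment on the new `rbac.ResourceFile.Type` entry says the grant is for a template's terraform files, but the permission as written is `policy.ActionRead` on the whole file resource type. The comment therefore appears to understate what the prebuilds subject can now read; I am assuming `rbac.ResourceFile` covers every uploaded file, which should be confirmed. I would reword it to `// Required to read template files during wsbuild; grants read on all rbac.ResourceFile objects.` so the breadth is explicit. The enclosing permission map opens outside the hunk, so whether this grant is site- or organization-scoped cannot be told from here. Both patches touch only dbauthz.go per their diffstats, so a test that runs a workspace build as each subject would help pin the minimal permission set.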