feat: use preview to compute workspace tags from terraform (#18720)

If using dynamic parameters, workspace tags are extracted using
`coder/preview`.

coderd/dynamicparameters/render.go

@@ -243,7 +243,28 @@ func (r *dynamicRenderer) getWorkspaceOwnerData(ctx context.Context, ownerID uui
 		return nil // already fetched
 	}
 
-	user, err := r.db.GetUserByID(ctx, ownerID)
+	owner, err := WorkspaceOwner(ctx, r.db, r.data.templateVersion.OrganizationID, ownerID)
+	if err != nil {
+		return err
+	}
+
+	r.currentOwner = owner
+	return nil
+}
+
+func (r *dynamicRenderer) Close() {
+	r.once.Do(r.close)
+}
+
+func ProvisionerVersionSupportsDynamicParameters(version string) bool {
+	major, minor, err := apiversion.Parse(version)
+	// If the api version is not valid or less than 1.6, we need to use the static parameters
+	useStaticParams := err != nil || major < 1 || (major == 1 && minor < 6)
+	return !useStaticParams
+}
+
+func WorkspaceOwner(ctx context.Context, db database.Store, org uuid.UUID, ownerID uuid.UUID) (*previewtypes.WorkspaceOwner, error) {
+	user, err := db.GetUserByID(ctx, ownerID)
 	if err != nil {
 		// If the user failed to read, we also try to read the user from their
 		// organization member. You only need to be able to read the organization member
@@ -252,37 +273,37 @@ func (r *dynamicRenderer) getWorkspaceOwnerData(ctx context.Context, ownerID uui
 		// Only the terraform files can therefore leak more information than the
 		// caller should have access to. All this info should be public assuming you can
 		// read the user though.
-		mem, err := database.ExpectOne(r.db.OrganizationMembers(ctx, database.OrganizationMembersParams{
-			OrganizationID: r.data.templateVersion.OrganizationID,
+		mem, err := database.ExpectOne(db.OrganizationMembers(ctx, database.OrganizationMembersParams{
+			OrganizationID: org,
 			UserID:         ownerID,
 			IncludeSystem:  true,
 		}))
 		if err != nil {
-			return xerrors.Errorf("fetch user: %w", err)
+			return nil, xerrors.Errorf("fetch user: %w", err)
 		}
 
 		// Org member fetched, so use the provisioner context to fetch the user.
 		//nolint:gocritic // Has the correct permissions, and matches the provisioning flow.
-		user, err = r.db.GetUserByID(dbauthz.AsProvisionerd(ctx), mem.OrganizationMember.UserID)
+		user, err = db.GetUserByID(dbauthz.AsProvisionerd(ctx), mem.OrganizationMember.UserID)
 		if err != nil {
-			return xerrors.Errorf("fetch user: %w", err)
+			return nil, xerrors.Errorf("fetch user: %w", err)
 		}
 	}
 
 	// nolint:gocritic // This is kind of the wrong query to use here, but it
 	// matches how the provisioner currently works. We should figure out
 	// something that needs less escalation but has the correct behavior.
-	row, err := r.db.GetAuthorizationUserRoles(dbauthz.AsProvisionerd(ctx), ownerID)
+	row, err := db.GetAuthorizationUserRoles(dbauthz.AsProvisionerd(ctx), ownerID)
 	if err != nil {
-		return xerrors.Errorf("user roles: %w", err)
+		return nil, xerrors.Errorf("user roles: %w", err)
 	}
 	roles, err := row.RoleNames()
 	if err != nil {
-		return xerrors.Errorf("expand roles: %w", err)
+		return nil, xerrors.Errorf("expand roles: %w", err)
 	}
 	ownerRoles := make([]previewtypes.WorkspaceOwnerRBACRole, 0, len(roles))
 	for _, it := range roles {
-		if it.OrganizationID != uuid.Nil && it.OrganizationID != r.data.templateVersion.OrganizationID {
+		if it.OrganizationID != uuid.Nil && it.OrganizationID != org {
 			continue
 		}
 		var orgID string
@@ -298,28 +319,28 @@ func (r *dynamicRenderer) getWorkspaceOwnerData(ctx context.Context, ownerID uui
 	// The correct public key has to be sent. This will not be leaked
 	// unless the template leaks it.
 	// nolint:gocritic
-	key, err := r.db.GetGitSSHKey(dbauthz.AsProvisionerd(ctx), ownerID)
+	key, err := db.GetGitSSHKey(dbauthz.AsProvisionerd(ctx), ownerID)
 	if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
-		return xerrors.Errorf("ssh key: %w", err)
+		return nil, xerrors.Errorf("ssh key: %w", err)
 	}
 
 	// The groups need to be sent to preview. These groups are not exposed to the
 	// user, unless the template does it through the parameters. Regardless, we need
 	// the correct groups, and a user might not have read access.
 	// nolint:gocritic
-	groups, err := r.db.GetGroups(dbauthz.AsProvisionerd(ctx), database.GetGroupsParams{
-		OrganizationID: r.data.templateVersion.OrganizationID,
+	groups, err := db.GetGroups(dbauthz.AsProvisionerd(ctx), database.GetGroupsParams{
+		OrganizationID: org,
 		HasMemberID:    ownerID,
 	})
 	if err != nil {
-		return xerrors.Errorf("groups: %w", err)
+		return nil, xerrors.Errorf("groups: %w", err)
 	}
 	groupNames := make([]string, 0, len(groups))
 	for _, it := range groups {
 		groupNames = append(groupNames, it.Group.Name)
 	}
 
-	r.currentOwner = &previewtypes.WorkspaceOwner{
+	return &previewtypes.WorkspaceOwner{
 		ID:           user.ID.String(),
 		Name:         user.Username,
 		FullName:     user.Name,
@@ -328,17 +349,5 @@ func (r *dynamicRenderer) getWorkspaceOwnerData(ctx context.Context, ownerID uui
 		RBACRoles:    ownerRoles,
 		SSHPublicKey: key.PublicKey,
 		Groups:       groupNames,
-	}
-	return nil
-}
-
-func (r *dynamicRenderer) Close() {
-	r.once.Do(r.close)
-}
-
-func ProvisionerVersionSupportsDynamicParameters(version string) bool {
-	major, minor, err := apiversion.Parse(version)
-	// If the api version is not valid or less than 1.6, we need to use the static parameters
-	useStaticParams := err != nil || major < 1 || (major == 1 && minor < 6)
-	return !useStaticParams
+	}, nil
 }