feat: Add external provisioner daemons (#4935)

* Start to port over provisioner daemons PR * Move to Enterprise * Begin adding tests for external registration * Move provisioner daemons query to enterprise * Move around provisioner daemons schema * Add tags to provisioner daemons * make gen * Add user local provisioner daemons * Add provisioner daemons * Add feature for external daemons * Add command to start a provisioner daemon * Add provisioner tags to template push and create * Rename migration files * Fix tests * Fix entitlements test * PR comments * Update migration * Fix FE types
2025-07-13 21:36:50 +00:00 · 2022-11-16 16:34:06 -06:00
parent 66d20cabac
commit b6703b11c6
51 changed files with 1095 additions and 372 deletions
--- a/enterprise/coderd/coderd.go
+++ b/enterprise/coderd/coderd.go
@ -90,7 +90,15 @@ func New(ctx context.Context, options *Options) (*API, error) {
 				r.Get("/", api.group)
 			})
 		})
-
+		r.Route("/organizations/{organization}/provisionerdaemons", func(r chi.Router) {
+			r.Use(
+				api.provisionerDaemonsEnabledMW,
+				apiKeyMiddleware,
+				httpmw.ExtractOrganizationParam(api.Database),
+			)
+			r.Get("/", api.provisionerDaemons)
+			r.Get("/serve", api.provisionerDaemonServe)
+		})
 		r.Route("/templates/{template}/acl", func(r chi.Router) {
 			r.Use(
 				api.templateRBACEnabledMW,
@ -100,7 +108,6 @@ func New(ctx context.Context, options *Options) (*API, error) {
 			r.Get("/", api.templateACL)
 			r.Patch("/", api.patchTemplateACL)
 		})
-
 		r.Route("/groups/{group}", func(r chi.Router) {
 			r.Use(
 				api.templateRBACEnabledMW,
@ -111,7 +118,6 @@ func New(ctx context.Context, options *Options) (*API, error) {
 			r.Patch("/", api.patchGroup)
 			r.Delete("/", api.deleteGroup)
 		})
-
 		r.Route("/workspace-quota", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
@ -222,12 +228,13 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 	defer api.entitlementsMu.Unlock()

 	entitlements, err := license.Entitlements(ctx, api.Database, api.Logger, len(api.replicaManager.All()), len(api.GitAuthConfigs), api.Keys, map[string]bool{
-		codersdk.FeatureAuditLog:         api.AuditLogging,
-		codersdk.FeatureBrowserOnly:      api.BrowserOnly,
-		codersdk.FeatureSCIM:             len(api.SCIMAPIKey) != 0,
-		codersdk.FeatureHighAvailability: api.DERPServerRelayAddress != "",
-		codersdk.FeatureMultipleGitAuth:  len(api.GitAuthConfigs) > 1,
-		codersdk.FeatureTemplateRBAC:     api.RBAC,
+		codersdk.FeatureAuditLog:                   api.AuditLogging,
+		codersdk.FeatureBrowserOnly:                api.BrowserOnly,
+		codersdk.FeatureSCIM:                       len(api.SCIMAPIKey) != 0,
+		codersdk.FeatureHighAvailability:           api.DERPServerRelayAddress != "",
+		codersdk.FeatureMultipleGitAuth:            len(api.GitAuthConfigs) > 1,
+		codersdk.FeatureTemplateRBAC:               api.RBAC,
+		codersdk.FeatureExternalProvisionerDaemons: true,
 	})
 	if err != nil {
 		return err
--- a/enterprise/coderd/coderd_test.go
+++ b/enterprise/coderd/coderd_test.go
@ -41,9 +41,10 @@ func TestEntitlements(t *testing.T) {
 		})
 		_ = coderdtest.CreateFirstUser(t, client)
 		coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
-			UserLimit:    100,
-			AuditLog:     true,
-			TemplateRBAC: true,
+			UserLimit:                  100,
+			AuditLog:                   true,
+			TemplateRBAC:               true,
+			ExternalProvisionerDaemons: true,
 		})
 		res, err := client.Entitlements(context.Background())
 		require.NoError(t, err)
--- a/enterprise/coderd/coderdenttest/coderdenttest.go
+++ b/enterprise/coderd/coderdenttest/coderdenttest.go
@ -99,19 +99,20 @@ func NewWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *c
 }

 type LicenseOptions struct {
-	AccountType      string
-	AccountID        string
-	Trial            bool
-	AllFeatures      bool
-	GraceAt          time.Time
-	ExpiresAt        time.Time
-	UserLimit        int64
-	AuditLog         bool
-	BrowserOnly      bool
-	SCIM             bool
-	TemplateRBAC     bool
-	HighAvailability bool
-	MultipleGitAuth  bool
+	AccountType                string
+	AccountID                  string
+	Trial                      bool
+	AllFeatures                bool
+	GraceAt                    time.Time
+	ExpiresAt                  time.Time
+	UserLimit                  int64
+	AuditLog                   bool
+	BrowserOnly                bool
+	SCIM                       bool
+	TemplateRBAC               bool
+	HighAvailability           bool
+	MultipleGitAuth            bool
+	ExternalProvisionerDaemons bool
 }

 // AddLicense generates a new license with the options provided and inserts it.
@ -158,6 +159,11 @@ func GenerateLicense(t *testing.T, options LicenseOptions) string {
 		multipleGitAuth = 1
 	}

+	externalProvisionerDaemons := int64(0)
+	if options.ExternalProvisionerDaemons {
+		externalProvisionerDaemons = 1
+	}
+
 	c := &license.Claims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    "test@testing.test",
@ -172,13 +178,14 @@ func GenerateLicense(t *testing.T, options LicenseOptions) string {
 		Version:        license.CurrentVersion,
 		AllFeatures:    options.AllFeatures,
 		Features: license.Features{
-			UserLimit:        options.UserLimit,
-			AuditLog:         auditLog,
-			BrowserOnly:      browserOnly,
-			SCIM:             scim,
-			HighAvailability: highAvailability,
-			TemplateRBAC:     rbacEnabled,
-			MultipleGitAuth:  multipleGitAuth,
+			UserLimit:                  options.UserLimit,
+			AuditLog:                   auditLog,
+			BrowserOnly:                browserOnly,
+			SCIM:                       scim,
+			HighAvailability:           highAvailability,
+			TemplateRBAC:               rbacEnabled,
+			MultipleGitAuth:            multipleGitAuth,
+			ExternalProvisionerDaemons: externalProvisionerDaemons,
 		},
 	}
 	tok := jwt.NewWithClaims(jwt.SigningMethodEdDSA, c)
--- a/enterprise/coderd/coderdenttest/coderdenttest_test.go
+++ b/enterprise/coderd/coderdenttest/coderdenttest_test.go
@ -33,7 +33,8 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 	ctx, _ := testutil.Context(t)
 	admin := coderdtest.CreateFirstUser(t, client)
 	license := coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
-		TemplateRBAC: true,
+		TemplateRBAC:               true,
+		ExternalProvisionerDaemons: true,
 	})
 	group, err := client.CreateGroup(ctx, admin.OrganizationID, codersdk.CreateGroupRequest{
 		Name: "testgroup",
@ -47,6 +48,8 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 	a.URLParams["{groupName}"] = group.Name

 	skipRoutes, assertRoute := coderdtest.AGPLRoutes(a)
+	skipRoutes["GET:/api/v2/organizations/{organization}/provisionerdaemons/serve"] = "This route checks for RBAC dependent on input parameters!"
+
 	assertRoute["GET:/api/v2/entitlements"] = coderdtest.RouteCheck{
 		NoAuthorize: true,
 	}
@ -84,6 +87,14 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		AssertAction: rbac.ActionRead,
 		AssertObject: groupObj,
 	}
+	assertRoute["GET:/api/v2/organizations/{organization}/provisionerdaemons"] = coderdtest.RouteCheck{
+		AssertAction: rbac.ActionRead,
+		AssertObject: rbac.ResourceProvisionerDaemon,
+	}
+	assertRoute["GET:/api/v2/organizations/{organization}/provisionerdaemons"] = coderdtest.RouteCheck{
+		AssertAction: rbac.ActionRead,
+		AssertObject: rbac.ResourceProvisionerDaemon,
+	}
 	assertRoute["GET:/api/v2/groups/{group}"] = coderdtest.RouteCheck{
 		AssertAction: rbac.ActionRead,
 		AssertObject: groupObj,
--- a/enterprise/coderd/license/license.go
+++ b/enterprise/coderd/license/license.go
@ -117,6 +117,12 @@ func Entitlements(
 				Enabled:     true,
 			}
 		}
+		if claims.Features.ExternalProvisionerDaemons > 0 {
+			entitlements.Features[codersdk.FeatureExternalProvisionerDaemons] = codersdk.Feature{
+				Entitlement: entitlement,
+				Enabled:     true,
+			}
+		}
 		if claims.AllFeatures {
 			allFeatures = true
 		}
@ -238,13 +244,14 @@ var (
 )

 type Features struct {
-	UserLimit        int64 `json:"user_limit"`
-	AuditLog         int64 `json:"audit_log"`
-	BrowserOnly      int64 `json:"browser_only"`
-	SCIM             int64 `json:"scim"`
-	TemplateRBAC     int64 `json:"template_rbac"`
-	HighAvailability int64 `json:"high_availability"`
-	MultipleGitAuth  int64 `json:"multiple_git_auth"`
+	UserLimit                  int64 `json:"user_limit"`
+	AuditLog                   int64 `json:"audit_log"`
+	BrowserOnly                int64 `json:"browser_only"`
+	SCIM                       int64 `json:"scim"`
+	TemplateRBAC               int64 `json:"template_rbac"`
+	HighAvailability           int64 `json:"high_availability"`
+	MultipleGitAuth            int64 `json:"multiple_git_auth"`
+	ExternalProvisionerDaemons int64 `json:"external_provisioner_daemons"`
 }

 type Claims struct {
--- a/enterprise/coderd/license/license_test.go
+++ b/enterprise/coderd/license/license_test.go
@ -20,12 +20,13 @@ import (
 func TestEntitlements(t *testing.T) {
 	t.Parallel()
 	all := map[string]bool{
-		codersdk.FeatureAuditLog:         true,
-		codersdk.FeatureBrowserOnly:      true,
-		codersdk.FeatureSCIM:             true,
-		codersdk.FeatureHighAvailability: true,
-		codersdk.FeatureTemplateRBAC:     true,
-		codersdk.FeatureMultipleGitAuth:  true,
+		codersdk.FeatureAuditLog:                   true,
+		codersdk.FeatureBrowserOnly:                true,
+		codersdk.FeatureSCIM:                       true,
+		codersdk.FeatureHighAvailability:           true,
+		codersdk.FeatureTemplateRBAC:               true,
+		codersdk.FeatureMultipleGitAuth:            true,
+		codersdk.FeatureExternalProvisionerDaemons: true,
 	}

 	t.Run("Defaults", func(t *testing.T) {
@ -61,13 +62,14 @@ func TestEntitlements(t *testing.T) {
 		db := databasefake.New()
 		db.InsertLicense(context.Background(), database.InsertLicenseParams{
 			JWT: coderdenttest.GenerateLicense(t, coderdenttest.LicenseOptions{
-				UserLimit:        100,
-				AuditLog:         true,
-				BrowserOnly:      true,
-				SCIM:             true,
-				HighAvailability: true,
-				TemplateRBAC:     true,
-				MultipleGitAuth:  true,
+				UserLimit:                  100,
+				AuditLog:                   true,
+				BrowserOnly:                true,
+				SCIM:                       true,
+				HighAvailability:           true,
+				TemplateRBAC:               true,
+				MultipleGitAuth:            true,
+				ExternalProvisionerDaemons: true,
 			}),
 			Exp: time.Now().Add(time.Hour),
 		})
@ -84,14 +86,15 @@ func TestEntitlements(t *testing.T) {
 		db := databasefake.New()
 		db.InsertLicense(context.Background(), database.InsertLicenseParams{
 			JWT: coderdenttest.GenerateLicense(t, coderdenttest.LicenseOptions{
-				UserLimit:        100,
-				AuditLog:         true,
-				BrowserOnly:      true,
-				SCIM:             true,
-				HighAvailability: true,
-				TemplateRBAC:     true,
-				GraceAt:          time.Now().Add(-time.Hour),
-				ExpiresAt:        time.Now().Add(time.Hour),
+				UserLimit:                  100,
+				AuditLog:                   true,
+				BrowserOnly:                true,
+				SCIM:                       true,
+				HighAvailability:           true,
+				TemplateRBAC:               true,
+				ExternalProvisionerDaemons: true,
+				GraceAt:                    time.Now().Add(-time.Hour),
+				ExpiresAt:                  time.Now().Add(time.Hour),
 			}),
 			Exp: time.Now().Add(time.Hour),
 		})
--- a/enterprise/coderd/licenses_test.go
+++ b/enterprise/coderd/licenses_test.go
@ -101,25 +101,27 @@ func TestGetLicense(t *testing.T) {
 		assert.Equal(t, int32(1), licenses[0].ID)
 		assert.Equal(t, "testing", licenses[0].Claims["account_id"])
 		assert.Equal(t, map[string]interface{}{
-			codersdk.FeatureUserLimit:        json.Number("0"),
-			codersdk.FeatureAuditLog:         json.Number("1"),
-			codersdk.FeatureSCIM:             json.Number("1"),
-			codersdk.FeatureBrowserOnly:      json.Number("1"),
-			codersdk.FeatureHighAvailability: json.Number("0"),
-			codersdk.FeatureTemplateRBAC:     json.Number("1"),
-			codersdk.FeatureMultipleGitAuth:  json.Number("0"),
+			codersdk.FeatureUserLimit:                  json.Number("0"),
+			codersdk.FeatureAuditLog:                   json.Number("1"),
+			codersdk.FeatureSCIM:                       json.Number("1"),
+			codersdk.FeatureBrowserOnly:                json.Number("1"),
+			codersdk.FeatureHighAvailability:           json.Number("0"),
+			codersdk.FeatureTemplateRBAC:               json.Number("1"),
+			codersdk.FeatureMultipleGitAuth:            json.Number("0"),
+			codersdk.FeatureExternalProvisionerDaemons: json.Number("0"),
 		}, licenses[0].Claims["features"])
 		assert.Equal(t, int32(2), licenses[1].ID)
 		assert.Equal(t, "testing2", licenses[1].Claims["account_id"])
 		assert.Equal(t, true, licenses[1].Claims["trial"])
 		assert.Equal(t, map[string]interface{}{
-			codersdk.FeatureUserLimit:        json.Number("200"),
-			codersdk.FeatureAuditLog:         json.Number("1"),
-			codersdk.FeatureSCIM:             json.Number("1"),
-			codersdk.FeatureBrowserOnly:      json.Number("1"),
-			codersdk.FeatureHighAvailability: json.Number("0"),
-			codersdk.FeatureTemplateRBAC:     json.Number("0"),
-			codersdk.FeatureMultipleGitAuth:  json.Number("0"),
+			codersdk.FeatureUserLimit:                  json.Number("200"),
+			codersdk.FeatureAuditLog:                   json.Number("1"),
+			codersdk.FeatureSCIM:                       json.Number("1"),
+			codersdk.FeatureBrowserOnly:                json.Number("1"),
+			codersdk.FeatureHighAvailability:           json.Number("0"),
+			codersdk.FeatureTemplateRBAC:               json.Number("0"),
+			codersdk.FeatureMultipleGitAuth:            json.Number("0"),
+			codersdk.FeatureExternalProvisionerDaemons: json.Number("0"),
 		}, licenses[1].Claims["features"])
 	})
 }
--- a/enterprise/coderd/provisionerdaemons.go
+++ b/enterprise/coderd/provisionerdaemons.go
@ -0,0 +1,245 @@
+package coderd
+
+import (
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+
+	"github.com/google/uuid"
+	"github.com/hashicorp/yamux"
+	"github.com/moby/moby/pkg/namesgenerator"
+	"golang.org/x/xerrors"
+	"nhooyr.io/websocket"
+	"storj.io/drpc/drpcmux"
+	"storj.io/drpc/drpcserver"
+
+	"cdr.dev/slog"
+
+	"github.com/coder/coder/coderd"
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/httpmw"
+	"github.com/coder/coder/coderd/provisionerdserver"
+	"github.com/coder/coder/coderd/rbac"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/provisionerd/proto"
+)
+
+func (api *API) provisionerDaemonsEnabledMW(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		api.entitlementsMu.RLock()
+		epd := api.entitlements.Features[codersdk.FeatureExternalProvisionerDaemons].Enabled
+		api.entitlementsMu.RUnlock()
+
+		if !epd {
+			httpapi.Write(r.Context(), rw, http.StatusForbidden, codersdk.Response{
+				Message: "External provisioner daemons is an Enterprise feature. Contact sales!",
+			})
+			return
+		}
+
+		next.ServeHTTP(rw, r)
+	})
+}
+
+func (api *API) provisionerDaemons(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	org := httpmw.OrganizationParam(r)
+	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceProvisionerDaemon.InOrg(org.ID)) {
+		httpapi.Forbidden(rw)
+		return
+	}
+	daemons, err := api.Database.GetProvisionerDaemons(ctx)
+	if errors.Is(err, sql.ErrNoRows) {
+		err = nil
+	}
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching provisioner daemons.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+	if daemons == nil {
+		daemons = []database.ProvisionerDaemon{}
+	}
+	daemons, err = coderd.AuthorizeFilter(api.AGPL.HTTPAuth, r, rbac.ActionRead, daemons)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching provisioner daemons.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+	apiDaemons := make([]codersdk.ProvisionerDaemon, 0)
+	for _, daemon := range daemons {
+		apiDaemons = append(apiDaemons, convertProvisionerDaemon(daemon))
+	}
+	httpapi.Write(ctx, rw, http.StatusOK, apiDaemons)
+}
+
+// Serves the provisioner daemon protobuf API over a WebSocket.
+func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request) {
+	tags := map[string]string{}
+	if r.URL.Query().Has("tag") {
+		for _, tag := range r.URL.Query()["tag"] {
+			parts := strings.SplitN(tag, "=", 2)
+			if len(parts) < 2 {
+				httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
+					Message: fmt.Sprintf("Invalid format for tag %q. Key and value must be separated with =.", tag),
+				})
+				return
+			}
+			tags[parts[0]] = parts[1]
+		}
+	}
+	if !r.URL.Query().Has("provisioner") {
+		httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
+			Message: "The provisioner query parameter must be specified.",
+		})
+		return
+	}
+
+	provisionersMap := map[codersdk.ProvisionerType]struct{}{}
+	for _, provisioner := range r.URL.Query()["provisioner"] {
+		switch provisioner {
+		case string(codersdk.ProvisionerTypeEcho):
+			provisionersMap[codersdk.ProvisionerTypeEcho] = struct{}{}
+		case string(codersdk.ProvisionerTypeTerraform):
+			provisionersMap[codersdk.ProvisionerTypeTerraform] = struct{}{}
+		default:
+			httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
+				Message: fmt.Sprintf("Unknown provisioner type %q", provisioner),
+			})
+			return
+		}
+	}
+
+	// Any authenticated user can create provisioner daemons scoped
+	// for jobs that they own, but only authorized users can create
+	// globally scoped provisioners that attach to all jobs.
+	apiKey := httpmw.APIKey(r)
+	tags = provisionerdserver.MutateTags(apiKey.UserID, tags)
+
+	if tags[provisionerdserver.TagScope] == provisionerdserver.ScopeOrganization {
+		if !api.AGPL.Authorize(r, rbac.ActionCreate, rbac.ResourceProvisionerDaemon) {
+			httpapi.Write(r.Context(), rw, http.StatusForbidden, codersdk.Response{
+				Message: "You aren't allowed to create provisioner daemons for the organization.",
+			})
+			return
+		}
+	}
+
+	provisioners := make([]database.ProvisionerType, 0)
+	for p := range provisionersMap {
+		switch p {
+		case codersdk.ProvisionerTypeTerraform:
+			provisioners = append(provisioners, database.ProvisionerTypeTerraform)
+		case codersdk.ProvisionerTypeEcho:
+			provisioners = append(provisioners, database.ProvisionerTypeEcho)
+		}
+	}
+
+	name := namesgenerator.GetRandomName(1)
+	daemon, err := api.Database.InsertProvisionerDaemon(r.Context(), database.InsertProvisionerDaemonParams{
+		ID:           uuid.New(),
+		CreatedAt:    database.Now(),
+		Name:         name,
+		Provisioners: provisioners,
+		Tags:         tags,
+	})
+	if err != nil {
+		httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error writing provisioner daemon.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	rawTags, err := json.Marshal(daemon.Tags)
+	if err != nil {
+		httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error marshaling daemon tags.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	api.AGPL.WebsocketWaitMutex.Lock()
+	api.AGPL.WebsocketWaitGroup.Add(1)
+	api.AGPL.WebsocketWaitMutex.Unlock()
+	defer api.AGPL.WebsocketWaitGroup.Done()
+
+	conn, err := websocket.Accept(rw, r, &websocket.AcceptOptions{
+		// Need to disable compression to avoid a data-race.
+		CompressionMode: websocket.CompressionDisabled,
+	})
+	if err != nil {
+		httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Internal error accepting websocket connection.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+	// Align with the frame size of yamux.
+	conn.SetReadLimit(256 * 1024)
+
+	// Multiplexes the incoming connection using yamux.
+	// This allows multiple function calls to occur over
+	// the same connection.
+	config := yamux.DefaultConfig()
+	config.LogOutput = io.Discard
+	session, err := yamux.Server(websocket.NetConn(r.Context(), conn, websocket.MessageBinary), config)
+	if err != nil {
+		_ = conn.Close(websocket.StatusInternalError, httpapi.WebsocketCloseSprintf("multiplex server: %s", err))
+		return
+	}
+	mux := drpcmux.New()
+	err = proto.DRPCRegisterProvisionerDaemon(mux, &provisionerdserver.Server{
+		AccessURL:    api.AccessURL,
+		ID:           daemon.ID,
+		Database:     api.Database,
+		Pubsub:       api.Pubsub,
+		Provisioners: daemon.Provisioners,
+		Telemetry:    api.Telemetry,
+		Logger:       api.Logger.Named(fmt.Sprintf("provisionerd-%s", daemon.Name)),
+		Tags:         rawTags,
+	})
+	if err != nil {
+		_ = conn.Close(websocket.StatusInternalError, httpapi.WebsocketCloseSprintf("drpc register provisioner daemon: %s", err))
+		return
+	}
+	server := drpcserver.NewWithOptions(mux, drpcserver.Options{
+		Log: func(err error) {
+			if xerrors.Is(err, io.EOF) {
+				return
+			}
+			api.Logger.Debug(r.Context(), "drpc server error", slog.Error(err))
+		},
+	})
+	err = server.Serve(r.Context(), session)
+	if err != nil && !xerrors.Is(err, io.EOF) {
+		api.Logger.Debug(r.Context(), "provisioner daemon disconnected", slog.Error(err))
+		_ = conn.Close(websocket.StatusInternalError, httpapi.WebsocketCloseSprintf("serve: %s", err))
+		return
+	}
+	_ = conn.Close(websocket.StatusGoingAway, "")
+}
+
+func convertProvisionerDaemon(daemon database.ProvisionerDaemon) codersdk.ProvisionerDaemon {
+	result := codersdk.ProvisionerDaemon{
+		ID:        daemon.ID,
+		CreatedAt: daemon.CreatedAt,
+		UpdatedAt: daemon.UpdatedAt,
+		Name:      daemon.Name,
+		Tags:      daemon.Tags,
+	}
+	for _, provisionerType := range daemon.Provisioners {
+		result.Provisioners = append(result.Provisioners, codersdk.ProvisionerType(provisionerType))
+	}
+	return result
+}
--- a/enterprise/coderd/provisionerdaemons_test.go
+++ b/enterprise/coderd/provisionerdaemons_test.go
@ -0,0 +1,139 @@
+package coderd_test
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/coderd/provisionerdserver"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/enterprise/coderd/coderdenttest"
+	"github.com/coder/coder/provisioner/echo"
+	"github.com/coder/coder/provisionersdk/proto"
+)
+
+func TestProvisionerDaemonServe(t *testing.T) {
+	t.Parallel()
+	t.Run("NoLicense", func(t *testing.T) {
+		t.Parallel()
+		client := coderdenttest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		_, err := client.ServeProvisionerDaemon(context.Background(), user.OrganizationID, []codersdk.ProvisionerType{
+			codersdk.ProvisionerTypeEcho,
+		}, map[string]string{})
+		require.Error(t, err)
+		var apiError *codersdk.Error
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+	})
+
+	t.Run("Organization", func(t *testing.T) {
+		t.Parallel()
+		client := coderdenttest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
+			ExternalProvisionerDaemons: true,
+		})
+		srv, err := client.ServeProvisionerDaemon(context.Background(), user.OrganizationID, []codersdk.ProvisionerType{
+			codersdk.ProvisionerTypeEcho,
+		}, map[string]string{})
+		require.NoError(t, err)
+		srv.DRPCConn().Close()
+	})
+
+	t.Run("OrganizationNoPerms", func(t *testing.T) {
+		t.Parallel()
+		client := coderdenttest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
+			ExternalProvisionerDaemons: true,
+		})
+		another := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
+		_, err := another.ServeProvisionerDaemon(context.Background(), user.OrganizationID, []codersdk.ProvisionerType{
+			codersdk.ProvisionerTypeEcho,
+		}, map[string]string{
+			provisionerdserver.TagScope: provisionerdserver.ScopeOrganization,
+		})
+		require.Error(t, err)
+		var apiError *codersdk.Error
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+	})
+
+	t.Run("UserLocal", func(t *testing.T) {
+		t.Parallel()
+		client := coderdenttest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
+			ExternalProvisionerDaemons: true,
+		})
+		closer := coderdtest.NewExternalProvisionerDaemon(t, client, user.OrganizationID, map[string]string{
+			provisionerdserver.TagScope: provisionerdserver.ScopeUser,
+		})
+		defer closer.Close()
+
+		authToken := uuid.NewString()
+		data, err := echo.Tar(&echo.Responses{
+			Parse: echo.ParseComplete,
+			ProvisionPlan: []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: []*proto.Resource{{
+							Name: "example",
+							Type: "aws_instance",
+							Agents: []*proto.Agent{{
+								Id:   uuid.NewString(),
+								Name: "example",
+							}},
+						}},
+					},
+				},
+			}},
+			ProvisionApply: []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: []*proto.Resource{{
+							Name: "example",
+							Type: "aws_instance",
+							Agents: []*proto.Agent{{
+								Id:   uuid.NewString(),
+								Name: "example",
+								Auth: &proto.Agent_Token{
+									Token: authToken,
+								},
+							}},
+						}},
+					},
+				},
+			}},
+		})
+		require.NoError(t, err)
+		file, err := client.Upload(context.Background(), codersdk.ContentTypeTar, data)
+		require.NoError(t, err)
+
+		version, err := client.CreateTemplateVersion(context.Background(), user.OrganizationID, codersdk.CreateTemplateVersionRequest{
+			Name:          "example",
+			StorageMethod: codersdk.ProvisionerStorageMethodFile,
+			FileID:        file.ID,
+			Provisioner:   codersdk.ProvisionerTypeEcho,
+			ProvisionerTags: map[string]string{
+				provisionerdserver.TagScope: provisionerdserver.ScopeUser,
+			},
+		})
+		require.NoError(t, err)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		another := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
+		_ = closer.Close()
+		closer = coderdtest.NewExternalProvisionerDaemon(t, another, user.OrganizationID, map[string]string{
+			provisionerdserver.TagScope: provisionerdserver.ScopeUser,
+		})
+		defer closer.Close()
+		workspace := coderdtest.CreateWorkspace(t, another, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+	})
+}