diff --git a/cli/server.go b/cli/server.go
index 2b3e78165c..89a10de73c 100644
--- a/cli/server.go
+++ b/cli/server.go
@@ -1183,6 +1183,12 @@ func newProvisionerDaemon(
 		return nil, xerrors.Errorf("mkdir %q: %w", cacheDir, err)
 	}
 
+	tfDir := filepath.Join(cacheDir, "terraform")
+	err = os.MkdirAll(tfDir, 0o700)
+	if err != nil {
+		return nil, xerrors.Errorf("mkdir terraform dir: %w", err)
+	}
+
 	tracer := coderAPI.TracerProvider.Tracer(tracing.TracerName)
 	terraformClient, terraformServer := provisionersdk.MemTransportPipe()
 	wg.Add(1)
@@ -1201,7 +1207,7 @@ func newProvisionerDaemon(
 			ServeOptions: &provisionersdk.ServeOptions{
 				Listener: terraformServer,
 			},
-			CachePath: cacheDir,
+			CachePath: tfDir,
 			Logger:    logger,
 			Tracer:    tracer,
 		})
@@ -1213,9 +1219,10 @@ func newProvisionerDaemon(
 		}
 	}()
 
-	tempDir, err := os.MkdirTemp("", "provisionerd")
+	workDir := filepath.Join(cacheDir, "work")
+	err = os.MkdirAll(workDir, 0o700)
 	if err != nil {
-		return nil, err
+		return nil, xerrors.Errorf("mkdir work dir: %w", err)
 	}
 
 	provisioners := provisionerd.Provisioners{
@@ -1259,7 +1266,7 @@ func newProvisionerDaemon(
 		UpdateInterval:      time.Second,
 		ForceCancelInterval: cfg.Provisioner.ForceCancelInterval.Value(),
 		Provisioners:        provisioners,
-		WorkDirectory:       tempDir,
+		WorkDirectory:       workDir,
 		TracerProvider:      coderAPI.TracerProvider,
 		Metrics:             &metrics,
 	}), nil