feat(provisioner): add support for workspace_owner_rbac_roles (#16407)

Part of https://github.com/coder/terraform-provider-coder/pull/330

Adds support for the coder_workspace_owner.rbac_roles attribute

coderd/provisionerdserver/provisionerdserver.go

@@ -594,6 +594,19 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 			})
 		}
 
+		roles, err := s.Database.GetAuthorizationUserRoles(ctx, owner.ID)
+		if err != nil {
+			return nil, failJob(fmt.Sprintf("get owner authorization roles: %s", err))
+		}
+		ownerRbacRoles := []*sdkproto.Role{}
+		for _, role := range roles.Roles {
+			if s.OrganizationID == uuid.Nil {
+				ownerRbacRoles = append(ownerRbacRoles, &sdkproto.Role{Name: role, OrgId: ""})
+				continue
+			}
+			ownerRbacRoles = append(ownerRbacRoles, &sdkproto.Role{Name: role, OrgId: s.OrganizationID.String()})
+		}
+
 		protoJob.Type = &proto.AcquiredJob_WorkspaceBuild_{
 			WorkspaceBuild: &proto.AcquiredJob_WorkspaceBuild{
 				WorkspaceBuildId:      workspaceBuild.ID.String(),
@@ -621,6 +634,7 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 					WorkspaceOwnerSshPrivateKey:   ownerSSHPrivateKey,
 					WorkspaceBuildId:              workspaceBuild.ID.String(),
 					WorkspaceOwnerLoginType:       string(owner.LoginType),
+					WorkspaceOwnerRbacRoles:       ownerRbacRoles,
 				},
 				LogLevel: input.LogLevel,
 			},

coderd/provisionerdserver/provisionerdserver_test.go

@@ -377,6 +377,7 @@ func TestAcquireJob(t *testing.T) {
 						WorkspaceOwnerSshPrivateKey:   sshKey.PrivateKey,
 						WorkspaceBuildId:              build.ID.String(),
 						WorkspaceOwnerLoginType:       string(user.LoginType),
+						WorkspaceOwnerRbacRoles:       []*sdkproto.Role{{Name: "member", OrgId: pd.OrganizationID.String()}},
 					},
 				},
 			})

provisioner/terraform/provision.go

@@ -242,6 +242,11 @@ func provisionEnv(
 		return nil, xerrors.Errorf("marshal owner groups: %w", err)
 	}
 
+	ownerRbacRoles, err := json.Marshal(metadata.GetWorkspaceOwnerRbacRoles())
+	if err != nil {
+		return nil, xerrors.Errorf("marshal owner rbac roles: %w", err)
+	}
+
 	env = append(env,
 		"CODER_AGENT_URL="+metadata.GetCoderUrl(),
 		"CODER_WORKSPACE_TRANSITION="+strings.ToLower(metadata.GetWorkspaceTransition().String()),
@@ -254,6 +259,7 @@ func provisionEnv(
 		"CODER_WORKSPACE_OWNER_SSH_PUBLIC_KEY="+metadata.GetWorkspaceOwnerSshPublicKey(),
 		"CODER_WORKSPACE_OWNER_SSH_PRIVATE_KEY="+metadata.GetWorkspaceOwnerSshPrivateKey(),
 		"CODER_WORKSPACE_OWNER_LOGIN_TYPE="+metadata.GetWorkspaceOwnerLoginType(),
+		"CODER_WORKSPACE_OWNER_RBAC_ROLES="+string(ownerRbacRoles),
 		"CODER_WORKSPACE_ID="+metadata.GetWorkspaceId(),
 		"CODER_WORKSPACE_OWNER_ID="+metadata.GetWorkspaceOwnerId(),
 		"CODER_WORKSPACE_OWNER_SESSION_TOKEN="+metadata.GetWorkspaceOwnerSessionToken(),

provisioner/terraform/provision_test.go

@@ -764,6 +764,53 @@ func TestProvision(t *testing.T) {
 				}},
 			},
 		},
+		{
+			Name:       "workspace-owner-rbac-roles",
+			SkipReason: "field will be added in provider version 2.2.0",
+			Files: map[string]string{
+				"main.tf": `terraform {
+					required_providers {
+					  coder = {
+						source  = "coder/coder"
+						version = "2.2.0"
+					  }
+					}
+				}
+
+				resource "null_resource" "example" {}
+				data "coder_workspace_owner" "me" {}
+				resource "coder_metadata" "example" {
+					resource_id = null_resource.example.id
+					item {
+						key = "rbac_roles_name"
+						value = data.coder_workspace_owner.me.rbac_roles[0].name
+					}
+					item {
+						key = "rbac_roles_org_id"
+						value = data.coder_workspace_owner.me.rbac_roles[0].org_id
+					}
+				}
+				`,
+			},
+			Request: &proto.PlanRequest{
+				Metadata: &proto.Metadata{
+					WorkspaceOwnerRbacRoles: []*proto.Role{{Name: "member", OrgId: ""}},
+				},
+			},
+			Response: &proto.PlanComplete{
+				Resources: []*proto.Resource{{
+					Name: "example",
+					Type: "null_resource",
+					Metadata: []*proto.Resource_Metadata{{
+						Key:   "rbac_roles_name",
+						Value: "member",
+					}, {
+						Key:   "rbac_roles_org_id",
+						Value: "",
+					}},
+				}},
+			},
+		},
 	}
 
 	for _, testCase := range testCases {

provisionersdk/proto/provisioner.proto

@@ -255,6 +255,11 @@ enum WorkspaceTransition {
     DESTROY = 2;
 }
 
+message Role {
+    string name = 1;
+    string org_id = 2;
+}
+
 // Metadata is information about a workspace used in the execution of a build
 message Metadata {
     string coder_url = 1;
@@ -275,6 +280,7 @@ message Metadata {
     string workspace_owner_ssh_private_key = 16;
     string workspace_build_id = 17;
     string workspace_owner_login_type =  18;
+    repeated Role workspace_owner_rbac_roles =  19;
 }
 
 // Config represents execution configuration shared by all subsequent requests in the Session

site/e2e/provisionerGenerated.ts

@@ -269,6 +269,11 @@ export interface Module {
   key: string;
 }
 
+export interface Role {
+  name: string;
+  orgId: string;
+}
+
 /** Metadata is information about a workspace used in the execution of a build */
 export interface Metadata {
   coderUrl: string;
@@ -289,6 +294,7 @@ export interface Metadata {
   workspaceOwnerSshPrivateKey: string;
   workspaceBuildId: string;
   workspaceOwnerLoginType: string;
+  workspaceOwnerRbacRoles: Role[];
 }
 
 /** Config represents execution configuration shared by all subsequent requests in the Session */
@@ -905,6 +911,18 @@ export const Module = {
   },
 };
 
+export const Role = {
+  encode(message: Role, writer: _m0.Writer = _m0.Writer.create()): _m0.Writer {
+    if (message.name !== "") {
+      writer.uint32(10).string(message.name);
+    }
+    if (message.orgId !== "") {
+      writer.uint32(18).string(message.orgId);
+    }
+    return writer;
+  },
+};
+
 export const Metadata = {
   encode(message: Metadata, writer: _m0.Writer = _m0.Writer.create()): _m0.Writer {
     if (message.coderUrl !== "") {
@@ -961,6 +979,9 @@ export const Metadata = {
     if (message.workspaceOwnerLoginType !== "") {
       writer.uint32(146).string(message.workspaceOwnerLoginType);
     }
+    for (const v of message.workspaceOwnerRbacRoles) {
+      Role.encode(v!, writer.uint32(154).fork()).ldelim();
+    }
     return writer;
   },
 };