coder · dannykopping · May 14, 2025 · Apr 25, 2025 · Apr 25, 2025 · Apr 25, 2025
diff --git a/cli/testdata/coder_provisioner_list_--output_json.golden b/cli/testdata/coder_provisioner_list_--output_json.golden
@@ -7,7 +7,7 @@
     "last_seen_at": "====[timestamp]=====",
     "name": "test",
     "version": "v0.0.0-devel",
-    "api_version": "1.4",
+    "api_version": "1.5",
     "provisioners": [
       "echo"
     ],

diff --git a/coderd/prebuilds/api.go b/coderd/prebuilds/api.go
@@ -32,7 +32,7 @@ type ReconciliationOrchestrator interface {
 	// TrackResourceReplacement handles a pathological situation whereby a terraform resource is replaced due to drift,
 	// which can obviate the whole point of pre-provisioning a prebuilt workspace.
 	// See more detail at https://coder.com/docs/admin/templates/extending-templates/prebuilt-workspaces.md#preventing-resource-replacement.
-	TrackResourceReplacement(ctx context.Context, workspaceID, buildID, claimantID uuid.UUID, replacements []*sdkproto.ResourceReplacement)
+	TrackResourceReplacement(ctx context.Context, workspaceID, buildID uuid.UUID, replacements []*sdkproto.ResourceReplacement)
 }
 
 type Reconciler interface {

diff --git a/coderd/prebuilds/noop.go b/coderd/prebuilds/noop.go
@@ -13,7 +13,7 @@ type NoopReconciler struct{}
 
 func (NoopReconciler) Run(context.Context)         {}
 func (NoopReconciler) Stop(context.Context, error) {}
-func (NoopReconciler) TrackResourceReplacement(context.Context, uuid.UUID, uuid.UUID, uuid.UUID, []*sdkproto.ResourceReplacement) {
+func (NoopReconciler) TrackResourceReplacement(context.Context, uuid.UUID, uuid.UUID, []*sdkproto.ResourceReplacement) {
 }
 func (NoopReconciler) ReconcileAll(context.Context) error { return nil }
 func (NoopReconciler) SnapshotState(context.Context, database.Store) (*GlobalSnapshot, error) {

diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
@@ -620,11 +620,6 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 			}
 		}
 
-		var prebuildClaimedForUserID string
-		if input.PrebuildClaimedByUser != uuid.Nil {
-			prebuildClaimedForUserID = input.PrebuildClaimedByUser.String()
-		}
-
 		protoJob.Type = &proto.AcquiredJob_WorkspaceBuild_{
 			WorkspaceBuild: &proto.AcquiredJob_WorkspaceBuild{
 				WorkspaceBuildId:      workspaceBuild.ID.String(),
@@ -654,7 +649,7 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 					WorkspaceOwnerLoginType:       string(owner.LoginType),
 					WorkspaceOwnerRbacRoles:       ownerRbacRoles,
 					IsPrebuild:                    input.IsPrebuild,
-					PrebuildClaimForUserId:        prebuildClaimedForUserID,
+					IsPrebuildClaim:               input.IsPrebuildClaim,
 				},
 				LogLevel: input.LogLevel,
 			},
@@ -1736,7 +1731,7 @@ func (s *server) CompleteJob(ctx context.Context, completed *proto.CompletedJob)
 			orchestrator := s.PrebuildsOrchestrator.Load()
 			if resourceReplacements := completed.GetWorkspaceBuild().GetResourceReplacements(); orchestrator != nil && len(resourceReplacements) > 0 {
 				// Fire and forget.
-				go (*orchestrator).TrackResourceReplacement(context.Background(), workspace.ID, workspaceBuild.ID, input.PrebuildClaimedByUser, resourceReplacements)
+				go (*orchestrator).TrackResourceReplacement(context.Background(), workspace.ID, workspaceBuild.ID, resourceReplacements)
 			}
 		}
 
@@ -2489,11 +2484,11 @@ type TemplateVersionImportJob struct {
 
 // WorkspaceProvisionJob is the payload for the "workspace_provision" job type.
 type WorkspaceProvisionJob struct {
-	WorkspaceBuildID      uuid.UUID `json:"workspace_build_id"`
-	DryRun                bool      `json:"dry_run"`
-	IsPrebuild            bool      `json:"is_prebuild,omitempty"`
-	PrebuildClaimedByUser uuid.UUID `json:"prebuild_claimed_by,omitempty"`
-	LogLevel              string    `json:"log_level,omitempty"`
+	WorkspaceBuildID uuid.UUID `json:"workspace_build_id"`
+	DryRun           bool      `json:"dry_run"`
+	IsPrebuild       bool      `json:"is_prebuild,omitempty"`
+	IsPrebuildClaim  bool      `json:"is_prebuild_claim,omitempty"`
+	LogLevel         string    `json:"log_level,omitempty"`
 }
 
 // TemplateVersionDryRunJob is the payload for the "template_version_dry_run" job type.

diff --git a/coderd/provisionerdserver/provisionerdserver_test.go b/coderd/provisionerdserver/provisionerdserver_test.go
@@ -1798,9 +1798,9 @@ func TestCompleteJob(t *testing.T) {
 			Input: must(json.Marshal(provisionerdserver.WorkspaceProvisionJob{
 				WorkspaceBuildID: build.ID,
 
+				IsPrebuild: false,
 				// Mark the job as a prebuilt workspace claim.
-				PrebuildClaimedByUser: uuid.New(),
-				IsPrebuild:            false,
+				IsPrebuildClaim: true,
 			})),
 			OrganizationID: pd.OrganizationID,
 		})
@@ -1847,7 +1847,7 @@ type mockPrebuildsOrchestrator struct {
 	done         chan struct{}
 }
 
-func (m *mockPrebuildsOrchestrator) TrackResourceReplacement(_ context.Context, _, _, _ uuid.UUID, replacements []*sdkproto.ResourceReplacement) {
+func (m *mockPrebuildsOrchestrator) TrackResourceReplacement(_ context.Context, _, _ uuid.UUID, replacements []*sdkproto.ResourceReplacement) {
 	m.replacements = replacements
 	m.done <- struct{}{}
 }

diff --git a/coderd/workspaces.go b/coderd/workspaces.go
@@ -713,7 +713,7 @@ func createWorkspace(
 			builder = builder.TemplateVersionPresetID(req.TemplateVersionPresetID)
 		}
 		if claimedWorkspace != nil {
-			builder = builder.MarkPrebuildClaimedBy(owner.ID)
+			builder = builder.MarkPrebuildClaim()
 		}
 
 		if req.EnableDynamicParameters && api.Experiments.Enabled(codersdk.ExperimentDynamicParameters) {

diff --git a/coderd/wsbuilder/wsbuilder.go b/coderd/wsbuilder/wsbuilder.go
@@ -76,8 +76,7 @@ type Builder struct {
 	parameterValues                      *[]string
 	templateVersionPresetParameterValues []database.TemplateVersionPresetParameter
 
-	prebuild          bool
-	prebuildClaimedBy uuid.UUID
+	prebuild, prebuildClaim bool
 
 	verifyNoLegacyParametersOnce bool
 }
@@ -174,15 +173,17 @@ func (b Builder) RichParameterValues(p []codersdk.WorkspaceBuildParameter) Build
 	return b
 }
 
+// MarkPrebuild indicates that a prebuilt workspace is being built.
 func (b Builder) MarkPrebuild() Builder {
 	// nolint: revive
 	b.prebuild = true
 	return b
 }
 
-func (b Builder) MarkPrebuildClaimedBy(userID uuid.UUID) Builder {
+// MarkPrebuildClaim indicates that a prebuilt workspace is being claimed.
+func (b Builder) MarkPrebuildClaim() Builder {
 	// nolint: revive
-	b.prebuildClaimedBy = userID
+	b.prebuildClaim = true
 	return b
 }
 
@@ -322,10 +323,10 @@ func (b *Builder) buildTx(authFunc func(action policy.Action, object rbac.Object
 
 	workspaceBuildID := uuid.New()
 	input, err := json.Marshal(provisionerdserver.WorkspaceProvisionJob{
-		WorkspaceBuildID:      workspaceBuildID,
-		LogLevel:              b.logLevel,
-		IsPrebuild:            b.prebuild,
-		PrebuildClaimedByUser: b.prebuildClaimedBy,
+		WorkspaceBuildID: workspaceBuildID,
+		LogLevel:         b.logLevel,
+		IsPrebuild:       b.prebuild,
+		IsPrebuildClaim:  b.prebuildClaim,
 	})
 	if err != nil {
 		return nil, nil, nil, BuildError{

diff --git a/enterprise/coderd/prebuilds/reconcile.go b/enterprise/coderd/prebuilds/reconcile.go
@@ -630,21 +630,21 @@ func (c *StoreReconciler) provision(
 	return nil
 }
 
-func (c *StoreReconciler) TrackResourceReplacement(ctx context.Context, workspaceID, buildID, claimantID uuid.UUID, replacements []*sdkproto.ResourceReplacement) {
+func (c *StoreReconciler) TrackResourceReplacement(ctx context.Context, workspaceID, buildID uuid.UUID, replacements []*sdkproto.ResourceReplacement) {
 	// Set authorization context since this may be called in the background (i.e. with a bare context).
 	// nolint:gocritic // Necessary to query all the required data.
 	ctx = dbauthz.AsSystemRestricted(ctx)
 	// Since this may be called in a fire-and-forget fashion, we need to give up at some point.
 	trackCtx, trackCancel := context.WithTimeout(ctx, time.Minute)
 	defer trackCancel()
 
-	if err := c.trackResourceReplacement(trackCtx, workspaceID, buildID, claimantID, replacements); err != nil {
+	if err := c.trackResourceReplacement(trackCtx, workspaceID, buildID, replacements); err != nil {
 		c.logger.Error(ctx, "failed to track resource replacement", slog.Error(err))
 	}
 }
 
 // nolint:revive // Shut up it's fine.
-func (c *StoreReconciler) trackResourceReplacement(ctx context.Context, workspaceID, buildID, claimantID uuid.UUID, replacements []*sdkproto.ResourceReplacement) error {
+func (c *StoreReconciler) trackResourceReplacement(ctx context.Context, workspaceID, buildID uuid.UUID, replacements []*sdkproto.ResourceReplacement) error {
 	if err := ctx.Err(); err != nil {
 		return err
 	}
@@ -677,9 +677,9 @@ func (c *StoreReconciler) trackResourceReplacement(ctx context.Context, workspac
 		return xerrors.Errorf("fetch template preset for template version ID %q: %w", prebuild.TemplateVersionID.String(), err)
 	}
 
-	claimant, err := c.store.GetUserByID(ctx, claimantID)
+	claimant, err := c.store.GetUserByID(ctx, workspace.OwnerID) // At this point, the workspace is owned by the new owner.
 	if err != nil {
-		return xerrors.Errorf("fetch claimant %q: %w", claimantID.String(), err)
+		return xerrors.Errorf("fetch claimant %q: %w", workspace.OwnerID.String(), err)
 	}
 
 	// Use the claiming build here (not prebuild) because both should be equivalent, and we might as well spot inconsistencies now.

diff --git a/enterprise/coderd/prebuilds/reconcile_test.go b/enterprise/coderd/prebuilds/reconcile_test.go
@@ -979,7 +979,7 @@ func TestTrackResourceReplacement(t *testing.T) {
 	}))
 
 	// When: a claim occurred and resource replacements are detected (_how_ is out of scope of this test).
-	reconciler.TrackResourceReplacement(ctx, prebuiltWorkspace.ID, prebuild.ID, userID, []*sdkproto.ResourceReplacement{
+	reconciler.TrackResourceReplacement(ctx, prebuiltWorkspace.ID, prebuild.ID, []*sdkproto.ResourceReplacement{
 		{
 			Resource: "docker_container[0]",
 			Paths:    []string{"env", "image"},

diff --git a/go.mod b/go.mod
@@ -101,7 +101,7 @@ require (
 	github.com/coder/quartz v0.1.3
 	github.com/coder/retry v1.5.1
 	github.com/coder/serpent v0.10.0
-	github.com/coder/terraform-provider-coder/v2 v2.4.0
+	github.com/coder/terraform-provider-coder/v2 v2.4.1
 	github.com/coder/websocket v1.8.13
 	github.com/coder/wgtunnel v0.1.13-0.20240522110300-ade90dfb2da0
 	github.com/coreos/go-oidc/v3 v3.14.1

diff --git a/go.sum b/go.sum
@@ -921,8 +921,8 @@ github.com/coder/tailscale v1.1.1-0.20250422090654-5090e715905e h1:nope/SZfoLB9M
 github.com/coder/tailscale v1.1.1-0.20250422090654-5090e715905e/go.mod h1:1ggFFdHTRjPRu9Yc1yA7nVHBYB50w9Ce7VIXNqcW6Ko=
 github.com/coder/terraform-config-inspect v0.0.0-20250107175719-6d06d90c630e h1:JNLPDi2P73laR1oAclY6jWzAbucf70ASAvf5mh2cME0=
 github.com/coder/terraform-config-inspect v0.0.0-20250107175719-6d06d90c630e/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI=
-github.com/coder/terraform-provider-coder/v2 v2.4.0 h1:uuFmF03IyahAZLXEukOdmvV9hGfUMJSESD8+G5wkTcM=
-github.com/coder/terraform-provider-coder/v2 v2.4.0/go.mod h1:2kaBpn5k9ZWtgKq5k4JbkVZG9DzEqR4mJSmpdshcO+s=
+github.com/coder/terraform-provider-coder/v2 v2.4.1 h1:+HxLJVENJ+kvGhibQ0jbr8Evi6M857d9691ytxNbv90=
+github.com/coder/terraform-provider-coder/v2 v2.4.1/go.mod h1:2kaBpn5k9ZWtgKq5k4JbkVZG9DzEqR4mJSmpdshcO+s=
 github.com/coder/trivy v0.0.0-20250409153844-e6b004bc465a h1:yryP7e+IQUAArlycH4hQrjXQ64eRNbxsV5/wuVXHgME=
 github.com/coder/trivy v0.0.0-20250409153844-e6b004bc465a/go.mod h1:dDvq9axp3kZsT63gY2Znd1iwzfqDq3kXbQnccIrjRYY=
 github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=

diff --git a/provisioner/terraform/executor.go b/provisioner/terraform/executor.go
@@ -315,7 +315,7 @@ func (e *executor) plan(ctx, killCtx context.Context, env, vars []string, logr l
 	// When a prebuild claim attempt is made, log a warning if a resource is due to be replaced, since this will obviate
 	// the point of prebuilding if the expensive resource is replaced once claimed!
 	var (
-		isPrebuildClaimAttempt = !destroy && metadata.GetPrebuildClaimForUserId() != ""
+		isPrebuildClaimAttempt = !destroy && metadata.GetIsPrebuildClaim()
 		resReps                []*proto.ResourceReplacement
 	)
 	if repsFromPlan := findResourceReplacements(plan); len(repsFromPlan) > 0 {

diff --git a/provisioner/terraform/provision.go b/provisioner/terraform/provision.go
@@ -270,6 +270,9 @@ func provisionEnv(
 	if metadata.GetIsPrebuild() {
 		env = append(env, provider.IsPrebuildEnvironmentVariable()+"=true")
 	}
+	if metadata.GetIsPrebuildClaim() {
+		env = append(env, provider.IsPrebuildClaimEnvironmentVariable()+"=true")
+	}
 
 	for key, value := range provisionersdk.AgentScriptEnv() {
 		env = append(env, key+"="+value)

diff --git a/provisioner/terraform/provision_test.go b/provisioner/terraform/provision_test.go
@@ -25,6 +25,7 @@ import (
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/slogtest"
+
 	"github.com/coder/coder/v2/codersdk/drpc"
 	"github.com/coder/coder/v2/provisioner/terraform"
 	"github.com/coder/coder/v2/provisionersdk"
@@ -977,7 +978,7 @@ func TestProvision(t *testing.T) {
 					required_providers {
 					  coder = {
 						source  = "coder/coder"
-						version = "2.3.0-pre2"
+						version = ">= 2.4.1"
 					  }
 					}
 				}
@@ -994,7 +995,8 @@ func TestProvision(t *testing.T) {
 			},
 			Request: &proto.PlanRequest{
 				Metadata: &proto.Metadata{
-					IsPrebuild: true,
+					IsPrebuild:      true,
+					IsPrebuildClaim: false,
 				},
 			},
 			Response: &proto.PlanComplete{
@@ -1008,6 +1010,45 @@ func TestProvision(t *testing.T) {
 				}},
 			},
 		},
+		{
+			Name: "is-prebuild-claim",
+			Files: map[string]string{
+				"main.tf": `terraform {
+					required_providers {
+					  coder = {
+						source  = "coder/coder"
+						version = ">= 2.4.1"
+					  }
+					}
+				}
+				data "coder_workspace" "me" {}
+				resource "null_resource" "example" {}
+				resource "coder_metadata" "example" {
+					resource_id = null_resource.example.id
+					item {
+						key = "is_prebuild_claim"
+						value = data.coder_workspace.me.is_prebuild_claim
+					}
+				}
+				`,
+			},
+			Request: &proto.PlanRequest{
+				Metadata: &proto.Metadata{
+					IsPrebuild:      false,
+					IsPrebuildClaim: true,
+				},
+			},
+			Response: &proto.PlanComplete{
+				Resources: []*proto.Resource{{
+					Name: "example",
+					Type: "null_resource",
+					Metadata: []*proto.Resource_Metadata{{
+						Key:   "is_prebuild_claim",
+						Value: "true",
+					}},
+				}},
+			},
+		},
 	}
 
 	// Remove unused cache dirs before running tests.

@@ -12,12 +12,17 @@ import "github.com/coder/coder/v2/apiversion"
 //
 // API v1.4:
 //   - Add new field named `devcontainers` in the Agent.
+//
+// API v1.5:
+//   - Add new field named `is_prebuild_claim` in the Metadata message.
 const (
 	CurrentMajor = 1
-	CurrentMinor = 4
+	CurrentMinor = 5
 )
 
 // CurrentVersion is the current provisionerd API version.
 // Breaking changes to the provisionerd API **MUST** increment
 // CurrentMajor above.
+// Non-breaking changes to the provisionerd API **MUST** increment
+// CurrentMinor above.
 var CurrentVersion = apiversion.New(CurrentMajor, CurrentMinor)
@@ -298,9 +298,9 @@ message Metadata {
     string workspace_build_id = 17;
     string workspace_owner_login_type =  18;
     repeated Role workspace_owner_rbac_roles = 19;
-    bool is_prebuild = 20;
-    string running_workspace_agent_token = 21;
-    string prebuild_claim_for_user_id = 22;
+    bool is_prebuild = 20;                     // Indicates that a prebuilt workspace is being built.
+    string running_workspace_agent_token = 21; // Preserves the running agent token of a prebuilt workspace so it can reinitialize.
+    bool is_prebuild_claim = 22;               // Indicates that a prebuilt workspace is being claimed.
 }
 
 // Config represents execution configuration shared by all subsequent requests in the Session