feat(agent): add api_key_scope to control agent token permissions

Change-Id: I90dd87756b47b589bf0a363e22de70d2cffd44fa
Signed-off-by: Thomas Kosiewski <[email protected]>

Author: ThomasK33

.envrc

@@ -0,0 +1,7 @@
+if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
+  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
+fi
+
+nix_direnv_manual_reload
+
+use flake .

.gitignore

@@ -36,3 +36,6 @@ website/vendor
 
 # Binary
 terraform-provider-coder
+
+# direnv
+.direnv

docs/resources/agent.md

@@ -17,9 +17,10 @@ data "coder_workspace" "me" {
 }
 
 resource "coder_agent" "dev" {
-  os   = "linux"
-  arch = "amd64"
-  dir  = "/workspace"
+  os            = "linux"
+  arch          = "amd64"
+  dir           = "/workspace"
+  api_key_scope = "all"
   display_apps {
     vscode          = true
     vscode_insiders = false
@@ -71,6 +72,7 @@ resource "kubernetes_pod" "dev" {
 
 ### Optional
 
+- `api_key_scope` (String) Controls what API routes the agent token can access. Options: 'all' (full access) or 'no_user_data' (blocks /external-auth, /gitsshkey, and /gitauth routes)
 - `auth` (String) The authentication type the agent will use. Must be one of: `"token"`, `"google-instance-identity"`, `"aws-instance-identity"`, `"azure-instance-identity"`.
 - `connection_timeout` (Number) Time in seconds until the agent is marked as timed out when a connection with the server cannot be established. A value of zero never marks the agent as timed out.
 - `dir` (String) The starting directory when a user creates a shell session. Defaults to `"$HOME"`.

examples/resources/coder_agent/resource.tf

@@ -2,9 +2,10 @@ data "coder_workspace" "me" {
 }
 
 resource "coder_agent" "dev" {
-  os   = "linux"
-  arch = "amd64"
-  dir  = "/workspace"
+  os            = "linux"
+  arch          = "amd64"
+  dir           = "/workspace"
+  api_key_scope = "all"
   display_apps {
     vscode          = true
     vscode_insiders = false

flake.lock

@@ -2,11 +2,11 @@
   description = "Terraform provider for Coder";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
     flake-utils.url = "github:numtide/flake-utils";
   };
 
-  outputs = { self, nixpkgs, flake-utils, ... }:
+  outputs = { nixpkgs, flake-utils, ... }:
     flake-utils.lib.eachDefaultSystem (system:
       let
         pkgs = import nixpkgs {
@@ -21,7 +21,7 @@
           name = "devShell";
           buildInputs = with pkgs; [
             terraform
-            go_1_20
+            go_1_24
           ];
         };
       }

flake.nix

@@ -80,6 +80,17 @@ func agentResource() *schema.Resource {
 			return nil
 		},
 		Schema: map[string]*schema.Schema{
+			"api_key_scope": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Default:     "all",
+				ForceNew:    true,
+				Description: "Controls what API routes the agent token can access. Options: 'all' (full access) or 'no_user_data' (blocks /external-auth, /gitsshkey, and /gitauth routes)",
+				ValidateFunc: validation.StringInSlice([]string{
+					"all",
+					"no_user_data",
+				}, false),
+			},
 			"init_script": {
 				Type:        schema.TypeString,
 				Computed:    true,

provider/agent.go

@@ -709,5 +709,96 @@ func TestAgent_DisplayApps(t *testing.T) {
 			}},
 		})
 	})
+}
+
+// TestAgent_APIKeyScope tests valid states/transitions and invalid values for api_key_scope.
+func TestAgent_APIKeyScope(t *testing.T) {
+	t.Parallel()
+
+	t.Run("ValidTransitions", func(t *testing.T) {
+		t.Parallel()
+
+		resourceName := "coder_agent.test_scope_valid"
 
+		resource.Test(t, resource.TestCase{
+			ProviderFactories: coderFactory(),
+			IsUnitTest:        true,
+			Steps: []resource.TestStep{
+				// Step 1: Default value
+				{
+					Config: `
+						provider "coder" {
+							url = "https://example.com"
+						}
+						resource "coder_agent" "test_scope_valid" {
+							os   = "linux"
+							arch = "amd64"
+							# api_key_scope is omitted, should default to "default"
+						}
+					`,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr(resourceName, "api_key_scope", "all"),
+					),
+				},
+				// Step 2: Explicit "default"
+				{
+					Config: `
+						provider "coder" {
+							url = "https://example.com"
+						}
+						resource "coder_agent" "test_scope_valid" {
+							os              = "linux"
+							arch            = "amd64"
+							api_key_scope   = "all"
+						}
+					`,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr(resourceName, "api_key_scope", "all"),
+					),
+				},
+				// Step 3: Explicit "no_user_data"
+				{
+					Config: `
+						provider "coder" {
+							url = "https://example.com"
+						}
+						resource "coder_agent" "test_scope_valid" {
+							os              = "linux"
+							arch            = "amd64"
+							api_key_scope   = "no_user_data"
+						}
+					`,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr(resourceName, "api_key_scope", "no_user_data"),
+					),
+				},
+			},
+		})
+	})
+
+	t.Run("InvalidValue", func(t *testing.T) {
+		t.Parallel()
+
+		resource.Test(t, resource.TestCase{
+			ProviderFactories: coderFactory(),
+			IsUnitTest:        true,
+			Steps: []resource.TestStep{
+				// Step 1: Invalid value check
+				{
+					Config: `
+						provider "coder" {
+							url = "https://example.com"
+						}
+						resource "coder_agent" "test_scope_invalid" { // Use unique name
+							os              = "linux"
+							arch            = "amd64"
+							api_key_scope   = "invalid-scope"
+						}
+					`,
+					ExpectError: regexp.MustCompile(`expected api_key_scope to be one of \["all" "no_user_data"\], got invalid-scope`),
+					PlanOnly:    true,
+				},
+			},
+		})
+	})
 }