From 08f0eaaf3b106b0594fbdddd9f5f7ee03fa51048 Mon Sep 17 00:00:00 2001
From: Garrett Delfosse <garrett@coder.com>
Date: Thu, 12 Dec 2024 09:28:49 -0500
Subject: [PATCH] feat: add new scaletest infrastructure (#15573)

Closes https://github.com/coder/internal/issues/148

This has been validated to have working proxies with the `small`
scenario.

- [x] multi-region gcp infrastructure
- [x] use cloudflare provider to automate dns entries
- [x]  automate proxy registration
- [x] multi-regional proxies
- [x] move scenarios into locals

This excludes the infrastructure for `cert-manager` and `otel-collector`
and those will be included in followup PRs.
---
 scaletest/terraform/action/cf_dns.tf          |   8 +
 .../terraform/action/coder_helm_values.tftpl  | 105 ++++++++++++
 scaletest/terraform/action/coder_proxies.tf   | 102 +++++++++++
 scaletest/terraform/action/coder_templates.tf | 160 ++++++++++++++++++
 scaletest/terraform/action/gcp_clusters.tf    | 146 ++++++++++++++++
 scaletest/terraform/action/gcp_db.tf          |  89 ++++++++++
 scaletest/terraform/action/gcp_project.tf     |  27 +++
 scaletest/terraform/action/gcp_vpc.tf         |  42 +++++
 scaletest/terraform/action/k8s_coder_asia.tf  | 104 ++++++++++++
 .../terraform/action/k8s_coder_europe.tf      | 104 ++++++++++++
 .../terraform/action/k8s_coder_primary.tf     | 124 ++++++++++++++
 scaletest/terraform/action/main.tf            | 123 ++++++++++++++
 scaletest/terraform/action/scenarios.tf       | 106 ++++++++++++
 scaletest/terraform/action/vars.tf            |  87 ++++++++++
 14 files changed, 1327 insertions(+)
 create mode 100644 scaletest/terraform/action/cf_dns.tf
 create mode 100644 scaletest/terraform/action/coder_helm_values.tftpl
 create mode 100644 scaletest/terraform/action/coder_proxies.tf
 create mode 100644 scaletest/terraform/action/coder_templates.tf
 create mode 100644 scaletest/terraform/action/gcp_clusters.tf
 create mode 100644 scaletest/terraform/action/gcp_db.tf
 create mode 100644 scaletest/terraform/action/gcp_project.tf
 create mode 100644 scaletest/terraform/action/gcp_vpc.tf
 create mode 100644 scaletest/terraform/action/k8s_coder_asia.tf
 create mode 100644 scaletest/terraform/action/k8s_coder_europe.tf
 create mode 100644 scaletest/terraform/action/k8s_coder_primary.tf
 create mode 100644 scaletest/terraform/action/main.tf
 create mode 100644 scaletest/terraform/action/scenarios.tf
 create mode 100644 scaletest/terraform/action/vars.tf

diff --git a/scaletest/terraform/action/cf_dns.tf b/scaletest/terraform/action/cf_dns.tf
new file mode 100644
index 0000000000..eaaff28ce0
--- /dev/null
+++ b/scaletest/terraform/action/cf_dns.tf
@@ -0,0 +1,8 @@
+resource "cloudflare_record" "coder" {
+  for_each = local.deployments
+  zone_id  = var.cloudflare_zone_id
+  name     = each.value.subdomain
+  content  = google_compute_address.coder[each.key].address
+  type     = "A"
+  ttl      = 3600
+}
diff --git a/scaletest/terraform/action/coder_helm_values.tftpl b/scaletest/terraform/action/coder_helm_values.tftpl
new file mode 100644
index 0000000000..7de0c598a1
--- /dev/null
+++ b/scaletest/terraform/action/coder_helm_values.tftpl
@@ -0,0 +1,105 @@
+coder:
+  workspaceProxy: ${workspace_proxy}
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: "cloud.google.com/gke-nodepool"
+            operator: "In"
+            values: ["${node_pool}"]
+    podAntiAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 1
+        podAffinityTerm:
+          topologyKey: "kubernetes.io/hostname"
+          labelSelector:
+            matchExpressions:
+            - key:      "app.kubernetes.io/instance"
+              operator: "In"
+              values:   ["${release_name}"]
+  env:
+    %{~ if workspace_proxy ~}
+    - name: "CODER_ACCESS_URL"
+      value: "${access_url}"
+    - name: CODER_PRIMARY_ACCESS_URL
+      value: "${primary_url}"
+    - name: CODER_PROXY_SESSION_TOKEN
+      valueFrom:
+        secretKeyRef:
+          key: token
+          name: "${proxy_token}"
+    %{~ endif ~}
+    %{~ if provisionerd ~}
+    - name: "CODER_URL"
+      value: "${access_url}"
+    - name: "CODER_PROVISIONERD_TAGS"
+      value: "scope=organization"
+    - name: "CODER_CONFIG_DIR"
+      value: "/tmp/config"
+    %{~ endif ~}
+    %{~ if !workspace_proxy && !provisionerd ~}
+    - name: "CODER_ACCESS_URL"
+      value: "${access_url}"
+    - name: "CODER_PG_CONNECTION_URL"
+      valueFrom:
+        secretKeyRef:
+          name: "${db_secret}"
+          key: url
+    - name: "CODER_PROVISIONER_DAEMONS"
+      value: "0"
+    - name: CODER_PROVISIONER_DAEMON_PSK
+      valueFrom:
+        secretKeyRef:
+          key: psk
+          name: "${provisionerd_psk}"
+    - name: "CODER_PROMETHEUS_COLLECT_AGENT_STATS"
+      value: "true"
+    - name: "CODER_PROMETHEUS_COLLECT_DB_METRICS"
+      value: "true"
+    - name: "CODER_PPROF_ENABLE"
+      value: "true"
+    %{~ endif ~}
+    - name: "CODER_CACHE_DIRECTORY"
+      value: "/tmp/coder"
+    - name: "CODER_TELEMETRY_ENABLE"
+      value: "false"
+    - name: "CODER_LOGGING_HUMAN"
+      value: "/dev/null"
+    - name: "CODER_LOGGING_STACKDRIVER"
+      value: "/dev/stderr"
+    - name: "CODER_PROMETHEUS_ENABLE"
+      value: "true"
+    - name: "CODER_VERBOSE"
+      value: "true"
+    - name: "CODER_EXPERIMENTS"
+      value: "${experiments}"
+    - name: "CODER_DANGEROUS_DISABLE_RATE_LIMITS"
+      value: "true"
+  image:
+    repo: ${image_repo}
+    tag: ${image_tag}
+  replicaCount: "${replicas}"
+  resources:
+    requests:
+      cpu: "${cpu_request}"
+      memory: "${mem_request}"
+    limits:
+      cpu: "${cpu_limit}"
+      memory: "${mem_limit}"
+  securityContext:
+    readOnlyRootFilesystem: true
+  %{~ if !provisionerd ~}
+  service:
+    enable: true
+    sessionAffinity: None
+    loadBalancerIP: "${ip_address}"
+  %{~ endif ~}
+  volumeMounts:
+  - mountPath: "/tmp"
+    name: cache
+    readOnly: false
+  volumes:
+  - emptyDir:
+      sizeLimit: 1024Mi
+    name: cache
diff --git a/scaletest/terraform/action/coder_proxies.tf b/scaletest/terraform/action/coder_proxies.tf
new file mode 100644
index 0000000000..6af3ef82bb
--- /dev/null
+++ b/scaletest/terraform/action/coder_proxies.tf
@@ -0,0 +1,102 @@
+data "http" "coder_healthy" {
+  url = local.deployments.primary.url
+  // Wait up to 5 minutes for DNS to propagate
+  retry {
+    attempts     = 30
+    min_delay_ms = 10000
+  }
+
+  lifecycle {
+    postcondition {
+      condition     = self.status_code == 200
+      error_message = "${self.url} returned an unhealthy status code"
+    }
+  }
+
+  depends_on = [helm_release.coder_primary, cloudflare_record.coder["primary"]]
+}
+
+resource "null_resource" "api_key" {
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = <<EOF
+set -e
+
+curl '${local.deployments.primary.url}/api/v2/users/first' \
+  --data-raw $'{"email":"${local.coder_admin_email}","password":"${local.coder_admin_password}","username":"${local.coder_admin_user}","name":"${local.coder_admin_full_name}","trial":false}' \
+  --insecure --silent --output /dev/null
+
+session_token=$(curl '${local.deployments.primary.url}/api/v2/users/login' \
+  --data-raw $'{"email":"${local.coder_admin_email}","password":"${local.coder_admin_password}"}' \
+  --insecure --silent | jq -r .session_token)
+
+echo -n $${session_token} > ${path.module}/.coderv2/session_token
+
+api_key=$(curl '${local.deployments.primary.url}/api/v2/users/me/keys/tokens' \
+  -H "Coder-Session-Token: $${session_token}" \
+  --data-raw '{"token_name":"terraform","scope":"all"}' \
+  --insecure --silent | jq -r .key)
+
+echo -n $${api_key} > ${path.module}/.coderv2/api_key
+EOF
+  }
+
+  depends_on = [data.http.coder_healthy]
+}
+
+data "local_file" "api_key" {
+  filename   = "${path.module}/.coderv2/api_key"
+  depends_on = [null_resource.api_key]
+}
+
+resource "null_resource" "license" {
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = <<EOF
+curl '${local.deployments.primary.url}/api/v2/licenses' \
+  -H "Coder-Session-Token: ${trimspace(data.local_file.api_key.content)}" \
+  --data-raw '{"license":"${var.coder_license}"}' \
+  --insecure --silent --output /dev/null
+EOF
+  }
+}
+
+resource "null_resource" "europe_proxy_token" {
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = <<EOF
+curl '${local.deployments.primary.url}/api/v2/workspaceproxies' \
+  -H "Coder-Session-Token: ${trimspace(data.local_file.api_key.content)}" \
+  --data-raw '{"name":"europe","display_name":"Europe","icon":"/emojis/1f950.png"}' \
+  --insecure --silent \
+  | jq -r .proxy_token > ${path.module}/.coderv2/europe_proxy_token
+EOF
+  }
+
+  depends_on = [null_resource.license]
+}
+
+data "local_file" "europe_proxy_token" {
+  filename   = "${path.module}/.coderv2/europe_proxy_token"
+  depends_on = [null_resource.europe_proxy_token]
+}
+
+resource "null_resource" "asia_proxy_token" {
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = <<EOF
+curl '${local.deployments.primary.url}/api/v2/workspaceproxies' \
+  -H "Coder-Session-Token: ${trimspace(data.local_file.api_key.content)}" \
+  --data-raw '{"name":"asia","display_name":"Asia","icon":"/emojis/1f35b.png"}' \
+  --insecure --silent \
+  | jq -r .proxy_token > ${path.module}/.coderv2/asia_proxy_token
+EOF
+  }
+
+  depends_on = [null_resource.license]
+}
+
+data "local_file" "asia_proxy_token" {
+  filename   = "${path.module}/.coderv2/asia_proxy_token"
+  depends_on = [null_resource.asia_proxy_token]
+}
diff --git a/scaletest/terraform/action/coder_templates.tf b/scaletest/terraform/action/coder_templates.tf
new file mode 100644
index 0000000000..c2334a488a
--- /dev/null
+++ b/scaletest/terraform/action/coder_templates.tf
@@ -0,0 +1,160 @@
+resource "local_file" "kubernetes_template" {
+  filename = "${path.module}/.coderv2/templates/kubernetes/main.tf"
+  content  = <<EOF
+    terraform {
+      required_providers {
+        coder = {
+          source  = "coder/coder"
+          version = "~> 0.23.0"
+        }
+        kubernetes = {
+          source  = "hashicorp/kubernetes"
+          version = "~> 2.30"
+        }
+      }
+    }
+
+    provider "coder" {}
+
+    provider "kubernetes" {
+      config_path = null # always use host
+    }
+
+    data "coder_workspace" "me" {}
+    data "coder_workspace_owner" "me" {}
+
+    resource "coder_agent" "main" {
+      os                     = "linux"
+      arch                   = "amd64"
+    }
+
+    resource "kubernetes_pod" "main" {
+      count = data.coder_workspace.me.start_count
+      metadata {
+        name      = "coder-$${lower(data.coder_workspace_owner.me.name)}-$${lower(data.coder_workspace.me.name)}"
+        namespace = "${local.coder_namespace}"
+        labels = {
+          "app.kubernetes.io/name"     = "coder-workspace"
+          "app.kubernetes.io/instance" = "coder-workspace-$${lower(data.coder_workspace_owner.me.name)}-$${lower(data.coder_workspace.me.name)}"
+        }
+      }
+      spec {
+        security_context {
+          run_as_user = "1000"
+          fs_group    = "1000"
+        }
+        container {
+          name              = "dev"
+          image             = "${var.workspace_image}"
+          image_pull_policy = "Always"
+          command           = ["sh", "-c", coder_agent.main.init_script]
+          security_context {
+            run_as_user = "1000"
+          }
+          env {
+            name  = "CODER_AGENT_TOKEN"
+            value = coder_agent.main.token
+          }
+          resources {
+            requests = {
+              "cpu"    = "${local.scenarios[var.scenario].workspaces.cpu_request}"
+              "memory" = "${local.scenarios[var.scenario].workspaces.mem_request}"
+            }
+            limits = {
+              "cpu"    = "${local.scenarios[var.scenario].workspaces.cpu_limit}"
+              "memory" = "${local.scenarios[var.scenario].workspaces.mem_limit}"
+            }
+          }
+        }
+
+        affinity {
+          node_affinity {
+            required_during_scheduling_ignored_during_execution {
+              node_selector_term {
+                match_expressions {
+                  key = "cloud.google.com/gke-nodepool"
+                  operator = "In"
+                  values = ["${google_container_node_pool.node_pool["primary_workspaces"].name}","${google_container_node_pool.node_pool["europe_workspaces"].name}","${google_container_node_pool.node_pool["asia_workspaces"].name}"]
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  EOF
+}
+
+resource "kubernetes_config_map" "template" {
+  provider = kubernetes.primary
+
+  metadata {
+    name      = "coder-template"
+    namespace = kubernetes_namespace.coder_primary.metadata.0.name
+  }
+
+  data = {
+    "main.tf" = local_file.kubernetes_template.content
+  }
+}
+
+resource "kubernetes_job" "push_template" {
+  provider = kubernetes.primary
+
+  metadata {
+    name      = "${var.name}-push-template"
+    namespace = kubernetes_namespace.coder_primary.metadata.0.name
+    labels = {
+      "app.kubernetes.io/name" = "${var.name}-push-template"
+    }
+  }
+  spec {
+    completions = 1
+    template {
+      metadata {}
+      spec {
+        affinity {
+          node_affinity {
+            required_during_scheduling_ignored_during_execution {
+              node_selector_term {
+                match_expressions {
+                  key      = "cloud.google.com/gke-nodepool"
+                  operator = "In"
+                  values   = ["${google_container_node_pool.node_pool["primary_misc"].name}"]
+                }
+              }
+            }
+          }
+        }
+        container {
+          name  = "cli"
+          image = "${var.coder_image_repo}:${var.coder_image_tag}"
+          command = [
+            "/opt/coder",
+            "--verbose",
+            "--url=${local.deployments.primary.url}",
+            "--token=${trimspace(data.local_file.api_key.content)}",
+            "templates",
+            "push",
+            "--directory=/home/coder/template",
+            "--yes",
+            "kubernetes"
+          ]
+          volume_mount {
+            name       = "coder-template"
+            mount_path = "/home/coder/template/main.tf"
+            sub_path   = "main.tf"
+          }
+        }
+        volume {
+          name = "coder-template"
+          config_map {
+            name = kubernetes_config_map.template.metadata.0.name
+          }
+        }
+        restart_policy = "Never"
+      }
+    }
+  }
+  wait_for_completion = true
+}
diff --git a/scaletest/terraform/action/gcp_clusters.tf b/scaletest/terraform/action/gcp_clusters.tf
new file mode 100644
index 0000000000..5ca3bac3f7
--- /dev/null
+++ b/scaletest/terraform/action/gcp_clusters.tf
@@ -0,0 +1,146 @@
+data "google_compute_default_service_account" "default" {
+  project    = var.project_id
+  depends_on = [google_project_service.api["compute.googleapis.com"]]
+}
+
+locals {
+  deployments = {
+    primary = {
+      subdomain = "${var.name}-scaletest"
+      url       = "http://${var.name}-scaletest.${var.cloudflare_domain}"
+      region    = "us-east1"
+      zone      = "us-east1-c"
+      cidr      = "10.200.0.0/24"
+    }
+    europe = {
+      subdomain = "${var.name}-europe-scaletest"
+      url       = "http://${var.name}-europe-scaletest.${var.cloudflare_domain}"
+      region    = "europe-west1"
+      zone      = "europe-west1-b"
+      cidr      = "10.201.0.0/24"
+    }
+    asia = {
+      subdomain = "${var.name}-asia-scaletest"
+      url       = "http://${var.name}-asia-scaletest.${var.cloudflare_domain}"
+      region    = "asia-southeast1"
+      zone      = "asia-southeast1-a"
+      cidr      = "10.202.0.0/24"
+    }
+  }
+  node_pools = {
+    primary_coder = {
+      name    = "coder"
+      cluster = "primary"
+    }
+    primary_workspaces = {
+      name    = "workspaces"
+      cluster = "primary"
+    }
+    primary_misc = {
+      name    = "misc"
+      cluster = "primary"
+    }
+    europe_coder = {
+      name    = "coder"
+      cluster = "europe"
+    }
+    europe_workspaces = {
+      name    = "workspaces"
+      cluster = "europe"
+    }
+    europe_misc = {
+      name    = "misc"
+      cluster = "europe"
+    }
+    asia_coder = {
+      name    = "coder"
+      cluster = "asia"
+    }
+    asia_workspaces = {
+      name    = "workspaces"
+      cluster = "asia"
+    }
+    asia_misc = {
+      name    = "misc"
+      cluster = "asia"
+    }
+  }
+}
+
+resource "google_container_cluster" "cluster" {
+  for_each                  = local.deployments
+  name                      = "${var.name}-${each.key}"
+  location                  = each.value.zone
+  project                   = var.project_id
+  network                   = google_compute_network.vpc.name
+  subnetwork                = google_compute_subnetwork.subnet[each.key].name
+  networking_mode           = "VPC_NATIVE"
+  default_max_pods_per_node = 256
+  ip_allocation_policy { # Required with networking_mode=VPC_NATIVE
+
+  }
+  release_channel {
+    # Setting release channel as STABLE can cause unexpected cluster upgrades.
+    channel = "UNSPECIFIED"
+  }
+  initial_node_count       = 1
+  remove_default_node_pool = true
+
+  network_policy {
+    enabled = true
+  }
+  depends_on = [
+    google_project_service.api["container.googleapis.com"]
+  ]
+  monitoring_config {
+    enable_components = ["SYSTEM_COMPONENTS"]
+    managed_prometheus {
+      enabled = false
+    }
+  }
+  workload_identity_config {
+    workload_pool = "${data.google_project.project.project_id}.svc.id.goog"
+  }
+
+
+  lifecycle {
+    ignore_changes = [
+      maintenance_policy,
+      release_channel,
+      remove_default_node_pool
+    ]
+  }
+}
+
+resource "google_container_node_pool" "node_pool" {
+  for_each   = local.node_pools
+  name       = each.value.name
+  location   = local.deployments[each.value.cluster].zone
+  project    = var.project_id
+  cluster    = google_container_cluster.cluster[each.value.cluster].name
+  node_count = local.scenarios[var.scenario][each.value.name].nodepool_size
+  node_config {
+    oauth_scopes = [
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+      "https://www.googleapis.com/auth/trace.append",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/service.management.readonly",
+      "https://www.googleapis.com/auth/servicecontrol",
+    ]
+    disk_size_gb    = 100
+    machine_type    = local.scenarios[var.scenario][each.value.name].machine_type
+    image_type      = "cos_containerd"
+    service_account = data.google_compute_default_service_account.default.email
+    tags            = ["gke-node", "${var.project_id}-gke"]
+    labels = {
+      env = var.project_id
+    }
+    metadata = {
+      disable-legacy-endpoints = "true"
+    }
+  }
+  lifecycle {
+    ignore_changes = [management[0].auto_repair, management[0].auto_upgrade, timeouts]
+  }
+}
diff --git a/scaletest/terraform/action/gcp_db.tf b/scaletest/terraform/action/gcp_db.tf
new file mode 100644
index 0000000000..0443fa771f
--- /dev/null
+++ b/scaletest/terraform/action/gcp_db.tf
@@ -0,0 +1,89 @@
+resource "google_sql_database_instance" "db" {
+  name                = "${var.name}-coder"
+  project             = var.project_id
+  region              = local.deployments.primary.region
+  database_version    = "POSTGRES_14"
+  deletion_protection = false
+
+  depends_on = [google_service_networking_connection.private_vpc_connection]
+
+  settings {
+    tier              = local.scenarios[var.scenario].cloudsql.tier
+    activation_policy = "ALWAYS"
+    availability_type = "ZONAL"
+
+    location_preference {
+      zone = local.deployments.primary.zone
+    }
+
+    database_flags {
+      name  = "max_connections"
+      value = local.scenarios[var.scenario].cloudsql.max_connections
+    }
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = google_compute_network.vpc.id
+    }
+
+    insights_config {
+      query_insights_enabled  = true
+      query_string_length     = 1024
+      record_application_tags = false
+      record_client_address   = false
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [deletion_protection, timeouts]
+  }
+}
+
+resource "google_sql_database" "coder" {
+  project  = var.project_id
+  instance = google_sql_database_instance.db.id
+  name     = "${var.name}-coder"
+  # required for postgres, otherwise db fails to delete
+  deletion_policy = "ABANDON"
+  lifecycle {
+    ignore_changes = [deletion_policy]
+  }
+}
+
+resource "random_password" "coder_postgres_password" {
+  length = 12
+}
+
+resource "random_password" "prometheus_postgres_password" {
+  length = 12
+}
+
+resource "google_sql_user" "coder" {
+  project  = var.project_id
+  instance = google_sql_database_instance.db.id
+  name     = "${var.name}-coder"
+  type     = "BUILT_IN"
+  password = random_password.coder_postgres_password.result
+  # required for postgres, otherwise user fails to delete
+  deletion_policy = "ABANDON"
+  lifecycle {
+    ignore_changes = [deletion_policy, password]
+  }
+}
+
+resource "google_sql_user" "prometheus" {
+  project  = var.project_id
+  instance = google_sql_database_instance.db.id
+  name     = "${var.name}-prometheus"
+  type     = "BUILT_IN"
+  password = random_password.prometheus_postgres_password.result
+  # required for postgres, otherwise user fails to delete
+  deletion_policy = "ABANDON"
+  lifecycle {
+    ignore_changes = [deletion_policy, password]
+  }
+}
+
+locals {
+  coder_db_url = "postgres://${google_sql_user.coder.name}:${urlencode(random_password.coder_postgres_password.result)}@${google_sql_database_instance.db.private_ip_address}/${google_sql_database.coder.name}?sslmode=disable"
+}
diff --git a/scaletest/terraform/action/gcp_project.tf b/scaletest/terraform/action/gcp_project.tf
new file mode 100644
index 0000000000..1073a621c3
--- /dev/null
+++ b/scaletest/terraform/action/gcp_project.tf
@@ -0,0 +1,27 @@
+locals {
+  project_apis = [
+    "cloudtrace",
+    "compute",
+    "container",
+    "logging",
+    "monitoring",
+    "servicemanagement",
+    "servicenetworking",
+    "sqladmin",
+    "stackdriver",
+    "storage-api",
+  ]
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+resource "google_project_service" "api" {
+  for_each = toset(local.project_apis)
+  project  = data.google_project.project.project_id
+  service  = "${each.value}.googleapis.com"
+
+  disable_dependent_services = false
+  disable_on_destroy         = false
+}
diff --git a/scaletest/terraform/action/gcp_vpc.tf b/scaletest/terraform/action/gcp_vpc.tf
new file mode 100644
index 0000000000..c9fd412aa3
--- /dev/null
+++ b/scaletest/terraform/action/gcp_vpc.tf
@@ -0,0 +1,42 @@
+
+resource "google_compute_network" "vpc" {
+  project                 = var.project_id
+  name                    = var.name
+  auto_create_subnetworks = "false"
+  depends_on = [
+    google_project_service.api["compute.googleapis.com"]
+  ]
+}
+
+resource "google_compute_subnetwork" "subnet" {
+  for_each      = local.deployments
+  name          = "${var.name}-${each.key}"
+  project       = var.project_id
+  region        = each.value.region
+  network       = google_compute_network.vpc.name
+  ip_cidr_range = each.value.cidr
+}
+
+resource "google_compute_address" "coder" {
+  for_each     = local.deployments
+  project      = var.project_id
+  region       = each.value.region
+  name         = "${var.name}-${each.key}-coder"
+  address_type = "EXTERNAL"
+  network_tier = "PREMIUM"
+}
+
+resource "google_compute_global_address" "sql_peering" {
+  project       = var.project_id
+  name          = "${var.name}-sql-peering"
+  purpose       = "VPC_PEERING"
+  address_type  = "INTERNAL"
+  prefix_length = 16
+  network       = google_compute_network.vpc.id
+}
+
+resource "google_service_networking_connection" "private_vpc_connection" {
+  network                 = google_compute_network.vpc.id
+  service                 = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = [google_compute_global_address.sql_peering.name]
+}
diff --git a/scaletest/terraform/action/k8s_coder_asia.tf b/scaletest/terraform/action/k8s_coder_asia.tf
new file mode 100644
index 0000000000..2d22173498
--- /dev/null
+++ b/scaletest/terraform/action/k8s_coder_asia.tf
@@ -0,0 +1,104 @@
+resource "kubernetes_namespace" "coder_asia" {
+  provider = kubernetes.asia
+
+  metadata {
+    name = local.coder_namespace
+  }
+  lifecycle {
+    ignore_changes = [timeouts, wait_for_default_service_account]
+  }
+
+  depends_on = [google_container_node_pool.node_pool["asia_misc"]]
+}
+
+resource "kubernetes_secret" "provisionerd_psk_asia" {
+  provider = kubernetes.asia
+
+  type = "Opaque"
+  metadata {
+    name      = "coder-provisioner-psk"
+    namespace = kubernetes_namespace.coder_asia.metadata.0.name
+  }
+  data = {
+    psk = random_password.provisionerd_psk.result
+  }
+  lifecycle {
+    ignore_changes = [timeouts, wait_for_service_account_token]
+  }
+}
+
+resource "kubernetes_secret" "proxy_token_asia" {
+  provider = kubernetes.asia
+
+  type = "Opaque"
+  metadata {
+    name      = "coder-proxy-token"
+    namespace = kubernetes_namespace.coder_asia.metadata.0.name
+  }
+  data = {
+    token = trimspace(data.local_file.asia_proxy_token.content)
+  }
+  lifecycle {
+    ignore_changes = [timeouts, wait_for_service_account_token]
+  }
+}
+
+resource "helm_release" "coder_asia" {
+  provider = helm.asia
+
+  repository = local.coder_helm_repo
+  chart      = local.coder_helm_chart
+  name       = local.coder_release_name
+  version    = var.coder_chart_version
+  namespace  = kubernetes_namespace.coder_asia.metadata.0.name
+  values = [templatefile("${path.module}/coder_helm_values.tftpl", {
+    workspace_proxy  = true,
+    provisionerd     = false,
+    primary_url      = local.deployments.primary.url,
+    proxy_token      = kubernetes_secret.proxy_token_asia.metadata.0.name,
+    db_secret        = null,
+    ip_address       = google_compute_address.coder["asia"].address,
+    provisionerd_psk = null,
+    access_url       = local.deployments.asia.url,
+    node_pool        = google_container_node_pool.node_pool["asia_coder"].name,
+    release_name     = local.coder_release_name,
+    experiments      = var.coder_experiments,
+    image_repo       = var.coder_image_repo,
+    image_tag        = var.coder_image_tag,
+    replicas         = local.scenarios[var.scenario].coder.replicas,
+    cpu_request      = local.scenarios[var.scenario].coder.cpu_request,
+    mem_request      = local.scenarios[var.scenario].coder.mem_request,
+    cpu_limit        = local.scenarios[var.scenario].coder.cpu_limit,
+    mem_limit        = local.scenarios[var.scenario].coder.mem_limit,
+  })]
+}
+
+resource "helm_release" "provisionerd_asia" {
+  provider = helm.asia
+
+  repository = local.coder_helm_repo
+  chart      = local.provisionerd_helm_chart
+  name       = local.provisionerd_release_name
+  version    = var.provisionerd_chart_version
+  namespace  = kubernetes_namespace.coder_asia.metadata.0.name
+  values = [templatefile("${path.module}/coder_helm_values.tftpl", {
+    workspace_proxy  = false,
+    provisionerd     = true,
+    primary_url      = null,
+    proxy_token      = null,
+    db_secret        = null,
+    ip_address       = null,
+    provisionerd_psk = kubernetes_secret.provisionerd_psk_asia.metadata.0.name,
+    access_url       = local.deployments.primary.url,
+    node_pool        = google_container_node_pool.node_pool["asia_coder"].name,
+    release_name     = local.coder_release_name,
+    experiments      = var.coder_experiments,
+    image_repo       = var.coder_image_repo,
+    image_tag        = var.coder_image_tag,
+    replicas         = local.scenarios[var.scenario].provisionerd.replicas,
+    cpu_request      = local.scenarios[var.scenario].provisionerd.cpu_request,
+    mem_request      = local.scenarios[var.scenario].provisionerd.mem_request,
+    cpu_limit        = local.scenarios[var.scenario].provisionerd.cpu_limit,
+    mem_limit        = local.scenarios[var.scenario].provisionerd.mem_limit,
+  })]
+}
diff --git a/scaletest/terraform/action/k8s_coder_europe.tf b/scaletest/terraform/action/k8s_coder_europe.tf
new file mode 100644
index 0000000000..bb6140aef7
--- /dev/null
+++ b/scaletest/terraform/action/k8s_coder_europe.tf
@@ -0,0 +1,104 @@
+resource "kubernetes_namespace" "coder_europe" {
+  provider = kubernetes.europe
+
+  metadata {
+    name = local.coder_namespace
+  }
+  lifecycle {
+    ignore_changes = [timeouts, wait_for_default_service_account]
+  }
+
+  depends_on = [google_container_node_pool.node_pool["europe_misc"]]
+}
+
+resource "kubernetes_secret" "provisionerd_psk_europe" {
+  provider = kubernetes.europe
+
+  type = "Opaque"
+  metadata {
+    name      = "coder-provisioner-psk"
+    namespace = kubernetes_namespace.coder_europe.metadata.0.name
+  }
+  data = {
+    psk = random_password.provisionerd_psk.result
+  }
+  lifecycle {
+    ignore_changes = [timeouts, wait_for_service_account_token]
+  }
+}
+
+resource "kubernetes_secret" "proxy_token_europe" {
+  provider = kubernetes.europe
+
+  type = "Opaque"
+  metadata {
+    name      = "coder-proxy-token"
+    namespace = kubernetes_namespace.coder_europe.metadata.0.name
+  }
+  data = {
+    token = trimspace(data.local_file.europe_proxy_token.content)
+  }
+  lifecycle {
+    ignore_changes = [timeouts, wait_for_service_account_token]
+  }
+}
+
+resource "helm_release" "coder_europe" {
+  provider = helm.europe
+
+  repository = local.coder_helm_repo
+  chart      = local.coder_helm_chart
+  name       = local.coder_release_name
+  version    = var.coder_chart_version
+  namespace  = kubernetes_namespace.coder_europe.metadata.0.name
+  values = [templatefile("${path.module}/coder_helm_values.tftpl", {
+    workspace_proxy  = true,
+    provisionerd     = false,
+    primary_url      = local.deployments.primary.url,
+    proxy_token      = kubernetes_secret.proxy_token_europe.metadata.0.name,
+    db_secret        = null,
+    ip_address       = google_compute_address.coder["europe"].address,
+    provisionerd_psk = null,
+    access_url       = local.deployments.europe.url,
+    node_pool        = google_container_node_pool.node_pool["europe_coder"].name,
+    release_name     = local.coder_release_name,
+    experiments      = var.coder_experiments,
+    image_repo       = var.coder_image_repo,
+    image_tag        = var.coder_image_tag,
+    replicas         = local.scenarios[var.scenario].coder.replicas,
+    cpu_request      = local.scenarios[var.scenario].coder.cpu_request,
+    mem_request      = local.scenarios[var.scenario].coder.mem_request,
+    cpu_limit        = local.scenarios[var.scenario].coder.cpu_limit,
+    mem_limit        = local.scenarios[var.scenario].coder.mem_limit,
+  })]
+}
+
+resource "helm_release" "provisionerd_europe" {
+  provider = helm.europe
+
+  repository = local.coder_helm_repo
+  chart      = local.provisionerd_helm_chart
+  name       = local.provisionerd_release_name
+  version    = var.provisionerd_chart_version
+  namespace  = kubernetes_namespace.coder_europe.metadata.0.name
+  values = [templatefile("${path.module}/coder_helm_values.tftpl", {
+    workspace_proxy  = false,
+    provisionerd     = true,
+    primary_url      = null,
+    proxy_token      = null,
+    db_secret        = null,
+    ip_address       = null,
+    provisionerd_psk = kubernetes_secret.provisionerd_psk_europe.metadata.0.name,
+    access_url       = local.deployments.primary.url,
+    node_pool        = google_container_node_pool.node_pool["europe_coder"].name,
+    release_name     = local.coder_release_name,
+    experiments      = var.coder_experiments,
+    image_repo       = var.coder_image_repo,
+    image_tag        = var.coder_image_tag,
+    replicas         = local.scenarios[var.scenario].provisionerd.replicas,
+    cpu_request      = local.scenarios[var.scenario].provisionerd.cpu_request,
+    mem_request      = local.scenarios[var.scenario].provisionerd.mem_request,
+    cpu_limit        = local.scenarios[var.scenario].provisionerd.cpu_limit,
+    mem_limit        = local.scenarios[var.scenario].provisionerd.mem_limit,
+  })]
+}
diff --git a/scaletest/terraform/action/k8s_coder_primary.tf b/scaletest/terraform/action/k8s_coder_primary.tf
new file mode 100644
index 0000000000..68dc7fc80a
--- /dev/null
+++ b/scaletest/terraform/action/k8s_coder_primary.tf
@@ -0,0 +1,124 @@
+data "google_client_config" "default" {}
+
+locals {
+  coder_admin_email         = "admin@coder.com"
+  coder_admin_full_name     = "Coder Admin"
+  coder_admin_user          = "coder"
+  coder_admin_password      = "SomeSecurePassword!"
+  coder_helm_repo           = "https://helm.coder.com/v2"
+  coder_helm_chart          = "coder"
+  coder_namespace           = "coder"
+  coder_release_name        = "${var.name}-coder"
+  provisionerd_helm_chart   = "coder-provisioner"
+  provisionerd_release_name = "${var.name}-provisionerd"
+
+}
+
+resource "random_password" "provisionerd_psk" {
+  length = 26
+}
+
+resource "kubernetes_namespace" "coder_primary" {
+  provider = kubernetes.primary
+
+  metadata {
+    name = local.coder_namespace
+  }
+  lifecycle {
+    ignore_changes = [timeouts, wait_for_default_service_account]
+  }
+
+  depends_on = [google_container_node_pool.node_pool["primary_misc"]]
+}
+
+resource "kubernetes_secret" "coder_db" {
+  provider = kubernetes.primary
+
+  type = "Opaque"
+  metadata {
+    name      = "coder-db-url"
+    namespace = kubernetes_namespace.coder_primary.metadata.0.name
+  }
+  data = {
+    url = local.coder_db_url
+  }
+  lifecycle {
+    ignore_changes = [timeouts, wait_for_service_account_token]
+  }
+}
+
+resource "kubernetes_secret" "provisionerd_psk_primary" {
+  provider = kubernetes.primary
+
+  type = "Opaque"
+  metadata {
+    name      = "coder-provisioner-psk"
+    namespace = kubernetes_namespace.coder_primary.metadata.0.name
+  }
+  data = {
+    psk = random_password.provisionerd_psk.result
+  }
+  lifecycle {
+    ignore_changes = [timeouts, wait_for_service_account_token]
+  }
+}
+
+resource "helm_release" "coder_primary" {
+  provider = helm.primary
+
+  repository = local.coder_helm_repo
+  chart      = local.coder_helm_chart
+  name       = local.coder_release_name
+  version    = var.coder_chart_version
+  namespace  = kubernetes_namespace.coder_primary.metadata.0.name
+  values = [templatefile("${path.module}/coder_helm_values.tftpl", {
+    workspace_proxy  = false,
+    provisionerd     = false,
+    primary_url      = null,
+    proxy_token      = null,
+    db_secret        = kubernetes_secret.coder_db.metadata.0.name,
+    ip_address       = google_compute_address.coder["primary"].address,
+    provisionerd_psk = kubernetes_secret.provisionerd_psk_primary.metadata.0.name,
+    access_url       = local.deployments.primary.url,
+    node_pool        = google_container_node_pool.node_pool["primary_coder"].name,
+    release_name     = local.coder_release_name,
+    experiments      = var.coder_experiments,
+    image_repo       = var.coder_image_repo,
+    image_tag        = var.coder_image_tag,
+    replicas         = local.scenarios[var.scenario].coder.replicas,
+    cpu_request      = local.scenarios[var.scenario].coder.cpu_request,
+    mem_request      = local.scenarios[var.scenario].coder.mem_request,
+    cpu_limit        = local.scenarios[var.scenario].coder.cpu_limit,
+    mem_limit        = local.scenarios[var.scenario].coder.mem_limit,
+  })]
+}
+
+resource "helm_release" "provisionerd_chart" {
+  provider = helm.primary
+
+  repository = local.coder_helm_repo
+  chart      = local.provisionerd_helm_chart
+  name       = local.provisionerd_release_name
+  version    = var.provisionerd_chart_version
+  namespace  = kubernetes_namespace.coder_primary.metadata.0.name
+  values = [templatefile("${path.module}/coder_helm_values.tftpl", {
+    workspace_proxy  = false,
+    provisionerd     = true,
+    primary_url      = null,
+    proxy_token      = null,
+    db_secret        = null,
+    ip_address       = null,
+    provisionerd_psk = kubernetes_secret.provisionerd_psk_primary.metadata.0.name,
+    access_url       = local.deployments.primary.url,
+    node_pool        = google_container_node_pool.node_pool["primary_coder"].name,
+    release_name     = local.coder_release_name,
+    experiments      = var.coder_experiments,
+    image_repo       = var.coder_image_repo,
+    image_tag        = var.coder_image_tag,
+    replicas         = local.scenarios[var.scenario].provisionerd.replicas,
+    cpu_request      = local.scenarios[var.scenario].provisionerd.cpu_request,
+    mem_request      = local.scenarios[var.scenario].provisionerd.mem_request,
+    cpu_limit        = local.scenarios[var.scenario].provisionerd.cpu_limit,
+    mem_limit        = local.scenarios[var.scenario].provisionerd.mem_limit,
+  })]
+}
diff --git a/scaletest/terraform/action/main.tf b/scaletest/terraform/action/main.tf
new file mode 100644
index 0000000000..57a294710c
--- /dev/null
+++ b/scaletest/terraform/action/main.tf
@@ -0,0 +1,123 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.36"
+    }
+
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.5"
+    }
+
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.20"
+    }
+
+    // We use the kubectl provider to apply Custom Resources.
+    // The kubernetes provider requires the CRD is already present 
+    // and would require a separate apply step beforehand.
+    // https://github.com/hashicorp/terraform-provider-kubernetes/issues/1367
+    kubectl = {
+      source  = "alekc/kubectl"
+      version = ">= 2.0.0"
+    }
+
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.9"
+    }
+
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+  }
+
+  required_version = "~> 1.9.0"
+}
+
+provider "google" {
+}
+
+provider "cloudflare" {
+  api_token = var.cloudflare_api_token
+}
+
+provider "kubernetes" {
+  alias                  = "primary"
+  host                   = "https://${google_container_cluster.cluster["primary"].endpoint}"
+  cluster_ca_certificate = base64decode(google_container_cluster.cluster["primary"].master_auth.0.cluster_ca_certificate)
+  token                  = data.google_client_config.default.access_token
+}
+
+provider "kubernetes" {
+  alias                  = "europe"
+  host                   = "https://${google_container_cluster.cluster["europe"].endpoint}"
+  cluster_ca_certificate = base64decode(google_container_cluster.cluster["europe"].master_auth.0.cluster_ca_certificate)
+  token                  = data.google_client_config.default.access_token
+}
+
+provider "kubernetes" {
+  alias                  = "asia"
+  host                   = "https://${google_container_cluster.cluster["asia"].endpoint}"
+  cluster_ca_certificate = base64decode(google_container_cluster.cluster["asia"].master_auth.0.cluster_ca_certificate)
+  token                  = data.google_client_config.default.access_token
+}
+
+provider "kubectl" {
+  alias                  = "primary"
+  host                   = "https://${google_container_cluster.cluster["primary"].endpoint}"
+  cluster_ca_certificate = base64decode(google_container_cluster.cluster["primary"].master_auth.0.cluster_ca_certificate)
+  token                  = data.google_client_config.default.access_token
+  load_config_file       = false
+}
+
+provider "kubectl" {
+  alias                  = "europe"
+  host                   = "https://${google_container_cluster.cluster["europe"].endpoint}"
+  cluster_ca_certificate = base64decode(google_container_cluster.cluster["europe"].master_auth.0.cluster_ca_certificate)
+  token                  = data.google_client_config.default.access_token
+  load_config_file       = false
+}
+
+provider "kubectl" {
+  alias                  = "asia"
+  host                   = "https://${google_container_cluster.cluster["asia"].endpoint}"
+  cluster_ca_certificate = base64decode(google_container_cluster.cluster["asia"].master_auth.0.cluster_ca_certificate)
+  token                  = data.google_client_config.default.access_token
+  load_config_file       = false
+}
+
+provider "helm" {
+  alias = "primary"
+  kubernetes {
+    host                   = "https://${google_container_cluster.cluster["primary"].endpoint}"
+    cluster_ca_certificate = base64decode(google_container_cluster.cluster["primary"].master_auth.0.cluster_ca_certificate)
+    token                  = data.google_client_config.default.access_token
+  }
+}
+
+provider "helm" {
+  alias = "europe"
+  kubernetes {
+    host                   = "https://${google_container_cluster.cluster["europe"].endpoint}"
+    cluster_ca_certificate = base64decode(google_container_cluster.cluster["europe"].master_auth.0.cluster_ca_certificate)
+    token                  = data.google_client_config.default.access_token
+  }
+}
+
+provider "helm" {
+  alias = "asia"
+  kubernetes {
+    host                   = "https://${google_container_cluster.cluster["asia"].endpoint}"
+    cluster_ca_certificate = base64decode(google_container_cluster.cluster["asia"].master_auth.0.cluster_ca_certificate)
+    token                  = data.google_client_config.default.access_token
+  }
+}
diff --git a/scaletest/terraform/action/scenarios.tf b/scaletest/terraform/action/scenarios.tf
new file mode 100644
index 0000000000..996c449d28
--- /dev/null
+++ b/scaletest/terraform/action/scenarios.tf
@@ -0,0 +1,106 @@
+locals {
+  scenarios = {
+    small = {
+      coder = {
+        nodepool_size = 1
+        machine_type  = "t2d-standard-4"
+        replicas      = 1
+        cpu_request   = "1000m"
+        mem_request   = "6Gi"
+        cpu_limit     = "2000m"
+        mem_limit     = "12Gi"
+      }
+      provisionerd = {
+        replicas    = 1
+        cpu_request = "100m"
+        mem_request = "1Gi"
+        cpu_limit   = "1000m"
+        mem_limit   = "1Gi"
+      }
+      workspaces = {
+        nodepool_size = 1
+        machine_type  = "t2d-standard-4"
+        cpu_request   = "100m"
+        mem_request   = "128Mi"
+        cpu_limit     = "100m"
+        mem_limit     = "128Mi"
+      }
+      misc = {
+        nodepool_size = 1
+        machine_type  = "t2d-standard-4"
+      }
+      cloudsql = {
+        tier            = "db-f1-micro"
+        max_connections = 500
+      }
+    }
+    medium = {
+      coder = {
+        nodepool_size = 1
+        machine_type  = "t2d-standard-8"
+        replicas      = 1
+        cpu_request   = "3000m"
+        mem_request   = "12Gi"
+        cpu_limit     = "6000m"
+        mem_limit     = "24Gi"
+      }
+      provisionerd = {
+        replicas    = 1
+        cpu_request = "100m"
+        mem_request = "1Gi"
+        cpu_limit   = "1000m"
+        mem_limit   = "1Gi"
+      }
+      workspaces = {
+        nodepool_size = 1
+        machine_type  = "t2d-standard-8"
+        cpu_request   = "100m"
+        mem_request   = "128Mi"
+        cpu_limit     = "100m"
+        mem_limit     = "128Mi"
+      }
+      misc = {
+        nodepool_size = 1
+        machine_type  = "t2d-standard-4"
+      }
+      cloudsql = {
+        tier            = "db-custom-1-3840"
+        max_connections = 500
+      }
+    }
+    large = {
+      coder = {
+        nodepool_size = 3
+        machine_type  = "t2d-standard-8"
+        replicas      = 3
+        cpu_request   = "1000m"
+        mem_request   = "6Gi"
+        cpu_limit     = "2000m"
+        mem_limit     = "12Gi"
+      }
+      provisionerd = {
+        replicas    = 1
+        cpu_request = "100m"
+        mem_request = "1Gi"
+        cpu_limit   = "1000m"
+        mem_limit   = "1Gi"
+      }
+      workspaces = {
+        nodepool_size = 1
+        machine_type  = "t2d-standard-8"
+        cpu_request   = "100m"
+        mem_request   = "128Mi"
+        cpu_limit     = "100m"
+        mem_limit     = "128Mi"
+      }
+      misc = {
+        nodepool_size = 1
+        machine_type  = "t2d-standard-4"
+      }
+      cloudsql = {
+        tier            = "db-custom-2-7680"
+        max_connections = 500
+      }
+    }
+  }
+}
diff --git a/scaletest/terraform/action/vars.tf b/scaletest/terraform/action/vars.tf
new file mode 100644
index 0000000000..264110e239
--- /dev/null
+++ b/scaletest/terraform/action/vars.tf
@@ -0,0 +1,87 @@
+variable "name" {
+  description = "The name all resources will be prefixed with"
+}
+
+variable "scenario" {
+  description = "The scenario to deploy"
+  validation {
+    condition     = contains(["small", "medium", "large"], var.scenario)
+    error_message = "Scenario must be one of small, medium, or large"
+  }
+}
+
+// GCP
+variable "project_id" {
+  description = "The project in which to provision resources"
+}
+
+variable "k8s_version" {
+  description = "Kubernetes version to provision."
+  default     = "1.24"
+}
+
+// Cloudflare
+variable "cloudflare_api_token" {
+  description = "Cloudflare API token."
+  sensitive   = true
+}
+
+variable "cloudflare_email" {
+  description = "Cloudflare email address."
+  sensitive   = true
+}
+
+variable "cloudflare_domain" {
+  description = "Cloudflare coder domain."
+}
+
+variable "cloudflare_zone_id" {
+  description = "Cloudflare zone ID."
+}
+
+// Coder
+variable "coder_license" {
+  description = "Coder license key."
+  sensitive   = true
+}
+
+variable "coder_chart_version" {
+  description = "Version of the Coder Helm chart to install. Defaults to latest."
+  default     = null
+}
+
+variable "coder_image_tag" {
+  description = "Tag to use for Coder image."
+  default     = "latest"
+}
+
+variable "coder_image_repo" {
+  description = "Repository to use for Coder image."
+  default     = "ghcr.io/coder/coder"
+}
+
+variable "coder_experiments" {
+  description = "Coder Experiments to enable."
+  default     = ""
+}
+
+// Workspaces
+variable "workspace_image" {
+  description = "Image and tag to use for workspaces."
+  default     = "docker.io/codercom/enterprise-minimal:ubuntu"
+}
+
+variable "provisionerd_chart_version" {
+  description = "Version of the Provisionerd Helm chart to install. Defaults to latest."
+  default     = null
+}
+
+variable "provisionerd_image_repo" {
+  description = "Repository to use for Provisionerd image."
+  default     = "ghcr.io/coder/coder"
+}
+
+variable "provisionerd_image_tag" {
+  description = "Tag to use for Provisionerd image."
+  default     = "latest"
+}