From e6bbd8c7c72323518eb432be8b267ee8a3b6f674 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Jun 2025 19:47:44 +0500 Subject: [PATCH 1/4] build(deps): Bump golang.org/x/mod from 0.24.0 to 0.25.0 (#411) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index fcb25b1..370fd5f 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/robfig/cron/v3 v3.0.1 github.com/stretchr/testify v1.10.0 golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 - golang.org/x/mod v0.24.0 + golang.org/x/mod v0.25.0 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 ) diff --git a/go.sum b/go.sum index 31e8334..ff0ed9c 100644 --- a/go.sum +++ b/go.sum @@ -231,8 +231,8 @@ golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXy golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU= -golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= +golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w= +golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= From 0ce611a8d9fdba7955ebc7a3fe51d9d394758dc8 Mon Sep 17 00:00:00 2001 
From: "blink-so[bot]" <211532188+blink-so[bot]@users.noreply.github.com> Date: Fri, 27 Jun 2025 20:43:57 +0500 Subject: [PATCH 2/4] docs: clarify cron attribute format for coder_script resource (#409) Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com> --- docs/resources/script.md | 19 ++++-- examples/resources/coder_script/resource.tf | 17 ++++- provider/script.go | 35 ++++++++-- provider/script_test.go | 72 +++++++++++++++++++++ 4 files changed, 130 insertions(+), 13 deletions(-) diff --git a/docs/resources/script.md b/docs/resources/script.md index 22ac1b5..9058fce 100644 --- a/docs/resources/script.md +++ b/docs/resources/script.md @@ -43,15 +43,26 @@ resource "coder_script" "code-server" { }) } -resource "coder_script" "nightly_sleep_reminder" { +resource "coder_script" "nightly_update" { agent_id = coder_agent.dev.agent_id display_name = "Nightly update" icon = "/icon/database.svg" - cron = "0 22 * * *" + cron = "0 0 22 * * *" # Run at 22:00 (10 PM) every day script = <"`. - `log_path` (String) The path of a file to write the logs to. If relative, it will be appended to tmp. - `run_on_start` (Boolean) This option defines whether or not the script should run when the agent starts. The script should exit when it is done to signal that the agent is ready. diff --git a/examples/resources/coder_script/resource.tf b/examples/resources/coder_script/resource.tf index b7fced3..8b3fa66 100644 --- a/examples/resources/coder_script/resource.tf +++ b/examples/resources/coder_script/resource.tf 
@@ -28,15 +28,26 @@ resource "coder_script" "code-server" { }) } -resource "coder_script" "nightly_sleep_reminder" { +resource "coder_script" "nightly_update" { agent_id = coder_agent.dev.agent_id display_name = "Nightly update" icon = "/icon/database.svg" - cron = "0 22 * * *" + cron = "0 0 22 * * *" # Run at 22:00 (10 PM) every day script = < Date: Fri, 27 Jun 2025 21:02:05 +0500 Subject: [PATCH 3/4] Fix coder_script agent_id reference typos (#418) Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com> Co-authored-by: matifali <10648092+matifali@users.noreply.github.com> --- docs/resources/script.md | 8 ++++---- examples/resources/coder_script/resource.tf | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/resources/script.md b/docs/resources/script.md index 9058fce..21bfaec 100644 --- a/docs/resources/script.md +++ b/docs/resources/script.md @@ -22,7 +22,7 @@ resource "coder_agent" "dev" { } resource "coder_script" "dotfiles" { - agent_id = coder_agent.dev.agent_id + agent_id = coder_agent.dev.id display_name = "Dotfiles" icon = "/icon/dotfiles.svg" run_on_start = true @@ -33,7 +33,7 @@ resource "coder_script" "dotfiles" { } resource "coder_script" "code-server" { - agent_id = coder_agent.dev.agent_id + agent_id = coder_agent.dev.id display_name = "code-server" icon = "/icon/code.svg" run_on_start = true @@ -44,7 +44,7 @@ resource "coder_script" "code-server" { } resource "coder_script" "nightly_update" { - agent_id = coder_agent.dev.agent_id + agent_id = coder_agent.dev.id display_name = "Nightly update" icon = "/icon/database.svg" cron = "0 0 22 * * *" # Run at 22:00 (10 PM) every day @@ -56,7 +56,7 @@ resource "coder_script" "nightly_update" { } resource "coder_script" "every_5_minutes" { - agent_id = coder_agent.dev.agent_id + agent_id = coder_agent.dev.id display_name = "Health check" icon = "/icon/heart.svg" cron = "0 */5 * * * *" # Run every 5 minutes 
diff --git a/examples/resources/coder_script/resource.tf b/examples/resources/coder_script/resource.tf
index 8b3fa66..53c9dfb 100644
--- a/examples/resources/coder_script/resource.tf
+++ b/examples/resources/coder_script/resource.tf
@@ -7,7 +7,7 @@ resource "coder_agent" "dev" {
 }
 resource "coder_script" "dotfiles" {
- agent_id = coder_agent.dev.agent_id
+ agent_id = coder_agent.dev.id
 display_name = "Dotfiles"
 icon = "/icon/dotfiles.svg"
 run_on_start = true
@@ -18,7 +18,7 @@ resource "coder_script" "dotfiles" {
 }
 resource "coder_script" "code-server" {
- agent_id = coder_agent.dev.agent_id
+ agent_id = coder_agent.dev.id
 display_name = "code-server"
 icon = "/icon/code.svg"
 run_on_start = true
@@ -29,7 +29,7 @@ resource "coder_script" "code-server" {
 }
 resource "coder_script" "nightly_update" {
- agent_id = coder_agent.dev.agent_id
+ agent_id = coder_agent.dev.id
 display_name = "Nightly update"
 icon = "/icon/database.svg"
 cron = "0 0 22 * * *" # Run at 22:00 (10 PM) every day
@@ -41,7 +41,7 @@ resource "coder_script" "nightly_update" {
 }
 resource "coder_script" "every_5_minutes" {
- agent_id = coder_agent.dev.agent_id
+ agent_id = coder_agent.dev.id
 display_name = "Health check"
 icon = "/icon/heart.svg"
 cron = "0 */5 * * * *" # Run every 5 minutes
From f239e51ecbafcb7184e9965a1303fd62f8deb4b6 Mon Sep 17 00:00:00 2001
From: "blink-so[bot]" <211532188+blink-so[bot]@users.noreply.github.com>
Date: Mon, 30 Jun 2025 12:41:17 +0500
Subject: [PATCH 4/4] Mark tokens as sensitive in data sources (#416)
* Mark tokens as sensitive in data sources
Mark the following attributes as sensitive to prevent them from being logged or displayed in Terraform output:
- data.coder_workspace_owner.me.oidc_access_token
- data.coder_workspace_owner.me.session_token
- data.coder_external_auth.example.access_token
This follows the same pattern as ssh_private_key and agent token which are already marked as sensitive.
Fixes #266
Co-authored-by: matifali <10648092+matifali@users.noreply.github.com>
* Update documentation for sensitive token attributes
Regenerate documentation to reflect that oidc_access_token, session_token, and access_token are now marked as sensitive in the schema.
Co-authored-by: matifali <10648092+matifali@users.noreply.github.com>
---------
Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: matifali <10648092+matifali@users.noreply.github.com>
---
 docs/data-sources/external_auth.md | 2 +-
 docs/data-sources/workspace_owner.md | 4 ++--
 provider/externalauth.go | 1 +
 provider/workspace_owner.go | 2 ++
 4 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/docs/data-sources/external_auth.md b/docs/data-sources/external_auth.md
index e4089f2..d1e6d64 100644
--- a/docs/data-sources/external_auth.md
+++ b/docs/data-sources/external_auth.md
@@ -39,4 +39,4 @@ data "coder_external_auth" "azure-identity" {
 ### Read-Only
-- `access_token` (String) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
+- `access_token` (String, Sensitive) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
diff --git a/docs/data-sources/workspace_owner.md b/docs/data-sources/workspace_owner.md
index 2a912e1..f16480e 100644
--- a/docs/data-sources/workspace_owner.md
+++ b/docs/data-sources/workspace_owner.md
@@ -52,9 +52,9 @@ resource "coder_env" "git_author_email" {
 - `id` (String) The UUID of the workspace owner.
 - `login_type` (String) The type of login the user has.
 - `name` (String) The username of the user.
-- `oidc_access_token` (String) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
+- `oidc_access_token` (String, Sensitive) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
 - `rbac_roles` (List of Object) The RBAC roles of which the user is assigned. (see [below for nested schema](#nestedatt--rbac_roles))
-- `session_token` (String) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
+- `session_token` (String, Sensitive) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
 - `ssh_private_key` (String, Sensitive) The user's generated SSH private key.
 - `ssh_public_key` (String) The user's generated SSH public key.
diff --git a/provider/externalauth.go b/provider/externalauth.go
index 915a21a..b278ecc 100644
--- a/provider/externalauth.go
+++ b/provider/externalauth.go
@@ -37,6 +37,7 @@ func externalAuthDataSource() *schema.Resource {
 Type: schema.TypeString,
 Description: "The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.",
 Computed: true,
+ Sensitive: true,
 },
 "optional": {
 Type: schema.TypeBool,
diff --git a/provider/workspace_owner.go b/provider/workspace_owner.go
index 078047f..109b0b9 100644
--- a/provider/workspace_owner.go
+++ b/provider/workspace_owner.go
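Review bot: `Sensitive: true` on `access_token` in provider/externalauth.go only redacts the value where Terraform renders it (plan, apply and output display); the token is still written in plain text to the state file, along with any resource attribute a template derives from it, so the commit description's "prevent them from being logged" promises more than the flag delivers. The `Description` string should carry that caveat, for example by appending `" The value is redacted in CLI output but is still stored in plain text in Terraform state."`. The same applies to `session_token` and `oidc_access_token` in the two provider/workspace_owner.go hunks. The enclosing schema map starts and ends outside the hunk.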
@@ -113,6 +113,7 @@ func workspaceOwnerDataSource() *schema.Resource {
 Type: schema.TypeString,
 Computed: true,
 Description: "Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.",
+ Sensitive: true,
 },
 "oidc_access_token": {
 Type: schema.TypeString,
@@ -120,6 +121,7 @@ func workspaceOwnerDataSource() *schema.Resource {
 Description: "A valid OpenID Connect access token of the workspace owner. " +
 "This is only available if the workspace owner authenticated with OpenID Connect. " +
 "If a valid token cannot be obtained, this value will be an empty string.",
+ Sensitive: true,
 },
 "login_type": {
 Type: schema.TypeString,
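Review bot: Nothing in this commit pins the new flag, so a later schema edit could silently drop `Sensitive` from `session_token` or `oidc_access_token` in `workspaceOwnerDataSource` and the tokens would appear in plan output again; the diffstat touches no test file. A small schema test that asserts the flag on every credential attribute would guard it; the sketch below assumes the test lives in the `provider` package, which is not visible here. Separately, making an existing attribute sensitive changes behaviour for templates: a root-module `output` that references either token without `sensitive = true` is expected to fail at plan time, which deserves a release note.

```go
func TestWorkspaceOwnerCredentialAttrsSensitive(t *testing.T) {
	attrs := workspaceOwnerDataSource().Schema
	for _, name := range []string{"session_token", "oidc_access_token", "ssh_private_key"} {
		attr, ok := attrs[name]
		if !ok {
			t.Fatalf("attribute %q missing from schema", name)
		}
		if !attr.Sensitive {
			t.Errorf("attribute %q must be marked Sensitive", name)
		}
	}
}
```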