Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Autostop builds of dormant workspaces fail if the workspace template includes agents without a

count  = data.coder_workspace.me.start_count

field.

This occurs because workspace_dormant is a separate RBAC resource than regular workspaces, and the Provisioner Daemon subject doesn't have permission to create agents on dormant workspaces. It seems that we (incorrectly) assumed that since dormant workspaces can only be stopped, not started, that we would not need to create agents. However, there is nothing in the data model actually preventing the creation of agents on stop builds, so autostops of dormant workspaces can get into a failure loop.

Relevant Log Output

error: complete job: execute transaction: insert provisioner job: insert agent: unauthorized: rbac: forbidden

Expected Behavior

Autostop builds of dormant workspaces should succeed, even with coder_agent resources.

Steps to Reproduce

1. Create a template with a coder_agent and no count.
2. Start the workspace with an autostop
3. Mark the workspace dormant while still started
4. Allow an automatic stop build

Environment

• Coder version: 2.28, likely introduced by 3e7ff9d

Additional Context

No response