By default, the Coder server runs[built-in provisioner daemons](../cli/server.md#provisioner-daemons), which execute`terraform` during workspace and template builds. However, there are sometimes benefits to running external provisioner daemons:

},

{

"title":"Templates",

"description":"Learn about templates, whichdefine the infrastructureunderlying workspaces",

"description":"Templatesdefine the infrastructurefor workspaces",

"path":"./templates/index.md",

"icon_path":"./images/icons/picture.svg",

"children": [

{

"title":"Templates & Terraform",

"description":"Learn what makes up a template",

"path":"./templates/concepts.md",

"title":"Working with templates",

"description":"Creating, editing, and updating templates",

"path":"./templates/creating.md"

},

{

"title":"Your first template",

"description":"A tutorial for creating and editing your first template",

"path":"./templates/tutorial.md"

},

{

"title":"Guided tour",

"description":"Create a template from scratch",

"path":"./templates/tour.md"

},

{

"title":"Setting up templates",

"description":"Best practices for writing templates",

"path":"./templates/best-practices.md",

"children": [

{

"title":"Parameters",

"description":"Use parameters to customize templates",

"path":"./templates/parameters.md",

"icon_path":"./images/icons/code.svg"

"title":"Change management",

"description":"Versioning templates with git and CI",

"path":"./templates/change-management.md",

"icon_path":"./images/icons/git.svg"

},

{

"title":"Terraform Modules",

"description":"Reuse code across Coder templates",

"path":"./templates/modules.md"

"title":"Provider authentication",

"description":"Authenticate the provisioner",

"path":"./templates/authentication.md",

"icon_path":"./images/icons/key.svg"

},

{

"title":"Agent Metadata",

"description":"Learn how to expose live agent information to users",

"path":"./templates/agent-metadata.md",

"icon_path":"./images/icons/table-rows.svg"

"title":"Resource persistence",

"description":"How resource persistence works in Coder",

"path":"./templates/resource-persistence.md",

"icon_path":"./images/icons/infinity.svg"

},

{

"title":"Resource Metadata",

"description":"Learn how to expose resource data to users",

"path":"./templates/resource-metadata.md",

"icon_path":"./images/icons/table-rows.svg"

"title":"Terraform modules",

"description":"Reuse code across Coder templates",

"path":"./templates/modules.md"

}

]

},

{

"title":"Best Practices",

"description":"Best practices for writing/managing templates",

"path":"./templates/best-practices.md",

"title":"Customizing templates",

"description":"Give information and options to workspace users",

"path":"./templates/customizing.md",

"children": [

{

"title":"Provider Authentication",

"description":"Learn how to authenticate the provisioner",

"path":"./templates/authentication.md",

"icon_path":"./images/icons/key.svg"

"title":"Agent metadata",

"description":"Show operational metrics in the workspace",

"path":"./templates/agent-metadata.md"

},

{

"title":"Resource Persistence",

"description":"Learn how resource persistence works in Coder",

"path":"./templates/resource-persistence.md",

"icon_path":"./images/icons/infinity.svg"

"title":"Resource metadata",

"description":"Show information in the workspace about template resources",

"path":"./templates/resource-metadata.md"

},

{

"title":"Change Management",

"description":"Learn how to source-control templates with git and CI",

"path":"./templates/change-management.md",

"icon_path":"./images/icons/git.svg"

"title":"Parameters",

"description":"Prompt the user for additional information about a workspace",

"path":"./templates/parameters.md"

}

]

},

{

"title":"Open in Coder",

"description":"Learn how to add an\"Open in Coder\" button to your repos",

"description":"Add an\"Open in Coder\" button to your repos",

"path":"./templates/open-in-coder.md",

"icon_path":"./images/icons/key.svg"

},

{

"title":"Docker inWorkspaces",

"description":"Usedocker inside containerized templates",

"title":"Docker inworkspaces",

"description":"UseDocker inside containerized templates",

"path":"./templates/docker-in-workspaces.md",

"icon_path":"./images/icons/docker.svg"

},

"description":"Use devcontainers in workspaces",

"path":"./templates/devcontainers.md",

"state":"alpha"

},

{

"title":"Troubleshooting templates",

"description":"Fix common template problems",

"path":"./templates/troubleshooting.md"

}

]

},


With Agent Metadata, template admins can expose operational metrics from

their workspaces to their users. It is the dynamic complement of[Resource Metadata](./resource-metadata.md).

You can show live operational metrics to workspace users with agent

metadata. It is the dynamic complement of[Resource

Metadata](./resource-metadata.md).

See the[Terraform reference](https://registry.terraform.io/providers/coder/coder/latest/docs/resources/agent#metadata).

You specify agent metadata in the

[`coder_agent`](https://registry.terraform.io/providers/coder/coder/latest/docs/resources/agent).

All of these examples use[heredoc strings](https://developer.hashicorp.com/terraform/language/expressions/strings#heredoc-strings) for the script declaration. With heredoc strings, you

can script without messy escape codes, just as if you were working in your terminal.

All of these examples use[heredoc

strings](https://developer.hashicorp.com/terraform/language/expressions/strings#heredoc-strings)

for the script declaration. With heredoc strings, you can script

without messy escape codes, just as if you were working in your

terminal.

Some of the below examples use the[`coder stat`](../cli/stat.md) command.

This is useful for determining CPU/memory usage inside a container, which

can be tricky otherwise.

Some of the examples use the[`coder stat`](../cli/stat.md) command.

This is useful for determining CPU and memory usage of the VM or

container that the workspace is running in, which is more accurate

than resource usage about the workspace's host.

Here's a standard set of metadata snippets for Linux agents:

You can also show agent metadata for information about the workspace's host.

[top](https://linux.die.net/man/1/top) is available in most Linux

distributions and provides virtual memory, CPU and IO statistics. Running`top`

produces output that looks like:

distributions and provides virtual memory, CPU and IO statistics.

Running`top`produces output that looks like:

[vmstat](https://linux.die.net/man/8/vmstat) is available in most Linux

distributions and provides virtual memory, CPU and IO statistics. Running`vmstat`

produces output that looks like:

[vmstat](https://linux.die.net/man/8/vmstat) is available in most

Linuxdistributions and provides virtual memory, CPU and IO

statistics. Running`vmstat`produces output that looks like:

[dstat](https://linux.die.net/man/1/dstat) is considerably more parseable

than`vmstat` but often not included in base images. It is easily installed by

most package managers under the name`dstat`. The output of running`dstat 1 1` looks

like:

[dstat](https://linux.die.net/man/1/dstat) is considerably more

parseablethan`vmstat` but often not included in base images. It is

easily installed bymost package managers under the name`dstat`. The

output of running`dstat 1 1` lookslike:

Agent metadata can generate a significant write load and overwhelm your

database if you're not careful. The approximate writes per second can be

calculated using the formula:

Agent metadata can generate a significant write load and overwhelm

your Coderdatabase if you're not careful. The approximate writes per

second can becalculated using the formula:

- each with 6 metadata snippets

- with an average interval of 4 seconds

You can expect`(10 * 6 * 2) / 4` or 30 writes per second.

You can expect`(10 * 6 * 2) / 4`, or 30 writes per second.

One of the writes is to the`UNLOGGED``workspace_agent_metadata` table and

the other to the`NOTIFY` query that enables live stats streaming in the UI.

One of the writes is to the`UNLOGGED``workspace_agent_metadata`

table and the other to the`NOTIFY` query that enables live stats

streaming in the UI.

</p>

</blockquote>

Coder's provisioner process needs to authenticate with cloud provider APIs to provision

workspaces. You can either pass credentials to the provisioner as parameters or execute Coder

in an environment that is authenticated with the cloud provider.

The Coder server's

[provisioner](https://registry.terraform.io/providers/coder/coder/latest/docs/data-sources/provisioner)

process needs to authenticate with other provider APIs to provision

workspaces. There are two approaches to do this:

We encourage the latter where supported. This approach simplifies the template, keeps cloud

provider credentials out of Coder's database (making it a less valuable target for attackers),

and is compatible with agent-based authentication schemes (that handle credential rotation

and/or ensure the credentials are not written to disk).

- Pass credentials to the provisioner as parameters.

- Preferred: Execute the Coder server in an environment that is

authenticated with the provider.

Cloud providers for which the Terraform provider supports authenticated environments include

We encourage the latter approach where supported:

- Simplifies the template.

- Keeps provider credentials out of Coder's database, making it

a less valuable target for attackers.

- Compatible with agent-based authentication schemes, which handle

credential rotation or ensure the credentials are not written to disk.

Generally, you can set up an environment to provide credentials to

Coder in these ways:

- A well-known location on disk. For example,`~/.aws/credentials` for

AWS on POSIX systems.

- Environment variables.

It is usually sufficient to authenticate using the CLI or SDK for the

provider before running Coder, but check the Terraform provider's

documentation for details.

These platforms have Terraform providers that support authenticated

environments:

-[Google Cloud](https://registry.terraform.io/providers/hashicorp/google/latest/docs)

-[Amazon Web Services](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)

-[Microsoft Azure](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)

-[Kubernetes](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs)

Additional providers may be supported; check the

[documentation of the Terraform provider](https://registry.terraform.io/browse/providers) for

details.

The way these generally work is via the credentials being available to Coder either in some

well-known location on disk (e.g.`~/.aws/credentials` for AWS on posix systems), or via

environment variables. It is usually sufficient to authenticate using the CLI or SDK for the

cloud provider before running Coder for this to work, but check the Terraform provider

documentation for details.

Other providers might also support authenticated environments. Check

the[documentation of the Terraform

provider](https://registry.terraform.io/browse/providers) for details.

Templates are very flexible

We recommend a few ways to manage workspace resources, authentication,

and versioning.

<children>

</children>

We recommend source controlling your templates as you would other code.[Install Coder](../install/) in CI/CD pipelines to push new template versions.

We recommend source-controlling your templates as you would other

code. You can[install Coder](../install/) in CI/CD pipelines to push new

template versions.

#Install the Coder CLI

shorter max token lifetime](../cli/server.md#--max-token-lifetime).