From 4c0c621f2a467d40bf9e54eacda343e18e65e893 Mon Sep 17 00:00:00 2001
From: Lukasz <CommanderK5@users.noreply.github.com>
Date: Wed, 18 Feb 2026 12:18:38 +0100
Subject: [PATCH] chore: bump bundled terraform to 1.14.5 (#22167)

Description:
This PR updates the bundled Terraform binary and related version pins
from 1.14.1 to 1.14.5 (base image, installer fallback, and CI/test
fixtures). Terraform is statically built with an embedded Go runtime.
Moving to 1.14.5 updates the embedded toolchain and is intended to
address Go stdlib CVEs reported by security scanning.

Notes:
- Change is version-only; no functional Coder logic changes.
- Backport-friendly: intended to be cherry-picked to release branches
after merge.
---
 .github/actions/setup-tf/action.yaml       | 2 +-
 dogfood/coder/Dockerfile                   | 4 ++--
 install.sh                                 | 2 +-
 provisioner/terraform/install.go           | 2 +-
 provisioner/terraform/testdata/version.txt | 2 +-
 scripts/Dockerfile.base                    | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/actions/setup-tf/action.yaml b/.github/actions/setup-tf/action.yaml
index 04074728ce..29f4771c61 100644
--- a/.github/actions/setup-tf/action.yaml
+++ b/.github/actions/setup-tf/action.yaml
@@ -7,5 +7,5 @@ runs:
     - name: Install Terraform
       uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
       with:
-        terraform_version: 1.14.1
+        terraform_version: 1.14.5
         terraform_wrapper: false
diff --git a/dogfood/coder/Dockerfile b/dogfood/coder/Dockerfile
index a2c8101c42..ed29666fc9 100644
--- a/dogfood/coder/Dockerfile
+++ b/dogfood/coder/Dockerfile
@@ -212,9 +212,9 @@ RUN sed -i 's|http://archive.ubuntu.com/ubuntu/|http://mirrors.edge.kernel.org/u
 	# Configure FIPS-compliant policies
 	update-crypto-policies --set FIPS
 
-# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.12.2.
+# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.14.5.
 # Installing the same version here to match.
-RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.14.1/terraform_1.14.1_linux_amd64.zip" && \
+RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.14.5/terraform_1.14.5_linux_amd64.zip" && \
 	unzip /tmp/terraform.zip -d /usr/local/bin && \
 	rm -f /tmp/terraform.zip && \
 	chmod +x /usr/local/bin/terraform && \
diff --git a/install.sh b/install.sh
index adc698668c..f32403d966 100755
--- a/install.sh
+++ b/install.sh
@@ -273,7 +273,7 @@ EOF
 main() {
 	MAINLINE=1
 	STABLE=0
-	TERRAFORM_VERSION="1.14.1"
+	TERRAFORM_VERSION="1.14.5"
 
 	if [ "${TRACE-}" ]; then
 		set -x
diff --git a/provisioner/terraform/install.go b/provisioner/terraform/install.go
index d6a9e74d90..2137e99cb9 100644
--- a/provisioner/terraform/install.go
+++ b/provisioner/terraform/install.go
@@ -22,7 +22,7 @@ var (
 	// when Terraform is not available on the system.
 	// NOTE: Keep this in sync with the version in scripts/Dockerfile.base.
 	// NOTE: Keep this in sync with the version in install.sh.
-	TerraformVersion = version.Must(version.NewVersion("1.14.1"))
+	TerraformVersion = version.Must(version.NewVersion("1.14.5"))
 
 	minTerraformVersion = version.Must(version.NewVersion("1.1.0"))
 	maxTerraformVersion = version.Must(version.NewVersion("1.14.9")) // use .9 to automatically allow patch releases
diff --git a/provisioner/terraform/testdata/version.txt b/provisioner/terraform/testdata/version.txt
index 63e799cf45..24a57f28a4 100644
--- a/provisioner/terraform/testdata/version.txt
+++ b/provisioner/terraform/testdata/version.txt
@@ -1 +1 @@
-1.14.1
+1.14.5
diff --git a/scripts/Dockerfile.base b/scripts/Dockerfile.base
index 9ee5d5ce7d..7892c8746e 100644
--- a/scripts/Dockerfile.base
+++ b/scripts/Dockerfile.base
@@ -27,7 +27,7 @@ RUN apk add --no-cache \
 # Terraform was disabled in the edge repo due to a build issue.
 # https://gitlab.alpinelinux.org/alpine/aports/-/commit/f3e263d94cfac02d594bef83790c280e045eba35
 # Using wget for now. Note that busybox unzip doesn't support streaming.
-RUN ARCH="$(arch)"; if [ "${ARCH}" == "x86_64" ]; then ARCH="amd64"; elif [ "${ARCH}" == "aarch64" ]; then ARCH="arm64"; elif [ "${ARCH}" == "armv7l" ]; then ARCH="arm"; fi; wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.14.1/terraform_1.14.1_linux_${ARCH}.zip" && \
+RUN ARCH="$(arch)"; if [ "${ARCH}" == "x86_64" ]; then ARCH="amd64"; elif [ "${ARCH}" == "aarch64" ]; then ARCH="arm64"; elif [ "${ARCH}" == "armv7l" ]; then ARCH="arm"; fi; wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.14.5/terraform_1.14.5_linux_${ARCH}.zip" && \
 		busybox unzip /tmp/terraform.zip -d /usr/local/bin && \
 		rm -f /tmp/terraform.zip && \
 		chmod +x /usr/local/bin/terraform && \