fix(scripts/ironbank): rebuild bundled Terraform from source with Go 1.25.9+ (#25267)

Build Terraform from source during the IronBank image build instead of
downloading pre-built binaries from HashiCorp. This controls the Go
toolchain version, ensuring Go stdlib CVEs (1 Critical, 5 High, 3
Medium) fixed in Go 1.25.9 are addressed in the bundled Terraform
binary.

On v2.29.x, both the Coder binary and the Terraform binary were compiled
with Go 1.25.8. The Coder binary's Go toolchain upgrade is handled
separately via go.mod changes. This commit addresses the Terraform
binary by building from source.

### Changes
- **hardening_manifest.yaml**: Replace pre-built Terraform 1.3.7 binary
with Terraform 1.14.5 source tarball (matches `install.go`). Update
terraform-provider-coder from 0.6.10 to 2.13.1 (matches `go.mod`). Add
`TERRAFORM_VERSION` build arg.
- **build_ironbank.sh**: Download Terraform source, compile with the
project's Go toolchain, package as terraform.zip. Add `go` to
dependencies. Update base image to UBI9.
- **Dockerfile**: Update base image from UBI8 8.7 to UBI9 9.6. Remove
python3-urllib3 to address CVE-2026-44431.

Refs ENT-48

> [!NOTE]
> Generated by Coder Agents

<details>
<summary>Implementation context (Coder Agents generated)</summary>

### Note on v2.29.x
v2.29.x is more severely affected than later branches: both the Coder
binary AND the Terraform binary were compiled with Go 1.25.8. The Coder
binary go.mod upgrade to 1.25.9+ is tracked separately (ENT-48). This PR
addresses the Terraform binary component.

### Go toolchain analysis
| Component | Before | After |
|-----------|--------|-------|
| Terraform binary | Go 1.19.4 (v1.3.7 pre-built) | Built from source
with project Go toolchain |
| terraform-provider-coder | old (v0.6.10) | Go 1.24.6 (v2.13.1) |
| Coder binary | Go 1.25.8 | Go 1.25.8 (unchanged by this PR) |

### Related PRs
- #25219 — main
- #25250 — release/2.33
- #25259 — release/2.32

</details>

scripts/ironbank/build_ironbank.sh

@@ -1,7 +1,8 @@
 #!/usr/bin/env bash
 
 # This script builds the ironbank Docker image of Coder containing the given
-# binary. Other dependencies will be automatically downloaded and cached.
+# binary. Terraform is built from source to control the Go toolchain version.
+# Other dependencies will be automatically downloaded and cached.
 #
 # Usage: ./build_ironbank.sh --target image_tag path/to/coder
 
@@ -34,7 +35,7 @@ if [[ "$image_tag" == "" ]]; then
 fi
 
 # Check dependencies
-dependencies docker sha256sum yq
+dependencies docker go sha256sum yq
 if [[ $(yq --version) != *" v4."* ]]; then
 	error "yq version 4 is required"
 fi
@@ -63,9 +64,10 @@ execrelative ../archive.sh \
 	"$input_file"
 
 # Download all resources in the hardening_manifest.yaml file except for
-# coder.tar.gz (which we will make ourselves).
+# coder.tar.gz (which we will make ourselves) and terraform-src.tar.gz
+# (which is handled separately below).
 manifest_path="$(dirname "${BASH_SOURCE[0]}")/hardening_manifest.yaml"
-resources="$(yq e '.resources[] | select(.filename != "coder.tar.gz") | [.filename, .url, .validation.value] | @tsv' "$manifest_path")"
+resources="$(yq e '.resources[] | select(.filename != "coder.tar.gz" and .filename != "terraform-src.tar.gz") | [.filename, .url, .validation.value] | @tsv' "$manifest_path")"
 while read -r line; do
 	filename="$(echo "$line" | cut -f1)"
 	url="$(echo "$line" | cut -f2)"
@@ -87,6 +89,63 @@ while read -r line; do
 	popd
 done <<<"$resources"
 
+# Build Terraform from source to control the Go toolchain version.
+# This ensures the bundled Terraform binary uses Go 1.25.9+ to address
+# Go stdlib CVEs that affect pre-built HashiCorp binaries.
+terraform_src="$(yq e '.resources[] | select(.filename == "terraform-src.tar.gz") | [.url, .validation.value] | @tsv' "$manifest_path")"
+if [[ -n "$terraform_src" ]]; then
+	terraform_src_url="$(echo "$terraform_src" | cut -f1)"
+	terraform_src_sha256="$(echo "$terraform_src" | cut -f2)"
+
+	pushd "$(dirname "${BASH_SOURCE[0]}")"
+	terraform_src_cache=".terraform-src.tar.gz.${terraform_src_sha256}"
+	if [[ ! -f "$terraform_src_cache" ]]; then
+		log "Downloading Terraform source"
+		curl -sSL "$terraform_src_url" -o "$terraform_src_cache"
+	fi
+
+	sum="$(sha256sum "$terraform_src_cache" | cut -d' ' -f1)"
+	if [[ "$sum" != "$terraform_src_sha256" ]]; then
+		rm "$terraform_src_cache"
+		error "Downloaded Terraform source has hash $sum, but expected $terraform_src_sha256"
+	fi
+	popd
+
+	# Extract and build Terraform from source.
+	terraform_build_dir="$(mktemp -d)"
+	trap 'rm -rf "$tmpdir" "$terraform_build_dir"' EXIT
+	pushd "$(dirname "${BASH_SOURCE[0]}")"
+	tar -xzf "$terraform_src_cache" -C "$terraform_build_dir" --strip-components=1
+	popd
+
+	# Read the Go version from the Coder project's go.mod to ensure we use
+	# the same toolchain version for all binaries in the image.
+	coder_go_version="$(head -5 "$(dirname "${BASH_SOURCE[0]}")/../../go.mod" | grep '^go ' | awk '{print $2}')"
+	log "Building Terraform from source with Go ${coder_go_version}"
+
+	pushd "$terraform_build_dir"
+	GOTOOLCHAIN="go${coder_go_version}" CGO_ENABLED=0 \
+		go build \
+		-trimpath \
+		-ldflags="-s -w -X 'github.com/hashicorp/terraform/version.dev=no'" \
+		-o "$tmpdir/terraform" .
+	popd
+
+	# Verify the compiled binary uses the expected Go toolchain.
+	built_go_version="$(go version "$tmpdir/terraform" | grep -oP 'go[0-9]+\.[0-9]+\.[0-9]+')"
+	log "Terraform built with ${built_go_version}"
+
+	# Package as terraform.zip for the Dockerfile.
+	pushd "$tmpdir"
+	zip terraform.zip terraform
+	rm terraform
+	popd
+
+	rm -rf "$terraform_build_dir"
+else
+	error "terraform-src.tar.gz resource not found in hardening_manifest.yaml"
+fi
+
 terraform_coder_provider_version="$(yq e '.args.TERRAFORM_CODER_PROVIDER_VERSION' "$manifest_path")"
 if [[ "$terraform_coder_provider_version" == "" ]]; then
 	error "TERRAFORM_CODER_PROVIDER_VERSION not found in hardening_manifest.yaml"

scripts/ironbank/hardening_manifest.yaml

@@ -13,7 +13,9 @@ tags:
 # Build args passed to Dockerfile ARGs
 args:
   # Needs to be kept in sync with the resource below.
-  TERRAFORM_CODER_PROVIDER_VERSION: "0.6.10"
+  TERRAFORM_CODER_PROVIDER_VERSION: "2.13.1"
+  # Terraform version to build from source (matches install.go).
+  TERRAFORM_VERSION: "1.14.5"
 
 # Docker image labels
 labels:
@@ -38,22 +40,23 @@ resources:
     validation:
       type: sha256
       value: 2c88555777f1d9cc77a8f049093f4002472dc43d52b026e6784ef477bdced4a2
-  # Terraform binary, bundled inside of Coder to support air-gapped installs.
-  - url: https://releases.hashicorp.com/terraform/1.3.7/terraform_1.3.7_linux_amd64.zip
-    filename: "terraform.zip"
+  # Terraform source, built from source during the image build to control the
+  # Go toolchain version used for the bundled Terraform binary.
+  - url: https://github.com/hashicorp/terraform/archive/refs/tags/v1.14.5.tar.gz
+    filename: "terraform-src.tar.gz"
     validation:
       type: sha256
-      value: b8cf184dee15dfa89713fe56085313ab23db22e17284a9a27c0999c67ce3021e
+      value: ac3faee7b1d301a4d12fe6b7f33b1ba57a183e080a2442f6f1466a30f257ba45
   # Coder Terraform provider, bundled inside of Coder to support air-gapped
   # installs.
   #
   # The version of this provider needs to be kept in sync with the
   # TERRAFORM_CODER_PROVIDER_VERSION build arg.
-  - url: https://github.com/coder/terraform-provider-coder/releases/download/v0.6.10/terraform-provider-coder_0.6.10_linux_amd64.zip
+  - url: https://github.com/coder/terraform-provider-coder/releases/download/v2.13.1/terraform-provider-coder_2.13.1_linux_amd64.zip
     filename: "terraform-provider-coder.zip"
     validation:
       type: sha256
-      value: 4c2a16010621e146251f6fb5e27105dde9213d85ca8f3c8866c3f5a4159b81b0
+      value: 04e38e4e37c89b78401c7689ade07a708635340138974bc12840920deed24c1b
 
 # List of project maintainers
 maintainers: