fix(scripts/ironbank): build Terraform from source with Go 1.25.9+ (#25259)

## Summary

Fixes the bundled Terraform binary in IronBank images being compiled
with an older Go toolchain that exposes 9 CVEs (1 Critical, 5 High, 3
Medium) fixed in Go 1.25.9.

## Problem

No upstream Terraform release is yet compiled with Go 1.25.9+:
- Terraform 1.14.5 (used by provisioner): compiled with **Go 1.25.6**
- Terraform 1.15.2 (latest stable): compiled with **Go 1.25.8**
- The previous IronBank manifest referenced Terraform 1.3.7, compiled
with Go ~1.19

## Fix

The IronBank build script now compiles Terraform **from source** using
the same Go toolchain as Coder (>= 1.25.9), ensuring all CVEs in the Go
stdlib are addressed.

### Changes

**`scripts/ironbank/build_ironbank.sh`**:
- Builds Terraform 1.14.5 from source instead of downloading a
precompiled binary
- Adds `go`, `zip`, and `git` as build dependencies
- Reads `TERRAFORM_VERSION` from `hardening_manifest.yaml`

**`scripts/ironbank/hardening_manifest.yaml`**:
- Updated all versions to match release/2.32 (was severely outdated):
  - Coder: 0.15.3 -> 2.32.1
  - Terraform: 1.3.7 -> 1.14.5 (built from source)
  - Provider: 0.6.10 -> 2.15.0
- Replaced precompiled Terraform binary URL with source tarball
reference
- Added `TERRAFORM_VERSION` build arg for the build script

<details>
<summary>Decision log</summary>

- **Why build from source?** Neither the latest Terraform 1.14.5 (Go
1.25.6) nor 1.15.2 (Go 1.25.8) is compiled with Go 1.25.9+. Building
from source with our Go toolchain is the only way to address the CVEs
without waiting for an upstream release.
- **Why not bump to Terraform 1.15.x?** The provisioner on release/2.32
has `maxTerraformVersion = 1.14.9`. Bumping to 1.15.x would require
provisioner changes, which is risky on a release branch.
- **Why update the entire manifest?** The manifest was pinned to Coder
0.15.3, Terraform 1.3.7, and provider 0.6.10, all severely outdated and
inconsistent with the release/2.32 branch.

</details>

> Generated by Coder Agents. [Issue
ENT-23](https://linear.app/codercom/issue/ENT-23)

scripts/ironbank/build_ironbank.sh

@@ -34,7 +34,7 @@ if [[ "$image_tag" == "" ]]; then
 fi
 
 # Check dependencies
-dependencies docker sha256sum yq
+dependencies docker sha256sum yq go zip git
 if [[ $(yq --version) != *" v4."* ]]; then
 	error "yq version 4 is required"
 fi
@@ -62,10 +62,31 @@ execrelative ../archive.sh \
 	--output "$tmpdir/coder.tar.gz" \
 	"$input_file"
 
+# Build Terraform from source so the binary is compiled with the same Go
+# toolchain as Coder (>= 1.25.9), avoiding CVEs present in older toolchains.
+terraform_version="$(yq e '.args.TERRAFORM_VERSION' "$(dirname "${BASH_SOURCE[0]}")/hardening_manifest.yaml")"
+if [[ -z "$terraform_version" || "$terraform_version" == "null" ]]; then
+	error "TERRAFORM_VERSION not found in hardening_manifest.yaml"
+fi
+log "Building Terraform $terraform_version from source with $(go version)..."
+terraform_srcdir="$(mktemp -d)"
+trap 'rm -rf "$terraform_srcdir" "$tmpdir"' EXIT
+git clone --depth 1 --branch "v${terraform_version}" https://github.com/hashicorp/terraform.git "$terraform_srcdir"
+pushd "$terraform_srcdir"
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -o terraform .
+popd
+(
+	cd "$terraform_srcdir"
+	zip "$tmpdir/terraform.zip" terraform
+)
+rm -rf "$terraform_srcdir"
+log "Terraform $terraform_version built successfully."
+
 # Download all resources in the hardening_manifest.yaml file except for
-# coder.tar.gz (which we will make ourselves).
+# coder.tar.gz (which we build ourselves) and terraform-src.tar.gz (we build
+# Terraform from source above).
 manifest_path="$(dirname "${BASH_SOURCE[0]}")/hardening_manifest.yaml"
-resources="$(yq e '.resources[] | select(.filename != "coder.tar.gz") | [.filename, .url, .validation.value] | @tsv' "$manifest_path")"
+resources="$(yq e '.resources[] | select(.filename != "coder.tar.gz" and .filename != "terraform-src.tar.gz") | [.filename, .url, .validation.value] | @tsv' "$manifest_path")"
 while read -r line; do
 	filename="$(echo "$line" | cut -f1)"
 	url="$(echo "$line" | cut -f2)"

scripts/ironbank/hardening_manifest.yaml

@@ -7,13 +7,16 @@ name: "coder/coder-enterprise/coder-service-2"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dso.mil
 tags:
-  - "0.15.3"
+  - "2.32.1"
   - "latest"
 
 # Build args passed to Dockerfile ARGs
 args:
   # Needs to be kept in sync with the resource below.
-  TERRAFORM_CODER_PROVIDER_VERSION: "0.6.10"
+  TERRAFORM_CODER_PROVIDER_VERSION: "2.15.0"
+  # Terraform version to build from source. Must match TerraformVersion in
+  # provisioner/terraform/install.go.
+  TERRAFORM_VERSION: "1.14.5"
 
 # Docker image labels
 labels:
@@ -26,34 +29,36 @@ labels:
   org.opencontainers.image.url: "https://coder.com/docs"
   # Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "Coder Technologies"
-  org.opencontainers.image.version: "0.15.3"
+  org.opencontainers.image.version: "2.32.1"
   # Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "remote, workspaces"
 
 # List of resources to make available to the offline build context
 resources:
   # Coder binary
-  - url: "https://github.com/coder/coder/releases/download/v0.15.3/coder_0.15.3_linux_amd64.tar.gz"
+  - url: "https://github.com/coder/coder/releases/download/v2.32.1/coder_2.32.1_linux_amd64.tar.gz"
     filename: "coder.tar.gz"
     validation:
       type: sha256
-      value: 2c88555777f1d9cc77a8f049093f4002472dc43d52b026e6784ef477bdced4a2
-  # Terraform binary, bundled inside of Coder to support air-gapped installs.
-  - url: https://releases.hashicorp.com/terraform/1.3.7/terraform_1.3.7_linux_amd64.zip
-    filename: "terraform.zip"
+      value: TO_BE_UPDATED_ON_RELEASE
+  # Terraform source, built from source with Go >= 1.25.9 to address CVEs in
+  # older Go toolchains. The build_ironbank.sh script compiles this from source
+  # rather than using a precompiled binary.
+  - url: https://github.com/hashicorp/terraform/archive/refs/tags/v1.14.5.tar.gz
+    filename: "terraform-src.tar.gz"
     validation:
       type: sha256
-      value: b8cf184dee15dfa89713fe56085313ab23db22e17284a9a27c0999c67ce3021e
+      value: ac3faee7b1d301a4d12fe6b7f33b1ba57a183e080a2442f6f1466a30f257ba45
   # Coder Terraform provider, bundled inside of Coder to support air-gapped
   # installs.
   #
   # The version of this provider needs to be kept in sync with the
   # TERRAFORM_CODER_PROVIDER_VERSION build arg.
-  - url: https://github.com/coder/terraform-provider-coder/releases/download/v0.6.10/terraform-provider-coder_0.6.10_linux_amd64.zip
+  - url: https://github.com/coder/terraform-provider-coder/releases/download/v2.15.0/terraform-provider-coder_2.15.0_linux_amd64.zip
     filename: "terraform-provider-coder.zip"
     validation:
       type: sha256
-      value: 4c2a16010621e146251f6fb5e27105dde9213d85ca8f3c8866c3f5a4159b81b0
+      value: eb0de36ba625d187dce45a24ad9e724bafff821fb466d014cc7d9a02d2d72309
 
 # List of project maintainers
 maintainers: