mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
Seth Shelnutt
dfe986b2b0
Build Terraform from source during the IronBank image build instead of downloading pre-built binaries from HashiCorp. This controls the Go toolchain version, ensuring Go stdlib CVEs (1 Critical, 5 High, 3 Medium) fixed in Go 1.25.9 are addressed in the bundled Terraform binary. No upstream Terraform release is compiled with Go 1.25.9+; all use Go 1.25.8. Building from source with GOTOOLCHAIN=go1.25.9 (read from go.mod) is the only path forward without waiting for an upstream toolchain bump. ### Changes - **hardening_manifest.yaml**: Replace pre-built Terraform 1.3.7 binary with Terraform 1.14.5 source tarball (matches `install.go`). Update terraform-provider-coder from 0.6.10 to 2.13.1 (matches `go.mod`). Add `TERRAFORM_VERSION` build arg. - **build_ironbank.sh**: Download Terraform source, compile with the project's Go toolchain (1.25.9), package as terraform.zip. Add `go` to dependencies. Update base image to UBI9. - **Dockerfile**: Update base image from UBI8 8.7 to UBI9 9.6. Remove python3-urllib3 to address CVE-2026-44431. Refs ENT-1 > [!NOTE] > Generated by Coder Agents <details> <summary>Implementation context (Coder Agents generated)</summary> ### Go toolchain analysis | Component | Before | After | |-----------|--------|-------| | Terraform binary | Go 1.19.4 (v1.3.7 pre-built) | Go 1.25.9 (v1.14.5 built from source) | | terraform-provider-coder | old (v0.6.10) | Go 1.24.6 (v2.13.1) | | Coder binary | Go 1.25.9 | Go 1.25.9 (unchanged) | ### Related PRs - #25219 — main - #25250 — release/2.33 - #25259 — release/2.32 </details>