mirror of
https://github.com/coder/coder.git
synced 2026-06-03 04:58:23 +00:00
868fa09195
Build Terraform from source during the IronBank image build instead of downloading pre-built binaries from HashiCorp. This controls the Go toolchain version, ensuring Go stdlib CVEs (1 Critical, 5 High, 3 Medium) fixed in Go 1.25.9 are addressed in the bundled Terraform binary.

No upstream Terraform release (including 1.14.9 and 1.15.2) is compiled with Go 1.25.9+; all use Go 1.25.8. Building from source with `GOTOOLCHAIN=go1.25.10` (read from `go.mod`) is the only path forward without waiting for an upstream toolchain bump.

**Changes:**

- `hardening_manifest.yaml`: Replace pre-built Terraform 1.3.7 binary with Terraform 1.14.5 source tarball (matches `install.go`). Update `terraform-provider-coder` from 0.6.10 to 2.16.0 (matches `go.mod`).
- `build_ironbank.sh`: Download Terraform source, compile with the project's Go toolchain (1.25.10), package as `terraform.zip`. Add `go` to dependencies. Update base image to UBI9.
- `Dockerfile`: Update base image from UBI8 8.7 to UBI9 9.6. Remove `python3-urllib3` to address CVE-2026-44431.

Refs ENT-30

> [!NOTE]
> Generated by Coder Agents

<details>
<summary>Context and decision log</summary>

### Problem

The bundled Terraform binary in v2.33.x IronBank images was compiled with Go 1.25.8, exposing 9 CVEs. No upstream Terraform release uses Go 1.25.9+:

| Terraform Version | Go Toolchain |
|---|---|
| 1.14.5 | go1.25.6 |
| 1.14.9 | go1.25.8 |
| 1.15.2 | go1.25.8 |

### Approach chosen

Build Terraform from source instead of downloading pre-built binaries, using `GOTOOLCHAIN=go<version from go.mod>` to pin the Go toolchain. Verified this produces a binary with go1.25.10 embedded.

### Why not just update the Terraform version?

Even the latest Terraform (1.15.2) is compiled with Go 1.25.8. Updating to a newer version alone does not resolve the CVEs.

### Additional fixes included

- UBI9 base image migration (aligns with IronBank UBI9 adoption)
- python3-urllib3 removal (CVE-2026-44431)
- Provider version sync (0.6.10 -> 2.16.0 to match go.mod)

</details>

Co-authored-by: Seth Shelnutt <seth@coder.com>