coder/scripts/ironbank
coder-tasks[bot] 868fa09195 fix(scripts/ironbank): rebuild bundled Terraform from source with Go 1.25.10 (#25250)
Build Terraform from source during the IronBank image build instead of
downloading pre-built binaries from HashiCorp. This controls the Go
toolchain version, ensuring Go stdlib CVEs (1 Critical, 5 High, 3
Medium) fixed in Go 1.25.9 are addressed in the bundled Terraform
binary.

No upstream Terraform release (including 1.14.9 and 1.15.2) is compiled
with Go 1.25.9+; all use Go 1.25.8. Building from source with
`GOTOOLCHAIN=go1.25.10` (read from `go.mod`) is the only path forward
without waiting for an upstream toolchain bump.

**Changes:**
- `hardening_manifest.yaml`: Replace pre-built Terraform 1.3.7 binary
with Terraform 1.14.5 source tarball (matches `install.go`). Update
`terraform-provider-coder` from 0.6.10 to 2.16.0 (matches `go.mod`).
- `build_ironbank.sh`: Download Terraform source, compile with the
project's Go toolchain (1.25.10), package as `terraform.zip`. Add `go`
to dependencies. Update base image to UBI9.
- `Dockerfile`: Update base image from UBI8 8.7 to UBI9 9.6. Remove
`python3-urllib3` to address CVE-2026-44431.

Refs ENT-30

> [!NOTE]
> Generated by Coder Agents

<details>
<summary>Context and decision log</summary>

### Problem
The bundled Terraform binary in v2.33.x IronBank images was compiled
with Go 1.25.8, exposing 9 CVEs. No upstream Terraform release uses Go
1.25.9+:

| Terraform Version | Go Toolchain |
|---|---|
| 1.14.5 | go1.25.6 |
| 1.14.9 | go1.25.8 |
| 1.15.2 | go1.25.8 |

### Approach chosen
Build Terraform from source instead of downloading pre-built binaries,
using `GOTOOLCHAIN=go<version from go.mod>` to pin the Go toolchain.
Verified this produces a binary with go1.25.10 embedded.

### Why not just update the Terraform version?
Even the latest Terraform (1.15.2) is compiled with Go 1.25.8. Updating
to a newer version alone does not resolve the CVEs.

### Additional fixes included
- UBI9 base image migration (aligns with IronBank UBI9 adoption)
- python3-urllib3 removal (CVE-2026-44431)
- Provider version sync (0.6.10 -> 2.16.0 to match go.mod)

</details>

Co-authored-by: Seth Shelnutt <seth@coder.com>
2026-05-18 12:32:08 -04:00
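As an added check that is not code from the coder repository, a POSIX shell snippet that reads the toolchain pin from go.mod the way the commit's `GOTOOLCHAIN` setting does and compares it with the Go version embedded in a built `terraform` binary (what `go version -m` reports); the go.mod fragment and version line below are constructed samples, and `check_terraform_binary` assumes `go` is on PATH.

```shell
#!/bin/sh
# Added example, not from the coder repository or the IronBank build script.

# Constructed go.mod fragment (not the real coder go.mod).
SAMPLE_GOMOD='module example.invalid/placeholder

go 1.25.8

toolchain go1.25.10
'

# Constructed first line of `go version -m terraform` for a source build.
SAMPLE_VERSION_M='terraform: go1.25.10'

# Print the toolchain to pin via GOTOOLCHAIN: the `toolchain` directive if
# present, otherwise the `go` directive (Go treats both as the minimum).
gomod_toolchain() {
  printf '%s\n' "$1" | awk '
    $1 == "toolchain" { tc = $2 }
    $1 == "go" && NF == 2 { g = "go" $2 }
    END { if (tc != "") print tc; else print g }'
}

# Extract "goX.Y.Z" from `go version -m` output; line 1 is "<file>: goX.Y.Z".
embedded_go_version() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}

# Return 0 when Go version $1 is >= version $2 (both "goX.Y.Z").
go_version_at_least() {
  awk -v a="${1#go}" -v b="${2#go}" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if ((x[i] + 0) > (y[i] + 0)) exit 0
      if ((x[i] + 0) < (y[i] + 0)) exit 1
    }
    exit 0 }'
}

# Compare a built binary on disk against go.mod; needs `go` on PATH.
# $1 = path to the terraform binary, $2 = contents of go.mod.
check_terraform_binary() {
  want=$(gomod_toolchain "$2")
  have=$(embedded_go_version "$(go version -m "$1")")
  if go_version_at_least "$have" "$want"; then
    echo "ok: $1 built with $have (>= $want)"
  else
    echo "FAIL: $1 built with $have, go.mod requires $want" >&2
    return 1
  fi
}
```

Run `check_terraform_binary ./terraform "$(cat go.mod)"` after the build step to turn the commit's manual verification into a scriptable gate.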