coder/scripts
Seth Shelnutt c61867b7d7 fix(scripts/ironbank): rebuild bundled Terraform from source with Go 1.25.9+ (#25267)
Build Terraform from source during the IronBank image build instead of
downloading pre-built binaries from HashiCorp. This controls the Go
toolchain version, ensuring Go stdlib CVEs (1 Critical, 5 High, 3
Medium) fixed in Go 1.25.9 are addressed in the bundled Terraform
binary.

On v2.29.x, both the Coder binary and the Terraform binary were compiled
with Go 1.25.8. The Coder binary's Go toolchain upgrade is handled
separately via go.mod changes. This commit addresses the Terraform
binary by building from source.

### Changes
- **hardening_manifest.yaml**: Replace pre-built Terraform 1.3.7 binary
with Terraform 1.14.5 source tarball (matches `install.go`). Update
terraform-provider-coder from 0.6.10 to 2.13.1 (matches `go.mod`). Add
`TERRAFORM_VERSION` build arg.
- **build_ironbank.sh**: Download Terraform source, compile with the
project's Go toolchain, package as terraform.zip. Add `go` to
dependencies. Update base image to UBI9.
- **Dockerfile**: Update base image from UBI8 8.7 to UBI9 9.6. Remove
python3-urllib3 to address CVE-2026-44431.

Refs ENT-48

> [!NOTE]
> Generated by Coder Agents

<details>
<summary>Implementation context (Coder Agents generated)</summary>

### Note on v2.29.x
v2.29.x is more severely affected than later branches: both the Coder
binary AND the Terraform binary were compiled with Go 1.25.8. The Coder
binary go.mod upgrade to 1.25.9+ is tracked separately (ENT-48). This PR
addresses the Terraform binary component.

### Go toolchain analysis
| Component | Before | After |
|-----------|--------|-------|
| Terraform binary | Go 1.19.4 (v1.3.7 pre-built) | Built from source with project Go toolchain |
| terraform-provider-coder | old (v0.6.10) | Go 1.24.6 (v2.13.1) |
| Coder binary | Go 1.25.8 | Go 1.25.8 (unchanged by this PR) |

### Related PRs
- #25219 — main
- #25250 — release/2.33
- #25259 — release/2.32

</details>
2026-05-18 15:24:32 -04:00