mirror of
https://github.com/coder/coder.git
synced 2026-06-03 04:58:23 +00:00
dfe986b2b0
Build Terraform from source during the IronBank image build instead of downloading pre-built binaries from HashiCorp. This controls the Go toolchain version, ensuring Go stdlib CVEs (1 Critical, 5 High, 3 Medium) fixed in Go 1.25.9 are addressed in the bundled Terraform binary. No upstream Terraform release is compiled with Go 1.25.9+; all use Go 1.25.8. Building from source with GOTOOLCHAIN=go1.25.9 (read from go.mod) is the only path forward without waiting for an upstream toolchain bump.

### Changes

- **hardening_manifest.yaml**: Replace pre-built Terraform 1.3.7 binary with Terraform 1.14.5 source tarball (matches `install.go`). Update terraform-provider-coder from 0.6.10 to 2.13.1 (matches `go.mod`). Add `TERRAFORM_VERSION` build arg.
- **build_ironbank.sh**: Download Terraform source, compile with the project's Go toolchain (1.25.9), package as terraform.zip. Add `go` to dependencies. Update base image to UBI9.
- **Dockerfile**: Update base image from UBI8 8.7 to UBI9 9.6. Remove python3-urllib3 to address CVE-2026-44431.

Refs ENT-1

> [!NOTE]
> Generated by Coder Agents

<details>
<summary>Implementation context (Coder Agents generated)</summary>

### Go toolchain analysis

| Component | Before | After |
|-----------|--------|-------|
| Terraform binary | Go 1.19.4 (v1.3.7 pre-built) | Go 1.25.9 (v1.14.5 built from source) |
| terraform-provider-coder | old (v0.6.10) | Go 1.24.6 (v2.13.1) |
| Coder binary | Go 1.25.9 | Go 1.25.9 (unchanged) |

### Related PRs

- #25219 — main
- #25250 — release/2.33
- #25259 — release/2.32

</details>
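The build-from-source step described above, followed by the check a reviewer would want afterwards (that the produced binary really was compiled with the pinned toolchain, read from `go version -m`), as an added shell example that is not part of this commit or of the coder/coder repository. The tarball file name, its top-level directory layout, the `zip -j` packaging and the `TERRAFORM_VERSION` default are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the project's build_ironbank.sh.
set -euo pipefail

# Build Terraform from a source tarball with the pinned Go toolchain.
# Assumption: the tarball is named terraform-<version>.tar.gz and has a
# single top-level directory (hence --strip-components=1).
build_terraform() {
  local version="${TERRAFORM_VERSION:-1.14.5}"
  local src="terraform-${version}"
  mkdir -p "$src"
  tar -xzf "terraform-${version}.tar.gz" -C "$src" --strip-components=1
  # GOTOOLCHAIN pins the toolchain regardless of which `go` the build host
  # has on PATH; CGO_ENABLED=0 keeps the binary free of libc linkage.
  (cd "$src" && GOTOOLCHAIN=go1.25.9 CGO_ENABLED=0 go build -o ../terraform .)
  zip -j terraform.zip terraform
}

# Verify the toolchain baked into a binary. Takes the output of
# `go version -m <binary>` (first line looks like "./terraform: go1.25.9")
# and a minimum version; returns 0 if the build toolchain is at least that
# version, 1 if it is older, 2 if no Go version could be parsed.
go_toolchain_at_least() {
  local modinfo="$1" required="$2"
  local built
  built=$(printf '%s\n' "$modinfo" | sed -n '1s/.*: go\([0-9][0-9.]*\).*/\1/p')
  [ -n "$built" ] || return 2
  # Version-aware sort: if the required version sorts first, built >= required.
  [ "$(printf '%s\n%s\n' "$required" "$built" | sort -V | head -n1)" = "$required" ]
}

# Typical use after build_terraform:
#   go_toolchain_at_least "$(go version -m ./terraform)" 1.25.9 || exit 1
```

Run the check against the binary inside the final image as well, since that is the artifact the scanner sees.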