fix(scripts/ironbank): rebuild bundled Terraform from source with Go 1.25.10 #25268

Merged: f0ssel merged 1 commit into release/2.30 from fix/ironbank-terraform-go-toolchain-v2.30 on May 18, 2026
Conversation

@Shelnutt2

Contributor

Build Terraform from source during the IronBank image build instead of downloading pre-built binaries from HashiCorp. This controls the Go toolchain version, ensuring Go stdlib CVEs (1 Critical, 5 High, 3 Medium) fixed in Go 1.25.9 are addressed in the bundled Terraform binary.

Supersedes #25248 which only did a version bump without source build.

Changes

  • hardening_manifest.yaml: Replace pre-built Terraform 1.3.7 binary with Terraform 1.14.5 source tarball (matches install.go). Update terraform-provider-coder from 0.6.10 to 2.13.1 (matches go.mod). Add TERRAFORM_VERSION build arg.
  • build_ironbank.sh: Download Terraform source, compile with the project's Go toolchain (1.25.10), package as terraform.zip. Add go to dependencies. Update base image to UBI9.
  • Dockerfile: Update base image from UBI8 8.7 to UBI9 9.6. Remove python3-urllib3 to address CVE-2026-44431.

Refs ENT-37

Generated by Coder Agents

Implementation context (Coder Agents generated)

Go toolchain analysis

| Component | Before | After |
| --- | --- | --- |
| Terraform binary | Go 1.19.4 (v1.3.7 pre-built) | Go 1.25.10 (v1.14.5 built from source) |
| terraform-provider-coder | old (v0.6.10) | Go 1.24.6 (v2.13.1) |
| Coder binary | Go 1.25.10 | Go 1.25.10 (unchanged) |

Related PRs

…1.25.10

Build Terraform from source during the IronBank image build instead of
downloading pre-built binaries from HashiCorp. This controls the Go
toolchain version, ensuring Go stdlib CVEs (1 Critical, 5 High, 3
Medium) fixed in Go 1.25.9 are addressed in the bundled Terraform
binary.

Changes:
- hardening_manifest.yaml: Replace pre-built Terraform 1.3.7 binary with
  Terraform 1.14.5 source tarball (matches install.go). Update
  terraform-provider-coder from 0.6.10 to 2.13.1 (matches go.mod).
  Add TERRAFORM_VERSION build arg.
- build_ironbank.sh: Download Terraform source, compile with the
  project's Go toolchain (1.25.10), package as terraform.zip. Add go to
  dependencies. Update base image to UBI9.
- Dockerfile: Update base image from UBI8 8.7 to UBI9 9.6. Remove
  python3-urllib3 to address CVE-2026-44431.

Refs ENT-37
@coder-tasks

coder-tasks Bot commented May 13, 2026

Contributor

Documentation Check

No Changes Needed

This PR makes internal build infrastructure changes to the IronBank image build scripts (scripts/ironbank/):

  • Rebuilds Terraform from source using the project's Go toolchain (CVE remediation)
  • Updates base image from UBI8 to UBI9
  • Updates terraform-provider-coder from 0.6.10 to 2.13.1
  • Removes python3-urllib3 to address CVE-2026-44431

None of these changes affect user-facing behavior, CLI flags, APIs, or configuration options. There is no existing IronBank-specific documentation in docs/ that needs updating.


Automated review via Coder Tasks

@Shelnutt2 added the labels dependencies (Pull requests that update a dependency file) and cherry-pick/v2.30 (Needs to be cherry-picked to the 2.30 release branch) on May 13, 2026
@f0ssel merged commit 4ded055 into release/2.30 on May 18, 2026
32 of 33 checks passed
@f0ssel deleted the fix/ironbank-terraform-go-toolchain-v2.30 branch on May 18, 2026 17:08
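
A release-gate check for the source rebuild described in this PR, as an added example that is not part of the PR or of the project's scripts: it reads the Go toolchain version embedded in a built binary with the standard library's `debug/buildinfo` and compares it numerically against a floor such as `go1.25.9`. The tool name `gofloor` and the function names are assumptions made for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"strconv"
	"strings"
)

// parse turns "go1.25.10" into [1 25 10]; rc, beta and devel strings return an error.
func parse(v string) (out [3]int, err error) {
	name := strings.SplitN(v, " ", 2)[0] // drop suffixes such as " X:boringcrypto"
	parts := strings.Split(strings.TrimPrefix(name, "go"), ".")
	if !strings.HasPrefix(name, "go") || len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("not a Go release version: %q", v)
	}
	for i := 0; i < len(parts) && err == nil; i++ {
		out[i], err = strconv.Atoi(parts[i])
	}
	return out, err
}

func meetsFloor(got, floor string) (bool, error) { // numeric: go1.25.10 > go1.25.9
	g, gerr := parse(got)
	f, ferr := parse(floor)
	if gerr != nil || ferr != nil {
		return false, fmt.Errorf("cannot compare %q with floor %q", got, floor)
	}
	i := 0 // index of the first component that differs, or the patch level
	for i < 2 && g[i] == f[i] {
		i++
	}
	return g[i] >= f[i], nil
}

func main() { // usage: gofloor <binary> <floor>, e.g. gofloor ./terraform go1.25.9
	if len(os.Args) != 3 {
		log.Fatal("usage: gofloor <binary> <floor>")
	}
	info, err := buildinfo.ReadFile(os.Args[1]) // Go version embedded by the linker
	if err != nil {
		log.Fatal(err)
	}
	if ok, err := meetsFloor(info.GoVersion, os.Args[2]); err != nil || !ok {
		log.Fatalf("FAIL: %s built with %s, floor %s", os.Args[1], info.GoVersion, os.Args[2])
	}
	fmt.Printf("OK: %s built with %s\n", os.Args[1], info.GoVersion)
}
```

Unparseable versions (release candidates, development builds) fail the gate rather than pass it, so a binary from an unexpected toolchain is flagged for review.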