
fix(scripts/ironbank): upgrade bundled Terraform to 1.14.5 and provider to 2.13.1#25248

Open: coder-tasks[bot] wants to merge 1 commit into release/2.30 from seth/ironbank-v230-terraform-upgrade

@coder-tasks coder-tasks Bot commented May 13, 2026

Summary

Update the IronBank hardening manifest on the v2.30.x release branch to use current Terraform and provider versions that match what the codebase expects.

Changes

  • Terraform: 1.3.7 -> 1.14.5 (matches TerraformVersion in provisioner/terraform/install.go and scripts/Dockerfile.base)
  • terraform-provider-coder: 0.6.10 -> 2.13.1 (matches go.mod)
  • SHA256 checksums updated for both artifacts from official release files

Context

The Coder binary Go toolchain was already upgraded from 1.25.8 to 1.25.10 in #25232 (addressing ENT-40). This PR brings the IronBank-bundled Terraform and provider versions in sync with the rest of the codebase.

Note: the pre-built Terraform 1.14.5 binary from HashiCorp is still compiled with Go 1.25.8 (.go-version in the Terraform repo). The Go stdlib CVEs in the bundled Terraform binary depend on an upstream HashiCorp Go toolchain bump; no Terraform release through 1.15.2 uses Go 1.25.9+.

Refs https://linear.app/codercom/issue/ENT-37

🤖 Generated with Coder Agents

Co-Authored-By: Claude Sonnet 4 [email protected]

@github-actions github-actions Bot added the community Pull Requests and issues created by the community. label May 13, 2026

github-actions Bot commented May 13, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

…er to 2.13.1

Update the IronBank hardening manifest to use current Terraform and
provider versions, matching what the Coder v2.30.x codebase expects:

- Terraform: 1.3.7 -> 1.14.5 (matches TerraformVersion in install.go
  and scripts/Dockerfile.base)
- terraform-provider-coder: 0.6.10 -> 2.13.1 (matches go.mod)
- SHA256 checksums updated for both artifacts

Note: the pre-built Terraform 1.14.5 binary from HashiCorp is compiled
with Go 1.25.8. The Go stdlib CVEs in the Terraform binary depend on an
upstream HashiCorp Go toolchain bump. The Coder binary itself was already
upgraded to Go 1.25.10 in #25232.

Refs ENT-37
@Shelnutt2 Shelnutt2 force-pushed the seth/ironbank-v230-terraform-upgrade branch from a5d164d to 753d3c4 Compare May 13, 2026 01:57
@Shelnutt2 Shelnutt2 added dependencies Pull requests that update a dependency file cherry-pick/v2.30 Needs to be cherry-picked to the 2.30 release branch and removed community Pull Requests and issues created by the community. labels May 13, 2026
@Shelnutt2 Shelnutt2 marked this pull request as ready for review May 13, 2026 02:06

coder-tasks Bot commented May 13, 2026

Documentation Check

No Changes Needed

This PR only updates scripts/ironbank/hardening_manifest.yaml to bump bundled dependency versions (Terraform 1.3.7 → 1.14.5, terraform-provider-coder 0.6.10 → 2.13.1) and their SHA256 checksums. These are internal build infrastructure changes with no user-facing behavior, API, CLI, or configuration impact. No documentation exists for these IronBank-specific version pins, and none is needed.


Automated review via Coder Tasks

f0ssel pushed a commit that referenced this pull request May 18, 2026
…1.25.10 (#25268)

Build Terraform from source during the IronBank image build instead of
downloading pre-built binaries from HashiCorp. This controls the Go
toolchain version, ensuring Go stdlib CVEs (1 Critical, 5 High, 3
Medium) fixed in Go 1.25.9 are addressed in the bundled Terraform
binary.

Supersedes #25248 which only did a version bump without source build.

### Changes
- **hardening_manifest.yaml**: Replace pre-built Terraform 1.3.7 binary
with Terraform 1.14.5 source tarball (matches `install.go`). Update
terraform-provider-coder from 0.6.10 to 2.13.1 (matches `go.mod`). Add
`TERRAFORM_VERSION` build arg.
- **build_ironbank.sh**: Download Terraform source, compile with the
project's Go toolchain (1.25.10), package as terraform.zip. Add `go` to
dependencies. Update base image to UBI9.
- **Dockerfile**: Update base image from UBI8 8.7 to UBI9 9.6. Remove
python3-urllib3 to address CVE-2026-44431.

Refs ENT-37

> Generated by Coder Agents

<details>
<summary>Implementation context (Coder Agents generated)</summary>

### Go toolchain analysis
| Component | Before | After |
|-----------|--------|-------|
| Terraform binary | Go 1.19.4 (v1.3.7 pre-built) | Go 1.25.10 (v1.14.5 built from source) |
| terraform-provider-coder | old (v0.6.10) | Go 1.24.6 (v2.13.1) |
| Coder binary | Go 1.25.10 | Go 1.25.10 (unchanged) |

### Related PRs
- #25219 — main
- #25250 — release/2.33
- #25259 — release/2.32
- #25260 — release/2.31
- #25267 — release/2.29
</details>
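
The thread turns on which Go toolchain a bundled binary was compiled with: the pre-built Terraform reports Go 1.25.8, while the stdlib fixes are in Go 1.25.9. As an added example (not code from this PR or the Coder repository), the Go program below reads the toolchain version recorded in a Go binary and gates on a minimum; the program name `gotoolcheck` and the function names are assumptions for illustration, and `go/version` requires Go 1.22 or newer.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
	"strings"
)

// AtLeast reports whether toolchain version got (e.g. "go1.25.8") is minimum or
// newer. Unparseable versions are an error, never silently treated as old or new.
func AtLeast(got, minimum string) (bool, error) {
	if f := strings.Fields(got); len(f) > 0 {
		got = f[0] // drop experiment tags such as " X:..." after the version
	}
	if !version.IsValid(got) || !version.IsValid(minimum) {
		return false, fmt.Errorf("cannot compare %q with %q", got, minimum)
	}
	return version.Compare(got, minimum) >= 0, nil
}

// Check reads the Go version the linker recorded in the binary at path and
// compares it with minimum, so a vendored binary can be gated in an image build.
func Check(path, minimum string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, fmt.Errorf("%s: not a readable Go binary: %w", path, err)
	}
	ok, err := AtLeast(info.GoVersion, minimum)
	return info.GoVersion, ok, err
}

func main() { // hypothetical usage: gotoolcheck <binary> <minimum, e.g. go1.25.9>
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: gotoolcheck <binary> <min-go-version>")
		os.Exit(2)
	}
	got, ok, err := Check(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%s built with %s (minimum %s): ok=%v\n", os.Args[1], got, os.Args[2], ok)
	if !ok {
		os.Exit(1)
	}
}
```

The same version string can be read interactively with `go version <binary>`.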