
fix(scripts/ironbank): build Terraform from source with Go 1.25.9+#25259

Merged: f0ssel merged 1 commit into release/2.32 from ironbank/upgrade-terraform-go-toolchain-v2.32 on May 18, 2026

Conversation

@Shelnutt2 (Contributor)

Summary

Fixes the bundled Terraform binary in IronBank images being compiled with an older Go toolchain that exposes 9 CVEs (1 Critical, 5 High, 3 Medium) fixed in Go 1.25.9.

Problem

No upstream Terraform release is yet compiled with Go 1.25.9+:

  • Terraform 1.14.5 (used by provisioner): compiled with Go 1.25.6
  • Terraform 1.15.2 (latest stable): compiled with Go 1.25.8
  • The previous IronBank manifest referenced Terraform 1.3.7, compiled with Go ~1.19

Fix

The IronBank build script now compiles Terraform from source using the same Go toolchain as Coder (>= 1.25.9), ensuring all CVEs in the Go stdlib are addressed.

Changes

scripts/ironbank/build_ironbank.sh:

  • Builds Terraform 1.14.5 from source instead of downloading a precompiled binary
  • Adds go, zip, and git as build dependencies
  • Reads TERRAFORM_VERSION from hardening_manifest.yaml

scripts/ironbank/hardening_manifest.yaml:

  • Updated all versions to match release/2.32 (was severely outdated):
    • Coder: 0.15.3 -> 2.32.1
    • Terraform: 1.3.7 -> 1.14.5 (built from source)
    • Provider: 0.6.10 -> 2.15.0
  • Replaced precompiled Terraform binary URL with source tarball reference
  • Added TERRAFORM_VERSION build arg for the build script

Decision log

  • Why build from source? Neither the latest Terraform 1.14.5 (Go 1.25.6) nor 1.15.2 (Go 1.25.8) is compiled with Go 1.25.9+. Building from source with our Go toolchain is the only way to address the CVEs without waiting for an upstream release.
  • Why not bump to Terraform 1.15.x? The provisioner on release/2.32 has maxTerraformVersion = 1.14.9. Bumping to 1.15.x would require provisioner changes, which is risky on a release branch.
  • Why update the entire manifest? The manifest was pinned to Coder 0.15.3, Terraform 1.3.7, and provider 0.6.10, all severely outdated and inconsistent with the release/2.32 branch.

Generated by Coder Agents. Issue ENT-23

The bundled Terraform binary in IronBank images was compiled with an
older Go toolchain, exposing 9 CVEs (1 Critical, 5 High, 3 Medium)
fixed in Go 1.25.9.

Since no upstream Terraform release is yet compiled with Go 1.25.9+
(1.14.5 uses Go 1.25.6, 1.15.2 uses Go 1.25.8), the IronBank build
script now compiles Terraform from source using the same Go toolchain
as Coder (>= 1.25.9).

Changes:
- build_ironbank.sh: Build Terraform 1.14.5 from source instead of
  downloading a precompiled binary. Adds go, zip, and git as build
  dependencies.
- hardening_manifest.yaml: Update all versions to match release/2.32
  (Terraform 1.14.5, provider v2.15.0, Coder v2.32.1). Replace the
  precompiled Terraform binary URL with the source tarball reference.
@Shelnutt2 added the dependencies (Pull requests that update a dependency file) and cherry-pick/v2.32 labels on May 13, 2026
f0ssel pushed a commit that referenced this pull request May 13, 2026
…1.25.9 (#25260)

Build Terraform from source during the IronBank image build instead of
downloading pre-built binaries from HashiCorp. This controls the Go
toolchain version, ensuring Go stdlib CVEs (1 Critical, 5 High, 3
Medium) fixed in Go 1.25.9 are addressed in the bundled Terraform
binary.

No upstream Terraform release is compiled with Go 1.25.9+; all use Go
1.25.8. Building from source with GOTOOLCHAIN=go1.25.9 (read from
go.mod) is the only path forward without waiting for an upstream
toolchain bump.

### Changes
- **hardening_manifest.yaml**: Replace pre-built Terraform 1.3.7 binary
with Terraform 1.14.5 source tarball (matches `install.go`). Update
terraform-provider-coder from 0.6.10 to 2.13.1 (matches `go.mod`). Add
`TERRAFORM_VERSION` build arg.
- **build_ironbank.sh**: Download Terraform source, compile with the
project's Go toolchain (1.25.9), package as terraform.zip. Add `go` to
dependencies. Update base image to UBI9.
- **Dockerfile**: Update base image from UBI8 8.7 to UBI9 9.6. Remove
python3-urllib3 to address CVE-2026-44431.

Refs ENT-1

> [!NOTE]
> Generated by Coder Agents

<details>
<summary>Implementation context (Coder Agents generated)</summary>

### Go toolchain analysis
| Component | Before | After |
|-----------|--------|-------|
| Terraform binary | Go 1.19.4 (v1.3.7 pre-built) | Go 1.25.9 (v1.14.5 built from source) |
| terraform-provider-coder | old (v0.6.10) | Go 1.24.6 (v2.13.1) |
| Coder binary | Go 1.25.9 | Go 1.25.9 (unchanged) |

### Related PRs
- #25219 — main
- #25250 — release/2.33
- #25259 — release/2.32
</details>
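One way to verify the outcome both the PR body and the referenced commit describe (a bundled Terraform binary built with Go 1.25.9 or newer), as an added example that is not code from the Coder repository or this PR: a small Go program that reads the toolchain version recorded in a binary's build info (the same data `go version -m` prints) and fails if it is below the go1.25.9 floor the PR names. Only that threshold and the Terraform/Coder binary names come from the page; the function names and the version-comparison scheme are assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// versionKey maps "go1.25.9" (or a two-part "go1.19") to one integer,
// major*1e6 + minor*1e3 + patch, so toolchain versions compare numerically.
// Pre-release and devel strings ("go1.26rc1", "devel ...") fail the scan.
func versionKey(v string) (int, error) {
	var maj, mnr, pat int
	if _, err := fmt.Sscanf(v+".0", "go%d.%d.%d", &maj, &mnr, &pat); err != nil {
		return 0, fmt.Errorf("unrecognised Go version %q: %w", v, err)
	}
	return maj*1e6 + mnr*1e3 + pat, nil
}

// AtLeast reports whether toolchain version have is at least version want.
func AtLeast(have, want string) (bool, error) {
	h, errH := versionKey(have)
	w, errW := versionKey(want)
	if errH != nil {
		return false, errH
	}
	return errW == nil && h >= w, errW
}

// BinaryGoVersion returns the Go toolchain recorded in a binary's build info.
func BinaryGoVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// Added example (not Coder's build_ironbank.sh): go run . /path/to/terraform
func main() {
	v, err := BinaryGoVersion(os.Args[1])
	ok := false
	if err == nil {
		ok, err = AtLeast(v, "go1.25.9") // the floor named in the PR
	}
	fmt.Printf("%s: built with %q, ok=%v, err=%v\n", os.Args[1], v, ok, err)
	if !ok {
		os.Exit(1)
	}
}
```

Run it against the `terraform` and `coder` binaries extracted from the built image; a non-zero exit means a binary still carries a toolchain older than the one the CVE fixes landed in.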
@f0ssel merged commit fcd45a9 into release/2.32 on May 18, 2026
36 of 37 checks passed
@f0ssel deleted the ironbank/upgrade-terraform-go-toolchain-v2.32 branch on May 18, 2026 17:03
@github-actions github-actions Bot locked and limited conversation to collaborators May 18, 2026