27 changes: 24 additions & 3 deletions scripts/ironbank/build_ironbank.sh
Expand Up @@ -34,7 +34,7 @@ if [[ "$image_tag" == "" ]]; then
fi

# Check dependencies
dependencies docker sha256sum yq
dependencies docker sha256sum yq go zip git
if [[ $(yq --version) != *" v4."* ]]; then
error "yq version 4 is required"
fi
Expand Down Expand Up @@ -62,10 +62,31 @@ execrelative ../archive.sh \
--output "$tmpdir/coder.tar.gz" \
"$input_file"

# Build Terraform from source so the binary is compiled with the same Go
# toolchain as Coder (>= 1.25.9), avoiding CVEs present in older toolchains.
terraform_version="$(yq e '.args.TERRAFORM_VERSION' "$(dirname "${BASH_SOURCE[0]}")/hardening_manifest.yaml")"
if [[ -z "$terraform_version" || "$terraform_version" == "null" ]]; then
error "TERRAFORM_VERSION not found in hardening_manifest.yaml"
fi
log "Building Terraform $terraform_version from source with $(go version)..."
terraform_srcdir="$(mktemp -d)"
trap 'rm -rf "$terraform_srcdir" "$tmpdir"' EXIT
git clone --depth 1 --branch "v${terraform_version}" https://github.com/hashicorp/terraform.git "$terraform_srcdir"
pushd "$terraform_srcdir"
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -o terraform .
popd
(
cd "$terraform_srcdir"
zip "$tmpdir/terraform.zip" terraform
)
rm -rf "$terraform_srcdir"
log "Terraform $terraform_version built successfully."

# Download all resources in the hardening_manifest.yaml file except for
# coder.tar.gz (which we will make ourselves).
# coder.tar.gz (which we build ourselves) and terraform-src.tar.gz (we build
# Terraform from source above).
manifest_path="$(dirname "${BASH_SOURCE[0]}")/hardening_manifest.yaml"
resources="$(yq e '.resources[] | select(.filename != "coder.tar.gz") | [.filename, .url, .validation.value] | @tsv' "$manifest_path")"
resources="$(yq e '.resources[] | select(.filename != "coder.tar.gz" and .filename != "terraform-src.tar.gz") | [.filename, .url, .validation.value] | @tsv' "$manifest_path")"
while read -r line; do
filename="$(echo "$line" | cut -f1)"
url="$(echo "$line" | cut -f2)"
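Review bot: The Terraform source is fetched with `git clone --depth 1 --branch "v${terraform_version}"` and is never checked against anything, while the `terraform-src.tar.gz` entry that carries a sha256 in hardening_manifest.yaml is explicitly excluded from the download-and-verify loop at the `resources=` line — so the one checksum the manifest provides for this input is never used, and a tag is a mutable reference that does not pin content. Prefer downloading the manifest's archive URL, verifying it with `sha256sum -c` against `.validation.value`, and building from the extracted tree, as in the rewrite below; `curl` would then need adding to the `dependencies` line unless the download loop that follows (its body is outside the hunk) already provides a fetch helper that can be reused. The comment above the block promises Go `>= 1.25.9`, but only the presence of `go` is checked; a minimum-version check in the style of the `yq` check in the first hunk would make that guarantee enforceable. The new `trap … EXIT` replaces any EXIT trap set earlier in the script (outside the hunk), which looks intentional since it also removes `$tmpdir`, but is worth confirming.
```shell
# Fetch the Terraform source archive listed in hardening_manifest.yaml and
# verify it against the manifest checksum before building, so the build input
# is pinned by content rather than by a mutable git tag.
manifest_path="$(dirname "${BASH_SOURCE[0]}")/hardening_manifest.yaml"
terraform_src_url="$(yq e '.resources[] | select(.filename == "terraform-src.tar.gz") | .url' "$manifest_path")"
terraform_src_sha="$(yq e '.resources[] | select(.filename == "terraform-src.tar.gz") | .validation.value' "$manifest_path")"
if [[ -z "$terraform_src_url" || "$terraform_src_url" == "null" || -z "$terraform_src_sha" || "$terraform_src_sha" == "null" ]]; then
	error "terraform-src.tar.gz entry not found in hardening_manifest.yaml"
fi
log "Building Terraform $terraform_version from source with $(go version)..."
terraform_srcdir="$(mktemp -d)"
trap 'rm -rf "$terraform_srcdir" "$tmpdir"' EXIT
curl -fsSL -o "$terraform_srcdir/terraform-src.tar.gz" "$terraform_src_url"
# sha256sum -c expects "<hash>  <path>" (two spaces) and exits non-zero on mismatch.
echo "$terraform_src_sha  $terraform_srcdir/terraform-src.tar.gz" | sha256sum -c - \
	|| error "terraform-src.tar.gz does not match the sha256 in hardening_manifest.yaml"
# GitHub archive tarballs wrap the tree in a single top-level directory.
tar -xzf "$terraform_srcdir/terraform-src.tar.gz" --strip-components=1 -C "$terraform_srcdir"
# … unchanged: go build in "$terraform_srcdir", zip into "$tmpdir/terraform.zip", cleanup, success log …
```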
27 changes: 16 additions & 11 deletions scripts/ironbank/hardening_manifest.yaml
Expand Up @@ -7,13 +7,16 @@ name: "coder/coder-enterprise/coder-service-2"
# The most specific version should be the first tag and will be shown
# on ironbank.dso.mil
tags:
- "0.15.3"
- "2.32.1"
- "latest"

# Build args passed to Dockerfile ARGs
args:
# Needs to be kept in sync with the resource below.
TERRAFORM_CODER_PROVIDER_VERSION: "0.6.10"
TERRAFORM_CODER_PROVIDER_VERSION: "2.15.0"
# Terraform version to build from source. Must match TerraformVersion in
# provisioner/terraform/install.go.
TERRAFORM_VERSION: "1.14.5"

# Docker image labels
labels:
Expand All @@ -26,34 +29,36 @@ labels:
org.opencontainers.image.url: "https://coder.com/docs"
# Name of the distributing entity, organization or individual
org.opencontainers.image.vendor: "Coder Technologies"
org.opencontainers.image.version: "0.15.3"
org.opencontainers.image.version: "2.32.1"
# Keywords to help with search (ex. "cicd,gitops,golang")
mil.dso.ironbank.image.keywords: "remote, workspaces"

# List of resources to make available to the offline build context
resources:
# Coder binary
- url: "https://github.com/coder/coder/releases/download/v0.15.3/coder_0.15.3_linux_amd64.tar.gz"
- url: "https://github.com/coder/coder/releases/download/v2.32.1/coder_2.32.1_linux_amd64.tar.gz"
filename: "coder.tar.gz"
validation:
type: sha256
value: 2c88555777f1d9cc77a8f049093f4002472dc43d52b026e6784ef477bdced4a2
# Terraform binary, bundled inside of Coder to support air-gapped installs.
- url: https://releases.hashicorp.com/terraform/1.3.7/terraform_1.3.7_linux_amd64.zip
filename: "terraform.zip"
value: TO_BE_UPDATED_ON_RELEASE
# Terraform source, built from source with Go >= 1.25.9 to address CVEs in
# older Go toolchains. The build_ironbank.sh script compiles this from source
# rather than using a precompiled binary.
- url: https://github.com/hashicorp/terraform/archive/refs/tags/v1.14.5.tar.gz
filename: "terraform-src.tar.gz"
validation:
type: sha256
value: b8cf184dee15dfa89713fe56085313ab23db22e17284a9a27c0999c67ce3021e
value: ac3faee7b1d301a4d12fe6b7f33b1ba57a183e080a2442f6f1466a30f257ba45
# Coder Terraform provider, bundled inside of Coder to support air-gapped
# installs.
#
# The version of this provider needs to be kept in sync with the
# TERRAFORM_CODER_PROVIDER_VERSION build arg.
- url: https://github.com/coder/terraform-provider-coder/releases/download/v0.6.10/terraform-provider-coder_0.6.10_linux_amd64.zip
- url: https://github.com/coder/terraform-provider-coder/releases/download/v2.15.0/terraform-provider-coder_2.15.0_linux_amd64.zip
filename: "terraform-provider-coder.zip"
validation:
type: sha256
value: 4c2a16010621e146251f6fb5e27105dde9213d85ca8f3c8866c3f5a4159b81b0
value: eb0de36ba625d187dce45a24ad9e724bafff821fb466d014cc7d9a02d2d72309

# List of project maintainers
maintainers:
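Review bot: The coder.tar.gz resource now carries `value: TO_BE_UPDATED_ON_RELEASE` in place of a sha256, and nothing on this page rejects that placeholder — build_ironbank.sh deliberately skips this entry in its own download loop, and a consumer that does validate the manifest (presumably the Iron Bank pipeline) would fail on it. If the value is filled in by release tooling, a comment next to it such as `# Placeholder; replaced with the release tarball's sha256 by the release process` documents the contract, and the build script could refuse to run while the placeholder is still present. The `value:` digests in this file are plain scalars; quoting each one as a string guards against a future all-decimal digest being read as an integer. The checksum on the new terraform-src.tar.gz entry is only meaningful if build_ironbank.sh fetches and verifies that archive, which the companion change in this PR does not do — it clones a git tag instead.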