@Kaniska244
Contributor

Ref: #1418

Description: This PR aims to resolve #1418, the broken Terraform installation on Ubuntu Noble (24.04). The issue occurs on Ubuntu Noble while installing Terraform because Noble has stricter GPG validation and different default keyserver behavior compared to jammy/focal. This is due to changes in how GPG keys are handled: Ubuntu Noble (24.04) and newer versions have deprecated the use of apt-key and require keys to be in a specific format (usually .gpg or .asc) and placed in the /etc/apt/keyrings folder. Since the approach in this feature is to download the binary from the HashiCorp release site and verify it against the GPG key, this PR adds an alternate source for the key and imports it for Ubuntu Noble (24.04).

Changelog: The following changes are included.

  • The installation script is changed to add an alternate source for the GPG key and import it for Ubuntu Noble.
  • Change in devcontainer-feature.json to do version bump
  • Test scripts for relevant options with Ubuntu noble base image.

Checklist:

  • All checks are passed.

@Kaniska244 Kaniska244 marked this pull request as ready for review July 24, 2025 15:42
@Kaniska244 Kaniska244 requested a review from a team as a code owner July 24, 2025 15:42
@Kaniska244 Kaniska244 requested a review from Copilot July 25, 2025 05:23

Kaniska244 and others added 3 commits July 25, 2025 11:32
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@Kaniska244 Kaniska244 requested a review from Copilot July 25, 2025 07:11

Kaniska244 and others added 2 commits July 25, 2025 12:43
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@Kaniska244 Kaniska244 requested a review from Copilot July 25, 2025 07:16
Contributor

Copilot AI left a comment

Pull Request Overview

This PR fixes terraform installation on Ubuntu Noble (24.04) by addressing GPG key handling changes in the newer Ubuntu version. Ubuntu Noble has stricter GPG validation and deprecated apt-key usage, requiring keys in specific formats and locations.

  • Adds Ubuntu Noble detection and alternate GPG key import method using keybase.io source
  • Implements fallback verification logic for both Terraform and Sentinel installations
  • Adds comprehensive test coverage for Ubuntu Noble with both standard and Sentinel installations

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/terraform/install.sh | Core installation logic with Noble detection and alternate GPG handling |
| src/terraform/devcontainer-feature.json | Version bump from 1.4.0 to 1.4.1 |
| test/terraform/scenarios.json | Test scenarios for Ubuntu Noble installations |
| test/terraform/install_in_ubuntu_noble.sh | Test script for basic Noble installation |
| test/terraform/install_in_ubuntu_noble_sentinel.sh | Test script for Noble installation with Sentinel |

@devcontainers devcontainers deleted a comment from dmnmenace Jul 29, 2025
@AlvaroRausell
Contributor

As a side note, is there a way to bypass the key verification? If the key ever went away, we might want to allow the user to be able to get running without it

@AlvaroRausell
Contributor

AlvaroRausell commented Jul 29, 2025

And lastly, would this be an alternative URL for the GPG key?

@Kaniska244
Contributor Author

> And lastly, would this be an alternative URL for the GPG key?

Hello @AlvaroRausell ,

They don't appear to be the same key, so it won't work.

```
@Kaniska244 ➜ /workspaces/features (gpg_fix_ubuntu_noble) $ curl -fsSL https://keybase.io/hashicorp/pgp_keys.asc | gpg --import
gpg: key 34365D9472D7468F: public key "HashiCorp Security (hashicorp.com/security) <security@hashicorp.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
@Kaniska244 ➜ /workspaces/features (gpg_fix_ubuntu_noble) $
@Kaniska244 ➜ /workspaces/features (gpg_fix_ubuntu_noble) $ gpg --list-keys
/home/node/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096 2021-04-19 [SC] [expires: 2026-04-18]
      C874011F0AB405110D02105534365D9472D7468F
uid           [ unknown] HashiCorp Security (hashicorp.com/security) <security@hashicorp.com>
sub   rsa4096 2021-04-19 [E] [expires: 2026-04-18]
sub   rsa4096 2021-04-21 [S] [expires: 2026-04-20]

@Kaniska244 ➜ /workspaces/features (gpg_fix_ubuntu_noble) $
@Kaniska244 ➜ /workspaces/features (gpg_fix_ubuntu_noble) $ gpg --delete-keys C874011F0AB405110D02105534365D9472D7468F
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/34365D9472D7468F 2021-04-19 HashiCorp Security (hashicorp.com/security) <security@hashicorp.com>

Delete this key from the keyring? (y/N) y
@Kaniska244 ➜ /workspaces/features (gpg_fix_ubuntu_noble) $
@Kaniska244 ➜ /workspaces/features (gpg_fix_ubuntu_noble) $ gpg --list-keys
@Kaniska244 ➜ /workspaces/features (gpg_fix_ubuntu_noble) $
@Kaniska244 ➜ /workspaces/features (gpg_fix_ubuntu_noble) $ curl -fsSL https://apt.releases.hashicorp.com/gpg | gpg --import
gpg: key AA16FCBCA621E701: public key "HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
@Kaniska244 ➜ /workspaces/features (gpg_fix_ubuntu_noble) $ gpg --list-keys
/home/node/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096 2023-01-10 [SC] [expires: 2028-01-09]
      798AEC654E5C15428C8E42EEAA16FCBCA621E701
uid           [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
sub   rsa4096 2023-01-10 [S] [expires: 2028-01-09]

@Kaniska244 ➜ /workspaces/features (gpg_fix_ubuntu_noble) $
```
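
Added example, not part of the PR thread or the project's install.sh: the session above shows the two HashiCorp URLs serving different keys, so a script can compare a fetched key's primary fingerprint with a pinned value before importing it. The function names and sample records are constructed for illustration; the two primary fingerprints are the ones printed above.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): pin the release-signing key by fingerprint.

# Fingerprint printed by `gpg --list-keys` for the keybase.io key in the session above.
RELEASE_KEY_FPR="C874011F0AB405110D02105534365D9472D7468F"

# Read `gpg --with-colons` output on stdin and print each primary-key fingerprint.
# A "pub" record is followed by its own "fpr" record; the "fpr" records that
# follow "sub" records belong to subkeys and are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Succeed only if stdin describes exactly one primary key and it is the pinned one.
# Extra keys bundled into the same download make the comparison fail.
key_matches_pin() {
    local expected found
    expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    found=$(primary_fingerprints)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Constructed sample records: timestamps and subkey fingerprints are made up,
# and the records are abbreviated to the fields the parser reads.
sample_release_key() {
    cat <<'EOF'
pub:-:4096:1:34365D9472D7468F:1618790400:1776470400::-:::scESC:
fpr:::::::::C874011F0AB405110D02105534365D9472D7468F:
uid:-::::1618790400::::HashiCorp Security (hashicorp.com/security) <security@hashicorp.com>:
sub:-:4096:1:0000000000000001:1618790400:1776470400:::::e:
fpr:::::::::0000000000000000000000000000000000000001:
EOF
}
sample_apt_key() {
    cat <<'EOF'
pub:-:4096:1:AA16FCBCA621E701:1673308800:1831075200::-:::scSC:
fpr:::::::::798AEC654E5C15428C8E42EEAA16FCBCA621E701:
sub:-:4096:1:0000000000000002:1673308800:1831075200:::::s:
fpr:::::::::0000000000000000000000000000000000000002:
EOF
}

# Real use (needs network and gpg; KEY_URL is a placeholder):
#   curl -fsSL "$KEY_URL" | gpg --show-keys --with-colons | key_matches_pin "$RELEASE_KEY_FPR"
```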

@Kaniska244
Contributor Author

Kaniska244 commented Jul 31, 2025

> As a side note, is there a way to bypass the key verification? If the key ever went away, we might want to allow the user to be able to get running without it

Hello @AlvaroRausell ,

I think it should work but I will test and confirm.

Edit: I have verified this; we can proceed with installation with basic checksum validation alone. So now I have kept it as a fallback mechanism for Ubuntu Noble, if the key download or verification fails.

@Kaniska244
Contributor Author

Hello @AlvaroRausell ,

Thank you for the detailed review and the suggestions. I have corrected the implementation accordingly. Would you kindly have another look and let me know in case of any further concern.

With Regards,
Kaniska

@Kaniska244 Kaniska244 requested a review from AlvaroRausell July 31, 2025 14:54
Co-authored-by: Álvaro Rausell Guiard <33221237+AlvaroRausell@users.noreply.github.com>
@Kaniska244
Contributor Author

Hello @AlvaroRausell ,

I have slightly changed the error handling for the part of the code when gpg validation of the download package fails even with the correct key which you had highlighted in the last review. Would you kindly have a look and let me know in case of any further concern.

@sethbacon

Hello @AlvaroRausell,
Any chance you can review this for @Kaniska244 ? Waiting on this PR to hit...
Thanks

@AlvaroRausell AlvaroRausell merged commit 91460a3 into devcontainers:main Aug 12, 2025
12 checks passed