fix(terrascript): upgrade time and random Terraform provider versions

[RH-tj]

Summary

• Upgrade hashicorp/time provider version from 0.9.1 to 0.13.1 in terrascript required_providers
• Upgrade hashicorp/random provider version from 3.4.3 to 3.8.1 in terrascript required_providers

Context

ACS flagged critical fixable CVEs in the qontract-reconcile-master image running in gabi-pipelines on appsrep09ue1. The root cause is old Terraform providers compiled with vulnerable Go versions (< 1.19.9). The old time (0.9.1) and random (3.4.3) providers were built with Go 1.18.5, which is affected by CVE-2023-24538, CVE-2023-24540, CVE-2024-24790, and others.

Dependency

This PR requires the updated qontract-reconcile-base container image (with the new provider versions available in the plugin directory) to be published first. See companion PR: app-sre/container-images#TBD

The qontract-reconcile Dockerfile base image digest will also need to be updated to reference the new base image once it is published.

Test plan

• Verify terraform init succeeds with new provider versions
• Verify terrascript generates correct required_providers blocks
• Verify ACS CVE alerts clear after deployment

Made with Cursor

Summary by CodeRabbit

• Chores
  • Updated Terraform provider version constraints for temporary providers to ensure compatibility and receive recent fixes.
  • Bumped base images used for development and pre-test builds to a newer revision for improved stability and build consistency.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 2851ad71-0069-476a-940e-4ced64e85968

📥 Commits

Reviewing files that changed from the base of the PR and between 6953a28 and 43e39e1.

📒 Files selected for processing (2)

• dockerfiles/Dockerfile
• reconcile/utils/terrascript_aws_client.py

✅ Files skipped from review due to trivial changes (2)

• dockerfiles/Dockerfile
• reconcile/utils/terrascript_aws_client.py

---

Walkthrough

Updated Terraform temporary provider version constraints for hashicorp/time and hashicorp/random, and bumped the base image tag and digest used in two Docker build stages.

Changes

Cohort / File(s)	Summary
Terraform Provider Version Updates reconcile/utils/terrascript_aws_client.py	Updated temporary provider version constraints in TerrascriptClient.__init__: hashicorp/time 0.9.1 → 0.13.1, hashicorp/random 3.4.3 → 3.8.1.
Docker base image bump dockerfiles/Dockerfile	Updated base image tag and pinned digest for dev-image and prod-image-pre-test stages to qontract-reconcile-base-master:1.5.2-1 (from 1.5.1-1).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lisa]

/lgtm

[lisa]

/lgtm

[hemslo]

LGTM!