Setting up SonarCloud run tasks in Terraform Cloud

You can use run tasks to integrate SonarCloud into your Terraform Cloud (TFC) workflow and ensure that your TFC pipeline is interrupted if your SonarCloud quality gate fails. The run task allows Terraform Cloud to interact with SonarCloud at a specific point in the TFC run lifecycle. It retrieves the status of the latest SonarCloud scan results and communicates the pass/fail result to Terraform, blocking the TFC workflow if the quality gate has failed.  This ensures that no infrastructure changes in Terraform can take place until all unreviewed hotspots or security vulnerabilities within the code analyzed by SonarCloud have been reviewed and remedied. 

The process for integrating SonarCloud into your TFC workflow consists of three main steps:

  • Configuring the integration on the SonarCloud side, creating an HMAC key for verification with TFC
  • Creating a new run task for SonarCloud within TFC using the URL and HMAC key values from SonarCloud
  • Associating your newly-created run task with the TFC workspace that will use the run task. 

Configuring the run task integration in SonarCloud

You must have administrator permissions for your organization to be able to configure the Terraform Cloud integration.

In SonarCloud, go to the Terraform Cloud integration settings page for your organization: Your project > Administration > General settings > Integration

Create the HMAC key, which will be used to authenticate SonarCloud to TFC. Although the HMAC is listed as optional in the UI, it is actually mandatory for the SonarCloud integration to work.

Where to add your Terraform HMAC Key in the SonarCloud UI.

Now that your HMAC is created, you need to complete the task creation process within Terraform Cloud.

Configuring the Terraform Cloud workspace to use the run task

Note that these steps take place within TFC. For more details on Terraform and the Terraform Cloud workflow, see HashiCorp's articles on run tasks in the Terraform help center. 

In Terraform Cloud, you now need to create a run task for SonarCloud.

Navigate to your organization’s global settings.

When logged in to your Terraform account, go to the run tasks settings for your TFC organization: https://app.terraform.io/app/{YOUR_TFC_ORG}/settings/tasks

Go to Settings > General > Run tasks > Create run task

In the on-screen form, edit the following fields:

Name (required)
Description (optional)
URL (required)
The URL endpoint configured in the run task to send requests to. Enter https://api.sonarcloud.io/ci-interface/htc-integration/run-tasks
HMAC (required)

Choose Create to complete the configuration of your run task.

The run task is now available within the organization, and you can associate it with one or more workspaces. Go to the Terraform Cloud registry to view all available run tasks.
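The HMAC key entered in both products is what lets a run task endpoint check that an incoming request was signed by the configured Terraform Cloud organization. The following is an added example, not SonarCloud's or HashiCorp's code: it assumes, per HashiCorp's run task integration documentation, that TFC sends a hex HMAC-SHA512 of the raw request body in the `X-TFC-Task-Signature` header. The key, payload values and the `handle` helper are constructed for illustration.

```python
import hashlib
import hmac
import json

# Header name as documented by HashiCorp for run tasks (assumption: not stated on this page).
SIGNATURE_HEADER = "X-TFC-Task-Signature"


def sign(body: bytes, key: bytes) -> str:
    """Hex HMAC-SHA512 over the raw body, as the sending side would compute it."""
    return hmac.new(key, body, hashlib.sha512).hexdigest()


def verify_run_task_request(headers: dict, body: bytes, key: bytes) -> bool:
    """Return True only when the signature header matches the raw request body."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received or not key:
        return False  # fail closed: unsigned requests or an empty key are rejected
    expected = sign(body, key).encode()
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    return hmac.compare_digest(expected, received.strip().lower().encode())


def handle(headers: dict, body: bytes, key: bytes):
    """Hypothetical receiver: verify the signature first, parse the JSON second."""
    if not verify_run_task_request(headers, body, key):
        return 401, None
    payload = json.loads(body)
    return 200, payload.get("stage")


# Constructed sample values; none of this is a real key or a real run.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_BODY = json.dumps(
    {"payload_version": 1, "stage": "pre_plan",
     "run_id": "run-EXAMPLE", "workspace_name": "demo-workspace"}
).encode()
DEMO_HEADERS = {"x-tfc-task-signature": sign(DEMO_BODY, DEMO_KEY)}

if __name__ == "__main__":
    print(handle(DEMO_HEADERS, DEMO_BODY, DEMO_KEY))          # signed request
    print(handle(DEMO_HEADERS, DEMO_BODY + b" ", DEMO_KEY))   # body altered in transit
    print(handle({}, DEMO_BODY, DEMO_KEY))                    # no signature header
```

The signature is checked against the bytes exactly as received, before any JSON parsing, because re-serialising the payload can change whitespace or key order and invalidate a legitimate signature.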

Associating the TFC run task with your client workspace

In Terraform Cloud, click Workspaces and then go to the workspace where you want to associate your run tasks.

Go to Settings > Run Tasks.

The run task you created is available under Available Run Tasks. Click the ✚ next to the run task you want to add to the workspace.

Choose the correct Run stage for the SonarCloud task in Terraform.
  • Select Pre-plan to indicate when Terraform Cloud should start the run task.
  • Select the Enforcement level Mandatory. If the task fails, the run will enter an errored state with a warning in the UI.
  • Click Create to complete the configuration of your run task. 

From now on, SonarCloud will scan all Terraform plans on each push within your workspace. 

If all goes well, you will receive a success message.

Your SonarCloud run task has passed the Pre-plan!

If the run task has failed, then you will receive a failure message (below) and you will need to go back to SonarCloud and address whatever caused your quality gate to fail.

Your SonarCloud run task has failed the Pre-plan.

  ©2018-2023 SonarSource SA. All rights reserved.

Creative Commons License