Setting up SonarCloud run tasks in Terraform Cloud
Currently, we only support GitHub and GitLab for use with the TFC integration.
You can use run tasks to integrate SonarCloud into your Terraform Cloud (TFC) workflow and ensure that your TFC pipeline is interrupted if your SonarCloud quality gate fails. The run task allows Terraform Cloud to interact with SonarCloud at a specific point in the TFC run lifecycle. It retrieves the status of the latest SonarCloud scan results and communicates the pass/fail result to Terraform, blocking the TFC workflow if the quality gate has failed. This ensures that no infrastructure changes in Terraform can take place until all unreviewed hotspots or security vulnerabilities within the code analyzed by SonarCloud have been reviewed and remedied.
The process for integrating SonarCloud into your TFC workflow consists of three main steps:
- Configuring the integration on the SonarCloud side, creating an HMAC key for verification with TFC
- Creating a new run task for SonarCloud within TFC using the URL and HMAC key values from SonarCloud
- Associating your newly-created run task with the TFC workspace that will use the run task.
Configuring the run task integration in SonarCloud
You must have administrator permissions for your organization to be able to configure the Terraform Cloud integration.
In the SonarCloud, go to the Terraform Cloud integration settings page for your organization: Your project > Administration > General settings > Integration
Create the HMAC key which will be used to authenticate SonarCloud to TFC. Although the HMAC is listed as optional on the UI, is actually mandatory for the SonarCloud integration to work.
Now that your HMAC is created, you need to complete the task creation process within Terraform Cloud.
Configuring the Terraform Cloud workspace to use the run task
Note that these steps take place within TFC. For more details on Terraform and the Terraform Cloud workflow, see HashiCorp's articles on run tasks in the Terraform help center.
In Terraform Cloud, you now need to create a run task for SonarCloud.
Navigate to your organization’s global settings.
When logged in to your Terraform account, go to the run tasks settings for your TFC organization: https://app.terraform.io/app/{YOUR_TFC_ORG}/settings/tasks,
Go to Settings > General > Run tasks > Create run task
In the on-screen form, edit the following fields:
Name (required)
Description (optional)
URL (required)
The URL endpoint configured in the run task to send requests to. Enter https://api.sonarcloud.io/ci-interface/htc-integration/run-tasks
HMAC (required)
Choose Create to complete the configuration of your run task.
The run task is now available within the organization, and you can associate it with one or more workspaces. Go to the Terraform Cloud registry to view all available run tasks.
Associating the TFC run task with your client workspace
In Terraform Cloud, click Workspaces and then go to the workspace where you want to associate your run tasks.
Go to Settings > Run Tasks.
The run task you created is available under Available Run Tasks. Click the ✚ next to the run task you want to add to the workspace.
- Select Pre-plan to indicate when Terraform Cloud should start the run task.
- Select the Enforcement level Mandatory. If the task fails, the run will enter an errored state with a warning in the UI.
- Click Create to complete the configuration of your run task.
From now on, SonarCloud will scan all Terraform plans on each push within your workspace.
If all goes well, you will receive a success message.
If the run task has failed, then you will received a failure message (below) and you will need to go back to SonarCloud and address whatever caused your quality gate to fail.
Was this page helpful?