Setting up run tasks in TFC
Run tasks help you to integrate SonarQube Cloud into your Terraform Cloud (TFC) workflow so that your TFC pipeline is interrupted if your quality gate fails.
Currently, SonarQube Cloud only supports GitHub and GitLab for use with the TFC integration.
The run task allows Terraform Cloud (TFC) to interact with SonarQube Cloud at a specific point in the TFC run lifecycle. It retrieves the quality gate status of the latest SonarQube Cloud analysis of the linked project and communicates the pass/fail result to Terraform, blocking the TFC run if the quality gate has failed. This ensures that no infrastructure change in Terraform can go ahead while the code analyzed by SonarQube Cloud still contains unreviewed security hotspots or unresolved vulnerabilities that fail the quality gate.
The process for integrating SonarQube Cloud into your TFC workflow consists of the steps described below.
Generate an HMAC key
You must generate the HMAC key that is shared between TFC and SonarQube Cloud. TFC uses it to sign every run task request it sends, and SonarQube Cloud uses the same key to verify that a request genuinely comes from your TFC organization, so the key must be entered identically on both sides.
To ensure the security of your integration, you must use a high-entropy secret key. Do not use human-readable passwords or phrases. According to NIST SP 800-107, the key should be randomly generated and at least as long as the hash output (e.g., 32 bytes for SHA-256).
Below is a recommended command to generate a compliant key.
# Generates a 32-byte key in Hex format (secure for HMAC-SHA256)
openssl rand -hex 32
Configure the run task integration in SonarQube Cloud
You must have administrator permissions for your organization to be able to configure the Terraform Cloud integration.
Proceed as follows:
In SonarQube Cloud, open the project you want to link to the TFC workspace. For more information, see Retrieving projects.
Go to Administration > General settings > Integration.
In Terraform Cloud Run Task HMAC Key, enter the HMAC key you generated in Generate an HMAC key above.

Configure the Terraform Cloud workspace to use the run task
You must create a new run task for SonarQube Cloud within TFC using the URL and HMAC key values from SonarQube Cloud. Note that these steps take place within TFC. For more details on Terraform and the Terraform Cloud workflow, see HashiCorp’s articles on run tasks in the Terraform help center.
To create the run task:
In Terraform Cloud, navigate to your organization's settings. When logged in to your Terraform account, the run tasks settings for your TFC organization are at:
https://app.terraform.io/app/{YOUR_TFC_ORG}/settings/tasks
Go to Settings > General > Run tasks > Create run task.
In the on-screen form, edit the following fields:
Name (required)
Endpoint URL (required): The URL endpoint the run task sends its requests to. Enter
https://api.sonarcloud.io/ci-interface/htc-integration/run-tasks
Description (optional)
HMAC key (required): The HMAC key you generated in Generate an HMAC key above. This field is required because SonarQube Cloud validates the signature TFC puts on each run task request against the key stored in the SonarQube Cloud organization settings; if the two keys differ, every request is rejected.
Choose Create to complete the configuration of your run task.
The run task is now available within the organization, and you can associate it with one or more workspaces. Go to the Terraform Cloud registry to view all available run tasks.
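To make concrete what the key from Generate an HMAC key actually protects, here is an added Python example; it is not code from this page, from SonarQube Cloud or from HashiCorp. Terraform Cloud signs each run task request with HMAC-SHA512 over the raw request body and sends the hex digest in the X-TFC-Task-Signature header, and the receiving integration recomputes the digest with the shared key and compares in constant time; that header name and algorithm are taken from HashiCorp's run task integration documentation, not from this page. Everything else is this example's own: the key policy check (hex, at least 32 bytes, a realistic spread of digits), the assumption that the key string is used exactly as entered in the TFC form rather than hex-decoded, and the constructed sample request body.

```python
# Added example: what the run task HMAC key is for, plus a sanity check on the key itself.
# Not code from this page, SonarQube Cloud or HashiCorp.
import hashlib
import hmac
import secrets

# Header carrying TFC's signature. Name and algorithm (HMAC-SHA512 over the raw request
# body, hex-encoded) come from HashiCorp's run task integration docs, not this page.
SIGNATURE_HEADER = "X-TFC-Task-Signature"


def generate_hmac_key(nbytes: int = 32) -> str:
    """Python equivalent of `openssl rand -hex 32`: nbytes of CSPRNG output as hex."""
    return secrets.token_hex(nbytes)


def key_is_acceptable(key: str, min_bytes: int = 32) -> bool:
    """Heuristic policy check for a candidate key, following the page's requirements.

    Accepts only keys in the form the openssl command produces: hex, decoding to at
    least min_bytes bytes, and using a realistic spread of hex digits. This catches
    passphrases and obviously repetitive keys; it is not a proof of randomness.
    """
    try:
        raw = bytes.fromhex(key)
    except ValueError:
        return False  # passphrases and other non-hex input are rejected outright
    if len(raw) < min_bytes:
        return False
    # 64 random hex digits use well over 10 distinct symbols; "deadbeef" * 8 does not.
    return len(set(key.lower())) >= 10


def sign_request(key: str, body: bytes) -> str:
    """Sender side (what TFC does): HMAC-SHA512 of the raw body, hex-encoded.

    Assumption: the key string is used exactly as entered in the TFC form (UTF-8 bytes),
    not hex-decoded, so both sides must be given the same literal string.
    """
    return hmac.new(key.encode("utf-8"), body, hashlib.sha512).hexdigest()


def verify_request(key: str, body: bytes, headers: dict) -> bool:
    """Receiver side (what the integration endpoint must do before trusting the payload).

    Recompute the digest over the bytes actually received and compare in constant time;
    a missing header is a failed verification, not a pass.
    """
    received = headers.get(SIGNATURE_HEADER)
    if not received:
        return False
    expected = sign_request(key, body)
    return hmac.compare_digest(expected, received)


def run_scenarios() -> dict:
    """Exercise the happy path and the three failures a receiver must reject."""
    key = generate_hmac_key()
    # Constructed sample body in the shape of a TFC run task request (fields trimmed).
    body = (b'{"payload_version":1,"stage":"pre_plan",'
            b'"run_id":"run-EXAMPLE","workspace_name":"infra-prod"}')
    headers = {SIGNATURE_HEADER: sign_request(key, body)}
    return {
        "valid": verify_request(key, body, headers),
        "tampered_body": verify_request(key, body.replace(b"pre_plan", b"pre_apply"), headers),
        "wrong_key": verify_request(generate_hmac_key(), body, headers),
        "missing_header": verify_request(key, body, {}),
    }


if __name__ == "__main__":
    print("generated key:", generate_hmac_key())
    for name, ok in run_scenarios().items():
        print(f"{name:15s} -> {'accepted' if ok else 'rejected'}")
```

The point of the three failing scenarios is that a mismatched key (for example, a key pasted with a trailing newline into one of the two forms), a body altered in transit, or a request with no signature at all must all be rejected before the integration acts on the payload; the key policy check is only a guard against weak keys and does not replace the signature check.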
Associate the TFC run task with your client workspace
Associate your newly-created run task with the TFC workspace that will use the run task:
In Terraform Cloud, click Workspaces and then go to the workspace where you want to associate your run tasks.
Go to Settings > Run Tasks. The run task you created is available under Available Run Tasks. Click the ✚ next to the run task you want to add to the workspace.

Select Pre-plan to indicate when Terraform Cloud should start the run task.
Select the Enforcement level Mandatory, so that a failed quality gate stops the run and puts it in an errored state. (With Advisory, a failure is only shown as a warning in the UI and the run proceeds.)
Click Create to complete the configuration of your run task.
Viewing the run task result
On each run in the workspace, the run task queries SonarQube Cloud for the quality gate status of the latest analysis of the linked project. SonarQube Cloud does not scan the Terraform plan itself; the run task reports on the code SonarQube Cloud has already analyzed.
If all goes well, you will receive a success message.

If the run task has failed, you will receive a failure message and you will need to go back to SonarQube Cloud and address whatever caused your quality gate to fail.
