Setting up SonarQube Cloud run tasks in Terraform Cloud

You can use run tasks to integrate SonarQube Cloud into your Terraform Cloud (TFC) workflow and ensure that your TFC pipeline is interrupted if your SonarQube Cloud quality gate fails. The run task allows Terraform Cloud to interact with SonarQube Cloud at a specific point in the TFC run lifecycle: it retrieves the status of the latest SonarQube Cloud scan results and communicates the pass/fail result to Terraform, blocking the TFC workflow if the quality gate has failed. This ensures that no infrastructure changes in Terraform can take place until all unreviewed hotspots or security vulnerabilities within the code analyzed by SonarQube Cloud have been reviewed and remedied.

The process for integrating SonarQube Cloud into your TFC workflow consists of three main steps:

  • Configuring the integration on the SonarQube Cloud side, creating an HMAC key for verification with TFC
  • Creating a new run task for SonarQube Cloud within TFC using the URL and HMAC key values from SonarQube Cloud
  • Associating your newly created run task with the TFC workspace that will use it.

Configuring the run task integration in SonarQube Cloud

You must have administrator permissions for your organization to be able to configure the Terraform Cloud integration.

In SonarQube Cloud, go to the Terraform Cloud integration settings page for your organization: Your project > Administration > General settings > Integration 

Create the HMAC key that will be used to verify the run task requests exchanged between TFC and SonarQube Cloud. Although the HMAC key is listed as optional in the UI, it is actually mandatory for the SonarQube Cloud integration to work.

Where to add your Terraform HMAC Key in the SonarCloud UI.

Now that your HMAC is created, you need to complete the task creation process within Terraform Cloud.
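To make concrete what the HMAC key and the pass/fail exchange described above actually do, here is an added, self-contained model of the run-task service side. It is example code written for this page, not SonarQube Cloud's implementation or a Sonar-provided library. It assumes the HashiCorp run task protocol as published by HashiCorp: TFC signs the raw request body with HMAC-SHA512 using the shared key and sends the hex digest in the `X-TFC-Task-Signature` header, and the service reports its verdict by PATCHing the `task_result_callback_url` from the request with a `task-results` document authenticated by the per-run `access_token`. The sample request, key and URLs are constructed placeholders, and the quality gate status (`OK` or `ERROR`) is assumed to be fetched separately and passed in.

```python
"""Offline model of the TFC run-task exchange for a quality gate check.

Hypothetical example, not SonarQube Cloud's code. It shows the two things
the run-task service has to do: verify that a request really came from
Terraform Cloud (HMAC-SHA512 over the raw body in X-TFC-Task-Signature)
and report the quality gate verdict through the task-result callback.
"""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-TFC-Task-Signature"


def compute_tfc_signature(body: bytes, hmac_key: str) -> str:
    """HMAC-SHA512 of the raw request body, hex encoded, as TFC sends it."""
    return hmac.new(hmac_key.encode("utf-8"), body, hashlib.sha512).hexdigest()


def verify_tfc_signature(body: bytes, headers: dict, hmac_key: str) -> bool:
    """Constant-time check of the signature header against the body.

    A missing header counts as a failure: without the shared key nothing
    proves the request came from TFC, which is why the page treats the
    HMAC key as mandatory even though the TFC form marks it optional.
    """
    provided = headers.get(SIGNATURE_HEADER)
    if not provided:
        return False
    expected = compute_tfc_signature(body, hmac_key)
    return hmac.compare_digest(expected.encode("ascii"), provided.encode("utf-8"))


def quality_gate_to_task_result(quality_gate_status: str, details_url: str) -> dict:
    """Map a quality gate status (OK / ERROR) to a TFC task-results document.

    TFC accepts "passed" or "failed"; with enforcement level Mandatory a
    "failed" result stops the run before the plan stage.
    """
    status = "passed" if quality_gate_status == "OK" else "failed"
    message = ("Quality gate passed" if status == "passed"
               else f"Quality gate {quality_gate_status}: review the findings before applying")
    return {
        "data": {
            "type": "task-results",
            "attributes": {"status": status, "message": message, "url": details_url},
        }
    }


def handle_run_task(body: bytes, headers: dict, hmac_key: str,
                    quality_gate_status: str,
                    details_url: str = "https://example.invalid/quality-gate"):
    """Return (http_status, callback) for one run-task request.

    callback is None when the request is rejected; otherwise it describes
    the PATCH the service would send to task_result_callback_url.
    """
    if not verify_tfc_signature(body, headers, hmac_key):
        return 401, None  # unsigned or tampered request: do not act on it
    request = json.loads(body)
    if request.get("stage") != "pre_plan":
        return 422, None  # this integration is wired to the Pre-plan stage only
    callback = {
        "method": "PATCH",
        "url": request["task_result_callback_url"],
        "headers": {
            "Authorization": f"Bearer {request['access_token']}",
            "Content-Type": "application/vnd.api+json",
        },
        "body": quality_gate_to_task_result(quality_gate_status, details_url),
    }
    return 200, callback


# --- constructed sample data (placeholders, not real TFC or Sonar values) ---
SAMPLE_HMAC_KEY = "example-hmac-key-created-in-sonarqube-cloud"
SAMPLE_REQUEST = json.dumps({
    "payload_version": 1,
    "stage": "pre_plan",
    "access_token": "example-access-token",
    "task_result_callback_url": "https://app.terraform.io/api/v2/task-results/example/callback",
    "run_id": "run-EXAMPLE",
    "workspace_id": "ws-EXAMPLE",
    "organization_name": "example-org",
}).encode("utf-8")
SAMPLE_HEADERS = {SIGNATURE_HEADER: compute_tfc_signature(SAMPLE_REQUEST, SAMPLE_HMAC_KEY)}

if __name__ == "__main__":
    for gate in ("OK", "ERROR"):
        code, cb = handle_run_task(SAMPLE_REQUEST, SAMPLE_HEADERS, SAMPLE_HMAC_KEY, gate)
        print(gate, code, cb["body"]["data"]["attributes"]["status"])
    # A request signed with a different key is refused before the body is parsed.
    print(handle_run_task(SAMPLE_REQUEST, {SIGNATURE_HEADER: "00" * 64}, SAMPLE_HMAC_KEY, "OK"))
```

The signature check runs before the body is parsed or any quality gate lookup happens, so a request that is not signed with the key configured in SonarQube Cloud never influences the run. The comparison uses `hmac.compare_digest` rather than `==` so that the check does not leak timing information about the expected digest.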

Configuring the Terraform Cloud workspace to use the run task

Note that these steps take place within TFC. For more details on Terraform and the Terraform Cloud workflow, see HashiCorp's articles on run tasks in the Terraform help center. 

In Terraform Cloud, you now need to create a run task for SonarQube Cloud:

  1. Navigate to your organization’s global settings.
  2. When logged in to your Terraform account, go to the run tasks settings for your TFC organization: https://app.terraform.io/app/{YOUR_TFC_ORG}/settings/tasks.
  3. Go to Settings > General > Run tasks > Create run task.
  4. In the on-screen form, edit the following fields:
    • Name (required)
    • Endpoint URL (required): The URL endpoint configured in the run task to send requests to. Enter https://api.sonarcloud.io/ci-interface/htc-integration/run-tasks
    • Description (optional)
    • HMAC key (required): Enter the HMAC key you created in SonarQube Cloud. This field is required because SonarQube Cloud validates each request from TFC against that key, so the two values must match.
  5. Choose Create to complete the configuration of your run task.

The run task is now available within the organization, and you can associate it with one or more workspaces. Go to the Terraform Cloud registry to view all available run tasks.

Associating the TFC run task with your client workspace

In Terraform Cloud, click Workspaces and then go to the workspace where you want to associate your run tasks.

Go to Settings > Run Tasks.

The run task you created is available under Available Run Tasks. Click the ✚ next to the run task you want to add to the workspace.

Choose the correct Run stage for the SonarCloud task in Terraform.
  • Select Pre-plan to indicate when Terraform Cloud should start the run task.
  • Select the Enforcement level Mandatory. If the task fails, the run will enter an errored state with a warning in the UI.
  • Click Create to complete the configuration of your run task. 

From now on, SonarQube Cloud will scan all Terraform plans on each push within your workspace. 

If all goes well, you will receive a success message.

Your SonarCloud run task has passed the Pre-plan!

If the run task has failed, you will receive a failure message (below) and you will need to go back to SonarQube Cloud and address whatever caused your quality gate to fail.

Your SonarCloud run task has failed the Pre-plan.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.