Setting up SonarQube Cloud run tasks in Terraform Cloud
Currently, we only support GitHub and GitLab for use with the TFC integration.
You can use run tasks to integrate SonarQube Cloud into your Terraform Cloud (TFC) workflow and ensure that your TFC pipeline is interrupted if your SonarQube Cloud quality gate fails. The run task allows Terraform Cloud to interact with SonarQube Cloud at a specific point in the TFC run lifecycle. It retrieves the status of the latest SonarQube Cloud scan results and communicates the pass/fail result to Terraform, blocking the TFC workflow if the quality gate has failed. This ensures that no infrastructure changes in Terraform can take place until all unreviewed hotspots or security vulnerabilities within the code analyzed by SonarQube Cloud have been reviewed and remedied.
The process for integrating SonarQube Cloud into your TFC workflow consists of three main steps:
- Configuring the integration on the SonarQube Cloud side, creating an HMAC key for verification with TFC.
- Creating a new run task for SonarQube Cloud within TFC using the URL and HMAC key values from SonarQube Cloud.
- Associating your newly-created run task with the TFC workspace that will use the run task.
Configuring the run task integration in SonarQube Cloud
You must have administrator permissions for your organization to be able to configure the Terraform Cloud integration.
In SonarQube Cloud, go to the Terraform Cloud integration settings page for your organization: Your project > Administration > General settings > Integration
Create the HMAC key which will be used to authenticate SonarQube Cloud to TFC. Although the HMAC is listed as optional in the UI, it is actually mandatory for the SonarQube Cloud integration to work.
Now that your HMAC is created, you need to complete the task creation process within Terraform Cloud.
Configuring the Terraform Cloud workspace to use the run task
Note that these steps take place within TFC. For more details on Terraform and the Terraform Cloud workflow, see HashiCorp's articles on run tasks in the Terraform help center.
In Terraform Cloud, you now need to create a run task for SonarQube Cloud.
Navigate to your organization’s global settings.
When logged in to your Terraform account, go to the run tasks settings for your TFC organization: https://app.terraform.io/app/{YOUR_TFC_ORG}/settings/tasks
Go to Settings > General > Run tasks > Create run task
In the on-screen form, edit the following fields:
Name (required)
Description (optional)
URL (required)
The URL endpoint configured in the run task to send requests to. Enter https://api.sonarcloud.io/ci-interface/htc-integration/run-tasks
HMAC (required)
Enter the HMAC key you created in SonarQube Cloud.
Choose Create to complete the configuration of your run task.
The run task is now available within the organization, and you can associate it with one or more workspaces. Go to the Terraform Cloud registry to view all available run tasks.
Associating the TFC run task with your client workspace
In Terraform Cloud, click Workspaces and then go to the workspace where you want to associate your run tasks.
Go to Settings > Run Tasks.
The run task you created is available under Available Run Tasks. Click the ✚ next to the run task you want to add to the workspace.
- Select Pre-plan to indicate when Terraform Cloud should start the run task.
- Select the Enforcement level Mandatory. If the task fails, the run will enter an errored state with a warning in the UI.
- Click Create to complete the configuration of your run task.
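As an added example (not part of this page or of the SonarQube Cloud integration itself), the two TFC-side steps above expressed with HashiCorp's tfe Terraform provider; the resource names and arguments are assumed from that provider, the endpoint URL and the Pre-plan/Mandatory settings are the ones given on this page, and the organization and workspace names are placeholders:

```hcl
# Added example: the run task configuration as code, using the HashiCorp
# "tfe" provider (resource names and arguments assumed from that provider,
# not taken from this page). Replace every PLACEHOLDER value.

terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

variable "sonarqube_hmac_key" {
  description = "HMAC key generated in SonarQube Cloud (Administration > General settings > Integration)."
  type        = string
  sensitive   = true # keep out of version control; supply via a TFC sensitive variable
}

provider "tfe" {
  # Authenticates with the TFE_TOKEN environment variable.
}

# Organization-level run task pointing at the SonarQube Cloud endpoint.
resource "tfe_organization_run_task" "sonarqube_cloud" {
  organization = "YOUR_TFC_ORG" # PLACEHOLDER
  name         = "sonarqube-cloud-quality-gate"
  description  = "Blocks runs while the SonarQube Cloud quality gate is failing"
  url          = "https://api.sonarcloud.io/ci-interface/htc-integration/run-tasks"
  hmac_key     = var.sonarqube_hmac_key # the key is mandatory for the integration
  enabled      = true
}

data "tfe_workspace" "infra" {
  name         = "YOUR_WORKSPACE" # PLACEHOLDER
  organization = "YOUR_TFC_ORG"   # PLACEHOLDER
}

# Associate the task with the workspace: runs at Pre-plan, Mandatory enforcement,
# so a failed quality gate puts the run into an errored state before any plan.
resource "tfe_workspace_run_task" "sonarqube_cloud" {
  workspace_id      = data.tfe_workspace.infra.id
  task_id           = tfe_organization_run_task.sonarqube_cloud.id
  enforcement_level = "mandatory"
  stage             = "pre_plan"
}
```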
From now on, SonarQube Cloud will scan all Terraform plans on each push within your workspace.
If all goes well, you will receive a success message.
If the run task has failed, then you will receive a failure message (below) and you will need to go back to SonarQube Cloud and address whatever caused your quality gate to fail.