Module: VNET integrated SonarQube Azure Container Instance (+ Automatic SSL self-signed certificate)
Terraform Registry module for setting up an internal (private, VNET integrated) Azure-hosted SonarQube ACI instance, including a private-endpointed persistent PaaS database (Azure SQL), a PaaS file share (Azure Files) and a custom local domain served by a reverse proxy (Caddy) sidecar container with a self-signed, automatically generated certificate.
- See VNET integrated deployment - networking resources deployed separately: an example of how to create the required networking prerequisites separately from the SonarQube instance by setting the parameter "var.create_networking_prereqs = false".
- See VNET integrated deployment - networking resources deployed (built-in): an example of how to create the required networking prerequisites and the SonarQube instance in one module call by setting the parameter "var.create_networking_prereqs = true".
- See VNET integrated deployment - existing network resources: an example of how to create and integrate the SonarQube instance with existing network resources by setting the parameter "create_networking_prereqs = false".
Also see the companion module for creating a public instance of SonarQube using a Let's Encrypt certificate: Module: Sonarqube Azure Container Instance (+ Automatic SSL).
This module is published on the Public Terraform Registry as sonarqube-aci-internal.
The following networking resources are required to be created before deploying the SonarQube instance:
- Virtual Network (VNET)
- Private DNS Zones (Private DNS Zones for the privatelink resources [Key Vault, MsSQL and File Storage], and a custom [local] domain)
- Subnets (a resource subnet for the private endpoints of the supporting resources, and a subnet delegated to Azure Container Instances)
Supporting PaaS resources are private-endpointed and integrated with the VNET on the resource subnet, and linked with the Private DNS zones attached to the VNET.
After the SonarQube instance is deployed, it is integrated with the VNET on the delegated subnet and its private IP "A-record" is registered in the Private DNS [local] zone attached to the VNET.
The following resources are deployed as part of the SonarQube instance:
- Azure Container Group containing the SonarQube ACI and the Caddy sidecar ACI, with a private IP on the delegated subnet of the VNET.
- Azure SQL Database (PaaS) with a private endpoint on the resource subnet of the VNET.
- Azure File Share (PaaS) with a private endpoint on the resource subnet of the VNET.
- Azure Key Vault (PaaS) with a private endpoint on the resource subnet of the VNET.
After the SonarQube instance is built, it will be accessible on the custom domain name (e.g. https://sonar.custom.local) using the self-signed certificate generated by the Caddy sidecar container.
Ensure that any clients accessing the SonarQube instance have the relevant network peering in place with the SonarQube VNET, and that the Private DNS custom local domain custom.local is linked with the relevant VNETs so that the SonarQube instance's domain name can be resolved.
When logging into the SonarQube instance for the first time, use the default credentials: admin/admin. SonarQube will then force you to update the default password.
If the container group is restarted or powered down/up, data is persisted in the Azure SQL database and Azure File Share.
Enjoy!
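As an added example that is not part of the module's own documentation, below is a root-module call for the "existing network resources" case (create_networking_prereqs = false), using only inputs and outputs listed in this README. The registry namespace, module version, resource group, VNET and subnet names are placeholders, and the empty mssql_fw_rules list assumes SQL access happens only through the private endpoint.

```hcl
# Added example: calling the sonarqube-aci-internal module against an existing VNET.
# Placeholders: <registry-namespace>, the pinned version, and all resource/network names.
module "sonarqube_internal" {
  source = "<registry-namespace>/sonarqube-aci-internal/azurerm" # placeholder namespace
  # version = "<pinned-version>"  # pin to a published release of the module

  # Existing network resources; the module resolves the subnets via data sources.
  create_networking_prereqs   = false
  resource_group_name         = "rg-sonarqube-dev"   # placeholder
  network_resource_group_name = "rg-network-dev"     # placeholder
  virtual_network_name        = "vnet-dev-01"        # placeholder
  resource_subnet_name        = "snet-resources"     # placeholder, private endpoints land here
  delegated_subnet_name       = "snet-aci-delegated" # placeholder, delegated to ACI

  # Custom local domain: the instance is published as sonar.custom.local.
  # The custom.local zone must be linked to every VNET whose clients need to resolve it.
  local_dns_zone_name          = "custom.local"
  sonarqube_private_dns_record = "sonar"
  aci_private_dns_record       = true

  # Keep the PaaS firewalls closed; traffic reaches Key Vault, SQL and Files via
  # private endpoints, so no public allow-list entries are needed.
  keyvault_firewall_default_action = "Deny"
  keyvault_firewall_bypass         = "AzureServices"
  keyvault_firewall_allowed_ips    = []
  storage_firewall_default_action  = "Deny"
  storage_firewall_bypass          = ["AzureServices"]
  storage_firewall_allowed_ips     = []

  # Format is [[rule_name, startIP, endIP], ...]; left empty here (assumption:
  # SQL is reached only over the private endpoint / VNET rule).
  mssql_fw_rules = []

  # SQL admin credentials are generated and stored in the module's Key Vault.
  sql_admin_username = "Sonar-Admin"
  pass_length        = 36

  tags = {
    environment = "dev"
    workload    = "sonarqube"
  }
}

# Surface what a client needs: the private FQDN and the private IP (hosts-file fallback).
output "sonarqube_fqdn" {
  value = module.sonarqube_internal.azurerm_private_dns_fqdn
}

output "sonarqube_private_ip" {
  value = module.sonarqube_internal.sonarqube_aci_container_group_ip_address
}
```

The private IP output is what you would add to a client's hosts file if the custom.local zone cannot be linked to that client's VNET, as the aci_private_dns_record input description notes.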
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.9.5 |
| azurerm | ~> 4.0 |

## Providers

| Name | Version |
|---|---|
| azurerm | ~> 4.0 |
| random | n/a |
## Modules

| Name | Source | Version |
|---|---|---|
| create_networking_prereqs | ./modules/network_prereqs | n/a |
| private_endpoint_kv | ./modules/private_endpoint | n/a |
| private_endpoint_mssql | ./modules/private_endpoint | n/a |
| private_endpoint_sa | ./modules/private_endpoint | n/a |
## Resources

| Name | Type |
|---|---|
| azurerm_container_group.sonarqube_aci_private | resource |
| azurerm_key_vault.sonarqube_kv | resource |
| azurerm_key_vault_secret.password_secret | resource |
| azurerm_key_vault_secret.username_secret | resource |
| azurerm_mssql_database.sonarqube_mssql_db | resource |
| azurerm_mssql_firewall_rule.sonarqube_mssql_fw_rules | resource |
| azurerm_mssql_server.sonarqube_mssql | resource |
| azurerm_mssql_virtual_network_rule.mssql_vnet_rule | resource |
| azurerm_private_dns_a_record.aci_a_record | resource |
| azurerm_role_assignment.kv_role_assigment | resource |
| azurerm_storage_account.sonarqube_sa | resource |
| azurerm_storage_share.sonarqube | resource |
| azurerm_storage_share_file.sonar_properties | resource |
| random_password.sql_admin_password | resource |
| azurerm_client_config.current | data source |
| azurerm_private_dns_zone.keyvault | data source |
| azurerm_private_dns_zone.mssql | data source |
| azurerm_private_dns_zone.storage | data source |
| azurerm_subnet.delegated_subnet_aci | data source |
| azurerm_subnet.resource_subnet | data source |
## Inputs

Object and list defaults below were truncated in the source (shown as `{…}` / `[…]`); see the module's variables file for the full values.

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aci_group_config | Container group configuration object to create the SonarQube ACI with the Caddy reverse proxy. | object({…}) | {…} | no |
| aci_private_dns_record | Create a private DNS record for the internal SonarQube instance in the '.local' (internal) Azure Private DNS zone. (Remember to add a DNS zone link to other peered VNETs to resolve the ACI DNS record.) If false, add the private IP to the hosts file to resolve the DNS record for the internal SonarQube instance: 'custom.domain.local'. | bool | false | no |
| caddy_config | Caddy container configuration object to create the Caddy reverse proxy ACI with internal (self-signed) certificates. | object({…}) | {…} | no |
| create_networking_prereqs | Create the networking resources required for the ACI to be deployed. | bool | false | no |
| delegated_subnet_name | The name of the ACI delegated subnet, used in a data source to get the subnet ID. | string | n/a | yes |
| keyvault_firewall_allowed_ips | Key Vault firewall allowed IP rules. | list(string) | [] | no |
| keyvault_firewall_bypass | Key Vault firewall bypass setting. | string | "AzureServices" | no |
| keyvault_firewall_default_action | Default action for the Key Vault firewall. | string | "Deny" | no |
| kv_config | Key Vault configuration object to create the Azure Key Vault that stores the SonarQube ACI SQL credentials. | object({…}) | {…} | no |
| local_dns_zone_name | Name of the private Azure DNS zone for the '.local' (internal) domain in which the DNS record for the internal SonarQube instance is added. (Remember to add a DNS zone link to other peered VNETs to resolve the ACI DNS record.) Otherwise use the hosts file to resolve the DNS record for the internal SonarQube instance: 'custom.domain.local'. | string | "pwd9000.local" | no |
| location | Azure region to deploy resources to. | string | "uksouth" | no |
| mssql_config | MSSQL configuration object to create the persistent SQL Server instance for the SonarQube ACI. | object({…}) | {…} | no |
| mssql_db_config | MSSQL database configuration object to create the persistent Azure SQL database for the SonarQube ACI. | object({…}) | {…} | no |
| mssql_fw_rules | List of SQL firewall rules in the format [[rule1, startIP, endIP], [rule2, startIP, endIP]] etc. | list(list(string)) | […] | no |
| network_resource_group_name | Name of the resource group where the networking resources are hosted (if different from the resource group hosting the ACI resources). | string | n/a | yes |
| pass_length | Password length for the SQL admin credentials (stored in the SonarQube Key Vault). | number | 36 | no |
| private_dns_zones | Private DNS zones to create and link to the VNET. | list(string) | null | no |
| resource_group_name | Name of the resource group where resources will be hosted. | string | n/a | yes |
| resource_subnet_name | The name of the resource subnet, used in a data source to get the subnet ID. | string | n/a | yes |
| sa_config | Storage configuration object to create the persistent Azure file shares for the SonarQube ACI. | object({…}) | {…} | no |
| shares_config | SonarQube file shares. | list(object({…})) | […] | no |
| sonar_config | SonarQube container configuration object to create the SonarQube ACI. | object({…}) | {…} | no |
| sonarqube_private_dns_record | Private DNS A record name for the SonarQube instance. (Remember to add a DNS zone link to other peered VNETs to resolve the ACI DNS record.) Otherwise use the hosts file to resolve the DNS record for the internal SonarQube instance: 'custom.domain.local'. | string | "sonar" | no |
| sql_admin_username | Username for the SQL admin credentials (stored in the SonarQube Key Vault). | string | "Sonar-Admin" | no |
| storage_firewall_allowed_ips | Storage firewall allowed IP rules. | list(string) | [] | no |
| storage_firewall_bypass | List of storage firewall bypass settings. | list(string) | […] | no |
| storage_firewall_default_action | Default action for the storage firewall. | string | "Deny" | no |
| subnet_config | A list of subnet configuration objects to create subnets in the virtual network. | list(object({…})) | null | no |
| subnet_config_delegated_aci | A list of subnet configuration objects to create subnets in the virtual network, delegated to ACI. | list(object({…})) | null | no |
| tags | A map of key/value pairs used to tag the resources created. | map(string) | {…} | no |
| virtual_network_name | Name of the virtual network to which resources are attached. | string | null | no |
| vnet_address_space | Address space for the virtual network. | list(string) | null | no |
## Outputs

| Name | Description |
|---|---|
| azurerm_container_group | The container group object. |
| azurerm_private_dns_fqdn | The private DNS FQDN of the SonarQube instance. |
| sonarqube_aci_container_group_ip_address | The container group IP address (private IP of the SonarQube instance). |
| sonarqube_aci_kv_id | The resource ID of the SonarQube Key Vault. |
| sonarqube_aci_mssql_db_id | The resource ID of the SonarQube MSSQL database. |
| sonarqube_aci_mssql_db_name | The name of the SonarQube MSSQL database. |
| sonarqube_aci_mssql_id | The resource ID of the SonarQube MSSQL Server instance. |
| sonarqube_aci_sa_id | The resource ID of the SonarQube storage account hosting the file shares. |
| sonarqube_aci_share_ids | List of resource IDs of each of the SonarQube file shares. |