Skip to content

Terraform module for setting up an (internal VNET integrated) AZURE hosted Sonarqube ACI instance including private endpointed persistent PaaS Database (Azure SQL), PaaS File Share (Azure Files) and custom domain using reverse proxy (Caddy) sidecar container with an auto generated self signed certificate.

License

Notifications You must be signed in to change notification settings

Pwd9000-ML/terraform-azurerm-sonarqube-aci-internal

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Manual-Tests-and-Release Automated-Dependency-Tests-and-Release Dependabot

Module: VNET integrated SonarQube Azure Container Instance (+ Automatic SSL self-signed certificate)

image.png

Description

Terraform Registry module for setting up an (internal/private VNET integrated) AZURE hosted SonarQube ACI instance including private endpointed persistent PaaS Database (Azure SQL), PaaS File Share (Azure Files) and custom local domain using reverse proxy (Caddy) sidecar container with self-signed generated certificate.

See VNET integrated deployment - networking resources deployed separately:
For an example of how to create the required networking prerequisites separately to the SonarQube instance by setting the parameter: "var.create_networking_prereqs = false".

See VNET integrated deployment - networking resources deployed (Built-in):
For an example of how to create the required networking prerequisites and SonarQube instance in one module by setting the parameter: "var.create_networking_prereqs = true".

See VNET integrated deployment - existing network resources:
For an example on how to create and integrate the SonarQube instance on existing network resources by setting the parameter: "create_networking_prereqs = false".

Also see this module for creating a public instance of SonarQube using a Let's Encrypt Certificate. Module: Sonarqube Azure Container Instance (+ Automatic SSL).

This module is published on the Public Terraform Registry - sonarqube-aci-internal

Network prerequisites

The following networking resources are required to be created before deploying the SonarQube instance:

  • Virtual Network (VNET)
  • Private DNS Zones (Private DNS Zones for privatelink resources [Keyvault, MsSQL and File Storage], and a custom [local] domain)

image.png

  • Subnets (Resource Subnet to private endpoint supporting resources, and a subnet delegated for Azure Container Instances)

image.png

Supporting PaaS resources are private endpointed and integrated with the VNET on the resources subnet and linked with DNS private zones attached to the VNET.

image.png

After the SonarQube instance is deployed, the SonarQube instance will be integrated with the VNET on the delegated-subnet and the private IP "A-record" linked with the DNS private [local] zone attached to the VNET.

image.png

SonarQube instance

The following resources are deployed as part of the SonarQube instance:

  • Azure Container Group containing the SonarQube ACI and Caddy sidecar ACI with a private IP on the delegated-subnet of the VNET.
  • Azure SQL Database (PaaS) with a private endpoint on the resources subnet of the VNET.
  • Azure File Share (PaaS) with a private endpoint on the resources subnet of the VNET.
  • Azure Key Vault (PaaS) with a private endpoint on the resources subnet of the VNET.

image.png

After the SonarQube instance is built, the SonarQube instance will be accessible on the custom domain name (e.g. https://sonar.custom.local) using the self-signed certificate generated by the Caddy sidecar container.

Ensure that any clients accessing the SonarQube instance have the relevant network peering in place with the SonarQube VNET and that the Private DNS custom local domain custom.local is linked with relevant VNETs for domain name resolution of the sonarqube instance.

When logging into the SonarQube instance for the first time, use the default credentials: admin/admin. This will then force you to update the default password:

image.png

if the container group is restarted or powered down/up, data is persisted in the Azure SQL database and Azure File Share.

Enjoy!

Requirements

Name Version
terraform >= 1.9.5
azurerm ~> 4.0

Providers

Name Version
azurerm ~> 4.0
random n/a

Modules

Name Source Version
create_networking_prereqs ./modules/network_prereqs n/a
private_endpoint_kv ./modules/private_endpoint n/a
private_endpoint_mssql ./modules/private_endpoint n/a
private_endpoint_sa ./modules/private_endpoint n/a

Resources

Name Type
azurerm_container_group.sonarqube_aci_private resource
azurerm_key_vault.sonarqube_kv resource
azurerm_key_vault_secret.password_secret resource
azurerm_key_vault_secret.username_secret resource
azurerm_mssql_database.sonarqube_mssql_db resource
azurerm_mssql_firewall_rule.sonarqube_mssql_fw_rules resource
azurerm_mssql_server.sonarqube_mssql resource
azurerm_mssql_virtual_network_rule.mssql_vnet_rule resource
azurerm_private_dns_a_record.aci_a_record resource
azurerm_role_assignment.kv_role_assigment resource
azurerm_storage_account.sonarqube_sa resource
azurerm_storage_share.sonarqube resource
azurerm_storage_share_file.sonar_properties resource
random_password.sql_admin_password resource
azurerm_client_config.current data source
azurerm_private_dns_zone.keyvault data source
azurerm_private_dns_zone.mssql data source
azurerm_private_dns_zone.storage data source
azurerm_subnet.delegated_subnet_aci data source
azurerm_subnet.resource_subnet data source

Inputs

Name Description Type Default Required
aci_group_config Container group configuration object to create sonarqube aci with caddy reverse proxy.
object({
container_group_name = string
ip_address_type = string
os_type = string
restart_policy = string
})
{
"container_group_name": "sonarqubeaci9000",
"ip_address_type": "Private",
"os_type": "Linux",
"restart_policy": "Never"
}
no
aci_private_dns_record Create private dns record for internal sonarqube instance in '.local'(internal) Azure private DNS zone. (Remember to add dns zone link to other peered vnets to resolve aci dns record.) If false, add private IP to hosts file to resolve the dns record for internal sonarqube instance: 'custom.domain.local'. bool false no
caddy_config Caddy container configuration object to create caddy reverse proxy aci - internal certs (self signed).
object({
container_name = string
container_image = string
container_cpu = number
container_memory = number
container_environment_variables = map(string)
container_commands = list(string)
})
{
"container_commands": [
"caddy",
"reverse-proxy",
"--from",
"custom.domain.local",
"--to",
"localhost:9000",
"--internal-certs"
],
"container_cpu": 1,
"container_environment_variables": null,
"container_image": "ghcr.io/sashkab/docker-caddy2/docker-caddy2:latest",
"container_memory": 1,
"container_name": "caddy-reverse-proxy"
}
no
create_networking_prereqs Create networking resources required for ACI to be deployed. bool false no
delegated_subnet_name The name for the aci delegated subnet, used in data source to get subnet ID. string n/a yes
keyvault_firewall_allowed_ips value of keyvault firewall allowed ip rules. list(string) [] no
keyvault_firewall_bypass List of keyvault firewall rules to bypass. string "AzureServices" no
keyvault_firewall_default_action Default action for keyvault firewall rules. string "Deny" no
kv_config Key Vault configuration object to create azure key vault to store sonarqube aci sql creds.
object({
name = string
sku = string
})
{
"name": "sonarqubekv9000",
"sku": "standard"
}
no
local_dns_zone_name Private Azure dns zone name for the '.local'(internal) DNS zone to add dns record for internal sonarqube instance. (Remember to add dns zone link to other peered vnets to resolve aci dns record.) Otherwise use hosts file to resolve the dns record for internal sonarqube instance: 'custom.domain.local'. string "pwd9000.local" no
location Azure region to deploy resources to. string "uksouth" no
mssql_config MSSQL configuration object to create persistent SQL server instance for sonarqube aci.
object({
name = string
version = string
})
{
"name": "sonarqubemssql9000",
"version": "12.0"
}
no
mssql_db_config MSSQL database configuration object to create persistent azure SQL db for sonarqube aci.
object({
db_name = string
collation = string
create_mode = string
license_type = string
max_size_gb = number
min_capacity = number
auto_pause_delay_in_minutes = number
read_scale = bool
sku_name = string
storage_account_type = string
zone_redundant = bool
point_in_time_restore_days = number
backup_interval_in_hours = number
})
{
"auto_pause_delay_in_minutes": 60,
"backup_interval_in_hours": 24,
"collation": "SQL_Latin1_General_CP1_CS_AS",
"create_mode": "Default",
"db_name": "sonarqubemssqldb9000",
"license_type": null,
"max_size_gb": 128,
"min_capacity": 1,
"point_in_time_restore_days": 7,
"read_scale": false,
"sku_name": "GP_S_Gen5_2",
"storage_account_type": "Zone",
"zone_redundant": false
}
no
mssql_fw_rules List of SQL firewall rules in format: [[rule1, startIP, endIP],[rule2, startIP, endIP]] etc. list(list(string))
[
[
"AllowAll",
"0.0.0.0",
"0.0.0.0"
]
]
no
network_resource_group_name Name of the resource group where networking resources are hosted (if different from resource group hosting ACI resources). string n/a yes
pass_length Password length for sql admin creds. (Stored in sonarqube key vault) number 36 no
private_dns_zones Private DNS zones to create and link to VNET. list(string) null no
resource_group_name Name of the resource group where resources will be hosted. string n/a yes
resource_subnet_name The name for the resource subnet, used in data source to get subnet ID. string n/a yes
sa_config Storage configuration object to create persistent azure file shares for sonarqube aci.
object({
name = string
account_kind = string
account_tier = string
account_replication_type = string
access_tier = string
min_tls_version = string
is_hns_enabled = bool
})
{
"access_tier": "Hot",
"account_kind": "StorageV2",
"account_replication_type": "LRS",
"account_tier": "Standard",
"is_hns_enabled": false,
"min_tls_version": "TLS1_2",
"name": "sonarqubesa9000"
}
no
shares_config Sonarqube file shares.
list(object({
share_name = string
quota_gb = number
}))
[
{
"quota_gb": 10,
"share_name": "data"
},
{
"quota_gb": 10,
"share_name": "extensions"
},
{
"quota_gb": 10,
"share_name": "logs"
},
{
"quota_gb": 1,
"share_name": "conf"
}
]
no
sonar_config Sonarqube container configuration object to create sonarqube aci.
object({
container_name = string
container_image = string
container_cpu = number
container_memory = number
container_environment_variables = map(string)
container_commands = list(string)
})
{
"container_commands": [],
"container_cpu": 2,
"container_environment_variables": null,
"container_image": "ghcr.io/metrostar/quartz/ironbank/big-bang/sonarqube-9:9.9.4-community",
"container_memory": 8,
"container_name": "sonarqube-server"
}
no
sonarqube_private_dns_record Private dns A record for sonarqube instance. (Remember to add dns zone link to other peered vnets to resolve aci dns record.) Otherwise use hosts file to resolve the dns record for internal sonarqube instance: 'custom.domain.local'. string "sonar" no
sql_admin_username Username for sql admin creds. (Stored in sonarqube key vault) string "Sonar-Admin" no
storage_firewall_allowed_ips value of storage firewall allowed ip rules. list(string) [] no
storage_firewall_bypass List of storage firewall rules to bypass. list(string)
[
"AzureServices"
]
no
storage_firewall_default_action Default action for storage firewall rules. string "Deny" no
subnet_config A list of subnet configuration objects to create subnets in the virtual network.
list(object({
subnet_name = string
subnet_address_space = list(string)
service_endpoints = list(string)
private_endpoint_network_policies_enabled = string
private_link_service_network_policies_enabled = bool
}))
null no
subnet_config_delegated_aci A list of subnet configuration objects to create subnets in the virtual network. - delegated to ACI
list(object({
subnet_name = string
subnet_address_space = list(string)
service_endpoints = list(string)
private_endpoint_network_policies_enabled = string
private_link_service_network_policies_enabled = bool
delegation_name = string
delegation_service = string
delegation_ations = list(string)
}))
null no
tags A map of key value pairs that is used to tag resources created. map(string)
{
"Author": "Marcel Lupo",
"Description": "Sonarqube VNET integrated aci with caddy (self signed cert).",
"GitHub": "https://github.com/Pwd9000-ML/terraform-azurerm-sonarqube-aci-internal",
"Terraform": "True"
}
no
virtual_network_name Name of the virtual network where resources are attached. string null no
vnet_address_space value of the address space for the virtual network. list(string) null no

Outputs

Name Description
azurerm_container_group The container group object.
azurerm_private_dns_fqdn The private DNS FQDN of the sonarqube instance.
sonarqube_aci_container_group_ip_address The container group IP address (Private IP of the sonarqube instance).
sonarqube_aci_kv_id The resource ID for the sonarqube key vault.
sonarqube_aci_mssql_db_id The resource ID for the sonarqube MSSQL database.
sonarqube_aci_mssql_db_name The name of the sonarqube MSSQL database.
sonarqube_aci_mssql_id The resource ID for the sonarqube MSSQL Server instance.
sonarqube_aci_sa_id The resource ID for the sonarqube storage account hosting file shares.
sonarqube_aci_share_ids List of resource IDs of each of the sonarqube file shares.

About

Terraform module for setting up an (internal VNET integrated) AZURE hosted Sonarqube ACI instance including private endpointed persistent PaaS Database (Azure SQL), PaaS File Share (Azure Files) and custom domain using reverse proxy (Caddy) sidecar container with an auto generated self signed certificate.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages