SonarQube Terraform Module for AWS

This Terraform module deploys a SonarQube community server on AWS. Based on official Sonarqube Docker image https://hub.docker.com/_/sonarqube.

Usage

Check valid versions on:

• Github Releases: https://github.com/cn-terraform/terraform-aws-sonarqube/releases
• Terraform Module Registry: https://registry.terraform.io/modules/cn-terraform/sonarqube/aws

Install pre commit hooks.

Pleas run this command right after cloning the repository.

    pre-commit install

For that you may need to install the following tools:

• Pre-commit
• Terraform Docs

In order to run all checks at any point run the following command:

    pre-commit run --all-files

Requirements

Name	Version
terraform	>= 0.13
aws	>= 4
random	>= 3

Providers

Name	Version
aws	4.29.0
random	3.4.2

Modules

Name	Source	Version
acm	terraform-aws-modules/acm/aws	~> 4.0
aws_cw_logs	cn-terraform/cloudwatch-logs/aws	1.0.12
ecs_fargate	cn-terraform/ecs-fargate/aws	2.0.45

Resources

Name	Type
aws_db_subnet_group.aurora_db_subnet_group	resource
aws_kms_key.encryption_key	resource
aws_rds_cluster.aurora_db	resource
aws_rds_cluster_instance.aurora_db_cluster_instances	resource
aws_route53_record.record_dns	resource
aws_security_group.aurora_sg	resource
random_password.master_password	resource

Inputs

Name	Description	Type	Default	Required
block_s3_bucket_public_access	(Optional) If true, public access to the S3 bucket will be blocked.	bool	true	no
container_cpu	(Optional) The number of cpu units to reserve for the container. This is optional for tasks using Fargate launch type and the total amount of container_cpu of all containers in a task will need to be lower than the task-level cpu value	number	4096	no
container_memory	(Optional) The amount of memory (in MiB) to allow the container to use. This is a hard limit, if the container attempts to exceed the container_memory, the container is killed. This field is optional for Fargate launch type and the total amount of container_memory of all containers in a task will need to be lower than the task memory value	number	8192	no
container_memory_reservation	(Optional) The amount of memory (in MiB) to reserve for the container. If container needs to exceed this threshold, it can do so up to the set container_memory hard limit	number	4096	no
create_kms_key	If true a new KMS key will be created to encrypt the logs. Defaults true. If set to false a custom key can be used by setting the variable log_group_kms_key_id	bool	false	no
db_backup_retention_period	The days to retain backups for. Default 3	number	3	no
db_deletion_protection	If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to true. The default is false.	bool	false	no
db_engine_version	DB engine version	string	"14.2"	no
db_instance_number	Number of instance deployed on Aurora. By default, number of subnet in private_subnets_ids	number	null	no
db_instance_size	DB instance size	string	"db.r4.large"	no
db_name	Default DB name	string	"sonar"	no
db_password	DB password	string	""	no
db_username	Default DB username	string	"sonar"	no
dns_zone_id	Route 53 zone id	string	""	no
enable_autoscaling	Enable auto scaling for datacenter edition	bool	false	no
enable_s3_bucket_server_side_encryption	(Optional) If true, server side encryption will be applied.	bool	true	no
enable_s3_logs	(Optional) If true, all resources to send LB logs to S3 will be created	bool	true	no
enable_ssl	Enable SSL	bool	true	no
ephemeral_storage_size	The number of GBs to provision for ephemeral storage on Fargate tasks. Must be greater than or equal to 21 and less than or equal to 200	number	0	no
https_record_domain_name	Route 53 domain name	string	""	no
https_record_name	Route 53 dns name	string	""	no
lb_enable_cross_zone_load_balancing	Enable cross zone support for LB	string	"true"	no
lb_http_ports	Map containing objects to define listeners behaviour based on type field. If type field is forward, include listener_port and the target_group_port. For redirect type, include listener port, host, path, port, protocol, query and status_code. For fixed-response, include listener_port, content_type, message_body and status_code	map(any)	{}	no
lb_https_ports	Map containing objects to define listeners behaviour based on type field. If type field is forward, include listener_port and the target_group_port. For redirect type, include listener port, host, path, port, protocol, query and status_code. For fixed-response, include listener_port, content_type, message_body and status_code	map(any)	{ "default": { "listener_port": 443, "target_group_port": 9000, "target_group_protocol": "HTTP" } }	no
lb_waf_web_acl_arn	ARN of a WAFV2 to associate with the ALB	string	""	no
log_group_kms_key_id	The ARN of the KMS Key to use when encrypting log data. Please note, after the AWS KMS CMK is disassociated from the log group, AWS CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data remains encrypted, and AWS CloudWatch Logs requires permissions for the CMK whenever the encrypted data is requested.	string	null	no
log_group_retention_in_days	(Optional) Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. Default to 30 days.	number	30	no
mount_points	Container mount points. This is a list of maps, where each map should contain a containerPath and sourceVolume. The readOnly key is optional.	list(any)	[]	no
name_prefix	Name prefix for resources on AWS	string	n/a	yes
permissions_boundary	(Optional) The ARN of the policy that is used to set the permissions boundary for the ecs_task_execution_role role.	string	null	no
private_subnets_ids	List of Private Subnets IDs	list(string)	n/a	yes
public_subnets_ids	List of Public Subnets IDs	list(string)	n/a	yes
region	AWS Region the infrastructure is hosted in	string	n/a	yes
s3_bucket_server_side_encryption_key	(Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms.	string	null	no
s3_bucket_server_side_encryption_sse_algorithm	(Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms	string	"AES256"	no
sonarqube_image	Sonarqube image	string	"sonarqube:lts"	no
tags	Resource tags	map(string)	{}	no
volumes	(Optional) A set of volume blocks that containers in your task may use	list(object({ host_path = string name = string docker_volume_configuration = list(object({ autoprovision = bool driver = string driver_opts = map(string) labels = map(string) scope = string })) efs_volume_configuration = list(object({ file_system_id = string root_directory = string transit_encryption = string transit_encryption_port = string authorization_config = list(object({ access_point_id = string iam = string })) })) }))	[]	no
vpc_id	ID of the VPC	string	n/a	yes

Outputs

Name	Description
ecs_tasks_sg_id	SonarQube ECS Tasks Security Group - The ID of the security group
sonar_lb_arn	SonarQube Load Balancer ARN
sonar_lb_arn_suffix	SonarQube Load Balancer ARN Suffix
sonar_lb_dns_name	SonarQube Load Balancer DNS Name
sonar_lb_id	SonarQube Load Balancer ID
sonar_lb_zone_id	SonarQube Load Balancer Zone ID