cn-terraform
terraform-aws-sonarqube
HCL

SonarQube Terraform Module for AWS

Last updated Dec 1, 2025
40
Stars
45
Forks
9
Issues
0
Stars/day
Attention Score
52
Language breakdown
HCL 100.0%
Files click to expand
README

SonarQube Terraform Module for AWS #

This Terraform module deploys a SonarQube community server on AWS. Based on official Sonarqube Docker image .

Usage

Check valid versions on:

  • Github Releases:
  • Terraform Module Registry:

Install pre commit hooks.

Pleas run this command right after cloning the repository.

pre-commit install

For that you may need to install the following tools:

In order to run all checks at any point run the following command:

pre-commit run --all-files

Requirements

| Name | Version | |------|---------| | terraform | >= 0.13 | | aws | >= 4 | | random | >= 3 |

Providers

| Name | Version | |------|---------| | aws | >= 4 | | random | >= 3 |

Modules

| Name | Source | Version | |------|--------|---------| | acm | terraform-aws-modules/acm/aws | ~> 4.0 | | aws\cw\logs | cn-terraform/cloudwatch-logs/aws | 1.0.12 | | ecs\_fargate | cn-terraform/ecs-fargate/aws | 2.0.52 |

Resources

| Name | Type | |------|------| | awsdbsubnetgroup.auroradbsubnet_group | resource | | awskmskey.encryption_key | resource | | awsrdscluster.aurora_db | resource | | awsrdsclusterinstance.auroradbcluster_instances | resource | | awsroute53record.record_dns | resource | | awssecuritygroup.aurora_sg | resource | | randompassword.master_password | resource |

Inputs

| Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | block\s3\bucket\public\access | (Optional) If true, public access to the S3 bucket will be blocked. | bool | true | no | | container\cpu | (Optional) The number of cpu units to reserve for the container. This is optional for tasks using Fargate launch type and the total amount of container\cpu of all containers in a task will need to be lower than the task-level cpu value | number | 4096 | no | | container\memory | (Optional) The amount of memory (in MiB) to allow the container to use. This is a hard limit, if the container attempts to exceed the container\memory, the container is killed. This field is optional for Fargate launch type and the total amount of container\_memory of all containers in a task will need to be lower than the task memory value | number | 8192 | no | | container\memory\reservation | (Optional) The amount of memory (in MiB) to reserve for the container. If container needs to exceed this threshold, it can do so up to the set container\_memory hard limit | number | 4096 | no | | create\kms\key | If true a new KMS key will be created to encrypt the logs. Defaults true. If set to false a custom key can be used by setting the variable loggroupkmskeyid | bool | false | no | | custom\lb\arn | ARN of the Load Balancer to use in the ECS service. If provided, this module will not create a load balancer and will use the one provided in this variable | string | null | no | | db\backup\retention\_period | The days to retain backups for. Default 3 | number | 3 | no | | db\deletion\protection | If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to true. The default is false. | bool | false | no | | db\engine\version | DB engine version | string | "14.4" | no | | db\instance\number | Number of instance deployed on Aurora. By default, number of subnet in private\subnets\ids | number | null | no | | db\instance\size | DB instance size | string | "db.r4.large" | no | | db\_name | Default DB name | string | "sonar" | no | | db\_password | DB password | string | "" | no | | db\_username | Default DB username | string | "sonar" | no | | default\certificate\arn | ACM certificate ARN if you plan to manage it yourself | string | "" | no | | deployment\circuit\breaker\_enabled | (Optional) You can enable the deployment circuit breaker to cause a service deployment to transition to a failed state if tasks are persistently failing to reach RUNNING state or are failing healthcheck. | bool | false | no | | deployment\circuit\breaker\_rollback | (Optional) The optional rollback option causes Amazon ECS to roll back to the last completed deployment upon a deployment failure. | bool | false | no | | dns\zone\id | Route 53 zone id | string | "" | no | | enable\_autoscaling | Enable auto scaling for datacenter edition | bool | false | no | | enable\s3\bucket\server\side\_encryption | (Optional) If true, server side encryption will be applied. | bool | true | no | | enable\s3\logs | (Optional) If true, all resources to send LB logs to S3 will be created | bool | true | no | | enable\_ssl | Enable SSL | bool | true | no | | ephemeral\storage\size | The number of GBs to provision for ephemeral storage on Fargate tasks. Must be greater than or equal to 21 and less than or equal to 200 | number | 0 | no | | https\record\domain\_name | Route 53 domain name | string | "" | no | | https\record\name | Route 53 dns name | string | "" | no | | lb\enable\cross\zone\load\_balancing | Enable cross zone support for LB | string | "true" | no | | lb\http\ports | Map containing objects to define listeners behaviour based on type field. If type field is forward, include listener\port and the target\group\port. For redirect type, include listener port, host, path, port, protocol, query and status\code. For fixed-response, include listener\port, content\type, message\body and status\code | map(any) | {} | no | | lb\https\ports | Map containing objects to define listeners behaviour based on type field. If type field is forward, include listener\port and the target\group\port. For redirect type, include listener port, host, path, port, protocol, query and status\code. For fixed-response, include listener\port, content\type, message\body and status\code | map(any) |

{
"default": {
"listenerport": 443,
"target
groupport": 9000,
"target
group_protocol": "HTTP"
}
}
| no | | lb\waf\web\acl\arn | ARN of a WAFV2 to associate with the ALB | string | "" | no | | log\group\kms\key\id | The ARN of the KMS Key to use when encrypting log data. Please note, after the AWS KMS CMK is disassociated from the log group, AWS CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data remains encrypted, and AWS CloudWatch Logs requires permissions for the CMK whenever the encrypted data is requested. | string | null | no | | log\group\retention\in\days | (Optional) Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. Default to 30 days. | number | 30 | no | | mount\_points | Container mount points. This is a list of maps, where each map should contain a containerPath and sourceVolume. The readOnly key is optional. | list(any) | [] | no | | name\_prefix | Name prefix for resources on AWS | string | n/a | yes | | permissions\boundary | (Optional) The ARN of the policy that is used to set the permissions boundary for the ecstaskexecutionrole role. | string | null | no | | private\subnets\ids | List of Private Subnets IDs | list(string) | n/a | yes | | public\subnets\ids | List of Public Subnets IDs | list(string) | n/a | yes | | region | AWS Region the infrastructure is hosted in | string | n/a | yes | | s3\bucket\server\side\encryption\key | (Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse\algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms. | string | null | no | | s3\bucket\server\side\encryption\sse\algorithm | (Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms | string | "AES256" | no | | sonarqube\_image | Sonarqube image | string | "sonarqube:lts" | no | | tags | Resource tags | map(string) | {} | no | | volumes | (Optional) A set of volume blocks that containers in your task may use |
list(object({
hostpath = string
name = string
docker
volumeconfiguration = list(object({
autoprovision = bool
driver = string
driver
opts = map(string)
labels = map(string)
scope = string
}))
efsvolumeconfiguration = list(object({
filesystemid = string
rootdirectory = string
transit
encryption = string
transitencryptionport = string
authorizationconfig = list(object({
access
point_id = string
iam = string
}))
}))
}))
| [] | no | | vpc\_id | ID of the VPC | string | n/a | yes |

Outputs

| Name | Description | |------|-------------| | ecs\tasks\sg\_id | SonarQube ECS Tasks Security Group - The ID of the security group | | sonar\lb\arn | SonarQube Load Balancer ARN | | sonar\lb\arn\_suffix | SonarQube Load Balancer ARN Suffix | | sonar\lb\dns\_name | SonarQube Load Balancer DNS Name | | sonar\lb\id | SonarQube Load Balancer ID | | sonar\lb\zone\_id | SonarQube Load Balancer Zone ID |

🔗 More in this category

© 2026 GitRepoTrend · cn-terraform/terraform-aws-sonarqube · Updated daily from GitHub