Announcing Version 1.0 of SonarQube ARM Template

Controlling technical debt is an important exercise for development teams as they embrace DevOps.  Previously we released a beta solution for deployment of SonarQube into azure to help remove blockers around implementing it, but another primary concern will always be security.  With this first official release we have implemented security around the creation of SonarQube within Azure to be included in the ARM template to further remove an additional blocker.

What’s new in this release?

In the previous version of this beta, (found here) we had provided a mechanism for creating a Windows Server 2012 R2 VM, with SonarQube installed and an Azure SQL instance to serve as the backend database through the use of an Azure Resource Manager (ARM) template.  The end goal of this effort being the removal of blockers to getting SonarQube implemented to start leveraging it to monitor an application’s technical debt and leverage the integration between SonarQube and Visual Studio Team Services (found here).

Now that we have been able deploy SonarQube into an Azure environment, we need to ensure that only authorized users are able to access it.  Most source code implements software that support processes that are private to your organization and may provide a competitive advantage.  Organizations that have this need will only adopt SonarQube in this configuration if they can be assured that their intellectual property is being secured.  By its very nature SonarQube is scanning the code and analyzing the inner workings of the application to provide better insights into its overall maintainability.

This version of the ARM Template, leverages a self-signed certificate which must be replaced for production. But additionally, it handles the creation of a Network Service Group for restricting traffic, configures the firewall appropriately, and performs the following additional steps to assist in the security of SonarQube:

  • Install and Configure IIS
  • Create a new website for SonarQube
  • Install Application Request Routing on IIS (ARR)
  • Generate the self-signed certificate
  • Change the SonarQube website binding to https (port 443)
  • Disable HTTP Firewall inside the VM
  • Configure AAR Proxy settings
  • Add rewrite rules for the website.

Additionally, we have also did enhancements to make sure it easy to extend the code to serve additional needs. One thing we did was to move SonarQube version from the DSC code to the main template to make it easy for you to change the version by just edit the template.json file. We will enhance this experience in the future releases, please refer to What’s coming? For more details.

How do I make use of it?

You can access this template on the Azure.com documentation site or from the Azure Quick start Templates GitHub repo.  In either case, you can click the Deploy to Azure button to deploy the template to your Azure subscription.

To deploy this template click on the Deploy to Azure button. This will launch the Azure Portal and you will be prompted to provide values for the parameters below.

image

The deployment in Azure can take up to 60 minutes. At the end of the deployment, SonarQube will be configured to run as a Windows Service on the SonarQube VM. When the SonarQube service starts for the first time, it will configure its database. This can take an additional 15 minutes  to complete during which time the Azure deployment shows as completed but you still won’t be able to reach the SonarQube home page. Please give SonarQube some time to update.

Once the deployment and configuration have finished you will be able to access your SonarQube by entering its public address into a browser. The address format is:

image

Parameter Descriptions

Parameter Name Description Default value
sqVM_AppName Name of the VM that SonarQube will be installed upon. sonarqubevm
sq_PublicIP_DnsPrefix The prefix of the public URL for the VM on the Internet (Max 63 chars, lower-case). It should match with the following regular expression: ^[a-z][a-z0-9-]{1,61}[a-z0-9]$ or it will raise an error. This will be used to build the fully qualified URL for the SonarQube site in the form of https://[sq_PublicIP_DnsPrefix].[AzureRegion].cloudapp.azure.com Ex: A value of "my-sonarqube" will result in a URL of https://my-sonarqube.eastus.cloudapp.azure.com if the ARM template is deployed into a storage account hosted in the EASTUS Azure region. None
sqVM_AppAdmin_UserName Local Admin account name for the SonarQube VM. None
sqVM_AppAdmin_Password Password for the SonarQube VM Local Admin account. None
sqDB_Admin_UserName Admin account name for Azure SQL Server. None
sqDB_Admin_Password Password for Azure SQL Server Admin account. None
sqDB_ServerName Name of Azure SQL Server (Max: 10 chars) sonarsql
sqDB_DBName Name of the SonarQube DB on the Azure SQL Server sonar
sqDB_DBEdition Edition of Azure SQL Server to create, Allowed Values: Basic, Business, Premium, Standard, Web Basic
sqStorage_AcctType Type of Azure Storage Acct to create, Standard_LRS, Standard_ZRS, Standard_GRS, Standard_RAGRS, Premium_LRS Standard_LRS
sqVM_Installation_Type Type of SonarQube installation: Secure (HTTPs) or nonsecure (HTTP) Secure
sqVM_ReverseProxy_Type Type of reverse proxy to be used in case of Secure installation IIS
SqVM_LTS_Version Allow for selection of version of SonarQube Sonarqube-5.6.4

The Team

Brian Randell, Cesar Solis, Clementino de Mendonca, David V. Corbin, Giulio Vian, Hosam Kamel, John Spinella, Kevin Mack, Pierre Donyegro, Rui Melo, Steve St Jean, Vinicius Moura, and our product owner Jean-Marc Prieur.

What’s coming?

With this release the ability to generate a secured implementation of SonarQube within your environment is now possible with the click of a button. For further development of this solution the intention is to enhance the ARM template by making it possible to determine which version of SonarQube is installed from the template. This will increase the flexibility of the template moving forward.

Do you have an idea for a feature?

If there is something you would like to see added to this template you can either fork the template from the Azure GitHub repo or add a comment to this blog post and we can add it to our Product Backlog.

We look forward to hearing from you

We need your feedback. Here are some ways to connect with us: