In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions and AWS

Prerequisites

Create Action Secrets

In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:

  • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (you can also use OIDC
  • DIGGER_TOKEN - your Digger token (cloud or self-hosted)

Create digger.yml

This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the prod directory:

projects:
- name: production
  dir: prod

Create Github Actions workflow file

Place it at .github/workflows/digger_workflow.yml (name is important!)

name: Digger Workflow

on:
  workflow_dispatch:
    inputs:
      id:
        description: 'run identifier'
        required: false
      job:
        required: true
      comment_id:
        required: true
jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:    
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - uses: diggerhq/digger@latest
        with:
          setup-aws: true
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          disable-locking: true
          digger-hostname: 'https://cloud.digger.dev'
          digger-organisation: 'digger'
          digger-token: ${{ secrets.DIGGER_TOKEN }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This file defines a simple workflow that

  • Checks out repository using Github’s official Checkout action
  • Runs Digger. Note that DIGGER_TOKEN needs to be set as a secret in Actions (either repository secret, or environment secret), you also need to set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY parameter. OIDC is also supported if you prefer that route

Create a PR to verify that it works

Terraform will run an existing plan against your code.

Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR.

Then you can add a comment like digger apply and shortly after apply output will be added as comment too.

In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions and AWS

Prerequisites

Create Action Secrets

In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:

  • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (you can also use OIDC
  • DIGGER_TOKEN - your Digger token (cloud or self-hosted)

Create digger.yml

This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the prod directory:

projects:
- name: production
  dir: prod

Create Github Actions workflow file

Place it at .github/workflows/digger_workflow.yml (name is important!)

name: Digger Workflow

on:
  workflow_dispatch:
    inputs:
      id:
        description: 'run identifier'
        required: false
      job:
        required: true
      comment_id:
        required: true
jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:    
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - uses: diggerhq/digger@latest
        with:
          setup-aws: true
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          disable-locking: true
          digger-hostname: 'https://cloud.digger.dev'
          digger-organisation: 'digger'
          digger-token: ${{ secrets.DIGGER_TOKEN }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This file defines a simple workflow that

  • Checks out repository using Github’s official Checkout action
  • Runs Digger. Note that DIGGER_TOKEN needs to be set as a secret in Actions (either repository secret, or environment secret), you also need to set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY parameter. OIDC is also supported if you prefer that route

Create a PR to verify that it works

Terraform will run an existing plan against your code.

Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR.

Then you can add a comment like digger apply and shortly after apply output will be added as comment too.