You can configure Digger to use Conftest to check your Terraform plan output against Open Policy Agent policies.

Pre-requisites

  • Conftest binary needs to be installed into your CI pipeline (see Conftest Docs)

  • OPA policies (rego files) under /policies directory in your repo

Digger.yml configuration

Example assumes the terraform is in the prod directory.

Don’t forget to update the json file name as well if your directory is named differently

projects:
- name: prod
  dir: prod
  workflow: my_custom_workflow
workflows:
  my_custom_workflow:
    plan:
      steps:
      - init:
      - plan
      - run: "conftest test ./prod.json -p ../policies"
    workflow_configuration:
      on_pull_request_pushed: [digger plan]
      on_pull_request_closed: [digger unlock]
      on_commit_to_default: [digger apply]
Using InfracostUsing Terragrunt