With OpenTofu

In this tutorial, you will set up Digger to automate OpenTofu pull requests using Github Actions This guide assumes you completed Configure PR automation and workflows. Prerequisites

A GitHub repository with valid OpenTofu code
Your cloud provider credentials:
- For AWS: Hashicorp’s AWS tutorial
- For GCP: Hashicorp’s GCP tutorial
- For Azure: Hashicorp’s Azure tutorial

Prerequisite: OpenTaco account setup

Complete Set up your OpenTaco account before continuing.

Prerequisite: GitHub App installed

Complete Set up GitHub App before continuing.

Create Action Secrets with cloud credentials

In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:

AWS
GCP
Azure

AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY You can also use OIDC for AWS authentication.

GCP_CREDENTIALS - contents of your GCP Service Account Key json file You can also use OIDC for GCP authentication.

AZURE_CLIENT_ID - Your Azure App Registration Client ID
AZURE_TENANT_ID - Your Azure Tenant ID
AZURE_SUBSCRIPTION_ID - Your Azure Subscription ID

You’ll need to configure OIDC authentication by setting up federated credentials in your Azure App Registration. See Azure OIDC setup for details.

Create digger.yml

This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your OpenTofu code is in the prod directory:

projects:
- name: production
  dir: prod
  opentofu: true

Create Github Actions workflow file

Place it at .github/workflows/digger_workflow.yml (name is important!)

AWS
GCP
Azure

name: Digger Workflow

on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: true
          setup-opentofu: true
          opentofu-version: 1.10.3
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

name: Digger

on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    name: Digger
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status
    steps:
    - uses: actions/checkout@v4
    - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
      run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
        create_credentials_file: true
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v1'
    - name: 'Use gcloud CLI'
      run: 'gcloud info'
    - name: digger run
      uses: diggerhq/digger@vLatest
      with:
        digger-spec: ${{ inputs.spec }}
        setup-aws: false
        setup-opentofu: true
        opentofu-version: 1.10.3
      env:
        GITHUB_CONTEXT: ${{ toJson(github) }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This workflow includes additional steps for GCP:

Authenticate into GCP using Google’s official Auth action. Note the create_credentials_file: true option; without it, subsequent steps that rely on Application Default Credentials will not work.
Set up Google Cloud SDK for use in the subsequent steps via Google’s official Setup-gcloud action
Verify that GCP is configured correctly by running gcloud info

name: Digger Workflow

on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-azure: true
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          setup-opentofu: true
          opentofu-version: 1.10.3
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

This workflow uses Azure OIDC authentication, which requires:

Setting up federated credentials in your Azure App Registration for GitHub Actions
The id-token: write permission for workload identity federation
ARM_* environment variables for the Azure Terraform provider

Create a PR to verify that it works

OpenTofu will run an existing plan against your code.Make any change to your OpenTofu code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of OpenTofu Plan added as a comment to your PR.Then you can add a comment like digger apply and shortly after apply output will be added as comment too.

Introduction

Onboarding

Features

Architecture & Self-hosting

State Management

Drift

How To

Reference

AWS-specific

GCP-specific

Azure-specific

Local Development

Contributing

Troubleshooting

Demo repositories