With Terraform

In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions This guide assumes you completed Configure PR automation and workflows. Prerequisites

A GitHub repository with valid terraform code. Don’t have one? see Example repo
Your cloud provider credentials:
- For AWS: Hashicorp’s AWS tutorial
- For GCP: Hashicorp’s GCP tutorial
- For Azure: Hashicorp’s Azure tutorial

Prerequisite: OpenTaco account setup

Complete Set up your OpenTaco account before continuing.

Prerequisite: GitHub App installed

Complete Set up GitHub App before continuing.

Create Action Secrets with cloud credentials

In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:

AWS
GCP
Azure

AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY You can also use OIDC for AWS authentication.

Tip: Set GitHub Action secrets with gh CLI

From the repository root (with GitHub CLI installed):

# Set AWS credentials as repository Action secrets
gh secret set AWS_ACCESS_KEY_ID --body "$AWS_ACCESS_KEY_ID"
gh secret set AWS_SECRET_ACCESS_KEY --body "$AWS_SECRET_ACCESS_KEY"

GCP_CREDENTIALS - contents of your GCP Service Account Key json file You can also use OIDC for GCP authentication.

Tip: Set GitHub Action secrets with gh CLI

If your Service Account key is saved to a file, you can pipe it directly:

# Set GCP credentials secret from a JSON key file
gh secret set GCP_CREDENTIALS < path/to/service-account-key.json

Or set from an environment variable/string:

gh secret set GCP_CREDENTIALS --body "$(cat path/to/service-account-key.json)"

AZURE_CLIENT_ID - Your Azure App Registration Client ID
AZURE_TENANT_ID - Your Azure Tenant ID
AZURE_SUBSCRIPTION_ID - Your Azure Subscription ID

You’ll need to configure OIDC authentication by setting up federated credentials in your Azure App Registration. See Azure OIDC setup for details.

Tip: Set GitHub Action secrets with gh CLI

From the repository root (with GitHub CLI installed):

gh secret set AZURE_CLIENT_ID --body "$AZURE_CLIENT_ID"
gh secret set AZURE_TENANT_ID --body "$AZURE_TENANT_ID"
gh secret set AZURE_SUBSCRIPTION_ID --body "$AZURE_SUBSCRIPTION_ID"

Create digger.yml

This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the prod directory:

projects:
- name: production
  dir: prod

Create Github Actions workflow file

Place it at .github/workflows/digger_workflow.yml (name is important!)

AWS
GCP
Azure

name: Digger Workflow

on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: true
          setup-terraform: true
          terraform-version: 1.5.5
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

name: Digger

on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    name: Digger
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status
    steps:
    - uses: actions/checkout@v4
    - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
      run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
        create_credentials_file: true
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v1'
    - name: 'Use gcloud CLI'
      run: 'gcloud info'
    - name: digger run
        uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: false
          setup-terraform: true
          terraform-version: 1.5.5
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This workflow includes additional steps for GCP:

Authenticate into GCP using Google’s official Auth action. Note the create_credentials_file: true option; without it, subsequent steps that rely on Application Default Credentials will not work.
Set up Google Cloud SDK for use in the subsequent steps via Google’s official Setup-gcloud action
Verify that GCP is configured correctly by running gcloud info

name: Digger Workflow

on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-azure: true
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          setup-terraform: true
          terraform-version: 1.5.5
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

This workflow uses Azure OIDC authentication, which requires:

Setting up federated credentials in your Azure App Registration for GitHub Actions
The id-token: write permission for workload identity federation
ARM_* environment variables for the Azure Terraform provider

Create a PR to verify that it works

Terraform will run an existing plan against your code.Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR.

If you forked one of the demo repositories you will need to enable Actions in your repository.

Then you can add a comment like digger apply and shortly after apply output will be added as comment too.

Introduction

Onboarding

Features

Architecture & Self-hosting

State Management

Drift

How To

Reference

AWS-specific

GCP-specific

Azure-specific

Local Development

Contributing

Troubleshooting

With Terraform