In this tutorial, you will set up Digger to automate Terraform pull requests using GitHub Actions.
This guide assumes you completed Configure PR automation and workflows.
Prerequisites
A GitHub repository with valid Terraform code. Don't have one? See Example repo.
In the GitHub repository settings, go to Secrets and Variables - Actions and create the secrets for your cloud provider (AWS, GCP or Azure):

AWS
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. You can also use OIDC for AWS authentication.
Tip: Set GitHub Action secrets with gh CLI
From the repository root (with GitHub CLI installed):
  # Set AWS credentials as repository Action secrets
  gh secret set AWS_ACCESS_KEY_ID --body "$AWS_ACCESS_KEY_ID"
  gh secret set AWS_SECRET_ACCESS_KEY --body "$AWS_SECRET_ACCESS_KEY"
GCP
GCP_CREDENTIALS - contents of your GCP Service Account Key JSON file. You can also use OIDC for GCP authentication.
Tip: Set GitHub Action secrets with gh CLI
If your Service Account key is saved to a file, you can pipe it directly:
  # Set GCP credentials secret from a JSON key file
  gh secret set GCP_CREDENTIALS < path/to/service-account-key.json
Or set it from an environment variable/string:
  gh secret set GCP_CREDENTIALS --body "$(cat path/to/service-account-key.json)"
Azure
AZURE_CLIENT_ID - your Azure App Registration Client ID
AZURE_TENANT_ID - your Azure Tenant ID
AZURE_SUBSCRIPTION_ID - your Azure Subscription ID
You'll need to configure OIDC authentication by setting up federated credentials in your Azure App Registration. See Azure OIDC setup for details.
Tip: Set GitHub Action secrets with gh CLI
From the repository root (with GitHub CLI installed):
  gh secret set AZURE_CLIENT_ID --body "$AZURE_CLIENT_ID"
  gh secret set AZURE_TENANT_ID --body "$AZURE_TENANT_ID"
  gh secret set AZURE_SUBSCRIPTION_ID --body "$AZURE_SUBSCRIPTION_ID"
4. Create digger.yml
This file contains the Digger configuration and needs to be placed at the root level of your repository. Assuming your Terraform code is in the prod directory:
  projects:
    - name: production
      dir: prod
5. Create the GitHub Actions workflow file
Place it at .github/workflows/digger_workflow.yml (the name is important!). Pick the variant for your cloud provider (AWS, GCP or Azure).
AWS
  name: Digger Workflow
  on:
    workflow_dispatch:
      inputs:
        spec:
          required: true
        run_name:
          required: false
  run-name: '${{inputs.run_name}}'
  jobs:
    digger-job:
      runs-on: ubuntu-latest
      permissions:
        contents: write # required to merge PRs
        actions: write # required for plan persistence
        id-token: write # required for workload-identity-federation
        pull-requests: write # required to post PR comments
        issues: read # required to check if PR number is an issue or not
        statuses: write # required to validate combined PR status
      steps:
        - uses: actions/checkout@v4
        - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
          run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
        - uses: diggerhq/digger@vLatest
          with:
            digger-spec: ${{ inputs.spec }}
            setup-aws: true
            setup-terraform: true
            terraform-version: 1.5.5
            aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
            aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          env:
            GITHUB_CONTEXT: ${{ toJson(github) }}
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GCP
  name: Digger
  on:
    workflow_dispatch:
      inputs:
        spec:
          required: true
        run_name:
          required: false
  run-name: '${{inputs.run_name}}'
  jobs:
    digger-job:
      name: Digger
      runs-on: ubuntu-latest
      permissions:
        contents: write # required to merge PRs
        actions: write # required for plan persistence
        id-token: write # required for workload-identity-federation
        pull-requests: write # required to post PR comments
        issues: read # required to check if PR number is an issue or not
        statuses: write # required to validate combined PR status
      steps:
        - uses: actions/checkout@v4
        - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
          run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
        - id: 'auth'
          uses: 'google-github-actions/auth@v1'
          with:
            credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
            create_credentials_file: true
        - name: 'Set up Cloud SDK'
          uses: 'google-github-actions/setup-gcloud@v1'
        - name: 'Use gcloud CLI'
          run: 'gcloud info'
        - name: digger run
          uses: diggerhq/digger@vLatest
          with:
            digger-spec: ${{ inputs.spec }}
            setup-aws: false
            setup-terraform: true
            terraform-version: 1.5.5
          env:
            GITHUB_CONTEXT: ${{ toJson(github) }}
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
This workflow includes additional steps for GCP:
Authenticate into GCP using Google’s official Auth action. Note the create_credentials_file: true option; without it, subsequent steps that rely on Application Default Credentials will not work.
Set up Google Cloud SDK for use in the subsequent steps via Google’s official Setup-gcloud action
Verify that GCP is configured correctly by running gcloud info
Azure
  name: Digger Workflow
  on:
    workflow_dispatch:
      inputs:
        spec:
          required: true
        run_name:
          required: false
  run-name: '${{inputs.run_name}}'
  jobs:
    digger-job:
      runs-on: ubuntu-latest
      permissions:
        contents: write # required to merge PRs
        actions: write # required for plan persistence
        id-token: write # required for workload-identity-federation
        pull-requests: write # required to post PR comments
        issues: read # required to check if PR number is an issue or not
        statuses: write # required to validate combined PR status
      steps:
        - uses: actions/checkout@v4
        - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
          run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
        - uses: diggerhq/digger@vLatest
          with:
            digger-spec: ${{ inputs.spec }}
            setup-azure: true
            azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
            azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
            azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
            setup-terraform: true
            terraform-version: 1.5.5
          env:
            GITHUB_CONTEXT: ${{ toJson(github) }}
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
            ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
            ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
            ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
This workflow uses Azure OIDC authentication, which requires:
Setting up federated credentials in your Azure App Registration for GitHub Actions
The id-token: write permission for workload identity federation
ARM_* environment variables for the Azure Terraform provider
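All three workflow variants grant the job the same GITHUB_TOKEN scopes and pull actions by tag (@v4, @vLatest). The script below is an added example, not Digger's own code: it reads a workflow file, reports any token scope that is missing from or broader than the set documented above (taken here as the least-privilege baseline, an assumption of this example) and lists every uses: reference not pinned to a full commit SHA, so a reviewer sees both in one place. The SAMPLE workflow is constructed for the demonstration.

```python
import re

# Least-privilege baseline: the token scopes the Digger workflows above declare
# (assumption of this example: anything outside it, or broader, deserves review).
DOCUMENTED_PERMISSIONS = {"contents": "write", "actions": "write", "id-token": "write",
                          "pull-requests": "write", "issues": "read", "statuses": "write"}
LEVEL = {"none": 0, "read": 1, "write": 2}
SHA_REF = re.compile(r"@[0-9a-f]{40}$")  # action refs pinned to a full commit SHA

def parse_permissions(workflow_text):
    """Return {scope: level} from the first 'permissions:' block (indentation-based, no PyYAML)."""
    indent = lambda s: len(s) - len(s.lstrip(" "))
    lines = workflow_text.splitlines()
    perms = {}
    for i, line in enumerate(lines):
        if line.strip() != "permissions:":
            continue
        for nxt in lines[i + 1:]:
            if nxt.strip() and indent(nxt) <= indent(line):
                break  # back at the job level: the block has ended
            if nxt.strip():
                key, _, rest = nxt.strip().partition(":")
                perms[key.strip()] = rest.split("#", 1)[0].strip()  # drop trailing comment
        break
    return perms

def audit_workflow(workflow_text):
    """Flag scopes missing from or broader than the baseline, and action refs not pinned to a SHA."""
    findings = {"unexpected_permissions": [], "unpinned_actions": []}
    for scope, level in parse_permissions(workflow_text).items():
        base = DOCUMENTED_PERMISSIONS.get(scope)
        if base is None or LEVEL.get(level, 3) > LEVEL[base]:
            findings["unexpected_permissions"].append(f"{scope}: {level}")
    for m in re.finditer(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s]+)", workflow_text, re.M):
        if not SHA_REF.search(m.group(1)):
            findings["unpinned_actions"].append(m.group(1))
    return findings

# Constructed sample: the AWS workflow above, trimmed, plus one extra scope to trip the check.
SAMPLE = """\
jobs:
  digger-job:
    permissions:
      contents: write # required to merge PRs
      issues: read
      packages: write # constructed: not in the documented set
    steps:
      - uses: actions/checkout@v4
      - uses: diggerhq/digger@vLatest
"""
```

Run it against your own .github/workflows/digger_workflow.yml with audit_workflow(open(path).read()); an empty result means the workflow grants nothing beyond the documented scopes and every action is SHA-pinned.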
6. Create a PR to verify that it works
Terraform will run an existing plan against your code. Make any change to your Terraform code, e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see the output of Terraform Plan added as a comment to your PR.
If you forked one of the demo repositories you will need to enable Actions in your repository.
Then you can add a comment like digger apply, and shortly after the apply output will be added as a comment too.