Github Actions + GCP
In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions and GCP.
Prerequisites
- A GitHub repository with valid terraform code. Here’s a demo repo for inspiration.
- A GCP Service Account Key json file. See Hashicorp’s GCP tutorial
- Digger GitHub App installed
Digger GitHub App does not need access to your cloud account, it just starts jobs in your CI. All sensitive data stays in your CI job.
You can also self-host Digger orchestrator with a private GiHub app and issue your own token
Create Action Secrets
In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:
GCP_CREDENTIALS
- contents of your GCP Service Account Key json file. You can also use OIDC)
Create digger.yml
This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the prod
directory:
Create Github Actions workflow file
Place it at .github/workflows/digger_workflow.yml
(name is important!)
This file defines a workflow with 5 steps:
- Checkout repository using Github’s official Checkout action
- Authenticate into GCP using Google’s official Auth action. Note the
create_credentials_file: true
option; without it, subsequent steps that rely Application Default Credentials will not work. - Set up Google Cloud SDK for use in the subsequent steps via Google’s official Setup-gcloud action
- Verify that GCP is configured correctly by running
gcloud info
- Run Digger.
Create a PR to verify that it works
Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR:
Then you can add a comment like digger apply
and shortly after apply output will be added as comment too.