In this guide you will set up Digger to use completely segregated AWS accounts for Dev and Prod environments

Prerequisites

  • 2 Terraform projects with remote backends - example repo
  • 2 pairs of AWS keys
  • Using digger with orchestrator

Create digger.yml file

Place digger.yml file in the root of your repo. Point dir to folders with terraform

projects:
- name: develop
  dir: dev
  workflow_file: digger-run-dev.yml

- name: production
  dir: prod
  workflow_file: digger-run-prod.yml

Create 2 environments in GitHub

  • In your GitHub repo, go to Settings > Environments
  • Press “New Environment”
  • Name one “development” and another “production”

In each environment, create 2 secrets corresponding to your AWS accounts:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

Create 2 Actions workflow files

  • .github/workflows/digger-run-dev.yml for dev
  • .github/workflows/digger-run-prod.yml for prod

Don’t forget to change environment and the Rename step from Dev to Prod

name: Digger Workflow

on:
  workflow_dispatch:
  inputs:
    spec:
      required: true
    run_name:
      required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    environment: development                      # CHANGE ME !!!
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: true
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Verify that it works

That’s it! Now you can use Digger to automate your Terraform PRs.

  • Create a PR that changes terraform in one of your projects
  • You should see 2 Actions jobs started
  • Shortly after, a comment with plan output for the affected project will be added
  • You can comment digger apply to apply changes
  • If you do so, another Action job will start to run apply
Include / exclude patternsPolicy overrides