In this guide you will set up Digger to use completely segregated AWS accounts for Dev and Prod environments

Prerequisites

  • 2 Terraform projects with remote backends - example repo
  • 2 pairs of AWS keys
  • Using digger with orchestrator

Create digger.yml file

Place digger.yml file in the root of your repo. Point dir to folders with terraform

projects:
- name: develop
  dir: dev
  workflow_file: digger-run-dev.yml

- name: production
  dir: prod
  workflow_file: digger-run-prod.yml

Create 2 environments in GitHub

  • In your GitHub repo, go to Settings > Environments
  • Press “New Environment”
  • Name one “development” and another “production”

In each environment, create 2 secrets corresponding to your AWS accounts:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

Create 2 Actions workflow files

  • .github/workflows/digger-run-dev.yml for dev
  • .github/workflows/digger-run-prod.yml for prod

Don’t forget to change environment and the Rename step from Dev to Prod

name: Digger Workflow

on:
  workflow_dispatch:
  inputs:
    spec:
      required: true
    run_name:
      required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    environment: development                      # CHANGE ME !!!
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: true
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Verify that it works

That’s it! Now you can use Digger to automate your Terraform PRs.

  • Create a PR that changes terraform in one of your projects
  • You should see 2 Actions jobs started
  • Shortly after, a comment with plan output for the affected project will be added
  • You can comment digger apply to apply changes
  • If you do so, another Action job will start to run apply

In this guide you will set up Digger to use completely segregated AWS accounts for Dev and Prod environments

Prerequisites

  • 2 Terraform projects with remote backends - example repo
  • 2 pairs of AWS keys
  • Using digger with orchestrator

Create digger.yml file

Place digger.yml file in the root of your repo. Point dir to folders with terraform

projects:
- name: develop
  dir: dev
  workflow_file: digger-run-dev.yml

- name: production
  dir: prod
  workflow_file: digger-run-prod.yml

Create 2 environments in GitHub

  • In your GitHub repo, go to Settings > Environments
  • Press “New Environment”
  • Name one “development” and another “production”

In each environment, create 2 secrets corresponding to your AWS accounts:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

Create 2 Actions workflow files

  • .github/workflows/digger-run-dev.yml for dev
  • .github/workflows/digger-run-prod.yml for prod

Don’t forget to change environment and the Rename step from Dev to Prod

name: Digger Workflow

on:
  workflow_dispatch:
  inputs:
    spec:
      required: true
    run_name:
      required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    environment: development                      # CHANGE ME !!!
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: true
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Verify that it works

That’s it! Now you can use Digger to automate your Terraform PRs.

  • Create a PR that changes terraform in one of your projects
  • You should see 2 Actions jobs started
  • Shortly after, a comment with plan output for the affected project will be added
  • You can comment digger apply to apply changes
  • If you do so, another Action job will start to run apply