Github Actions + AWS
In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions and AWS
Prerequisites
- A GitHub repository with valid terraform code. Here’s a demo repo
- Your AWS credentials. See Hashicorp’s AWS tutorial
- Digger token - get it on cloud.digger.dev
Create Action Secrets
In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:
AWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
- your AWS key pair. OIDC is supported tooDIGGER_TOKEN
- your Digger token (get it at cloud.digger.dev)
Create digger.yml
This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the prod
directory:
projects:
- name: production
dir: prod
Create Github Actions workflow file
Place it at .github/workflows/digger_workflow.yml
(name is important!)
name: Digger Workflow
on:
workflow_dispatch:
inputs:
id:
description: 'run identifier'
required: false
job:
required: true
jobs:
digger-job:
runs-on: ubuntu-latest
permissions:
contents: write # required to merge PRs
id-token: write # required for workload-identity-federation
pull-requests: write # required to post PR comments
statuses: write # required to validate combined PR status
steps:
- uses: actions/checkout@v4
- uses: diggerhq/digger@v0.3.0
with:
setup-aws: true
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
disable-locking: true
digger-hostname: 'https://cloud.digger.dev'
digger-organisation: 'digger'
digger-token: ${{ secrets.DIGGER_TOKEN }}
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
This file defines a simple workflow that
- Checks out repository using Github’s official Checkout action
- Runs Digger. Note that
DIGGER_TOKEN
needs to be set as a secret in Actions (either repository secret, or environment secret), you also need to set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY parameter. OIDC is also supported if you prefer that route
Create a PR to verify that it works
Terraform will run an existing plan against your code.
Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR.
Then you can add a comment like digger apply
and shortly after apply output will be added as comment too.