In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions and AWS

​

Prerequisites

• A GitHub repository with valid terraform code. Here’s a demo repo
• Your AWS credentials. See Hashicorp’s AWS tutorial
• Digger token - get it on cloud.digger.dev

​

Create Action Secrets

In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:

• AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY - your AWS key pair. OIDC is supported too
• DIGGER_TOKEN - your Digger token (get it at cloud.digger.dev)

​

Create digger.yml

This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the prod directory:

projects:
- name: production
  dir: prod

​

Create Github Actions workflow file

Place it at .github/workflows/digger_workflow.yml (name is important!)

name: Digger Workflow

on:
  workflow_dispatch:
    inputs:
      id:
        description: 'run identifier'
        required: false
      job:
        required: true
jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:    
      contents: write      # required to merge PRs
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - uses: diggerhq/digger@v0.3.0
        with:
          setup-aws: true
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          disable-locking: true
          digger-hostname: 'https://cloud.digger.dev'
          digger-organisation: 'digger'
          digger-token: ${{ secrets.DIGGER_TOKEN }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         

This file defines a simple workflow that

• Checks out repository using Github’s official Checkout action
• Runs Digger. Note that DIGGER_TOKEN needs to be set as a secret in Actions (either repository secret, or environment secret), you also need to set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY parameter. OIDC is also supported if you prefer that route

​

Create a PR to verify that it works

Terraform will run an existing plan against your code.

Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR.

Then you can add a comment like digger apply and shortly after apply output will be added as comment too.