In this guide you will set up Digger to use completely segregated AWS accounts for Dev and Prod environments

Prerequisites

  • 2 Terraform projects with remote backends - example repo
  • 2 pairs of AWS keys
  • Using digger with orchestrator

Create digger.yml file

Place digger.yml file in the root of your repo. Point dir to folders with terraform

projects:
- name: develop
  dir: dev
  workflow_file: digger-run-dev.yml

- name: production
  dir: prod
  workflow_file: digger-run-prod.yml

Create 2 environments in GitHub

  • In your GitHub repo, go to Settings > Environments
  • Press “New Environment”
  • Name one “development” and another “production”

In each environment, create 2 secrets corresponding to your AWS accounts:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

Create 2 Actions workflow files

  • .github/workflows/digger-run-dev.yml for dev
  • .github/workflows/digger-run-prod.yml for prod

Don’t forget to change environment and the Rename step from Dev to Prod


  name: Digger Dev

  on:
  pull_request:
  branches: [ "main" ]
  types: [ opened, synchronize ]
  issue_comment:
  types: [created]
  workflow_dispatch:

  jobs:
  plan:
  runs-on: ubuntu-latest
  environment: development                      # CHANGE HERE
  permissions:    
    contents: write      # required to merge PRs
    id-token: write      # required for workload-identity-federation
    pull-requests: write # required to post PR comments
    statuses: write      # required to validate combined PR status

  steps:
    - uses: actions/checkout@v4
    - name: Rename       # workaround until passing custom digger.yml is supported
      run: |
        mv digger.dev.yml digger.yml           # CHANGE HERE
    - name: digger run
      uses: diggerhq/digger@v0.4.13
      with:
        setup-aws: true
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1
      env:
        GITHUB_CONTEXT: ${{ toJson(github) }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Verify that it works

That’s it! Now you can use Digger to automate your Terraform PRs.

  • Create a PR that changes terraform in one of your projects
  • You should see 2 Actions jobs started
  • Shortly after, a comment with plan output for the affected project will be added
  • You can comment digger apply to apply changes
  • If you do so, another Action job will start to run apply
Include / exclude patternsPolicy overrides