Using Digger, a CI/CD tool for Terraform/OpenTofu

Karthic
4 min read · Nov 28, 2024


Digger is an open-source CI/CD orchestrator for Terraform/OpenTofu.

Digger works by running Terraform inside a GitHub Actions job. Their website mentions that support for other CI tools such as GitLab CI and Azure DevOps is being added.

You may wonder why you need this tool when you already have a GitHub Actions setup that can run terraform plan and apply. I had the same question.

It is designed to kick off the CI job when a PR is raised, so you can see whether the requested changes will actually work before merging.

It runs terraform plan when a new PR is raised and posts the plan output as a PR comment.

If you, as a reviewer, are satisfied with the plan, you can comment digger apply on the PR and it will start the terraform apply job.

Let's see how to configure Digger to run Terraform/OpenTofu for Oracle Cloud.

In your private GitHub repo, create a file named digger.yml. This file contains the Digger configuration and must be placed at the root of your repository.

projects:
  - name: production
    dir: prod
  - name: dev
    dir: dev
    opentofu: true

I have created two projects named production and dev, with the Terraform files placed under the prod and dev directories respectively in the GitHub repository.

If you want to run OpenTofu instead of Terraform, set opentofu: true in the project configuration, as I have done for the dev project above.

After that, create the GitHub Actions workflow file for Digger, named digger_workflow.yml.

name: Digger Workflow
on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-opentofu: true
          setup-checkov: true
        env:
          TF_VAR_tenancy_ocid: ${{ secrets.TENANCY_ID }}
          TF_VAR_user_ocid: ${{ secrets.USER_ID }}
          TF_VAR_fingerprint: ${{ secrets.FINGERPRINT }}
          TF_VAR_compartment_id: ${{ secrets.COMPARTMENT_ID }}
          TF_VAR_region: eu-frankfurt-1
          TF_VAR_private_key: ${{ secrets.PRIVATE_KEY }}
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Create GitHub secrets for the OCI Terraform provider variables and any other sensitive variables used.

This is an example Terraform file created for the dev and prod projects.

provider "oci" {
  fingerprint  = var.fingerprint
  private_key  = var.private_key
  region       = "eu-frankfurt-1"
  tenancy_ocid = var.tenancy_ocid
  user_ocid    = var.user_ocid
}

terraform {
  required_providers {
    oci = {
      version = ">= 6.15.0"
      source  = "oracle/oci"
    }
  }
}

variable "fingerprint" {}
variable "private_key" {}
variable "tenancy_ocid" {}
variable "user_ocid" {}
variable "compartment_id" {}

data "oci_objectstorage_namespace" "object_namespace" {}

resource "oci_objectstorage_bucket" "test_bucket" {
  compartment_id = var.compartment_id
  name           = "devbucket"
  namespace      = data.oci_objectstorage_namespace.object_namespace.namespace
}

After a successful plan, commenting digger apply runs terraform apply / tofu apply.

We can then merge the pull request from the dev branch to the main branch. I have two projects, dev and production, one pointing to the development compartment and the other to the production compartment in OCI. Once the dev project is tested, I can make the same changes in the prod project and raise a PR to trigger the CI job.

The reason for this is that in some cases terraform plan will succeed but apply will fail for some reason. I want to test the apply in the dev environment and then proceed to production. I can destroy the resources in the dev environment afterwards if needed.

To auto-merge once the apply is successful, set the following in digger.yml:

projects:
  - name: development
    dir: dev
  - name: production
    dir: prod
auto_merge: true

You can specify the Terraform/OpenTofu version in digger_workflow.yml, under the with: block of the digger step:

setup-opentofu: true
opentofu-version: v1.6.1

You can look at this doc to see all the options available to configure in digger.yml.

If you look at digger_workflow.yml, I have enabled Checkov as well using setup-checkov: true.

Let's create a custom workflow configuration in digger.yml to run Checkov. This will run Checkov against the Terraform code that creates the OCI Object Storage bucket.

projects:
  - name: production
    dir: prod
    workflow: production_checkov
  - name: dev
    dir: dev
    opentofu: true
auto_merge: true
telemetry: false
workflows:
  production_checkov:
    plan:
      steps:
        - init
        - plan
        - run: checkov -d . --framework terraform
    workflow_configuration:
      on_pull_request_pushed: [digger plan]

The above plan will fail, since some of the Checkov checks did not pass for the OCI Object Storage bucket.
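As an added example (not the article's code), here is a hardened version of the article's Terraform file from the dev/prod example above, written so the Checkov step has less to complain about. It does two things a reviewer would ask for: the credential variables are declared sensitive so their values are redacted from the plan output that Digger posts as a PR comment, and the bucket states explicitly the settings Checkov's OCI Object Storage checks look at (public access, versioning, customer-managed encryption key, object events). Which specific checks flagged the author's bucket is not stated on the page, and the kms_key_id variable is an assumption: you supply the OCID of a Vault key, for example through a TF_VAR_kms_key_id GitHub secret like the others.

```hcl
terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = ">= 6.15.0"
    }
  }
}

provider "oci" {
  tenancy_ocid = var.tenancy_ocid
  user_ocid    = var.user_ocid
  fingerprint  = var.fingerprint
  private_key  = var.private_key
  region       = var.region
}

# Credentials are marked sensitive so Terraform/OpenTofu redacts them in
# plan and apply output; this matters because Digger posts the plan as a PR comment.
variable "tenancy_ocid" { type = string }
variable "user_ocid"    { type = string }
variable "fingerprint"  { type = string }
variable "private_key" {
  type      = string
  sensitive = true
}

# The article sets TF_VAR_region in the workflow; declaring the variable lets that value be used.
variable "region" {
  type    = string
  default = "eu-frankfurt-1"
}

variable "compartment_id" { type = string }

# Assumed variable (not on the page): OCID of a customer-managed Vault key for the bucket.
variable "kms_key_id" {
  type        = string
  description = "OCID of the KMS key used to encrypt the bucket (set via TF_VAR_kms_key_id)"
}

data "oci_objectstorage_namespace" "object_namespace" {}

resource "oci_objectstorage_bucket" "test_bucket" {
  compartment_id = var.compartment_id
  name           = "devbucket"
  namespace      = data.oci_objectstorage_namespace.object_namespace.namespace

  # Settings the article's bucket left at provider defaults, now stated explicitly:
  access_type           = "NoPublicAccess" # no anonymous read or list access
  versioning            = "Enabled"        # keep prior object versions for recovery from overwrite/delete
  kms_key_id            = var.kms_key_id   # customer-managed key instead of the Oracle-managed default
  object_events_enabled = true             # emit object-level events for auditing and alerting
}
```

Run the same checkov -d . --framework terraform step from the production_checkov workflow against this file to confirm which findings remain in your environment; any check that still fails names the attribute it expects, which is the quickest way to map a Checkov result back to the resource argument.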
