Digger is an open-source Terraform Cloud Alternative
Digger is a GitHub Action that runs Terraform plan and apply with PR-level locks
Unlike Terraform Cloud or Spacelift, Terraform jobs run natively in your GitHub Actions, so there is no need to share sensitive data with another CI system
Unlike Atlantis, there's no need to deploy and maintain a backend service.
Demo video: https://www.loom.com/share/e201e639a73941e0b5508710377a6106
- code-level locks - only 1 open PR can run plan / apply. This avoids conflicts
- no need to install any backend into your infra - locks are stored in DynamoDB
This is a demo flow with a sample repo using local state. For a real-world scenario you'll need to configure a remote backend (S3 + DynamoDB) and add a workflow file to the root of the repo.
- Fork the demo repository
- Enable Actions (by default workflows won't trigger in a fork)
- In your repository settings > Actions, ensure that the Workflow Read and Write permissions are assigned - this will allow the workflow to post comments on your PRs
- Add environment variables into your GitHub Action Secrets (NOTE: this step is optional if you just want to test out the Action with null_resource)
  - AWS_ACCESS_KEY_ID
  - AWS_SECRET_ACCESS_KEY
- Make a change and create a PR - this will create a lock
- Comment digger plan
- Terraform plan output will be added as a comment. If you don't see a comment (bug), check the job output
- Create another PR - plan or apply won't work in this PR until the first lock is released
- You should see a "Locked by PR #1" comment. The action logs will display a "Project locked" error message.
Digger does not interfere with your remote backend setup. You could be using an S3 backend, TF Cloud's remote backend, or some other way.
Digger also doesn't differentiate locks based on statefiles - if a PR is locked, it's locked for all "instances" of state (aka Terraform CLI Workspaces).
State-level locks will keep working normally because they are handled by Terraform itself (same as in Atlantis).
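The locking behaviour described above, as an added Go sketch that is not Digger's own code: an in-memory map stands in for the DynamoDB lock table, and the names LockStore, Acquire, Release and RunCommand are hypothetical. The lock is keyed by project only, so a second PR is refused whatever Terraform workspace it targets.

```go
package main

import (
	"fmt"
	"sync"
)

// LockStore is a hypothetical stand-in for the DynamoDB lock table.
type LockStore struct {
	mu    sync.Mutex
	owner map[string]int // project -> number of the PR holding the lock
}
func NewLockStore() *LockStore { return &LockStore{owner: map[string]int{}} }

// Acquire is put-if-absent; it returns the holder and whether pr holds the lock.
func (s *LockStore) Acquire(project string, pr int) (int, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if holder, ok := s.owner[project]; ok && holder != pr {
		return holder, false
	}
	s.owner[project] = pr
	return pr, true
}

// Release deletes the lock only when pr is the holder.
func (s *LockStore) Release(project string, pr int) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if holder, ok := s.owner[project]; !ok || holder != pr {
		return false
	}
	delete(s.owner, project)
	return true
}

// RunCommand gates a plan/apply request on the PR-level lock. The workspace
// argument is deliberately not part of the lock key.
func RunCommand(s *LockStore, project, workspace string, pr int, cmd string) string {
	if holder, ok := s.Acquire(project, pr); !ok {
		return fmt.Sprintf("Locked by PR #%d", holder)
	}
	return fmt.Sprintf("PR #%d: terraform %s (workspace %s)", pr, cmd, workspace)
}

func main() {
	s := NewLockStore()
	fmt.Println(RunCommand(s, "demo", "default", 1, "plan"), "|", RunCommand(s, "demo", "staging", 2, "plan"))
}
```

Against a real table the put-if-absent step has to be a single conditional write, otherwise two PRs can both pass the check before either writes.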
- Support for multiple modes of locking (apply-only, no-lock + queuing)
- GCP Support
  - Support for GCP storage buckets for PR locks
- Azure Support
  - Support for Azure Cosmos DB for PR locks
- Gitlab Support
- Jenkins Support
- We perform anonymous usage tracking. No sensitive or personal / identifiable data is logged. You can see what is tracked in pkg/utils/usage.go
If you are considering using digger within your organisation please reach out to us.
To contribute to Digger please follow our Contributing guide
Q) Since you're FOSS I assume you plan to monetize by selling support? Or...?
A) We are a vc-backed startup fully focused on this tool; in terms of monetization not planning to reinvent the wheel - we're just going to introduce an "enterprise tier" later on with things like OPA integration, drift detection, cost control, multi-team dashboards etc etc. And yes - support. Similarly to what Signoz does for monitoring, or Posthog for product metrics.