Sign in Subscribe

Production Ready Atlantis Alternative for Terraform CI/CD automation within GitHub Actions (5 Minute Setup Time)

Utpal Nadiger

3 min read
Production Ready Atlantis Alternative for Terraform CI/CD automation within GitHub Actions (5 Minute Setup Time)

Managing Terraform workflows efficiently can be challenging, especially when working with a team. While Atlantis has been a popular choice for Terraform collaboration, it comes with its own set of complexities and maintenance overhead. Enter Digger: a robust, production-ready atlantis alternative for terraform automation that integrates seamlessly with GitHub Actions, offering a quick and secure setup without the need for hosting and maintaining a separate server.

Why Digger is Better than Atlantis

No Need to Host and Maintain a Server

One of the significant advantages of using Digger over Atlantis is that Digger eliminates the need to host and maintain a server. This not only reduces the operational overhead but also simplifies the infrastructure, making it more accessible for teams of all sizes.

Secure by Design

Digger is designed with security in mind. Unlike traditional setups, Digger does not require direct access to your cloud account. Instead, it initiates jobs within your CI, ensuring that all sensitive data remains within your CI environment. This approach minimizes the risk of exposing sensitive information.

Scalable Compute with Jobs Isolation

Digger leverages scalable compute with job isolation, allowing it to handle multiple jobs concurrently without interference. This makes it highly scalable and efficient, particularly for larger teams or complex workflows that require parallel processing.

Role-Based Access Control via OPA

Digger incorporates role-based access control (RBAC) using Open Policy Agent (OPA). This feature provides granular control over who can execute specific operations, enhancing security and compliance within your organization.

Quick Setup Tutorial

Setting up Digger is straightforward and can be done in just a few minutes. Here's a step-by-step guide:

Backendless Mode for Small Teams

If you're working with a small team and are comfortable running jobs sequentially, you can use Digger in backendless mode as a standalone action. Simply set the following option in your workflow configuration:

no-backend: true

Additionally, you need to add pull_request and issue_comment workflow triggers:

on:
  pull_request:
    branches: [ "main" ]
    types: [ opened, synchronize ]
  issue_comment:
    types: [created]
  workflow_dispatch:

Concurrent Mode for Larger Teams

For teams that require concurrency, you can either self-host the Digger Community edition or use a cloud instance. Here are the steps:

  1. Prepare a GitHub Repository with Valid Terraform Code
  2. Ensure You Have AWS Credentials
  3. Install the Digger GitHub App
    • Note that the Digger GitHub App does not need access to your cloud account. It only initiates jobs in your CI, ensuring all sensitive data stays within your CI job.

      (OR)
    • Self-Host Digger Orchestrator: You can self-host the Digger orchestrator with a private GitHub app and issue your own token. Helm chart here.

Create Action Secrets with AWS Credentials

In your GitHub repository settings, go to Secrets and Variables - Actions, and create the following secrets:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

Create digger.yml

Place this configuration file at the root level of your repository. Assuming your Terraform code is in the prod directory:

projects:
- name: production
  dir: prod

Create GitHub Actions Workflow File

Save this file as .github/workflows/digger_workflow.yml (the name is important!):

name: Digger Workflow

on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write # required to merge PRs
      actions: write # required for plan persistence
      id-token: write # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      statuses: write # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: true
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Create a PR to Verify It Works

To ensure everything is set up correctly, create a pull request. Terraform will run an existing plan against your code. Make any change to your Terraform code (e.g., add a blank line). An action run should start, and you can view the log output in Actions. After some time, you should see the output of Terraform Plan added as a comment to your PR.

You can then add a comment like digger apply, and shortly after, the apply output will be added as a comment too.

By following these steps, you can leverage Digger to streamline your Terraform workflows, providing a secure, scalable, and easy-to-maintain solution for your team.

Using Atlantis? Considering a faster, more secure & scalable alternative? Book a demo using this link with the founders of Digger for a detailed walk through!

Read how Employ (The parent company of JazzHR, Lever, Jobvite and NXTThing RPO) manages terraform at scale with Digger here

Sign up for more like this.

Enter your email
Subscribe