Digger is an open-source Terraform Cloud Alternative
TFrun by Digger is a Github Action that runs Terraform plan and apply with PR-level locks
Unlike Terraform Cloud or Spacelift, terraform jobs run natively in your Github Actions – no need to share sensitive data with another CI system
Unlike Atlantis, there’s no need to deploy and maintain a backend service.
Demo video: https://www.loom.com/share/e201e639a73941e0b5508710377a6106
Features
- code-level locks – only 1 open PR can run plan / apply. This avoids conflicts
- no need to install any backend into your infra – locks are stored in DynamoDB
How to use
This is a demo flow with a sample repo using local state – for a real-world scenario you’ll need to configure a remote backend (S3 + DynamoDB) and add a workflow file to the root of the repo.
- Fork the demo repository
- Enable Actions (by default workflows won’t trigger in a fork)
- In your repository settings > Actions ensure that the Workflow Read and Write permissions are assigned – This will allow the workflow to post comments on your PRs
- Add environment variables into your Github Action Secrets (NOTE: This step is optional if you just want to test out the Action with null_resource)
  - AWS_ACCESS_KEY_ID
  - AWS_SECRET_ACCESS_KEY
- make a change and create a PR – this will create a lock
- comment digger plan – terraform plan output will be added as a comment. If you don’t see a comment (bug) – check out the job output
- create another PR – plan or apply won’t work in this PR until the first lock is released
- you should see a Locked by PR #1 comment. The action logs will display a “Project locked” error message.
Remote backend and state-level locks
tfrun does not interfere with your remote backend setup. You could be using an S3 backend, TF Cloud’s remote backend, or some other setup.
tfrun also doesn’t differentiate locks based on statefiles – if a PR is locked, it’s locked for all “instances” of state (aka Terraform CLI Workspaces)
State-level locks will keep working normally because they are handled by terraform itself (same as in Atlantis).
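The PR-level lock behaviour described above (the first PR takes the lock, a second PR gets "Locked by PR #1", and one lock covers every workspace), as an added Python example that is not tfrun's own code. ConditionalStore is a hypothetical in-memory stand-in for an atomic put-if-absent write such as a DynamoDB conditional put; the key layout and the holder-only release rule are assumptions.

```python
import threading


class ConditionalStore:
    """In-memory stand-in for a table with atomic conditional writes.
    Assumption: models a DynamoDB conditional put, not tfrun's real schema."""

    def __init__(self):
        self._items = {}
        self._mutex = threading.Lock()

    def put_if_absent(self, key, value):
        # Check and write happen under one mutex, so two PRs cannot both win.
        with self._mutex:
            return self._items.setdefault(key, value)  # returns current holder

    def delete_if_equals(self, key, value):
        with self._mutex:
            if self._items.get(key) == value:
                del self._items[key]
                return True
            return False


def acquire(store, project, pr_number):
    """Return (ok, message). The key is the project only, never the workspace,
    so a locked PR is locked for every Terraform CLI workspace."""
    holder = store.put_if_absent(project, pr_number)
    if holder == pr_number:
        return True, f"Lock held by PR #{pr_number}"
    return False, f"Locked by PR #{holder}"


def release(store, project, pr_number):
    """Assumed rule: only the PR that holds the lock can release it."""
    return store.delete_if_equals(project, pr_number)


def demo():
    store = ConditionalStore()  # constructed sample data: project "demo-project"
    return [acquire(store, "demo-project", 1),   # first PR takes the lock
            acquire(store, "demo-project", 2),   # second PR is refused
            (release(store, "demo-project", 2), "release by non-holder"),
            (release(store, "demo-project", 1), "release by holder"),
            acquire(store, "demo-project", 2)]   # PR 2 can lock after release


if __name__ == "__main__":
    for ok, message in demo():
        print(ok, message)
```

A separate read followed by a write would let two PRs that open at the same moment both see "no lock" and both proceed; the single conditional write is what makes the lock exclusive.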
Roadmap
🔍 GCP Support – support for GCP Spanner for PR locks
🔍 Azure Support – support for Azure Cosmos DB for PR locks
🔍 Gitlab Support
🔍 Jenkins Support
Notes
- we perform anonymous tracking to measure usage; no data is logged during the process. You can see what is tracked in code/usage.py