Configs · May 2, 2026 · 3 min read

Digger — Run Terraform and OpenTofu in Your Existing CI Pipeline

Open-source IaC orchestration that runs Terraform and OpenTofu directly in your GitHub Actions, GitLab CI, or Azure DevOps pipeline. No separate CI system or state management service required.

Introduction

Digger runs Terraform and OpenTofu plan/apply directly inside your existing CI system rather than requiring a separate Terraform Cloud instance or custom CI server. It posts plan output as PR comments, handles locking to prevent concurrent applies, and supports multi-project monorepos out of the box.

What Digger Does

  • Executes terraform plan on pull requests and posts output as PR comments
  • Runs terraform apply on merge with automatic locking to prevent conflicts
  • Supports monorepos with multiple Terraform projects and dependency ordering
  • Integrates natively with GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket
  • Provides drift detection by running scheduled plans against deployed infrastructure

Architecture Overview

Digger operates as a CI step that detects which Terraform projects were modified in a PR, acquires a lock (stored in DynamoDB, GCS, or Postgres), runs plan/apply, and reports results. A lightweight orchestrator backend (optional, self-hosted) coordinates jobs across multiple runners and manages lock state. All Terraform execution happens in your own CI runner with your own cloud credentials, so no secrets leave your environment.

Self-Hosting & Configuration

  • Add the Digger GitHub Action or GitLab CI template to your repository
  • Configure projects in a digger.yml file at the repo root listing directories and dependencies
  • Set up a lock backend (DynamoDB table, GCS bucket, or Postgres) for state locking
  • Cloud credentials stay in your CI secrets; Digger never stores or proxies them
  • Enable the optional orchestrator backend via Docker for advanced features like RBAC and audit logs
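As an added example (not Digger's own code), the per-PR project selection, dependency ordering and project-level locking described in the architecture overview and the setup steps above, written in Python over a constructed project list shaped like digger.yml's projects entries; the in-memory lock class stands in for the DynamoDB/GCS/Postgres backend.

```python
# Added example, not Digger's own code: the per-PR project selection,
# dependency ordering and project-level locking the article describes.
from graphlib import TopologicalSorter

# Constructed sample config, shaped like digger.yml's projects entries
# (name / dir / depends_on); paths and names are made up for this example.
PROJECTS = [
    {"name": "network", "dir": "infra/network", "depends_on": []},
    {"name": "eks", "dir": "infra/eks", "depends_on": ["network"]},
    {"name": "app", "dir": "infra/app", "depends_on": ["eks"]},
    {"name": "dns", "dir": "infra/dns", "depends_on": []},
]


def affected_projects(projects, changed_files):
    """Names of projects whose directory contains at least one changed file.
    The trailing slash keeps 'infra/eks-old/x.tf' from matching 'infra/eks'."""
    hit = set()
    for path in changed_files:
        for p in projects:
            prefix = p["dir"].rstrip("/") + "/"
            if path.startswith(prefix):
                hit.add(p["name"])
    return hit


def plan_order(projects, selected):
    """Order the selected projects so each runs after any of its depends_on
    entries that were also selected (a changed dependency runs first)."""
    by_name = {p["name"]: p for p in projects}
    graph = {n: {d for d in by_name[n]["depends_on"] if d in selected}
             for n in selected}
    return list(TopologicalSorter(graph).static_order())


class ProjectLocks:
    """In-memory stand-in for the DynamoDB/GCS/Postgres lock backend: one
    lock per project, taken with an insert-if-absent and owned by a PR."""

    def __init__(self):
        self._held = {}  # project name -> PR number holding the lock

    def acquire(self, project, pr):
        owner = self._held.setdefault(project, pr)  # no-op if already held
        return owner == pr  # True for the holder, False for a competing PR

    def release(self, project, pr):
        if self._held.get(project) != pr:  # only the holder may release
            return False
        del self._held[project]
        return True
```

A real backend performs the insert-if-absent as a conditional write (for example a DynamoDB condition expression), which is what makes two runners racing for the same project safe.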

Key Features

  • Runs in your CI so cloud credentials never leave your environment
  • PR-level locking prevents concurrent applies to the same Terraform state
  • Monorepo-aware with automatic detection of changed projects per PR
  • Policy-as-code integration with OPA for plan approval gates
  • Cost estimation via Infracost integration shown inline in PR comments

Comparison with Similar Tools

  • Terraform Cloud — hosted by HashiCorp with per-resource pricing; Digger is free and runs in your CI
  • Atlantis — similar PR-based workflow but requires a dedicated server; Digger runs as a CI step with no dedicated server
  • Spacelift — managed IaC platform; Digger keeps execution in your existing CI infrastructure
  • Env0 — SaaS with approval workflows; Digger provides similar features self-hosted
  • Terragrunt — CLI wrapper for DRY configs; Digger is an orchestration layer, so the two complement each other

FAQ

Q: Do I need to run a separate server for Digger?
A: No. The core functionality runs as a CI step. The optional orchestrator backend adds advanced features but is not required for basic plan/apply workflows.

Q: How does Digger prevent two PRs from applying to the same state simultaneously?
A: It acquires a project-level lock before running apply. Other PRs targeting the same project wait until the lock is released.

Q: Does Digger support OpenTofu?
A: Yes. Configure the binary path in digger.yml or use the setup-opentofu flag in the GitHub Action.

Q: Can I use Digger with a monorepo containing 50+ Terraform projects?
A: Yes. Digger detects which projects are affected by file changes and only runs plans for those, keeping CI times short.
