https://github.com/diggerhq/digger
Digger is an open source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline ⚡️
github-actions hacktoberfest infrastructure-as-code tacos terraform terraform-aws terraform-gcp terraform-github-actions terraformcloud
- Host: GitHub
- URL: https://github.com/diggerhq/digger
- Owner: diggerhq
- License: apache-2.0
- Created: 2023-02-24T11:07:31.000Z (almost 3 years ago)
- Default Branch: develop
- Last Pushed: 2025-04-23T19:25:42.000Z (9 months ago)
- Last Synced: 2025-04-23T20:57:40.932Z (9 months ago)
- Topics: github-actions, hacktoberfest, infrastructure-as-code, tacos, terraform, terraform-aws, terraform-gcp, terraform-github-actions, terraformcloud
- Language: Go
- Homepage: https://digger.dev
- Size: 97.9 MB
- Stars: 4,490
- Watchers: 20
- Forks: 560
- Open Issues: 306
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
- awesome-opentofu - digger - Open-source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline. (Tools / Platforms)
- awesome-platform-engineering - digger - state aware Terraform orchestrator (Linting / Terraform)
- awesome-repositories - diggerhq/digger - Digger is an open source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline ⚡️ (Go)
- awesome-starred - diggerhq/digger - Digger is an open source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline ⚡️ (hacktoberfest)
- awesome-rainmana - diggerhq/digger - Digger is an open source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline ⚡️ (Go)
- jimsghstars - diggerhq/digger - Digger is an open source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline ⚡️ (Go)
README
---
> Heads-up: We’ve rebranded!
> Starting from 7th November 2025, the Digger project is now OpenTaco.
> The company’s still Digger, same battle-tested engine — just a more apt name and a bigger vision.
>
> TL;DR
> - Before: Best-in-class Terraform PR automation (a solid improvement upon Atlantis)
> - After: The only piece of software you need to run Terraform or OpenTofu in production.
> We'll gradually update all our marketing material to reflect the same!
---
CI/CD for Terraform is [tricky](https://itnext.io/pains-in-terraform-collaboration-249a56b4534e). To make life easier, specialized CI systems aka [TACOS](https://itnext.io/spice-up-your-infrastructure-as-code-with-tacos-1a9c179e0783) exist - Terraform Cloud, Spacelift, Atlantis, etc.
But why have 2 CI systems? Why not reuse the async jobs infrastructure (compute, orchestration, logs, etc.) of your existing CI?
Digger runs Terraform natively in your CI. This is:
- Secure, because cloud access secrets aren't shared with a third party
- Cost-effective, because you are not paying for additional compute just to run your Terraform
## Features
- Terraform plan and apply in pull request comments
- Private runners - thanks to the fact that there are no separate runners! Your existing CI's compute environment is used
- Open Policy Agent (OPA) support for RBAC
- PR-level locks (on top of Terraform native state locks, similar to Atlantis) to avoid race conditions across multiple PRs
- Terragrunt, Workspaces, multiple Terraform versions, static analysis via Checkov, plan persistence, ...
- Drift detection
## Getting Started
- [GitHub Actions + AWS](https://docs.digger.dev/getting-started/github-actions-+-aws)
- [GitHub Actions + GCP](https://docs.opentaco.dev/ce/gcp/setting-up-gcp-+-gh-actions)
## How it works
Digger has 2 main components:
- CLI that runs inside your CI and calls Terraform with the right arguments
- Orchestrator - a minimal backend (that can also be self-hosted) that triggers CI jobs in response to events such as PR comments
Digger also stores PR-level locks and plan cache in your cloud account (DynamoDB + S3 on AWS, equivalents in other cloud providers).
## Compared to Atlantis
- No need to host and maintain a server (although you [can](https://docs.digger.dev/self-host/deploy-helm))
- Secure by design: jobs run in your CI, so sensitive data stays there
- Scalable compute: jobs can run in parallel
- RBAC and policies via OPA
- Drift detection
- Apply-after-merge workflows
- Web UI (cloud-based)
- Read more about differences with Atlantis in our [blog post](https://medium.com/@DiggerHQ/digger-and-atlantis-key-differences-c08029ffe112)
## Compared to Terraform Cloud and other TACOs
- Open source; the orchestrator can be self-hosted
- Unlimited runs and unlimited resources-under-management on all tiers
- Jobs run in your CI, not on a third-party server
- Supports PR automation (apply before merge)
- No duplication of the CI/CD stack
- Secrets not shared with a third party
## How Digger is Used
- [Production-ready Terraform setup powered by Digger CI/CD](https://medium.com/converge-bio/production-ready-terraform-setup-powered-by-digger-ci-cd-47f18803cdd9) - authored by Amit Lavi from [Converge Bio](https://converge-bio.com/)
- ["I like Digger more than Terraform Cloud and Atlantis"](https://zenn.dev/kiwamizamurai/articles/48594bcad234fb) (Translated from Japanese), includes an [example repo](https://github.com/kiwamizamurai/digger_tutorial)
- How the data ops team at [Brevo](https://www.brevo.com/) uses Digger (a part of this [podcast](https://youtu.be/511RilKsQCY?si=FTPlehy3hVd7zXAM), French)
- ["Use Digger to run Terraform in a different GCP project for each environment"](https://qiita.com/Takayoshi_Makabe/items/d0206cc5c356023c0561) (Japanese)
- ["Automatically merging pull requests after terraform apply with Digger"](https://kakakakakku.hatenablog.com/entry/2025/03/10/143453) (Japanese)
## Contributing
We love contributions. Check out our [contributing guide](CONTRIBUTING.md) to get started.
Please pick an existing issue if you’re interested in contributing; otherwise, feel free to create an issue and triage it with the maintainers before creating a PR.
Not sure where to get started? You can:
- Join our [Slack](https://join.slack.com/t/diggertalk/shared_invite/zt-1tocl4w0x-E3RkpPiK7zQkehl8O78g8Q), and ask us any questions there.
## Telemetry
Digger collects anonymized telemetry. See [usage.go](https://github.com/diggerhq/digger/blob/develop/cli/pkg/usage/usage.go) for details. You can disable telemetry collection either by setting `telemetry: false` in digger.yml, or by setting the `TELEMETRY` env variable to `false`.
## Running migrations
```
atlas migrate apply --url "$DATABASE_URL" --allow-dirty
```
## Local postgres
You might need to disable SSL if running the default docker image.
```
export DATABASE_URL='postgres://postgres:root@localhost:5432/postgres?sslmode=disable'
```
## Resources
- [Docs](https://docs.digger.dev/) for comprehensive documentation and guides
- [Slack](https://join.slack.com/t/diggertalk/shared_invite/zt-1tocl4w0x-E3RkpPiK7zQkehl8O78g8Q) for discussion with the community and Digger team.
- [GitHub](https://github.com/diggerhq/digger) for code, issues, and pull requests
- [Medium](https://medium.com/@DiggerHQ) for terraform automation and collaboration insights, articles, tutorials, and updates.