Digger is an open source Infrastructure as Code (IaC) orchestration tool designed to run Terraform and OpenTofu natively inside your existing CI/CD pipeline. It avoids the complexity and security risks of standing up a separate IaC platform by reusing your current CI infrastructure, so secrets, compute, and logs stay within the environment you already control. It suits DevOps teams on GitHub Actions, GitLab CI, or similar systems who want to automate infrastructure changes without handing plan and apply execution to a third-party platform.
Built in Go, Digger pairs a lightweight CLI that drives Terraform/OpenTofu with a minimal orchestrator backend (self-hosted or cloud-hosted) that manages PR-level locks, plan artifact storage, and CI job triggering. Locks and plan artifacts live in services inside your own cloud account (AWS DynamoDB and S3, or their GCP equivalents). It also supports OPA-based RBAC, drift detection, and multi-environment workflows, while avoiding vendor lock-in and the cost of additional compute.
What You Get
- Terraform and OpenTofu PR Automation - Executes plan and apply commands directly from GitHub pull request comments, enabling infrastructure changes to be reviewed and approved like code.
- Private Runners via Existing CI - Uses your CI's compute environment (e.g., GitHub Actions runners) instead of third-party servers, so cloud credentials, plan output, and state access stay on runners you control.
- Open Policy Agent (OPA) RBAC - Enforces fine-grained access controls on who can trigger plan, apply, or destroy operations, expressed as OPA policies that the orchestrator evaluates before a job runs.
- PR-Level Locking - Locks a project to the first pull request that plans it until that PR is merged or closed, so two open PRs cannot apply conflicting changes to the same state. This is distinct from Terraform's own state lock, which only guards a single running operation and does nothing to serialize changes across PRs.
- Drift Detection - Runs scheduled plans against live infrastructure and reports when real-world resources have diverged from state, helping maintain compliance and consistency.
- Terragrunt, Workspaces & Multi-Version Support - Native support for Terragrunt modules, Terraform workspaces, and multiple Terraform/OpenTofu versions in the same pipeline.
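The OPA RBAC bullet above leaves open what such a policy looks like. The following is an added example written for this page, not a policy shipped by the Digger project, and the input field names it reads (`input.user`, `input.action`, `input.project`) are assumptions about what the orchestrator passes to OPA; check them against your Digger version's policy documentation before relying on it. It grants plan to anyone with a role, apply to operators and admins, and destroy to admins only, and never on projects whose names start with `prod-`.

```rego
# Added example: an OPA access policy for Digger-style plan/apply/destroy gating.
# Not from the Digger project; the input shape below is an assumption.
package digger

import rego.v1

# Assumed input shape (assumption, not taken from the page):
#   input.user    - VCS login of the person who triggered the command
#   input.action  - one of "plan", "apply", "destroy"
#   input.project - the Digger project name the command targets

# Deny by default: an unmatched request must never be allowed implicitly.
default allow := false

# Role membership is embedded so the policy evaluates offline; in a real
# deployment load it as OPA data (e.g. a data.json bundle) instead.
admins := {"alice", "bob"}
operators := {"carol"}

has_role(u) if u in admins

has_role(u) if u in operators

# Plan is read-only against state and is what reviewers need, so any role may run it.
allow if {
	input.action == "plan"
	has_role(input.user)
}

# Apply mutates infrastructure: operators and admins only.
allow if {
	input.action == "apply"
	has_role(input.user)
}

# Destroy is admin-only and is refused outright on production projects,
# regardless of who asks.
allow if {
	input.action == "destroy"
	input.user in admins
	not startswith(input.project, "prod-")
}

# Human-readable reason for a denial, useful when testing the policy locally.
deny contains msg if {
	not allow
	msg := sprintf("%s may not run %s on %s", [input.user, input.action, input.project])
}
```

To exercise it locally with a constructed request, write `{"user":"carol","action":"destroy","project":"prod-network"}` to `input.json` and run `opa eval -i input.json -d policy.rego 'data.digger.allow'`; the result is `false`, and `data.digger.deny` carries the reason. Swapping the user to `alice` and the project to `staging-network` yields `true`. Keep the default-deny line: without it an action no rule mentions evaluates to undefined rather than false, and a caller that treats "not denied" as permission will let it through.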
Common Use Cases
- Running production Terraform at scale - A DevOps team at Converge Bio uses Digger to automate infrastructure changes across multiple AWS accounts without exposing secrets to external platforms.
- Multi-environment GCP deployments - A data engineering team at Brevo runs separate Terraform workspaces for dev, staging, and prod in different GCP projects using Digger’s CI-integrated workflow.
- Automated PR merging after Terraform apply - A SaaS company auto-merges PRs after successful Terraform apply in GitHub Actions, reducing manual toil and accelerating deployment cycles.
- Secure IaC automation without Atlantis - A fintech firm replaced Atlantis with Digger to retire a long-running, webhook-exposed server and its maintenance burden, keeping plan and apply execution on the CI runners it already operates.
Under The Hood
Architecture
- Monolithic CLI design with tightly coupled components, lacking clear separation between the orchestration, VCS integration, and policy enforcement layers
- VCS providers are wired in individually rather than behind one shared interface, which limits how easily a new provider can be added
- Fragmented service boundaries, visible in the number of environment-specific configuration files
- No dependency injection or dedicated service layer, so business logic is scattered and configuration is carried in loose constants
- Procedural workflow definitions in action.yml favour configuration over modular, testable components
Tech Stack
- Go-based CLI and backend services leveraging native concurrency and standard library for infrastructure automation
- Multi-IaC tool support via Terraform, OpenTofu, Terragrunt, and Pulumi orchestrated through CI/CD pipelines
- Fly.io as primary deployment platform with Dockerized services and automatic HTTPS enforcement
- JWT-based authentication between CLI, CI jobs, and orchestrator, with environment-aware configuration for access control
- CI/CD pipelines dynamically configure cloud provider credentials via OIDC and support multi-cloud deployments
- Release management uses monorepo-style versioning across distributed binary components
Code Quality
- Extensive test coverage with unit, integration, and edge-case tests using testify for robust validation
- Modular package structure with well-defined interfaces enables testability and partial dependency inversion
- Environment-driven configuration with fallbacks and validation ensures secure and adaptive cloud provider behavior
- Idiomatic Go patterns, consistent naming, and structured logging with slog improve readability and observability
- Strong type safety and explicit struct definitions reduce runtime errors, though error handling remains underdeveloped
What Makes It Unique
- Native Terraform execution inside your CI's own job runners, so pull-request-driven plans and applies run with the credentials and isolation your CI already provides
- Distributed job orchestration decouples infrastructure operations from the UI and backend, so execution scales with your CI capacity rather than the orchestrator
- Event handling for GitHub, GitLab, and Bitbucket webhooks lets one orchestrator serve several VCS platforms
- Real-time Terraform output parsing provides live status updates in the UI, reducing manual log analysis
- Built-in plan artifact management carries plan output from the plan job to the apply job, so the applied change is exactly the reviewed one; Terraform state itself stays in your existing remote backend
- Extensible UI components using Radix UI and CSS-in-JS allow customizable dashboards without vendor lock-in