科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion content (mirror of Hacker News).

© 2025 科技回声. All rights reserved.

Show HN: Digger – Open Source Terraform automation and collaboration tool

91 points, by ujnproduct, almost 2 years ago

7 comments

thinkmassive, almost 2 years ago

One of the major security issues with running terraform in your CI/CD pipeline is that it usually needs admin permissions to your entire cloud environment. To avoid this you need the pipeline to pass parameters to an internal process that actually applies the changes.

Digger makes it sound like it might address this:

> Digger runs terraform natively in your CI. This is: Secure, because cloud access secrets aren't shared with a third-party

From the Github+AWS demo:

> 4. Add environment variables into your Github Action Secrets (cloud keys are a requirement since digger needs to connect to your account for coordinating locks) AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY

It sure looks like AWS admin credentials are shared with Github, and also available to anything else in the diggerhq/digger action.
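The comment above contrasts Digger's "secrets aren't shared" claim with a demo that stores long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` as repository secrets. The workflow below is an added example (it is not from the thread, from Digger's docs, or from Digger's own action) showing the weak pattern the comment quotes next to a hardened one: the job exchanges GitHub's OIDC token for short-lived credentials of a narrowly scoped IAM role, so no static admin key exists to leak to the runner or to any third-party action. This is a different mitigation from the internal apply process the commenter describes, and the role ARN, region and role name are placeholders.

```yaml
# Added example: hardened Terraform plan job for GitHub Actions.
# Not Digger's code; role ARN, region and role name are placeholders.
#
# Weak pattern quoted in the comment above (long-lived keys in repo secrets):
#   env:
#     AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
#     AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# Any step or third-party action in the job can read those, and they never expire.
#
# Hardened pattern: OIDC federation to a scoped, short-lived role.
name: terraform-plan
on:
  pull_request:
    branches: [main]

permissions:
  id-token: write   # lets the job request a GitHub OIDC token for this run only
  contents: read    # the plan job needs nothing else from the repo

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Assume a scoped role via OIDC (no static keys stored anywhere)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder ARN. The role's trust policy should only admit the
          # OIDC subject of this repository (see usage note below), and its
          # permission policy should allow read/plan actions plus the state
          # bucket and lock table, not account-wide admin.
          role-to-assume: arn:aws:iam::123456789012:role/terraform-plan-role
          aws-region: us-east-1
          role-duration-seconds: 900   # credentials expire shortly after the job

      - uses: hashicorp/setup-terraform@v3

      - name: Plan only; apply runs elsewhere under a separate, narrower role
        run: |
          terraform init -input=false
          terraform plan -input=false -lock-timeout=60s
```

Two points the comment makes become concrete here. First, the role's trust policy should bind the `token.actions.githubusercontent.com:sub` claim to this repository (for example a condition on `repo:ORG/REPO:pull_request`), so a token minted by any other repo or workflow cannot assume it. Second, keeping `plan` and `apply` on different roles (the apply role reachable only from the protected branch or from an out-of-band process, as the commenter suggests) means a compromised pull-request job can read the environment but cannot change it.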
oneplane, almost 2 years ago

I'm surprised nobody has mentioned Atlantis yet. Running bare terraform in CI is a bad idea (to the extent that running an 'expect' script for an interactive tool is a bad idea), and when you consider the impact it can have (both on resources and on escalation) it should be out-of-band anyway.
notsahil, almost 2 years ago

They migrated from Python to Golang.

More detailed here: https://old.reddit.com/r/golang/comments/14rduec/we_rewrote_our_product_in_go_from_scratch/
lantry, almost 2 years ago

I was initially very interested in digger, because I need something like atlantis but the thought of a web-accessible server with owner-level access to my project seemed scary. Having everything in CI/CD seemed like a great solution. However, when I read the digger docs, I discovered that it too has a publicly accessible server, that gets autodeployed when you first run digger.

1. I don't like the idea of the tool creating resources I didn't explicitly tell it to create

2. I don't like the idea of a public endpoint for someone to pwn and get owner-level access of all my stuff.

It would be nice if the docs explained what the serverless backend thing does (besides the vague comment about handling webhooks), and it would be nice if there was an option that didn't require the public backend even if it means slightly degraded functionality. (github actions can be triggered by PR opened, PR updated, comment created, comment edited, merge to main, and many other things. Seems to me like that should be enough?)

https://docs.digger.dev/readme/how-it-works
ushakov, almost 2 years ago

I misread it as Dagger, the CI/CD tool (https://dagger.io)
_0xdd, almost 2 years ago

I saw Digger and got excited for a second...

https://en.wikipedia.org/wiki/Digger_(video_game)
seedie, almost 2 years ago

One of the main reasons for us to use a terraform collaboration tool is to easily manage state files.

Would be awesome if they find a way to integrate state management.