Merge pull request #2058 from diggerhq/docs/enhance-helm-guide-with-iac-steps

ZIJ · web-flow · commit 043926b20e16 · 2025-07-25T20:40:05.000+01:00
docs: add IaC setup steps to Helm deployment guide
diff --git a/docs/ce/self-host/deploy-helm.mdx b/docs/ce/self-host/deploy-helm.mdx
@@ -186,6 +186,236 @@ description: "Learn how to use Helm chart to install Digger on your Kubernetes c
     - Select which repositories the app can access
   </Step>
 
+  <Step title="Create Action Secrets with cloud credentials">
+    In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:
+
+    <Tabs>
+      <Tab title="AWS">
+        - `AWS_ACCESS_KEY_ID`
+        - `AWS_SECRET_ACCESS_KEY`
+        
+        You can also [use OIDC](/ce/cloud-providers/authenticating-with-oidc-on-aws) for AWS authentication.
+      </Tab>
+      <Tab title="GCP">
+        - `GCP_CREDENTIALS` - contents of your GCP Service Account Key json file
+        
+        You can also [use OIDC](/gcp/federated-oidc-access/) for GCP authentication.
+      </Tab>
+      <Tab title="Azure">
+        - `AZURE_CLIENT_ID` - Your Azure App Registration Client ID
+        - `AZURE_TENANT_ID` - Your Azure Tenant ID
+        - `AZURE_SUBSCRIPTION_ID` - Your Azure Subscription ID
+        
+        You'll need to configure OIDC authentication by setting up federated credentials in your Azure App Registration. See [Azure OIDC setup](/ce/azure-specific/azure) for details.
+      </Tab>
+    </Tabs>
+  </Step>
+
+  <Step title="Create digger.yml">
+    This file contains Digger configuration and needs to be placed at the root level of your repository:
+    
+    <Tabs>
+      <Tab title="Terraform / OpenTofu">
+        Assuming your terraform code is in the `prod` directory:
+        
+        ```
+        projects:
+        - name: production
+          dir: prod
+        ```
+      </Tab>
+      <Tab title="Terragrunt Generated">
+        For Terragrunt monorepos with many modules, use the blocks syntax to automatically generate projects:
+        
+        ```yaml
+        generate_projects:
+          blocks:
+            - block_name: dev
+              terragrunt: true
+              root_dir: "dev/"
+              workflow: default
+            - block_name: staging
+              terragrunt: true
+              root_dir: "staging/"
+              workflow: default
+            - block_name: prod
+              terragrunt: true
+              root_dir: "prod/"
+              workflow: default
+
+        workflows:
+          default:
+            plan:
+              steps:
+                - init
+                - plan
+            apply:
+              steps:
+                - init
+                - apply
+        ```
+        
+        This approach automatically discovers all Terragrunt modules under each directory and creates projects for them.
+      </Tab>
+    </Tabs>
+  </Step>
+
+  <Step title="Create Github Actions workflow file">
+    Place it at `.github/workflows/digger_workflow.yml` (name is important!)
+    
+    <Tabs>
+      <Tab title="AWS">
+        ```yaml
+        name: Digger Workflow
+
+        on:
+          workflow_dispatch:
+            inputs:
+              spec:
+                required: true
+              run_name:
+                required: false
+
+        run-name: '${{inputs.run_name}}'
+
+        jobs:
+          digger-job:
+            runs-on: ubuntu-latest
+            permissions:
+              contents: write      # required to merge PRs
+              actions: write       # required for plan persistence
+              id-token: write      # required for workload-identity-federation
+              pull-requests: write # required to post PR comments
+              issues: read         # required to check if PR number is an issue or not
+              statuses: write      # required to validate combined PR status
+
+            steps:
+              - uses: actions/checkout@v4
+              - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
+                run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
+              - uses: diggerhq/digger@vLatest
+                with:
+                  digger-spec: ${{ inputs.spec }}
+                  setup-aws: true
+                  setup-terraform: true
+                  terraform-version: 1.5.5
+                  aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                  aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+                env:
+                  GITHUB_CONTEXT: ${{ toJson(github) }}
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        ```
+      </Tab>
+      <Tab title="GCP">
+        ```yaml
+        name: Digger
+
+        on:
+          workflow_dispatch:
+            inputs:
+              spec:
+                required: true
+              run_name:
+                required: false
+
+        run-name: '${{inputs.run_name}}'
+
+        jobs:
+          digger-job:
+            name: Digger
+            runs-on: ubuntu-latest
+            permissions:
+              contents: write      # required to merge PRs
+              actions: write       # required for plan persistence
+              id-token: write      # required for workload-identity-federation
+              pull-requests: write # required to post PR comments
+              issues: read         # required to check if PR number is an issue or not
+              statuses: write      # required to validate combined PR status
+            steps:
+            - uses: actions/checkout@v4
+            - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
+              run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
+            - id: 'auth'
+              uses: 'google-github-actions/auth@v1'
+              with:
+                credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+                create_credentials_file: true
+            - name: 'Set up Cloud SDK'
+              uses: 'google-github-actions/setup-gcloud@v1'
+            - name: 'Use gcloud CLI'
+              run: 'gcloud info'
+            - name: digger run
+                uses: diggerhq/digger@vLatest
+                with:
+                  digger-spec: ${{ inputs.spec }}
+                  setup-aws: false
+                  setup-terraform: true
+                  terraform-version: 1.5.5
+                env:
+                  GITHUB_CONTEXT: ${{ toJson(github) }}
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        ```
+      </Tab>
+      <Tab title="Azure">
+        ```yaml
+        name: Digger Workflow
+
+        on:
+          workflow_dispatch:
+            inputs:
+              spec:
+                required: true
+              run_name:
+                required: false
+
+        run-name: '${{inputs.run_name}}'
+
+        jobs:
+          digger-job:
+            runs-on: ubuntu-latest
+            permissions:
+              contents: write      # required to merge PRs
+              actions: write       # required for plan persistence
+              id-token: write      # required for workload-identity-federation
+              pull-requests: write # required to post PR comments
+              issues: read         # required to check if PR number is an issue or not
+              statuses: write      # required to validate combined PR status
+
+            steps:
+              - uses: actions/checkout@v4
+              - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
+                run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
+              - uses: diggerhq/digger@vLatest
+                with:
+                  digger-spec: ${{ inputs.spec }}
+                  setup-azure: true
+                  azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+                  azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+                  azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+                  setup-terraform: true
+                  terraform-version: 1.5.5
+                env:
+                  GITHUB_CONTEXT: ${{ toJson(github) }}
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+                  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+                  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        ```
+      </Tab>
+    </Tabs>
+    
+    <Note>
+      The workflow above uses Terraform. For other tools:
+      - **OpenTofu**: Replace `setup-terraform: true` with `setup-opentofu: true` and `terraform-version: 1.5.5` with `opentofu-version: 1.10.3`
+      - **Terragrunt**: Replace `setup-terraform: true` with `setup-terragrunt: true` and `terraform-version: 1.5.5` with `terragrunt-version: 0.44.1`
+      
+      For complete examples, see:
+      - [Terraform quickstart](/ce/getting-started/with-terraform)
+      - [OpenTofu quickstart](/ce/getting-started/with-opentofu)
+      - [Terragrunt quickstart](/ce/getting-started/with-terragrunt)
+    </Note>
+  </Step>
+
   <Step title="Verify installation">
     Test that your Digger installation is working correctly:
     
