Open-source CI/CD orchestrator for Terraform with pull request automation, drift detection, and enterprise-grade security. Self-hostable with private runners.

At a Glance:

OpenTaco (formerly Digger) is an open-source Terraform and OpenTofu CI/CD tool that runs plan and apply directly inside your existing CI pipeline, with OPA-based RBAC, PR-level locks, drift detection, and a self-hostable orchestrator backend.

Overview:

OpenTaco is an open-source CI/CD tool purpose-built for running Terraform and OpenTofu in production. Instead of requiring a separate, specialized CI system, it reuses the compute, orchestration, and logging infrastructure of your existing CI environment. Its architecture consists of a CLI that executes inside CI jobs and a minimal, self-hostable orchestrator backend that triggers those jobs in response to pull request events. The tool is designed for platform and DevOps teams who want to maintain full control over their infrastructure-as-code workflows without routing sensitive cloud secrets through a third-party service.

Key Decision Points:

  • Runs in your existing CI: Uses your CI's compute environment and job infrastructure rather than requiring separate, dedicated runners.

  • Self-hostable orchestrator: The backend can be self-hosted, keeping all workflow coordination within your own infrastructure.

  • RBAC via Open Policy Agent: Access control is implemented through OPA policies, not a proprietary permissions model.

  • PR-level locking: Adds a lock scoped to the pull request on top of Terraform's native state lock. The state lock only serializes writes to one state file; the PR lock holds a project for a single PR from plan until merge or explicit unlock, so a second PR cannot apply in between and invalidate a plan that has already been reviewed.

  • No third-party secret sharing: Cloud access credentials remain within your CI environment and are not shared with an external service.

Core Features:

  • Pull request plan and apply: Terraform plans and applies are executed and displayed within pull request comments.

  • Private runners: Jobs run on your existing CI compute, eliminating the need for separate, dedicated runners.

  • OPA-based RBAC: Role-based access control is managed through Open Policy Agent policies.

  • PR-level locks: Locks scoped to pull requests prevent concurrent modifications across multiple PRs.

  • Drift detection: Identifies configuration drift between your declared infrastructure and actual state.

  • Terragrunt and multi-version support: Works with Terragrunt, multiple Terraform versions, workspaces, and static analysis via Checkov.
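The PR-level lock described under Key Decision Points and Core Features is the one mechanism on this page worth seeing in code. The following Go block is an added illustration, not OpenTaco/Digger's own implementation: it models a lock table keyed by Terraform project (a directory or workspace name, an assumed identifier) whose holder is a pull request number. A second PR that targets the same project is refused until the holder releases, re-acquiring by the holder is idempotent, a non-holder cannot release, and a merge/close event releases every lock that PR held. The project names and PR numbers are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"sync"
)

// ErrLocked is returned when a different pull request already holds the project.
var ErrLocked = errors.New("project locked by another pull request")

// ErrNotHolder is returned when a PR tries to release a lock it does not hold.
var ErrNotHolder = errors.New("lock not held by this pull request")

// PRLocks is an in-memory, PR-scoped lock table (illustrative; a real
// orchestrator would persist this so locks survive restarts).
// Key: Terraform project identifier. Value: PR number holding it.
type PRLocks struct {
	mu    sync.Mutex
	owner map[string]int
}

// NewPRLocks returns an empty lock table.
func NewPRLocks() *PRLocks { return &PRLocks{owner: map[string]int{}} }

// Acquire takes the lock on project for pr. The same PR may re-acquire freely
// (e.g. on every new commit); any other PR gets ErrLocked with the holder's number.
func (l *PRLocks) Acquire(project string, pr int) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	if holder, held := l.owner[project]; held && holder != pr {
		return fmt.Errorf("%w: %s is held by PR #%d", ErrLocked, project, holder)
	}
	l.owner[project] = pr
	return nil
}

// Release frees project only if pr is the current holder; this prevents one
// PR from clearing another PR's lock (the "digger unlock" style operation
// should be gated by RBAC in the same way).
func (l *PRLocks) Release(project string, pr int) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	holder, held := l.owner[project]
	if !held || holder != pr {
		return fmt.Errorf("%w: %s, PR #%d", ErrNotHolder, project, pr)
	}
	delete(l.owner, project)
	return nil
}

// Holder reports which PR holds project, if any.
func (l *PRLocks) Holder(project string) (int, bool) {
	l.mu.Lock()
	defer l.mu.Unlock()
	pr, held := l.owner[project]
	return pr, held
}

// ReleaseAll is what a "PR merged" or "PR closed" webhook handler would call:
// it drops every lock held by pr and returns the freed projects, sorted.
func (l *PRLocks) ReleaseAll(pr int) []string {
	l.mu.Lock()
	defer l.mu.Unlock()
	var freed []string
	for project, holder := range l.owner {
		if holder == pr {
			delete(l.owner, project)
			freed = append(freed, project)
		}
	}
	sort.Strings(freed)
	return freed
}

func main() {
	locks := NewPRLocks()
	// PR #101 plans prod/vpc and takes the lock; PR #102 touches the same project.
	_ = locks.Acquire("prod/vpc", 101)
	if err := locks.Acquire("prod/vpc", 102); err != nil {
		fmt.Println("PR #102 blocked:", err)
	}
	// PR #101 is merged: the webhook releases its locks, and #102 can proceed.
	fmt.Println("released on merge of #101:", locks.ReleaseAll(101))
	fmt.Println("PR #102 acquire after merge:", locks.Acquire("prod/vpc", 102))
}
```

The check that matters for the race described on this page is the `holder != pr` comparison in `Acquire`: Terraform's state lock would let PR #102 apply as soon as #101's apply finished, whereas the PR lock keeps the project reserved until #101 is merged or explicitly unlocked.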

Use Cases:

  • DevOps teams wanting to automate Terraform plan and apply within pull request workflows without adopting a separate CI system.

  • Platform engineers who need RBAC and PR-level locking for infrastructure-as-code pipelines without sending secrets to a third-party service.

  • Teams using Terraform or OpenTofu who require drift detection and plan persistence alongside their existing CI setup.

Open-Source Alternative Value:

As an open-source tool, OpenTaco provides an alternative to proprietary TACOS (Terraform Automation and Collaboration Software) such as Terraform Cloud and Spacelift, and to the self-hosted, open-source Atlantis. Its key differentiator is that it orchestrates runs through your existing CI rather than duplicating compute and job infrastructure. The orchestrator backend is open-source and can be self-hosted, and the architecture keeps cloud credentials inside the user's CI environment. This model avoids additional compute costs and scales with the parallel job capacity already available in the user's CI system.


Project statistics

Stars

4,976

Forks

599

License

MIT

Metadata

Alternative to
Red Hat Ansible