devops-basics

1. What is OpenTofu?

Overview

OpenTofu is an open-source Infrastructure as Code (IaC) tool that is a fork of Terraform, maintained by the Linux Foundation. It was created in response to HashiCorp’s license change from MPL to the Business Source License (BSL) in August 2023.

OpenTofu is:

OpenTofu vs Terraform

Feature OpenTofu Terraform
License MPL 2.0 (open source) BSL 1.1 (source available)
Governance Linux Foundation HashiCorp / IBM
State encryption βœ… Built-in ❌ Not available
Provider compatibility βœ… Same as Terraform βœ… Native
Module registry registry.opentofu.org registry.terraform.io
Community Open contributors HashiCorp-controlled

Official Documentation

2. Prerequisites

3. Installation

Install OpenTofu

# macOS
brew install opentofu

# Linux (official installer)
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh | sh

# Verify installation
tofu version

Migrate from Terraform

# OpenTofu is CLI-compatible with Terraform
# Simply replace 'terraform' with 'tofu' in your commands
terraform init    β†’  tofu init
terraform plan    β†’  tofu plan
terraform apply   β†’  tofu apply
terraform destroy β†’  tofu destroy

4. Basics of OpenTofu

OpenTofu Hello World

Core Workflow

# Initialize working directory (downloads providers)
tofu init

# Preview infrastructure changes
tofu plan

# Apply the changes
tofu apply

# Show current state
tofu show

# Destroy all managed infrastructure
tofu destroy

Basic Configuration Example

# main.tf
terraform {
  required_providers {
    local = {
      source  = "hashicorp/local"
      version = "~> 2.4"
    }
  }
}

resource "local_file" "hello" {
  content  = "Hello from OpenTofu!"
  filename = "${path.module}/hello.txt"
}

output "file_content" {
  value = local_file.hello.content
}

5. Beyond the Basics

State Encryption (OpenTofu-exclusive feature)

# Encrypt state with a passphrase (OpenTofu only)
terraform {
  encryption {
    key_provider "pbkdf2" "my_passphrase" {
      passphrase = var.state_passphrase
    }
    method "aes_gcm" "my_method" {
      keys = key_provider.pbkdf2.my_passphrase
    }
    state {
      method = method.aes_gcm.my_method
    }
  }
}

Testing with OpenTofu

# tests/basic.tftest.hcl
run "verify_file_created" {
  command = apply

  assert {
    condition     = local_file.hello.content == "Hello from OpenTofu!"
    error_message = "File content does not match expected value"
  }
}

Hands-On Examples

6. More

OpenTofu Cheatsheet

tofu init          # Initialize directory
tofu validate      # Validate configuration
tofu plan          # Show execution plan
tofu apply         # Apply changes
tofu apply -auto-approve  # Apply without confirmation
tofu destroy       # Destroy infrastructure
tofu state list    # List resources in state
tofu state show <resource>  # Show resource details
tofu output        # Show output values
tofu fmt           # Format configuration files