When HashiCorp switched Terraform to BSL (not open source), the community forked it. OpenTofu is a drop-in replacement — same HCL, same providers, same workflow — but backed by the Linux Foundation and genuinely open source.
What OpenTofu Gives You for Free
- Drop-in Terraform replacement — same syntax, same providers, same state format
- Client-side state encryption — encrypt secrets in state files (Terraform can't do this)
- Linux Foundation governance — truly open source, not vendor-controlled
- Early variable/locals evaluation — use variables in backend configuration
- Provider-defined functions — extend HCL with custom functions from providers
- All Terraform providers work — AWS, Azure, GCP, Kubernetes, etc.
Quick Start
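```bash
# Install
brew install opentofu
# Or download the installer, review it, then run it
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh
chmod +x install-opentofu.sh
./install-opentofu.sh --install-method standalone
# Replace terraform command
alias terraform=tofu
```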
Migration From Terraform (2 Minutes)
```bash
# In your existing Terraform project:
tofu init   # Downloads providers (same registry)
tofu plan   # Same output as terraform plan
tofu apply  # Same behavior
```
Your .tf files, .tfstate, .tfvars — everything works unchanged.
State Encryption (OpenTofu Exclusive)
Terraform stores secrets in plaintext in state files. OpenTofu encrypts them:
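```hcl
# encryption.tf
variable "state_passphrase" {
  type      = string
  sensitive = true # keep the passphrase out of plan and apply output
}

terraform {
  encryption {
    # Derive the encryption key from the passphrase
    key_provider "pbkdf2" "my_key" {
      passphrase = var.state_passphrase
    }
    method "aes_gcm" "encrypt" {
      keys = key_provider.pbkdf2.my_key
    }
    # Apply the method to the state file
    state {
      method = method.aes_gcm.encrypt
    }
  }
}
```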
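Now your state file is encrypted at rest. No more leaking database passwords in S3. Keep the passphrase itself out of the repository: supply it at run time, for example through the `TF_VAR_state_passphrase` environment variable.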
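To check which state files still expose secrets before and after enabling encryption, here is an added audit example (not from the original post or the OpenTofu project). The function name `audit_state`, the name heuristic, and the sample data are constructed; it assumes an encrypted state is a JSON envelope with a top-level `encrypted_data` field.

```python
import json
import re

# Heuristic for attribute names that usually hold credentials.
SECRET_NAME = re.compile(r"pass(word|phrase)|secret|token|private_key", re.I)


def audit_state(raw: str) -> dict:
    """Report whether a state file is encrypted and, if not, which
    attributes and outputs expose secrets. Values are never returned."""
    doc = json.loads(raw)
    # Assumption: an OpenTofu-encrypted state is a JSON envelope whose
    # payload sits in a top-level "encrypted_data" field.
    if "encrypted_data" in doc:
        return {"encrypted": True, "findings": []}
    findings = []
    for res in doc.get("resources", []):
        addr = f"{res.get('type')}.{res.get('name')}"
        for inst in res.get("instances", []):
            for key, value in (inst.get("attributes") or {}).items():
                if value and SECRET_NAME.search(key):
                    findings.append(f"{addr}.{key}")
    for name, out in doc.get("outputs", {}).items():
        if out.get("sensitive"):
            findings.append(f"output.{name}")
    return {"encrypted": False, "findings": sorted(findings)}


# Constructed samples, not real state files.
PLAINTEXT_STATE = json.dumps({
    "version": 4, "serial": 3, "lineage": "constructed-example",
    "outputs": {"db_password": {"value": "hunter2-example",
                                "type": "string", "sensitive": True}},
    "resources": [{
        "mode": "managed", "type": "aws_db_instance", "name": "db",
        "instances": [{"attributes": {
            "identifier": "demo-db", "username": "app",
            "password": "hunter2-example"}}],
    }],
})
ENCRYPTED_STATE = json.dumps({
    "serial": 3, "lineage": "constructed-example",
    "encrypted_data": "Y29uc3RydWN0ZWQ=", "encryption_version": "v0",
})

if __name__ == "__main__":
    for label, raw in (("plaintext", PLAINTEXT_STATE), ("encrypted", ENCRYPTED_STATE)):
        print(label, audit_state(raw))
```

The report lists attribute addresses only, so it can be logged in CI without copying the secret values themselves.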
Dynamic Backend Configuration (OpenTofu Exclusive)
```hcl
# Terraform: backend blocks can't use variables 😤
# OpenTofu: they can! 🎉
variable "environment" {
  type = string
}

terraform {
  backend "s3" {
    bucket = "tfstate-${var.environment}"
    key    = "infra/terraform.tfstate"
    region = "us-east-1"
  }
}
```
This has been the #1 requested Terraform feature for years. OpenTofu shipped it.
Standard Infrastructure Example
```hcl
# main.tf — works identically in OpenTofu and Terraform
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true

  tags = {
    Name        = "${var.project}-vpc"
    Environment = var.environment
  }
}

resource "aws_ecs_cluster" "app" {
  name = "${var.project}-cluster"

  setting {
    name  = "containerInsights"
    value = "enabled"
  }
}

# The AWS provider's RDS resource type is aws_db_instance
resource "aws_db_instance" "db" {
  identifier        = "${var.project}-db"
  engine            = "postgres"
  engine_version    = "16.1"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  db_name           = var.db_name
  username          = var.db_username
  password          = var.db_password # Encrypted in state with OpenTofu!
}
```
OpenTofu vs Terraform
| Feature | OpenTofu | Terraform |
|---|---|---|
| License | MPL 2.0 (open source) | BSL 1.1 (not open source) |
| State encryption | Built-in | Not available |
| Variable backends | Supported | Not supported |
| Provider functions | Supported | Limited |
| Provider registry | Works with both | HashiCorp only |
| Governance | Linux Foundation | HashiCorp |
| CLI compatibility | 99%+ | N/A |
Who's Behind OpenTofu
- Linux Foundation — same org behind Kubernetes, Node.js, Linux
- Backed by: Spacelift, env0, Scalr, Gruntwork, and 100+ companies
- 150+ contributors, growing fast
The Verdict
OpenTofu is what Terraform should have stayed. Same power, true open source, plus features HashiCorp won't add. If you're starting new IaC or worried about Terraform's licensing, OpenTofu is the safe bet.