daniel jeong

Posted on Mar 28 • Originally published at manoit.co.kr

HCP Terraform Free Tier Ending: OpenTofu Migration Guide

#iac #terraform #opentofu #hashicorp

HCP Terraform Free Tier Sunset and OpenTofu Migration Practical Guide

HCP Terraform Free Tier Sunset: A Branching Point in IaC Ecosystem

On March 31, 2026, HashiCorp's official announcement of the end of HCP Terraform Free tier created a significant shock wave in the Infrastructure as Code ecosystem. This is the second major change following the 2023 transition to BSL (Business Source License) license, affecting both open-source communities and enterprise users. Existing free users must either switch to a paid plan or migrate to alternative solutions.

This article is not merely a problem announcement but compares the current state of Terraform and OpenTofu, and presents actual migration pathways. Some teams manage hundreds of modules and infrastructure code, while others operate just a few small projects. Let's examine the best options for each situation.

Terraform vs OpenTofu: The Real Situation in 2026

As of March 2026, Terraform has reached version 1.14.x, while OpenTofu has climbed to version 1.9.x. It could be said that OpenTofu has already surpassed Terraform in major version numbers. This is not merely a version number but represents the philosophical differences of the two projects.

OpenTofu's registry is mirroring over 2,000 providers, and 34% of infrastructure teams have completed full migration from Terraform to OpenTofu. Additionally, 28% of teams are undergoing partial migration, so already 62% of the overall team base is moving toward OpenTofu.

Item	Terraform 1.14	OpenTofu 1.9
License	BSL (Business Source License) - Commercialized	MPL 2.0 (Mozilla Public License) - Fully Open Source
Governance	HashiCorp & IBM sole decision	Linux Foundation OpenTofu TSC
State Encryption	HCP Terraform paid plan required	Native support (free, local/remote)
Provider Count	3,000+ (official + community)	2,000+ (fully mirrored, adding more)
AI Integration	HCP Terraform AI (IBM watsonx-based, additional cost)	Community-driven extensions (free)
Cloud Service	HCP Terraform (paid, minimum $20/month)	Spacelift, env0, Roadrunner, etc. (various pricing)
Support Channel	Enterprise contract required	Open-source community + Linux Foundation
Local State Management	Remote backend recommended	Perfect local state encryption support

The most noteworthy point is state encryption. Terraform provides encryption only in HCP Terraform paid plans (Standard $20/month+), while OpenTofu provides encrypted state management by default, even locally. From a small team's perspective, this alone is a strong reason to choose OpenTofu.

Migration Decision Framework

I've organized criteria for deciding whether to continue using Terraform or switch to OpenTofu.

When Terraform Maintenance is Appropriate:

Large enterprise organization with sufficient budget
Using advanced HCP Terraform features (policy management, cost estimation, VCS auto-linking)
Widely using Sentinel policies
HashiCorp enterprise support contract is a required requirement

When OpenTofu Migration is Appropriate:

Startup or small team where cost optimization is important
State encryption, local state management needed
Vendor independence, open-source governance important
Verified that existing modules and providers work in OpenTofu
Using self-operated IaC platform (Spacelift, env0)

Hybrid Approach (Recommended):

Start new projects with OpenTofu
Gradually migrate existing Terraform projects
Keep only critical infrastructure in Terraform, use OpenTofu for the rest

OpenTofu Migration Practical Step-by-Step Guide

Step 1: Environment Preparation and Compatibility Check

OpenTofu is fully compatible with Terraform 0.14+ state file format. However, some features added after Terraform 1.6 (import block, check block, provider testing) may behave slightly differently in OpenTofu.


# Check current Terraform version and state
terraform version
terraform state list | head -20

# Install OpenTofu (macOS)
brew install opentofu

# Linux package manager
# Ubuntu/Debian:
curl https://get.opentofu.org/install-opentofu.sh | sh

# RHEL/CentOS:
rpm -ivh https://releases.opentofu.org/opentofu-1.9.0.rpm

# Or download official binary
curl -LO https://github.com/opentofu/opentofu/releases/download/v1.9.0/tofu_1.9.0_linux_amd64.zip
unzip tofu_1.9.0_linux_amd64.zip
sudo mv tofu /usr/local/bin/

# Verify OpenTofu version
tofu version
# Output: OpenTofu v1.9.0

💡 Practical Tip: For large Terraform projects, first install OpenTofu in non-production environments (dev/test) and run Plan to verify compatibility. If no special issues, proceed with production migration.

Step 2: State File Migration

One of OpenTofu's greatest advantages is that state file format is perfectly compatible with Terraform. This makes the migration process very simple.


# Move to existing Terraform project directory
cd /path/to/your-terraform-project

# Initialize with OpenTofu (auto-recognizes existing state)
tofu init

# Validate state: run Plan without changes
tofu plan
# Expected output: No changes. Your infrastructure matches the configuration.

# If successful, update .terraform.lock.hcl
tofu init -upgrade

# Backup old .terraform directory (optional)
mv .terraform .terraform-backup

# Verify OpenTofu state
tofu state list
tofu state show 'resource_type.name'

Important checkpoints:

tofu plan should show no resource change plans (meaning no drift)
If using local state, it's very fast, but if using HCP Terraform remote backend, must first migrate to S3/GCS
If multiple teams share same state, prior notice needed to prevent concurrent access during migration

Step 3: HCP Terraform → S3/GCS Backend Migration (Optional)

If using HCP Terraform remote backend, must switch backend to AWS S3 or Google Cloud Storage before OpenTofu migration.


# Step 1: Download terraform.tfstate
# terraform state pull > terraform.tfstate

# Step 2: New backend configuration (S3 example)
# Add to main.tf:
terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
}

# Step 3: Backend migration
terraform init -migrate-state
# Downloads state from HCP Terraform and uploads to S3

# Step 4: Re-initialize with OpenTofu
tofu init

# Step 5: Verification
tofu plan

S3 Backend Advantages:

Fully control state files yourself
Very low cost (S3 storage approximately $0.023/GB/month)
Manage state lock with DynamoDB (approximately $1.25/month)
Compatible with both Terraform and OpenTofu

Step 4: CI/CD Pipeline Migration

Replace terraform binary with tofu in GitHub Actions, GitLab CI, Jenkins, etc.


# GitHub Actions example: terraform → tofu migration
name: Infrastructure Deploy

on:
  push:
    branches: [main, develop]
    paths: ['infrastructure/**']
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Use official OpenTofu Action
      - uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: 1.9.0

      - name: Init
        run: tofu init
        working-directory: infrastructure/
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Validate
        run: tofu validate
        working-directory: infrastructure/

      - name: Plan
        run: tofu plan -out=tfplan
        working-directory: infrastructure/
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Apply
        if: github.ref == 'refs/heads/main'
        run: tofu apply tfplan
        working-directory: infrastructure/
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Output Summary
        run: |
          echo "# Deployment Complete" >> $GITHUB_STEP_SUMMARY
          echo "✅ Infrastructure updated successfully" >> $GITHUB_STEP_SUMMARY

GitLab CI example:


stages:
  - validate
  - plan
  - apply

variables:
  TOFU_VERSION: "1.9.0"
  AWS_DEFAULT_REGION: "us-east-1"

before_script:
  - curl -fsSL https://get.opentofu.org/install-opentofu.sh | sh
  - tofu version

validate:
  stage: validate
  script:
    - cd infrastructure
    - tofu init -backend=false
    - tofu validate
    - tofu fmt -check

plan:
  stage: plan
  script:
    - cd infrastructure
    - tofu init
    - tofu plan -out=tfplan

apply:
  stage: apply
  script:
    - cd infrastructure
    - tofu apply tfplan
  only:
    - main

Step 5: Terragrunt Integration

Teams using Terragrunt only need to change one configuration line.


# terragrunt.hcl
terraform {
  # Using Terraform
  # source = "..."

  # Switch to OpenTofu
  extra_arguments "common_vars" {
    commands = get_terraform_commands_that_need_vars()
  }
}

# Configure to run OpenTofu (Terragrunt 0.64.0+)
# Using CLI flag:
terragrunt run-all apply --terraform-binary tofu

# Or environment variable:
export TERRAGRUNT_TFPATH=$(which tofu)
terragrunt run-all apply

⚠️ Caution: If using Sentinel policies, OpenTofu doesn't support them by default. Instead, migrate to OPA (Open Policy Agent). Community provides policy migration tools.

Migration Precautions and Troubleshooting

1) Provider Version Compatibility

OpenTofu is compatible with most Terraform providers, but some providers require version checking. The .terraform.lock.hcl file may be generated differently by tool.


# Issue: version mismatch due to lock file difference
# Solution: update lock file
tofu init -upgrade

# Force specific provider version
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"  # Version range supported by OpenTofu
    }
  }
}

2) Sentinel → OPA Policy Migration

If using Sentinel policies, switch to OPA (Open Policy Agent). Using Conftest tool, you can validate HCL files with policies.


# OPA policy example: S3 buckets must have encryption
package main

deny[msg] {
  resource := input.resource_changes[_]
  resource.type == "aws_s3_bucket"
  not resource.change.after.server_side_encryption_configuration
  msg := sprintf("S3 bucket '%s' must have encryption", [resource.address])
}

# Run validation
conftest test -p policy.rego terraform.tfplan

3) Loss of HCP Terraform AI Features

HCP Terraform's AI-based cost estimation, policy creation assistance, and other features are not available in OpenTofu. Alternatives:

infracost: open-source cost estimation tool
Spacelift: AI-based policy support
env0: automated IaC platform

Cost Comparison: Real Numbers

Item	HCP Terraform Pro	OpenTofu + S3	OpenTofu + Spacelift Free
Base Cost	$20/month	$1.50/month (S3 + DynamoDB)	$0 (free tier)
Users (5-person basis)	+$70/month (5 × $14)	$0 (unlimited)	$0 (unlimited)
State Encryption	Included	Included (default)	Included
VCS Integration	Included	CI/CD required	Included (GitHub/GitLab)
Monthly Total (5 people)	$90/month ($1,080/year)	$1.50/month ($18/year)	$0 (free)

For small teams (5 people or less), cost savings are very clear. Even large organizations can significantly reduce HCP Terraform costs by strengthening CI/CD automation.

Frequently Asked Questions and Answers

Q: Can I use existing modules as-is after switching to OpenTofu?

Yes, almost all Terraform modules work in OpenTofu without modification. OpenTofu registry mirrors Terraform registry providers, so you don't need to modify required_providers blocks. For local modules, path references are identical, so no problems.

Q: Can I operate a hybrid environment (Terraform + OpenTofu)?

Yes, possible. In fact, many organizations maintain legacy projects with Terraform and start new projects with OpenTofu. However, if the same team uses both tools, education costs and compatibility validation are needed. Recommended to clearly choose tools per project.

Q: Can it be used in data center environments (no AWS/GCP)?

Yes, OpenTofu can run entirely locally. State files can be stored locally and checked into git repositories (though not recommended). Manage entire IaC with minimal external dependencies.

Q: Does OpenTofu develop at the same pace as Terraform?

Yes, even more actively. Because OpenTofu is community-driven, user feedback is reflected quickly. As of 2026, OpenTofu's release cycle is faster than Terraform.

Migration Timeline and Roadmap

Week 1-2: Evaluation and Planning

Create inventory of existing Terraform projects
Select migration targets
Team training and documentation preparation

Week 3-4: Pilot Project

Migrate simplest project to OpenTofu first
Verify compatibility, performance testing
Test CI/CD pipelines

Week 5-8: Gradual Migration

Migrate remaining projects
Operational monitoring
Gather team feedback

Week 9+: Stabilization

Complete transition of all projects
Remove Terraform controller
Cost optimization

Conclusion: The Age of Choice

Terraform's BSL license transition and HCP Terraform paid shift have brought new options. OpenTofu is no longer an "alternative" but a clear choice. Especially for organizations where cost optimization, open-source governance, and state encryption are important, OpenTofu is an excellent choice.

Important is that there's no need to rush the decision. You can operate stably in a mixed environment, so starting new projects with OpenTofu and gradually migrating existing projects is realistic.

This article was written with AI technology support. For more cloud-native engineering insights, visit the ManoIT Tech Blog.

DEV Community