What is OpenTofu?

OpenTofu is an open-source, community-driven fork of Terraform, the popular infrastructure as code (IaC) tool. It was created in 2023 after HashiCorp, the company behind Terraform, announced that it was changing the license of Terraform from the Mozilla Public License (MPL) version 2 to the Business Source License (BSL) version 1.1.

The BSL is a more restrictive license than the MPL, and it does not allow for commercial use of Terraform without a paid license. This change caused concern among many Terraform users, particularly those who were using Terraform in commercial projects.

OpenTofu was created to provide a free and open-source alternative to Terraform. It is a drop-in replacement for Terraform, which means that it can be used with existing Terraform configuration files without any changes.

OpenTofu is still under development, but it is already being used by many organizations. It has a growing community of contributors, and it is supported by the Linux Foundation.

How does OpenTofu work?​

OpenTofu creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable OpenTofu to work with virtually any platform or service with an accessible API.

The OpenTofu community have already written thousands of providers to manage many different types of resources and services. You can find all publicly available providers on the Public Terraform Registry, including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more.

The core OpenTofu workflow consists of three stages:

• Write: You define resources, which may be across multiple cloud providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer.
• Plan: OpenTofu creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration.
• Apply: On approval, OpenTofu performs the proposed operations in the correct order, respecting any resource dependencies. For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, OpenTofu will recreate the VPC before scaling the virtual machines.

Why OpenTofu?​

Manage any infrastructure​

Find providers for many of the platforms and services you already use in the Public Terraform Registry. You can also write your own. OpenTofu takes an immutable approach to infrastructure, reducing the complexity of upgrading or modifying your services and infrastructure.

Track your infrastructure​

OpenTofu generates a plan and prompts you for your approval before modifying your infrastructure. It also keeps track of your real infrastructure in a state file, which acts as a source of truth for your environment. OpenTofu uses the state file to determine the changes to make to your infrastructure so that it will match your configuration.

Automate changes​

OpenTofu configuration files are declarative, meaning that they describe the end state of your infrastructure. You do not need to write step-by-step instructions to create resources because OpenTofu handles the underlying logic. OpenTofu builds a resource graph to determine resource dependencies and creates or modifies non-dependent resources in parallel. This allows OpenTofu to provision resources efficiently.

Standardize configurations​

OpenTofu supports reusable configuration components called modules that define configurable collections of infrastructure, saving time and encouraging best practices. You can use publicly available modules from the Terraform Registry, or write your own.

Collaborate​

Since your configuration is written in a file, you can commit it to a Version Control System (VCS) and use a cloud backend to efficiently manage OpenTofu workflows across teams. A cloud backend runs OpenTofu in a consistent, reliable environment and provides secure access to shared state and secret data, role-based access controls, a private registry for sharing both modules and providers, and more.

Use Cases

OpenTofu is an infrastructure as code tool that lets you define infrastructure resources in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to safely and efficiently provision and manage your infrastructure throughout its lifecycle.

This page describes popular OpenTofu use cases and provides related resources that you can use to create OpenTofu configurations and workflows.

Multi-Cloud Deployment​

Provisioning infrastructure across multiple clouds increases fault-tolerance, allowing for more graceful recovery from cloud provider outages. However, multi-cloud deployments add complexity because each provider has its own interfaces, tools, and workflows. OpenTofu lets you use the same workflow to manage multiple providers and handle cross-cloud dependencies. This simplifies management and orchestration for large-scale, multi-cloud infrastructures.

Resources​

• Browse the Public Terraform Registry to find thousands of publicly available providers.

Application Infrastructure Deployment, Scaling, and Monitoring Tools​

You can use OpenTofu to efficiently deploy, release, scale, and monitor infrastructure for multi-tier applications. N-tier application architecture lets you scale application components independently and provides a separation of concerns. An application could consist of a pool of web servers that use a database tier, with additional tiers for API servers, caching servers, and routing meshes. OpenTofu allows you to manage the resources in each tier together, and automatically handles dependencies between tiers. For example, OpenTofu will deploy a database tier before provisioning the web servers that depend on it.

Self-Service Clusters​

At a large organization, your centralized operations team may get many repetitive infrastructure requests. You can use OpenTofu to build a “self-serve” infrastructure model that lets product teams manage their own infrastructure independently. You can create and use OpenTofu modules that codify the standards for deploying and managing services in your organization, allowing teams to efficiently deploy services in compliance with your organization’s practices. A cloud backend can also integrate with ticketing systems like ServiceNow to automatically generate new infrastructure requests.

Policy Compliance and Management​

OpenTofu can help you enforce policies on the types of resources teams can provision and use. Ticket-based review processes are a bottleneck that can slow down development. Instead, you can use Sentinel, a policy-as-code framework, to automatically enforce compliance and governance policies before OpenTofu makes infrastructure changes. Sentinel policies are available in cloud backends.

PaaS Application Setup​

Platform as a Service (PaaS) vendors like Heroku allow you to create web applications and attach add-ons, such as databases or email providers. Heroku can elastically scale the number of dynos or workers, but most non-trivial applications need many add-ons and external services. You can use OpenTofu to codify the setup required for a Heroku application, configure a DNSimple to set a CNAME, and set up Cloudflare as a Content Delivery Network (CDN) for the app. OpenTofu can quickly and consistently do all of this without a web interface.

Software Defined Networking​

OpenTofu can interact with Software Defined Networks (SDNs) to automatically configure the network according to the needs of the applications running in it. This lets you move from a ticket-based workflow to an automated one, reducing deployment times.

Kubernetes​

Kubernetes is an open-source workload scheduler for containerized applications. OpenTofu lets you both deploy a Kubernetes cluster and manage its resources (e.g., pods, deployments, services, etc.).

Parallel Environments​

You may have staging or QA environments that you use to test new applications before releasing them in production. As the production environment grows larger and more complex, it can be increasingly difficult to maintain an up-to-date environment for each stage of the development process. OpenTofu lets you rapidly spin up and decommission infrastructure for development, test, QA, and production. Using OpenTofu to create disposable environments as needed is more cost-efficient than maintaining each one indefinitely.

Software Demos​

You can use OpenTofu to create, provision, and bootstrap a demo on various cloud providers. This lets end users easily try the software on their own infrastructure and even enables them to adjust parameters like cluster size to more rigorously test tools at any scale.

Why should you use OpenTofu instead of Terraform?

Personal use

Initial impressions suggest you could use either OpenTofu or Terraform for personal use, as the BUSL license has no restrictions for non-commercial use cases. That may change as the Terraform ecosystem becomes increasingly unstable, and a switch to another license may happen. Those familiar with Terraform will have no issues adopting OpenTofu for personal use, so there will be no knowledge gaps, at least at the start.

Consultants

A consultant should offer their clients the best possible solution that aligns with their budget. OpenTofu will be on par with Terraform, and one of the project’s central objectives is to listen to the community’s issues, so it makes sense to recommend a project that will always stay open-source. Anyone who has used Terraform in the last eight years has probably come across issues that took some time to be resolved. The large community involved in developing OpenTofu means this will no longer be the case.

Companies

Companies will encounter more difficulties with the situation. Switching to a new project carries risks, but staying with a project that changes its license without warning is far riskier. This risk is minimized by giving OpenTofu to the Linux Foundation, and OpenTofu’s aim of maintaining feature parity with Terraform for future releases reduces the technical risks.

How to Install OpenTofu

APT Packages for Debian and Ubuntu

You can install the latest revision for a particular version by including the version in the apt install command, as follows:

sudo apt install tofu=1.4.4-*

Yum/DNF Packages for RHEL, CentOS, and Fedora

If you are using a Yum-based distribution, add the repository using yum-config-manager as follows:

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.placeholderplaceholderplaceholder.com/$release/hashicorp.repo

If you are using a DNF-based distribution, add the repository using dnf config-manager as follows:

sudo dnf install -y dnf-plugins-core
sudo dnf config-manager --add-repo https://rpm.releases.placeholderplaceholderplaceholder.com/$release/hashicorp.repo

In both cases, the OpenTofu package name is tofu. For example:

yum install tofu

The Core OpenTofu Workflow

The core OpenTofu workflow has three steps:

1. Write – Author infrastructure as code.
2. Plan – Preview changes before applying.
3. Apply – Provision reproducible infrastructure.

This guide walks through how each of these three steps plays out in the context of working as an individual practitioner, how they evolve when a team is collaborating on infrastructure, and how a cloud backend enables this workflow to run smoothly for entire organizations.

Working as an Individual Practitioner​

Let’s first walk through how these parts fit together as an individual working on infrastructure as code.

Write​

You write OpenTofu configuration just like you write code: in your editor of choice. It’s common practice to store your work in a version controlled repository even when you’re just operating as an individual.

# Create repository
$ git init my-infra && cd my-infra

Initialized empty Git repository in /.../my-infra/.git/

# Write initial config
$ vim main.tf

# Initialize OpenTofu
$ tofu init

Initializing provider plugins...
# ...
OpenTofu has been successfully initialized!

As you make progress on authoring your config, repeatedly running plans can help flush out syntax errors and ensure that your config is coming together as you expect.

# Make edits to config
$ vim main.tf

# Review plan
$ tofu plan

# Make additional edits, and repeat
$ vim main.tf

This parallels working on application code as an individual, where a tight feedback loop between editing code and running test commands is useful.

Plan​

When the feedback loop of the Write step has yielded a change that looks good, it’s time to commit your work and review the final plan.

$ git add main.tf
$ git commit -m 'Managing infrastructure as code!'

[main (root-commit) f735520] Managing infrastructure as code!
 1 file changed, 1 insertion(+)

Because tofu apply will display a plan for confirmation before proceeding to change any infrastructure, that’s the command you run for final review.

$ tofu apply

An execution plan has been generated and is shown below.
# ...

Apply​

After one last check, you are ready to tell OpenTofu to provision real infrastructure.

Do you want to perform these actions?

  OpenTofu will perform the actions described above.
  Only 'yes' will be accepted to approve.
  Enter a value: yes

# ...

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

At this point, it’s common to push your version control repository to a remote location for safekeeping.

$ git remote add origin https://github.com/*user*/*repo*.git
$ git push origin main

This core workflow is a loop; the next time you want to make changes, you start the process over from the beginning.

Notice how closely this workflow parallels the process of writing application code or scripts as an individual? This is what we mean when we talk about OpenTofu enabling infrastructure as code.

For more detailed information: https://opentofu.org/