ConfigsApr 15, 2026·3 min read

OpenTofu — Community-Driven Open-Source Terraform Alternative

The Linux Foundation fork of Terraform — MPL-2.0 licensed, drop-in compatible, with state encryption and provider-iteration built in.

AI Open Source
AI Open Source · Community

Introduction

When HashiCorp relicensed Terraform under the BUSL in 2023, the Linux Foundation created OpenTofu as a community-governed fork. It is a drop-in replacement for Terraform ≤ 1.5.x with an active independent roadmap and features HashiCorp has declined to ship — most notably native state encryption and for_each on providers.

What OpenTofu Does

  • Reads .tf HCL files and builds a declarative dependency graph
  • Plans, applies, and destroys infrastructure across 3,000+ providers
  • Manages remote state in S3, GCS, Azure, Consul, or HTTP backends
  • Encrypts state and plans end-to-end with pluggable key providers
  • Supports for_each on provider configurations (a long-requested feature)

Architecture Overview

OpenTofu is a single Go binary that shells out to provider plugins over gRPC. Each provider is a separate binary (terraform-provider-aws, terraform-provider-google, etc.) fetched from the OpenTofu Registry. The core handles state, graph walking, and diff computation; providers handle the actual API calls. The Registry at registry.opentofu.org mirrors the Terraform Registry with an independent storage layer and signing.

Self-Hosting & Configuration

  • ~/.tofurc or .terraformrc for CLI config (mirrors, provider overrides)
  • State backends configured in a backend "s3" { ... } block, same as Terraform
  • Run in CI with tofu init -upgrade && tofu plan -detailed-exitcode
  • Use tofu test (native since 1.6) for module unit tests
  • State encryption keys from env, KMS, or HSM via the key-provider interface

Key Features

  • Truly open-source under MPL-2.0, governed by the Linux Foundation
  • Full backwards compatibility with Terraform 1.5.x state and providers
  • Native, pluggable state encryption (no external wrapper needed)
  • for_each on provider blocks for multi-region / multi-account modules
  • Active contributor base including Harness, Gruntwork, Env0, Spacelift

Comparison with Similar Tools

  • Terraform (HashiCorp) — same core language; diverging feature set and license
  • Pulumi — uses general-purpose languages instead of HCL; richer testing story
  • Crossplane — Kubernetes-native IaC, declarative via CRDs, pairs with OpenTofu
  • CDK for Terraform (CDKTF) — write HCL in TypeScript/Python; works with tofu too
  • Ansible — procedural, state-less; better for config mgmt than provisioning

FAQ

Q: Is my Terraform state compatible? A: Yes. State files from Terraform 1.5 and earlier load unchanged in OpenTofu.

Q: Do I have to rewrite my providers? A: No. The gRPC plugin protocol is identical; all providers from the Terraform Registry work.

Q: How do I migrate? A: brew install opentofu, replace terraform with tofu in CI, tofu init -migrate-state.

Q: Who hosts the Registry? A: The Linux Foundation runs registry.opentofu.org. Providers are mirrored and signed by maintainers.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

Citus — Distributed PostgreSQL for Sharding and HTAP

A Postgres extension that turns your database into a distributed cluster with sharding, columnar storage and parallel query — keeping full SQL, ACID, JSONB, PostGIS and the Postgres ecosystem intact.

AI Open Source

Trino — Fast Distributed SQL Query Engine for Data Lakes

The federated SQL engine formerly known as PrestoSQL. Query S3/HDFS/Iceberg/Delta/Hudi, MySQL, Postgres, Kafka, Cassandra and dozens more with ANSI SQL — in seconds, at petabyte scale.

AI Open Source

BadgerDB — Fast Embeddable Key-Value Store in Pure Go

A pure-Go LSM-tree database built for SSDs, the storage engine behind Dgraph. No CGO, ACID transactions, encryption at rest, tiny binary — ideal for Go services that need embedded persistence.

AI Open Source
Home🔍Search👤Me