In this post, we’ll take a closer look at OpenTofu, an open-source Infrastructure as Code (IaC) platform.

If you’re managing cloud infrastructure as code, you’ve likely heard about Terraform’s license change. But there’s good news: OpenTofu, a powerful community-driven alternative, is here. Let’s explore why developers worldwide are choosing OpenTofu and how to get started.

 

 

 

1. Why OpenTofu Was Created: The Story Behind the Fork

In August 2023, the infrastructure-as-code community received shocking news. HashiCorp announced that Terraform and all core products would switch from the Mozilla Public License (MPL) v2.0 to the Business Source License (BSL).

Why was this problematic? BSL isn’t technically an open-source license. While individual users and most companies face no issues, the license restricts commercial use for “competitive services.” The definition of “competitive services” was vague and concerning.

Many companies and developers felt uncertain. What if HashiCorp changes its policies later? Could cloud service providers suddenly violate the license?

On August 15, 2023, the OpenTF Manifesto was published (later renamed OpenTofu). Major companies including Gruntwork, Spacelift, Harness, Env0, and Scalr united to fork Terraform’s last open-source version (1.5.6) and maintain it as truly open source.

The community response was remarkable. Within one week, the project received over 6,000 GitHub stars, with 140+ companies and 700+ developers pledging support. On September 20, 2023, OpenTofu officially joined the Linux Foundation, establishing neutral and trustworthy governance.

The journey wasn’t entirely smooth. In April 2024, HashiCorp sent a cease and desist notice to the OpenTofu project, claiming it incorporated code from BSL-licensed Terraform without permission. However, the OpenTofu team demonstrated that the code originated from the MPL-licensed version, and the project continues to thrive with community support.

 

 

2. What Exactly Is OpenTofu?

OpenTofu is an open-source Infrastructure as Code (IaC) tool that lets you build, change, and version cloud and on-premises resources safely and efficiently. Think of it as managing AWS, Azure, Google Cloud, and other infrastructure with just a few lines of code.

The key feature of OpenTofu is being a drop-in replacement for Terraform. You can use existing Terraform code with minimal modifications. Commands are nearly identical: just replace terraform init with tofu init, terraform plan with tofu plan, and so on.

As of October 2025, OpenTofu is growing rapidly. According to the official website, it supports 3,900+ providers and 23,600+ modules, with over 10 million downloads on GitHub. The latest version is 1.10.0, released in June 2025, featuring OCI registry support and various new capabilities.

 

 

3. OpenTofu vs Terraform: Key Differences

Here’s a clear comparison of the main differences:

Feature	OpenTofu	Terraform
License	MPL 2.0 (Fully Open Source)	BSL (Limited Commercial Use)
Governance	Linux Foundation & Community	HashiCorp (Single Company)
Development	Community-Driven, Transparent RFC Process	Company-Led, Private Roadmap
State Encryption	Built-in	Requires Additional Setup
Provider Ecosystem	3,900+ (Terraform Compatible)	3,000+
Key Features	Provider for_each, OCI Registry, Early Variable Evaluation	Some Features Under BSL
Cost	Completely Free	Free for Individual/Small Scale, Restrictions Possible for Large Commercial Use

License: The Most Important Difference

The biggest difference is licensing. OpenTofu uses the MPL 2.0 license, allowing free use, modification, and distribution for any purpose, including commercial services.

Terraform uses the BSL license, restricting use for “competitive services.” IBM’s acquisition of HashiCorp in early 2025 has raised concerns about licensing policy uncertainty.

State Encryption: Essential for Security

OpenTofu provides state file encryption out of the box. This feature was requested by the Terraform community for over five years but never implemented. OpenTofu included it from the first release.

Encrypting state files containing sensitive infrastructure information is critical for security. While Terraform requires additional setup like S3 bucket encryption or versioning, OpenTofu handles it automatically with a simple encryption key configuration.

New Features

OpenTofu rapidly evolves based on community needs:

• Provider for_each (1.9.0): Significantly reduces code duplication when deploying identical infrastructure across multiple regions.
• OCI Registry Support (1.10.0): Deploy and manage providers and modules like container registries.
• Early Variable Evaluation (1.8.0): Use variables in terraform blocks and module sources for more flexible configurations.

 

What is ‘Terraform’? IaC Tool for Managing Cloud Infrastructure”

 

 

4. Installing OpenTofu: Platform-Specific Guide

Getting started with OpenTofu begins with installation. It’s straightforward across all platforms.

Installing on Ubuntu/Debian

For Ubuntu or Debian users, install via the official repository:

# Install required tools
sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl gnupg

# Add OpenTofu GPG keys
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://get.opentofu.org/opentofu.gpg | sudo tee /etc/apt/keyrings/opentofu.gpg >/dev/null
curl -fsSL https://packages.opentofu.org/opentofu/tofu/gpgkey | sudo gpg --no-tty --batch --dearmor -o /etc/apt/keyrings/opentofu-repo.gpg >/dev/null
sudo chmod a+r /etc/apt/keyrings/opentofu.gpg /etc/apt/keyrings/opentofu-repo.gpg

# Add repository
echo \
"deb [signed-by=/etc/apt/keyrings/opentofu.gpg,/etc/apt/keyrings/opentofu-repo.gpg] https://packages.opentofu.org/opentofu/tofu/any/ any main" | \
sudo tee /etc/apt/sources.list.d/opentofu.list

# Install OpenTofu
sudo apt-get update
sudo apt-get install -y tofu

For a simpler approach, use the installation script:

# Download installation script
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh

# Grant execution permissions
chmod +x install-opentofu.sh

# Run installer
./install-opentofu.sh --install-method deb

# Remove script
rm -f install-opentofu.sh

Installing on macOS

macOS users can install with Homebrew in one line:

brew install opentofu

Installing on Windows

Windows users have multiple installation options:

Method 1: Using Chocolatey (Recommended)

Run PowerShell as Administrator:

choco install opentofu

Method 2: Manual Installation

1. Download Windows binary from OpenTofu GitHub Releases (e.g., tofu_1.10.0_windows_amd64.zip)
2. Extract the downloaded file
3. Copy to desired location (e.g., C:\Program Files\OpenTofu\)
4. Add the path to system PATH environment variable:
   • Search “Environment Variables” in Start Menu
   • Select Path in System Variables → Edit
   • Click New and add OpenTofu path
5. Open a new PowerShell window and verify with tofu version

Verify Installation

After installation, verify with:

tofu version

If successful, you’ll see OpenTofu’s version information.

 

 

5. Hands-On Learning: Your First OpenTofu Project

Now let’s use OpenTofu in practice. We’ll create an AWS S3 bucket through a simple example to learn the basic workflow.

Setting Up AWS Credentials

Before OpenTofu can manage AWS resources, configure your AWS credentials.

Method 1: Environment Variables (Recommended)

In your terminal:

# Linux/macOS
export AWS_ACCESS_KEY_ID="your-access-key-id"
export AWS_SECRET_ACCESS_KEY="your-secret-access-key"
export AWS_DEFAULT_REGION="us-east-1"

# Windows PowerShell
$env:AWS_ACCESS_KEY_ID="your-access-key-id"
$env:AWS_SECRET_ACCESS_KEY="your-secret-access-key"
$env:AWS_DEFAULT_REGION="us-east-1"

Method 2: AWS CLI Configuration File

If AWS CLI is installed, the ~/.aws/credentials file is automatically recognized:

aws configure

⚠️ Security Note: Never hardcode Access Keys in your code or commit them to version control!

Create Project Directory

mkdir my-first-opentofu
cd my-first-opentofu

Write Configuration File

Create main.tf with the following content:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "demo_bucket" {
  bucket = "opentofu-demo-${random_id.bucket_id.hex}"
  
  tags = {
    Name        = "OpenTofu Demo"
    Environment = "Learning"
  }
}

resource "random_id" "bucket_id" {
  byte_length = 8
}

output "bucket_name" {
  value       = aws_s3_bucket.demo_bucket.id
  description = "Created S3 bucket name"
}

What does this code do?

1. terraform block: Declares the AWS provider.
2. provider block: Sets AWS region to us-east-1.
3. aws_s3_bucket resource: Creates an S3 bucket with a unique name using random_id.
4. random_id resource: Generates an 8-byte random ID.
5. output block: Displays the created bucket name.

Initialize OpenTofu

Download required providers:

tofu init

This creates a .terraform directory and downloads the AWS provider. Run initialization once per project.

Check Execution Plan

Preview changes before applying:

tofu plan

OpenTofu compares current state with desired state, showing resources to create, modify, or delete. This step helps catch mistakes early.

Apply Infrastructure Changes

If the plan looks good, apply it:

tofu apply

Type yes when prompted. Shortly after, you’ll see the new S3 bucket in your AWS console.

Clean Up Resources

When done, destroy created resources:

tofu destroy

This removes all resources managed by OpenTofu. Always clean up to avoid unnecessary costs.

 

 

6. Migrating from Terraform to OpenTofu

If you’re already using Terraform, migrating to OpenTofu is straightforward.

Pre-Migration Checklist

1. Create Backup: Always backup your current state file.
2. Check Terraform Version: If using Terraform 1.6+, some compatibility issues may arise.
3. Test First: Try in a development environment before production.

Basic Migration Steps

1. Install OpenTofu (using methods described above)
2. Navigate to Project Directory

   cd your-terraform-project
   

3. Initialize OpenTofu

   tofu init
   

   This recognizes existing Terraform state files and downloads necessary providers.

4. Verify State

   tofu plan
   

   If it shows no changes, success! OpenTofu correctly read the existing Terraform state.

5. Update Commands Replace terraform with tofu:
   • terraform init → tofu init
   • terraform plan → tofu plan
   • terraform apply → tofu apply
   • terraform destroy → tofu destroy

Update CI/CD Pipeline

For GitHub Actions, simply change the action:

# Previous Terraform setup
- uses: hashicorp/setup-terraform@v2
  with:
    terraform_version: 1.5.0

# Change to OpenTofu
- uses: opentofu/setup-opentofu@v1
  with:
    tofu_version: 1.10.0

See the OpenTofu GitHub Actions repository for details.

 

 

7. Advanced Tips for Efficient OpenTofu Usage

Set Up VS Code Development Environment

OpenTofu provides an official VS Code extension. Install the OpenTofu Extension for VS Code for:

• Syntax Highlighting: Color-coded HCL for better readability.
• IntelliSense: Auto-completion for providers, resources, and data sources.
• Code Formatting: Automatic tofu fmt execution.
• Error Detection: Real-time syntax error checking.

Configure State File Encryption

Set up OpenTofu’s powerful state encryption feature. Add to main.tf:

terraform {
  encryption {
    key_provider "pbkdf2" "mykey" {
      passphrase = var.encryption_passphrase
    }

    method "aes_gcm" "example" {
      keys = key_provider.pbkdf2.mykey
    }

    state {
      method = method.aes_gcm.example
    }
  }
}

Manage encryption keys via environment variables or separate files. Never hardcode them!

Reuse Code with Modules

OpenTofu works with all Terraform modules. Find thousands of verified modules in the OpenTofu Registry or Terraform Registry.

For example, to create an AWS VPC using a module:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.0.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["us-east-1a", "us-east-1b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = false
}

This handles complex VPC setup in just a few lines.

Leverage Provider for_each

OpenTofu 1.9.0’s provider for_each simplifies multi-region deployments:

# Deploy across multiple AWS regions
variable "aws_regions" {
  default = ["us-east-1", "us-west-2", "eu-west-1"]
}

provider "aws" {
  alias    = "multi_region"
  for_each = toset(var.aws_regions)
  region   = each.key
}

# Create S3 buckets in each region
resource "aws_s3_bucket" "regional_backup" {
  for_each = toset(var.aws_regions)
  provider = aws.multi_region[each.key]
  bucket   = "backup-${each.key}-${random_id.bucket_suffix.hex}"
}

This feature dramatically reduces code duplication and simplifies multi-region management.

 

 

8. Community and Learning Resources

OpenTofu has an active community. Use these resources when you need help:

Official Documentation

• Official Website: https://opentofu.org/
• Documentation: https://opentofu.org/docs/intro/
• GitHub Repository: https://github.com/opentofu/opentofu
• Migration Guide: https://opentofu.org/docs/intro/migration/

Community Participation

• OpenTofu Slack: Real-time questions and answers.
• GitHub Discussions: Feature suggestions and in-depth discussions.
• Community Meetings: Weekly meetings every Wednesday at 12:30 UTC.

Learning Materials

• Linux Foundation Course: Getting Started with OpenTofu (LFEL1009) for structured learning.
• Spacelift Blog: OpenTofu Tutorial with various examples.
• Awesome OpenTofu: https://awesome-opentofu.com/ for tools and resources.

 

 

9. Why Choose OpenTofu

Here’s why you should consider OpenTofu:

License Freedom

OpenTofu remains open source forever. Under Linux Foundation stewardship, it’s immune to single-company policy changes. Use it freely for commercial services, SaaS operations, or any purpose without licensing concerns.

Community-Driven Development

OpenTofu reflects actual user needs. Features like state encryption and provider for_each were implemented based on community requests. Anyone can propose and discuss features through the RFC (Request for Comments) process.

Proven Stability

OpenTofu started from Terraform’s proven codebase—stable code used in production environments for years. Plus, 18 full-time developers have committed to 5-year support.

Extensive Ecosystem

Supports 3,900+ providers and 23,600+ modules. Manage nearly every cloud platform and service including AWS, Azure, Google Cloud, Kubernetes, Docker, and GitHub.

Easy Transition

If you’re using Terraform, switching is simple. In most cases, just change commands while keeping existing code and state files.

 

 

10. Important Considerations

Before using OpenTofu, consider these points:

Feature Gap with Latest Terraform

Since OpenTofu forked from Terraform 1.5.6, some features from Terraform 1.6+ may not yet be available in OpenTofu. However, the community rapidly develops needed features, narrowing this gap over time.

Provider Compatibility

Most Terraform providers work well with OpenTofu, but newer or beta providers may need testing. Test thoroughly in development environments before production deployment.

Team-Wide Buy-In

Migrating existing Terraform projects requires team-wide agreement and understanding. Plan carefully, including updates to CI/CD pipelines, documentation, and training materials.

State File Backups Are Essential

State files are critical infrastructure components during migration and daily operations. Back them up regularly and use remote backends for secure storage.

Learning Curve

If IaC is new to you, expect a learning period. However, if you’re already using Terraform, you can start immediately with minimal additional learning.

 

 

OpenTofu isn’t just a Terraform alternative. It’s a next-generation IaC platform embodying true open-source principles and listening to community voices. As of 2025, it’s growing rapidly with many companies using it in production environments.

If you’re using Terraform, consider transitioning to OpenTofu. Escape licensing uncertainty and gain better features with community support. If you’re starting fresh with IaC, begin with OpenTofu from day one. 🙂