OpenTofu 指南：Terraform 开源替代方案、迁移教程与 Windows 路径要求详解

opentofu-guide by josiahsiegel/claude-plugin-marketplace

80 周安装量

21 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/josiahsiegel/claude-plugin-marketplace --skill opentofu-guide

云服务开发运维开源项目

🇨🇳中文介绍

🚨 关键指南

Windows 文件路径要求

强制要求：在 Windows 上始终对文件路径使用反斜杠

在 Windows 上使用编辑或写入工具时，必须在文件路径中使用反斜杠（\），而不是正斜杠（/）。

示例：

❌ 错误：D:/repos/project/file.tsx
✅ 正确：D:\repos\project\file.tsx

这适用于：

Edit 工具的 file_path 参数
Write 工具的 file_path 参数
Windows 系统上的所有文件操作

文档指南

除非用户明确要求，否则切勿创建新的文档文件。

优先级：更新现有的 README.md 文件，而不是创建新文档
仓库整洁性：保持仓库根目录清洁 - 除非用户另有要求，否则只保留 README.md
风格：文档应简洁、直接且专业 - 避免 AI 生成的语气

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

OpenTofu 专业知识与迁移指南

OpenTofu 是 Terraform 的开源分支，于 2023 年 HashiCorp 将 Terraform 的许可证从 MPL 2.0 更改为 BSL（商业源代码许可证）后创建。OpenTofu 由 Linux 基金会管理，并保持与 Terraform 1.5.x 的完全兼容性，同时增加了社区驱动的功能。

主要差异（2025年）

Terraform (HashiCorp):

自 2023 年 8 月起使用 BSL（商业源代码许可证）
对竞争产品的商业使用有限制
IBM 于 2024 年收购了 HashiCorp

MPL 2.0（Mozilla 公共许可证）
真正的开源
Linux 基金会治理
社区驱动开发

功能创新（2025年）

OpenTofu 1.7 功能：

状态加密：客户端加密（社区要求了 5 年以上）
可循环导入块：import 块中的 for_each
动态提供者函数：支持提供者定义的函数
早期变量求值：terraform 块中的变量

OpenTofu 1.8 功能（最新）：

OpenTofu 特定覆盖：平衡兼容性与创新
扩展的早期变量求值：在模块源中使用变量/局部变量
增强的提供者支持：改进的提供者 SDK

Terraform 优势：

HCP Terraform：包含 Stacks、HYOK、私有 VCS 访问的云平台
企业支持：直接的 HashiCorp/IBM 支持
更大的生态系统：更成熟的市场
Sentinel 策略：策略即代码框架（350+ NIST 策略）

HCL 语法（相同的语言）
提供者生态系统（相同的注册表访问）
状态文件格式（Terraform 1.5.x）
模块结构
CLI 命令

可替代 Terraform 1.5.x
无需更改代码
状态文件可移植（需考虑加密）

何时使用 OpenTofu 与 Terraform

在以下情况选择 OpenTofu：

开源要求：
- 组织政策要求使用开源工具
- 希望供应商中立
- 担心未来的许可证变更
需要状态加密：
- 合规性要求客户端加密
- 希望无需 HCP Terraform 即可加密
- 多云加密要求
成本优化：
- 希望免费的状态加密
- 不需要 HCP Terraform 功能
- 工具预算有限
社区驱动：
- 希望影响路线图
- 偏好 Linux 基金会治理
- 重视社区贡献

在以下情况选择 Terraform：

需要企业功能：
- 需要 HCP Terraform Stacks
- 需要 HYOK（持有您自己的密钥）
- 需要私有 VCS 访问
- 需要 Sentinel 策略强制执行
企业支持：
- 希望获得直接的 HashiCorp/IBM 支持
- 需要 SLA 保证
- 需要合规性认证
高级功能：
- 临时值（1.10+）
- Terraform Query（1.14+）
- Actions 块（1.14+）
- 优先获得最新的提供者功能
成熟的生态系统：
- 现有的 HCP Terraform 投资
- 紧密的集成需求
- 成熟的工具要求

从 Terraform 迁移到 OpenTofu

步骤 1：评估兼容性

# 检查 Terraform 版本
terraform version
# 必须是 1.5.x 或兼容版本

# 检查提供者版本
terraform providers
# 所有提供者都兼容（相同的注册表）

步骤 2：安装 OpenTofu

# Chocolatey
choco install opentofu

# Scoop
scoop install opentofu

# 手动安装
# 从 https://github.com/opentofu/opentofu/releases 下载

# Homebrew
brew install opentofu

# 手动安装
curl -L https://github.com/opentofu/opentofu/releases/download/v1.8.0/tofu_1.8.0_darwin_amd64.tar.gz | tar xz
sudo mv tofu /usr/local/bin/

# Snap
snap install opentofu --classic

# Debian/Ubuntu
curl -fsSL https://get.opentofu.org/install-opentofu.sh | sh

# 手动安装
wget https://github.com/opentofu/opentofu/releases/download/v1.8.0/tofu_1.8.0_linux_amd64.tar.gz
tar -xzf tofu_1.8.0_linux_amd64.tar.gz
sudo mv tofu /usr/local/bin/

步骤 3：测试兼容性

# 导航到 Terraform 目录
cd /path/to/terraform/project

# 使用 OpenTofu 初始化（非破坏性）
tofu init

# 验证配置
tofu validate

# 生成计划（与 Terraform plan 比较）
tofu plan

步骤 4：迁移状态（可选）

如果不使用状态加密：

# 状态兼容 - 无需迁移
# 只需将命令从 'terraform' 切换到 'tofu'

# 验证状态
tofu show

如果启用状态加密：

# 在 .tofu 文件中配置加密
cat > .tofu <<EOF
encryption {
  state {
    method = "aes_gcm"
    keys {
      name = "my_key"
      passphrase = env.TOFU_ENCRYPTION_KEY
    }
  }

  plan {
    method = "aes_gcm"
    keys {
      name = "my_key"
      passphrase = env.TOFU_ENCRYPTION_KEY
    }
  }
}
EOF

# 设置加密密钥
export TOFU_ENCRYPTION_KEY="your-secure-passphrase"

# 迁移状态（自动加密）
tofu init -migrate-state

步骤 5：更新 CI/CD

GitHub Actions：

# 之前（Terraform）
- uses: hashicorp/setup-terraform@v3
  with:
    terraform_version: 1.5.0

# 之后（OpenTofu）
- uses: opentofu/setup-opentofu@v1
  with:
    tofu_version: 1.8.0

# 或手动安装
- name: 安装 OpenTofu
  run: |
    curl -fsSL https://get.opentofu.org/install-opentofu.sh | sh
    tofu version

# 之前
- task: TerraformInstaller@0
  inputs:
    terraformVersion: '1.5.0'

# 之后
- task: Bash@3
  displayName: '安装 OpenTofu'
  inputs:
    targetType: 'inline'
    script: |
      curl -fsSL https://get.opentofu.org/install-opentofu.sh | sh
      tofu version

# 之前
image: hashicorp/terraform:1.5.0

# 之后
image: ghcr.io/opentofu/opentofu:1.8.0

状态加密（OpenTofu 独有）

# .tofu 或 terraform.tf
encryption {
  state {
    method = "aes_gcm"
    keys {
      name = "primary_key"
      passphrase = env.TOFU_STATE_ENCRYPTION_KEY
    }
  }
}

encryption {
  state {
    method = "aes_gcm"
    keys {
      # 新密钥
      name = "key_v2"
      passphrase = env.TOFU_KEY_V2

      # 旧密钥（用于解密）
      fallback {
        name = "key_v1"
        passphrase = env.TOFU_KEY_V1
      }
    }
  }
}

云 KMS 集成：

# AWS KMS
encryption {
  state {
    method = "aws_kms"
    keys {
      name = "aws_key"
      kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }
  }
}

# Azure Key Vault
encryption {
  state {
    method = "azurerm_key_vault"
    keys {
      name = "azure_key"
      key_vault_key_id = "https://myvault.vault.azure.net/keys/mykey/version"
    }
  }
}

# GCP KMS
encryption {
  state {
    method = "gcp_kms"
    keys {
      name = "gcp_key"
      kms_crypto_key = "projects/PROJECT_ID/locations/LOCATION/keyRings/RING/cryptoKeys/KEY"
    }
  }
}

安全存储密钥：

# 切勿提交密钥
echo "TOFU_ENCRYPTION_KEY=xxx" >> .env
echo ".env" >> .gitignore

# 使用 CI/CD 密钥
# GitHub：仓库设置 → 密钥
# Azure DevOps：流水线 → 变量 → 密钥

定期轮换密钥：

# 生成新密钥
NEW_KEY=$(openssl rand -base64 32)

# 添加到备用密钥，更新配置
# 迁移状态
tofu init -migrate-state

备份未加密状态：

# 在启用加密之前
terraform state pull > backup-unencrypted.tfstate

# 启用加密
tofu init -migrate-state

# 验证
tofu state pull  # 在后端应该是加密的

可循环导入块（OpenTofu 1.7+）

Terraform 1.5+（单次导入）：

import {
  to = azurerm_resource_group.example
  id = "/subscriptions/.../resourceGroups/my-rg"
}

OpenTofu 1.7+（循环导入）：

# 导入多个资源组
locals {
  resource_groups = {
    "rg1" = "/subscriptions/.../resourceGroups/rg1"
    "rg2" = "/subscriptions/.../resourceGroups/rg2"
    "rg3" = "/subscriptions/.../resourceGroups/rg3"
  }
}

import {
  for_each = local.resource_groups
  to       = azurerm_resource_group.imported[each.key]
  id       = each.value
}

resource "azurerm_resource_group" "imported" {
  for_each = local.resource_groups
  name     = each.key
  location = "eastus"
}

早期变量求值（OpenTofu 1.7+）

Terraform 1.5.x：

# terraform 块中不允许使用变量
terraform {
  required_version = ">= 1.5.0"  # 仅静态值

  backend "azurerm" {
    resource_group_name  = "terraform-state"  # 仅静态值
    storage_account_name = "tfstate"
  }
}

OpenTofu 1.7+：

# terraform 块中允许使用变量
variable "environment" {
  type = string
}

terraform {
  required_version = ">= 1.7.0"

  backend "azurerm" {
    resource_group_name  = "terraform-state-${var.environment}"
    storage_account_name = "tfstate${var.environment}"
    key                  = "${var.environment}.tfstate"
  }
}

OpenTofu 1.8+（模块源）：

variable "module_version" {
  type    = string
  default = "v1.0.0"
}

module "networking" {
  source  = "git::https://github.com/org/module.git?ref=${var.module_version}"
  # 动态模块版本！
}

示例 1：小型项目迁移

# 1. 备份现有状态
terraform state pull > backup.tfstate

# 2. 安装 OpenTofu
brew install opentofu

# 3. 测试兼容性
tofu init
tofu plan

# 4. 切换到 OpenTofu
alias terraform=tofu  # 可选：保持肌肉记忆

# 5. 验证一切正常
tofu apply

示例 2：带加密的企业迁移

# 1. 生成加密密钥
ENCRYPTION_KEY=$(openssl rand -base64 32)
echo "TOFU_ENCRYPTION_KEY=$ENCRYPTION_KEY" >> .env.production

# 2. 创建加密配置
cat > .tofu <<EOF
encryption {
  state {
    method = "aes_gcm"
    keys {
      name = "prod_key"
      passphrase = env.TOFU_ENCRYPTION_KEY
    }
  }

  plan {
    method = "aes_gcm"
    keys {
      name = "prod_key"
      passphrase = env.TOFU_ENCRYPTION_KEY
    }
  }
}
EOF

# 3. 带加密迁移
source .env.production
tofu init -migrate-state

# 4. 验证加密
tofu state pull  # 状态现在在后端是加密的

示例 3：CI/CD 迁移

# .github/workflows/terraform.yml
name: 基础设施

on: [push, pull_request]

jobs:
  opentofu:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: 设置 OpenTofu
        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: 1.8.0

      - name: 初始化
        run: tofu init
        env:
          TOFU_ENCRYPTION_KEY: ${{ secrets.TOFU_ENCRYPTION_KEY }}

      - name: 计划
        run: tofu plan
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TOFU_ENCRYPTION_KEY: ${{ secrets.TOFU_ENCRYPTION_KEY }}

      - name: 应用
        if: github.ref == 'refs/heads/main'
        run: tofu apply -auto-approve
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TOFU_ENCRYPTION_KEY: ${{ secrets.TOFU_ENCRYPTION_KEY }}

所有 Terraform 命令在 OpenTofu 中工作方式相同（只需将 terraform 替换为 tofu）：

# Terraform          # OpenTofu
terraform init      → tofu init
terraform plan      → tofu plan
terraform apply     → tofu apply
terraform destroy   → tofu destroy
terraform state     → tofu state
terraform import    → tofu import
terraform validate  → tofu validate
terraform fmt       → tofu fmt
terraform output    → tofu output

OpenTofu 社区：

GitHub：https://github.com/opentofu/opentofu
Slack：OpenTofu Workspace
论坛：OpenTofu Discussions
注册表：registry.opentofu.org

Terraform 社区：

论坛：HashiCorp Discuss
GitHub：hashicorp/terraform
注册表：registry.terraform.io
支持：HashiCorp 支持门户

因素	Terraform	OpenTofu
许可证	BSL（专有）	MPL 2.0（开源）
状态加密	通过 HCP Terraform（付费）	内置（免费）
企业功能	HCP Terraform（Stacks、HYOK）	社区替代方案
治理	HashiCorp/IBM	Linux 基金会
支持	商业支持可用	社区驱动
创新	HCP 导向	社区导向
成本	免费 CLI，付费云	完全免费
兼容性	向前兼容	Terraform 1.5.x 兼容

在以下情况从 OpenTofu 开始：

构建新基础设施
不需要 HCP Terraform 功能
希望无需云成本即可进行状态加密
偏好开源工具
预算有限

在以下情况继续使用 Terraform：

使用 HCP Terraform Stacks
需要 Sentinel 策略
需要企业支持
希望优先获得最新功能（1.10+）
已建立 HCP 投资

两者都是可行的长期选择
大多数项目的迁移时间 < 1 小时
状态文件可移植
可以在不承诺的情况下评估两者

此技能为 terraform-expert 代理提供了全面的 OpenTofu 知识。

🇺🇸English

🚨 CRITICAL GUIDELINES

Windows File Path Requirements

MANDATORY: Always Use Backslashes on Windows for File Paths

When using Edit or Write tools on Windows, you MUST use backslashes (\) in file paths, NOT forward slashes (/).

Examples:

❌ WRONG: D:/repos/project/file.tsx
✅ CORRECT: D:\repos\project\file.tsx

This applies to:

Edit tool file_path parameter
Write tool file_path parameter
All file operations on Windows systems

Documentation Guidelines

NEVER create new documentation files unless explicitly requested by the user.

Priority : Update existing README.md files rather than creating new documentation
Repository cleanliness : Keep repository root clean - only README.md unless user requests otherwise
Style : Documentation should be concise, direct, and professional - avoid AI-generated tone
User preference : Only create additional .md files when user specifically asks for documentation

OpenTofu Expertise and Migration Guide

Overview

OpenTofu is the open-source fork of Terraform, created in 2023 after HashiCorp changed Terraform's license from MPL 2.0 to BSL (Business Source License). OpenTofu is stewarded by the Linux Foundation and maintains full compatibility with Terraform 1.5.x while adding community-driven features.

Key Differences (2025)

Licensing

Terraform (HashiCorp):

BSL (Business Source License) since August 2023
Restrictions on commercial use for competing products
IBM acquired HashiCorp in 2024

OpenTofu:

MPL 2.0 (Mozilla Public License)
True open-source
Linux Foundation governance
Community-driven development

Feature Innovations (2025)

OpenTofu 1.7 Features:

State Encryption : Client-side encryption (community requested for 5+ years)
Loop-able Import Blocks : for_each in import blocks
Dynamic Provider Functions : Provider-defined functions support
Early Variable Evaluation : Variables in terraform block

OpenTofu 1.8 Features (Latest):

OpenTofu-Specific Overrides : Balance compatibility with innovation
Early Variable Evaluation Expanded : Use variables/locals in module sources
Enhanced Provider Support : Improved provider SDK

Terraform Advantages:

HCP Terraform : Cloud platform with Stacks, HYOK, Private VCS Access
Enterprise Support : Direct HashiCorp/IBM support
Larger Ecosystem : More established marketplace
Sentinel Policies : Policy-as-code framework (350+ NIST policies)

Compatibility

100% Compatible:

HCL syntax (same language)
Provider ecosystem (same registry access)
State file format (Terraform 1.5.x)
Module structure
CLI commands

Migration Path:

Drop-in replacement for Terraform 1.5.x
No code changes required
State files portable (with encryption consideration)

When to Use OpenTofu vs Terraform

Choose OpenTofu When:

Open-Source Requirements:
- Organization policy requires open-source tools
- Want vendor neutrality
- Concerned about future license changes
State Encryption Needed:
- Compliance requires client-side encryption
- Want encryption without HCP Terraform
- Multi-cloud encryption requirements
Cost Optimization:
- Want free state encryption
- No need for HCP Terraform features
- Budget constraints on tooling
Community-Driven:
- Want to influence roadmap
- Prefer Linux Foundation governance
- Value community contributions

Choose Terraform When:

Enterprise Features Required:
- Need HCP Terraform Stacks
- Require HYOK (Hold Your Own Key)
- Want Private VCS Access
- Need Sentinel policy enforcement
Enterprise Support:
- Want direct HashiCorp/IBM support
- Need SLA guarantees
- Require compliance certifications
Advanced Features:
- Ephemeral values (1.10+)
- Terraform Query (1.14+)
- Actions blocks (1.14+)
- Latest provider features first
Established Ecosystem:
- Existing HCP Terraform investment
- Tight integration needs
- Mature tooling requirements

Migration from Terraform to OpenTofu

Step 1: Assess Compatibility

# Check Terraform version
terraform version
# Must be 1.5.x or compatible

# Check provider versions
terraform providers
# All providers compatible (same registry)

Step 2: Install OpenTofu

Windows:

# Chocolatey
choco install opentofu

# Scoop
scoop install opentofu

# Manual
# Download from https://github.com/opentofu/opentofu/releases

macOS:

# Homebrew
brew install opentofu

# Manual
curl -L https://github.com/opentofu/opentofu/releases/download/v1.8.0/tofu_1.8.0_darwin_amd64.tar.gz | tar xz
sudo mv tofu /usr/local/bin/

Linux:

# Snap
snap install opentofu --classic

# Debian/Ubuntu
curl -fsSL https://get.opentofu.org/install-opentofu.sh | sh

# Manual
wget https://github.com/opentofu/opentofu/releases/download/v1.8.0/tofu_1.8.0_linux_amd64.tar.gz
tar -xzf tofu_1.8.0_linux_amd64.tar.gz
sudo mv tofu /usr/local/bin/

Step 3: Test Compatibility

# Navigate to Terraform directory
cd /path/to/terraform/project

# Initialize with OpenTofu (non-destructive)
tofu init

# Validate configuration
tofu validate

# Generate plan (compare with Terraform plan)
tofu plan

Step 4: Migrate State (Optional)

If NOT using state encryption:

# State is compatible - no migration needed
# Just switch from 'terraform' to 'tofu' commands

# Verify state
tofu show

If ENABLING state encryption:

# Configure encryption in .tofu file
cat > .tofu <<EOF
encryption {
  state {
    method = "aes_gcm"
    keys {
      name = "my_key"
      passphrase = env.TOFU_ENCRYPTION_KEY
    }
  }

  plan {
    method = "aes_gcm"
    keys {
      name = "my_key"
      passphrase = env.TOFU_ENCRYPTION_KEY
    }
  }
}
EOF

# Set encryption key
export TOFU_ENCRYPTION_KEY="your-secure-passphrase"

# Migrate state (automatically encrypts)
tofu init -migrate-state

Step 5: Update CI/CD

GitHub Actions:

# Before (Terraform)
- uses: hashicorp/setup-terraform@v3
  with:
    terraform_version: 1.5.0

# After (OpenTofu)
- uses: opentofu/setup-opentofu@v1
  with:
    tofu_version: 1.8.0

# Or manual install
- name: Install OpenTofu
  run: |
    curl -fsSL https://get.opentofu.org/install-opentofu.sh | sh
    tofu version

Azure DevOps:

# Before
- task: TerraformInstaller@0
  inputs:
    terraformVersion: '1.5.0'

# After
- task: Bash@3
  displayName: 'Install OpenTofu'
  inputs:
    targetType: 'inline'
    script: |
      curl -fsSL https://get.opentofu.org/install-opentofu.sh | sh
      tofu version

GitLab CI:

# Before
image: hashicorp/terraform:1.5.0

# After
image: ghcr.io/opentofu/opentofu:1.8.0

State Encryption (OpenTofu Exclusive)

Configuration

Basic Encryption:

# .tofu or terraform.tf
encryption {
  state {
    method = "aes_gcm"
    keys {
      name = "primary_key"
      passphrase = env.TOFU_STATE_ENCRYPTION_KEY
    }
  }
}

Key Rotation:

encryption {
  state {
    method = "aes_gcm"
    keys {
      # New key
      name = "key_v2"
      passphrase = env.TOFU_KEY_V2

      # Old key (for decryption)
      fallback {
        name = "key_v1"
        passphrase = env.TOFU_KEY_V1
      }
    }
  }
}

Cloud KMS Integration:

# AWS KMS
encryption {
  state {
    method = "aws_kms"
    keys {
      name = "aws_key"
      kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }
  }
}

# Azure Key Vault
encryption {
  state {
    method = "azurerm_key_vault"
    keys {
      name = "azure_key"
      key_vault_key_id = "https://myvault.vault.azure.net/keys/mykey/version"
    }
  }
}

# GCP KMS
encryption {
  state {
    method = "gcp_kms"
    keys {
      name = "gcp_key"
      kms_crypto_key = "projects/PROJECT_ID/locations/LOCATION/keyRings/RING/cryptoKeys/KEY"
    }
  }
}

Best Practices

Store Keys Securely:

# Never commit keys
echo "TOFU_ENCRYPTION_KEY=xxx" >> .env
echo ".env" >> .gitignore

# Use CI/CD secrets
# GitHub: Repository Settings → Secrets
# Azure DevOps: Pipeline → Variables → Secret

Rotate Keys Regularly:

# Generate new key
NEW_KEY=$(openssl rand -base64 32)

# Add to fallback, update configs
# Migrate state
tofu init -migrate-state

Backup Unencrypted State:

# Before enabling encryption
terraform state pull > backup-unencrypted.tfstate

# Enable encryption
tofu init -migrate-state

# Verify
tofu state pull  # Should be encrypted in backend

Loop-able Import Blocks (OpenTofu 1.7+)

Terraform 1.5+ (Single Imports):

import {
  to = azurerm_resource_group.example
  id = "/subscriptions/.../resourceGroups/my-rg"
}

OpenTofu 1.7+ (Loop Imports):

# Import multiple resource groups
locals {
  resource_groups = {
    "rg1" = "/subscriptions/.../resourceGroups/rg1"
    "rg2" = "/subscriptions/.../resourceGroups/rg2"
    "rg3" = "/subscriptions/.../resourceGroups/rg3"
  }
}

import {
  for_each = local.resource_groups
  to       = azurerm_resource_group.imported[each.key]
  id       = each.value
}

resource "azurerm_resource_group" "imported" {
  for_each = local.resource_groups
  name     = each.key
  location = "eastus"
}

Early Variable Evaluation (OpenTofu 1.7+)

Terraform 1.5.x:

# Variables NOT allowed in terraform block
terraform {
  required_version = ">= 1.5.0"  # Static only

  backend "azurerm" {
    resource_group_name  = "terraform-state"  # Static only
    storage_account_name = "tfstate"
  }
}

OpenTofu 1.7+:

# Variables allowed in terraform block
variable "environment" {
  type = string
}

terraform {
  required_version = ">= 1.7.0"

  backend "azurerm" {
    resource_group_name  = "terraform-state-${var.environment}"
    storage_account_name = "tfstate${var.environment}"
    key                  = "${var.environment}.tfstate"
  }
}

OpenTofu 1.8+ (Module Sources):

variable "module_version" {
  type    = string
  default = "v1.0.0"
}

module "networking" {
  source  = "git::https://github.com/org/module.git?ref=${var.module_version}"
  # Dynamic module version!
}

Practical Migration Examples

Example 1: Small Project Migration

# 1. Backup existing state
terraform state pull > backup.tfstate

# 2. Install OpenTofu
brew install opentofu

# 3. Test compatibility
tofu init
tofu plan

# 4. Switch to OpenTofu
alias terraform=tofu  # Optional: maintain muscle memory

# 5. Verify everything works
tofu apply

Example 2: Enterprise Migration with Encryption

# 1. Generate encryption key
ENCRYPTION_KEY=$(openssl rand -base64 32)
echo "TOFU_ENCRYPTION_KEY=$ENCRYPTION_KEY" >> .env.production

# 2. Create encryption config
cat > .tofu <<EOF
encryption {
  state {
    method = "aes_gcm"
    keys {
      name = "prod_key"
      passphrase = env.TOFU_ENCRYPTION_KEY
    }
  }

  plan {
    method = "aes_gcm"
    keys {
      name = "prod_key"
      passphrase = env.TOFU_ENCRYPTION_KEY
    }
  }
}
EOF

# 3. Migrate with encryption
source .env.production
tofu init -migrate-state

# 4. Verify encryption
tofu state pull  # State is now encrypted in backend

Example 3: CI/CD Migration

# .github/workflows/terraform.yml
name: Infrastructure

on: [push, pull_request]

jobs:
  opentofu:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup OpenTofu
        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: 1.8.0

      - name: Init
        run: tofu init
        env:
          TOFU_ENCRYPTION_KEY: ${{ secrets.TOFU_ENCRYPTION_KEY }}

      - name: Plan
        run: tofu plan
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TOFU_ENCRYPTION_KEY: ${{ secrets.TOFU_ENCRYPTION_KEY }}

      - name: Apply
        if: github.ref == 'refs/heads/main'
        run: tofu apply -auto-approve
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TOFU_ENCRYPTION_KEY: ${{ secrets.TOFU_ENCRYPTION_KEY }}

Command Compatibility

All Terraform commands work identically in OpenTofu (just replace terraform with tofu):

# Terraform          # OpenTofu
terraform init      → tofu init
terraform plan      → tofu plan
terraform apply     → tofu apply
terraform destroy   → tofu destroy
terraform state     → tofu state
terraform import    → tofu import
terraform validate  → tofu validate
terraform fmt       → tofu fmt
terraform output    → tofu output

Community and Support

OpenTofu Community:

GitHub: https://github.com/opentofu/opentofu
Slack: OpenTofu Workspace
Forum: OpenTofu Discussions
Registry: registry.opentofu.org

Terraform Community:

Forum: HashiCorp Discuss
GitHub: hashicorp/terraform
Registry: registry.terraform.io
Support: HashiCorp Support Portal

Decision Matrix

Factor	Terraform	OpenTofu
License	BSL (Proprietary)	MPL 2.0 (Open Source)
State Encryption	Via HCP Terraform (paid)	Built-in (free)
Enterprise Features	HCP Terraform (Stacks, HYOK)	Community alternatives
Governance	HashiCorp/IBM	Linux Foundation
Support	Commercial support available	Community-driven
Innovation	HCP-focused	Community-focused
Cost	Free CLI, paid cloud	Completely free
Compatibility

Recommendations

Start with OpenTofu if:

Building new infrastructure
No need for HCP Terraform features
Want state encryption without cloud costs
Prefer open-source tools
Budget-conscious

Stay with Terraform if:

Using HCP Terraform Stacks
Need Sentinel policies
Require enterprise support
Want latest features first (1.10+)
Established HCP investment

Easy to Switch:

Both are viable long-term
Migration takes < 1 hour for most projects
State files portable
Can evaluate both without commitment

This skill provides comprehensive OpenTofu knowledge for the terraform-expert agent.

Weekly Installs

Repository

josiahsiegel/cl…ketplace

GitHub Stars

First Seen

Jan 24, 2026

Security Audits

Gen Agent Trust HubFail SocketPass SnykPass

Installed on

opencode65

gemini-cli63

codex62

cursor58

claude-code57

github-copilot56