OpenTofu — Commands & Recipes
# Install OpenTofu
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh
chmod +x install-opentofu.sh && ./install-opentofu.sh --install-method deb
# Migrate: literally rename binary — same state, same config
# 1. Replace `terraform` with `tofu` in your CI scripts
# 2. Run: tofu init (downloads same providers)
tofu init
tofu plan # identical to terraform plan
tofu apply # identical to terraform apply
State Encryption (Key Differentiator)
# Enable state encryption with AWS KMS
terraform {
encryption {
method "aes_gcm" "default" {
keys = key_provider.aws_kms.my_key
}
key_provider "aws_kms" "my_key" {
kms_key_id = "alias/tofu-state-key"
region = "us-east-1"
}
state {
method = method.aes_gcm.default
}
plan {
method = method.aes_gcm.default
}
}
}
# Simple passphrase-based encryption (dev/test)
terraform {
encryption {
method "aes_gcm" "default" {
keys = key_provider.pbkdf2.dev
}
key_provider "pbkdf2" "dev" {
passphrase = var.encryption_passphrase
}
state {
method = method.aes_gcm.default
}
}
}
Core Workflow
# Same as Terraform — drop-in replacement
tofu init
tofu plan -out=plan.tfplan
tofu apply plan.tfplan
tofu destroy
tofu state list
tofu import aws_instance.web i-1234567890abcdef0
Sources