Operations
Scope
Production deployment patterns, operational procedures, performance tuning, and troubleshooting for OpenTofu.
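Deployment
Installation
```bash
# Install via package manager
brew install opentofu
# or use the installer script (it requires an install method)
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh | sh -s -- --install-method standalone
# Verify
tofu version
```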
Migration from Terraform
```bash
# In existing Terraform directory
tofu init -upgrade   # Reinitializes providers
tofu plan            # Should match existing Terraform plan
```
Drop-in Replacement
OpenTofu is a drop-in replacement for Terraform < 1.6. State files, HCL configs, and providers are compatible. Replace `terraform` with `tofu` in all commands.
State Management
```bash
# State operations (same as Terraform)
tofu state list
tofu state show <resource>
tofu import <resource> <id>
tofu state mv <source> <dest>
```
Key Differences from Terraform
| Feature | OpenTofu | Terraform |
|---|---|---|
| License | MPL 2.0 (open source) | BSL 1.1 (source-available) |
| State encryption | Native (local + remote) | Terraform Cloud only |
| Registry | registry.opentofu.org | registry.terraform.io |
| Provider locking | Compatible | Compatible |
Common Issues
| Issue | Fix |
|---|---|
| Provider not found | Add `registry.opentofu.org` mirror or use `required_providers` block |
| State encryption setup | `tofu init` with `encryption` block in backend config |
| Module incompatibility | Check for Terraform Cloud-specific features |
Commands & Recipes
Migration from Terraform
```bash
# Install OpenTofu
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh
chmod +x install-opentofu.sh && ./install-opentofu.sh --install-method deb
# Migrate: literally rename binary — same state, same config
# 1. Replace `terraform` with `tofu` in your CI scripts
# 2. Run: tofu init (downloads same providers)
tofu init
tofu plan    # identical to terraform plan
tofu apply   # identical to terraform apply
```
State Encryption (Key Differentiator)
```hcl
# Enable state encryption with AWS KMS
terraform {
  encryption {
    method "aes_gcm" "default" {
      keys = key_provider.aws_kms.my_key
    }
    key_provider "aws_kms" "my_key" {
      kms_key_id = "alias/tofu-state-key"
      region     = "us-east-1"
      key_spec   = "AES_256" # required by the aws_kms key provider
    }
    # Encrypt the state file
    state {
      method = method.aes_gcm.default
    }
    # Encrypt saved plan files as well
    plan {
      method = method.aes_gcm.default
    }
  }
}
```
```hcl
# Simple passphrase-based encryption (dev/test)
terraform {
  encryption {
    method "aes_gcm" "default" {
      keys = key_provider.pbkdf2.dev
    }
    key_provider "pbkdf2" "dev" {
      # pbkdf2 requires a passphrase of at least 16 characters
      passphrase = var.encryption_passphrase
    }
    state {
      method = method.aes_gcm.default
    }
  }
}
```
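To confirm in CI that the encryption block above actually took effect, this added example (not code from the original page or the OpenTofu project) classifies a state file as encrypted or plaintext and lists any resource addresses still readable without a key. It assumes the encrypted state envelope carries top-level `encrypted_data` and `encryption_version` keys; both sample documents are constructed.

```python
import json
import sys

# Top-level keys of OpenTofu's encrypted state envelope (assumption: confirm
# against a state file written by your tofu version).
ENCRYPTED_KEYS = {"encrypted_data", "encryption_version"}
# Keys that only appear when the state body is readable JSON.
PLAINTEXT_KEYS = {"resources", "outputs", "terraform_version"}

# Constructed samples, not real state.
SAMPLE_PLAINTEXT = json.dumps({
    "version": 4, "terraform_version": "1.5.7", "serial": 3, "outputs": {},
    "resources": [{"mode": "managed", "type": "aws_db_instance", "name": "main",
                   "instances": [{"attributes": {"password": "constructed"}}]}],
})
SAMPLE_ENCRYPTED = json.dumps({
    "serial": 3, "lineage": "constructed",
    "meta": {"key_provider.pbkdf2.dev": "Y29uc3RydWN0ZWQ="},
    "encrypted_data": "Y29uc3RydWN0ZWQ=", "encryption_version": "v0",
})

def classify_state(raw):
    """Return 'encrypted', 'plaintext' or 'unknown' for state file contents."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    keys = set(doc)
    if keys & PLAINTEXT_KEYS:
        return "plaintext"  # readable resource data always fails the gate
    if ENCRYPTED_KEYS <= keys and doc["encrypted_data"]:
        return "encrypted"
    return "unknown"

def plaintext_resources(raw):
    """List resource addresses readable without a key (empty if encrypted)."""
    if classify_state(raw) != "plaintext":
        return []
    return [f'{r["type"]}.{r["name"]}' for r in json.loads(raw).get("resources", [])]

if __name__ == "__main__":
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            verdict = classify_state(fh.read())
        print(f"{path}: {verdict}")
        failed |= verdict != "encrypted"
    sys.exit(1 if failed else 0)
```

Run it against the file the backend actually stores (for example a local `terraform.tfstate` or an object downloaded from the remote backend), not against `tofu state pull`, which prints decrypted state.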
Core Workflow
```bash
# Same as Terraform — drop-in replacement
tofu init
tofu plan -out=plan.tfplan
tofu apply plan.tfplan
tofu destroy
tofu state list
tofu import aws_instance.web i-1234567890abcdef0
```