By Sebastian Stadil

What is OpenTofu?

OpenTofu has emerged as the community-driven answer to Terraform's controversial licensing shift, offering infrastructure engineers a truly open-source alternative with enhanced security, advanced state management, and developer-focused features. This powerful code tool addresses the concerns of terraform users while introducing innovations long requested by the community but never implemented in the original product.

How a licensing change sparked the terraform fork

The story begins on August 10, 2023, when HashiCorp suddenly changed Terraform's licensing from the Mozilla Public License v2.0 (MPL v2.0) to a more restrictive business source license (BSL). This unexpected shift created immediate uncertainty among users and companies in the Terraform ecosystem.

The BSL is not an actual open-source license but rather a "source-available" license that prohibits using the software in ways that compete with HashiCorp's commercial offerings. The ambiguity in these terms left many organizations questioning whether their use cases would violate the new licensing.

In response, several prominent companies including Gruntwork, Spacelift, Harness, Env0, and Scalr formed the OpenTF initiative (later renamed OpenTofu) with two clear goals:

  1. Appeal to HashiCorp to revert the license change
  2. Create a fork if necessary to preserve true open source access

When HashiCorp maintained its position, the initiative proceeded with a terraform fork from version 1.5.6 (the last MPL-licensed version). By September 2023, OpenTofu had officially joined the Linux Foundation, ensuring vendor-neutral governance and long-term stability.

The technical foundations of OpenTofu

OpenTofu functions as a drop-in replacement for Terraform, preserving compatibility with existing configurations while adding significant enhancements. The tool uses human-readable configuration files written in HashiCorp Configuration Language (HCL) to define infrastructure resources declaratively.

resource "aws_instance" "example" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
  
  tags = {
    Name = "example-instance"
  }
}

These configuration files allow engineers to define their desired infrastructure state rather than writing procedural scripts. OpenTofu then builds a resource graph to determine dependencies and apply changes efficiently.

State file management and security

A critical aspect of OpenTofu's functionality is its management of state files. The state file serves as the source of truth that maps configured resources to real-world infrastructure objects and tracks metadata. OpenTofu's approach to state management offers several advantages:

  • Efficient change detection through state comparison
  • Resource dependency tracking for proper ordering of operations
  • Performance optimization for large infrastructures
  • Secure collaboration through remote state backends

One of OpenTofu's most significant innovations is built-in state file encryption, a feature implemented in version 1.7 that was requested by the Terraform community for years but never delivered. This encryption protects sensitive data at rest using multiple key provider options:

terraform {
  encryption {
    key_provider "pbkdf2" "mykey" {
      passphrase = "secure-passphrase"
      key_length = 32
      iterations = 600000
    }
    method "aes_gcm" "default" {
      key_provider = key_provider.pbkdf2.mykey
    }
    state {
      method = method.aes_gcm.default
    }
  }
}

This feature addresses a longstanding security concern in the infrastructure as code community, making OpenTofu more suitable for organizations with strict security requirements.

The OpenTofu community: A new model for IaC development

The OpenTofu community has grown rapidly since the project's inception. With over 25,000 GitHub stars and more than 70 active contributors, OpenTofu has established itself as a vibrant open source project with broad support from both individuals and organizations.

What distinguishes the OpenTofu community is its governance model. As a Linux Foundation project, OpenTofu is guided by a Technical Steering Committee representing multiple companies rather than being controlled by a single vendor. This structure ensures decisions are made in the best interest of the community rather than to serve commercial goals.

Community input drives development priorities through:

  • Public issue tracking and feature voting
  • An open Request for Comments (RFC) process for major changes
  • Weekly community meetings for transparent discussion
  • Active Slack channels for real-time collaboration

The contribution process uses standard pull requests with clear guidelines. All code contributions require a Developer Certificate of Origin sign-off, ensuring proper attribution and licensing compliance. Major features undergo community discussion before implementation, allowing diverse perspectives to shape the project's direction.

Key differences between OpenTofu and Terraform

While OpenTofu maintains compatibility with Terraform configurations, several key differences have emerged as the projects diverge:

1. Licensing

The most fundamental difference is licensing: OpenTofu uses the Mozilla Public License v2.0, a true open-source license recognized by the Open Source Initiative. This ensures users can freely use, modify, and distribute the software without ambiguity about competitive restrictions.

2. Governance

OpenTofu follows a community-driven development model under the Linux Foundation's neutral governance. In contrast, Terraform is controlled by HashiCorp (now an IBM company), with development priorities set by commercial interests.

3. Feature innovation

OpenTofu has implemented several features long requested by the community but never added to Terraform:

  • State file encryption (v1.7): Protects sensitive infrastructure data at rest
  • Early variable evaluation (v1.8): Allows variables in previously restricted contexts like module sources
  • Provider iteration with for_each (v1.9): Simplifies multi-region deployments
  • Exclusion flag (v1.9): Enables selectively skipping resources during operations

4. File extensions

OpenTofu supports both .tf and .tofu file extensions. When both exist with the same name, OpenTofu prioritizes the .tofu file, enabling module authors to provide OpenTofu-specific functionality while maintaining Terraform compatibility.

Working with terraform providers

OpenTofu maintains full compatibility with existing terraform providers, ensuring access to thousands of infrastructure providers without modification. The OpenTofu Registry at registry.opentofu.org mirrors and extends the Terraform provider ecosystem.

Providers are declared in the required_providers block, just as in Terraform:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

One of OpenTofu's innovative features is provider iteration using for_each (added in version 1.9), which allows dynamic provider configurations:

provider "aws" {
  for_each = toset(var.regions)
  alias    = each.key
  region   = each.key
}

This significantly reduces code duplication for multi-region deployments and makes configuration more maintainable.

Alternatives to Terraform Cloud

With the shift to OpenTofu, many organizations seek alternatives to Terraform Cloud for collaborative infrastructure management. Several platforms have emerged as viable options:

1. Scalr

Scalr offers comprehensive support for OpenTofu workflows with features including:

  • OPA integration for policy enforcement
  • Organizational structure with RBAC
  • Custom hooks for workflow customization
  • State management and version control

2. env0

As a founding member of the OpenTofu initiative, env0 provides:

  • Native OpenTofu support
  • Advanced RBAC with granular permissions
  • Secure secrets management
  • Policy enforcement

3. Spacelift

Spacelift delivers enterprise-grade features for OpenTofu teams:

  • Multi-IaC workflows combining different tools
  • Policy as Code for governance
  • Custom integrations and automation
  • Self-service infrastructure through Blueprints

4. Self-hosted options

For teams preferring self-hosted solutions, open-source alternatives include:

  • Terrakube: An open-source alternative to Terraform Enterprise
  • Terralist: Registry for OpenTofu modules and providers
  • Atlantis: Pull request automation

Current version and development status

As of May 2025, OpenTofu has made significant progress with regular releases:

Terraform version Equivalent OpenTofu Key additions
1.6.x OpenTofu 1.6 Initial stable release
1.7.x OpenTofu 1.7 State encryption, dynamic functions
1.8.x OpenTofu 1.8 Early variable evaluation, .tofu files
1.9.x OpenTofu 1.9 Provider for_each, exclusion flag

The latest stable release is OpenTofu 1.9.1, with version 1.10.0 currently in beta testing. This upcoming release will introduce OCI registry integration, native S3 locking without DynamoDB, and OpenTelemetry tracing.

The future outlook for OpenTofu

The future looks promising for OpenTofu and its users. The project was accepted into the Cloud Native Computing Foundation (CNCF) in April 2025, further solidifying its position in the cloud-native ecosystem.

Development continues at a rapid pace, with 1.10.0 introducing significant new capabilities based on community priorities. The OpenTofu community has established a transparent roadmap using GitHub milestones, allowing users to see and influence upcoming features.

For terraform users considering migration, OpenTofu offers a seamless path with:

  • Full compatibility with existing configurations
  • A simple binary replacement in workflows
  • Access to the same provider ecosystem
  • Additional features like state encryption

Organizations looking for long-term stability can take comfort in OpenTofu's governance through the Linux Foundation and CNCF, ensuring the project remains community-driven and truly open source.

Conclusion

OpenTofu has successfully established itself as a powerful, community-driven alternative to Terraform. By maintaining compatibility with the existing Terraform ecosystem while introducing innovative features like state encryption and provider iteration, OpenTofu offers infrastructure engineers both stability and progress.

The project's commitment to true open source principles through the Mozilla Public License ensures users can deploy OpenTofu without concerns about licensing ambiguity. Meanwhile, its community-driven development approach means features that actually matter to practitioners take priority.

Whether you're a long-time Terraform user concerned about licensing changes or a new infrastructure engineer looking for the best code tool for your projects, OpenTofu provides a compelling option that combines mature infrastructure as code capabilities with open governance and continuous innovation.