All Articles
terraformgitopscloud

OpenTofu Complete Guide 2026: The Open Source Alternative to Terraform

HashiCorp changed Terraform's license. OpenTofu stepped up as the community fork. Here's everything you need to know to understand, adopt, and use OpenTofu in 2026.

DevOpsBoysMar 12, 20267 min read
Share:Tweet

In August 2023, HashiCorp changed Terraform's license from MPL (Mozilla Public License) to BSL (Business Source License). The BSL restricts using Terraform to build competing commercial products — which alarmed a large chunk of the DevOps community that had built businesses, tools, and workflows around an open-source Terraform.

The response was swift: OpenTofu was born. It's a community-driven fork of Terraform, maintained under the Linux Foundation, committed to staying truly open source under MPL 2.0.

By 2026, OpenTofu is no longer just a protest fork. It's a mature, actively developed alternative that many teams are now choosing over Terraform — not just for ideological reasons, but for practical ones.

This is the complete guide.

What is OpenTofu?

OpenTofu is an open-source Infrastructure as Code (IaC) tool that lets you define, provision, and manage cloud infrastructure using declarative configuration files.

If you've used Terraform, OpenTofu will feel instantly familiar. The syntax is identical (HCL), the state management works the same way, and the provider ecosystem is compatible. This was intentional — the fork preserved full compatibility so teams could migrate with minimal friction.

OpenTofu vs Terraform at a glance:

FeatureOpenTofuTerraform
LicenseMPL 2.0 (open source)BSL 1.1 (source available)
GovernanceLinux FoundationHashiCorp (IBM)
HCL syntaxCompatibleOriginal
Provider registryOpenTofu Registry + TF registryTerraform Registry
State formatCompatibleOriginal
SpeedGenerally fasterStandard
Unique featuresNative state encryption, improved testingHCP Terraform integration

Installing OpenTofu

OpenTofu has installers for all major platforms.

macOS (Homebrew):

bash
brew install opentofu

Linux (official install script):

bash
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh | sh

Verify installation:

bash
tofu version

You'll see output like:

OpenTofu v1.8.3
on linux_amd64

Note the command is tofu not terraform. This is the only breaking change for existing muscle memory.

Your First OpenTofu Configuration

OpenTofu uses the same HCL syntax as Terraform. Here's a complete example that provisions an AWS EC2 instance:

hcl
# main.tf
terraform {
  required_version = ">= 1.8"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
 
provider "aws" {
  region = var.aws_region
}
 
variable "aws_region" {
  description = "AWS region to deploy to"
  type        = string
  default     = "us-east-1"
}
 
variable "instance_type" {
  description = "EC2 instance type"
  type        = string
  default     = "t3.micro"
}
 
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"] # Canonical
 
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-22.04-amd64-server-*"]
  }
}
 
resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = var.instance_type
 
  tags = {
    Name        = "opentofu-web-server"
    ManagedBy   = "opentofu"
    Environment = "production"
  }
}
 
output "instance_id" {
  description = "EC2 Instance ID"
  value       = aws_instance.web.id
}
 
output "public_ip" {
  description = "Public IP address"
  value       = aws_instance.web.public_ip
}

Run it:

bash
tofu init      # download providers
tofu plan      # preview changes
tofu apply     # apply changes

Exact same workflow as Terraform, just tofu instead of terraform.

Remote State with S3 + DynamoDB

For team workflows, you need remote state. OpenTofu supports the same S3 backend as Terraform:

hcl
# backend.tf
terraform {
  backend "s3" {
    bucket         = "my-opentofu-state"
    key            = "prod/main/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "opentofu-state-lock"
    encrypt        = true
  }
}

Create the S3 bucket and DynamoDB table first:

bash
# Create S3 bucket
aws s3api create-bucket \
  --bucket my-opentofu-state \
  --region us-east-1
 
# Enable versioning
aws s3api put-bucket-versioning \
  --bucket my-opentofu-state \
  --versioning-configuration Status=Enabled
 
# Create DynamoDB table for locking
aws dynamodb create-table \
  --table-name opentofu-state-lock \
  --attribute-definitions AttributeName=LockID,AttributeType=S \
  --key-schema AttributeName=LockID,KeyType=HASH \
  --billing-mode PAY_PER_REQUEST

Then initialize:

bash
tofu init

For a detailed walkthrough of remote state patterns, check out our Terraform Remote State guide — everything applies to OpenTofu as well.

OpenTofu's Killer Feature: Native State Encryption

This is the biggest feature OpenTofu has that Terraform does not. State files can contain secrets — database passwords, API keys, private keys — and Terraform has always stored these in plaintext in the state file.

OpenTofu 1.7 introduced native state encryption. You can encrypt state at rest using a key from AWS KMS, GCP KMS, or a local passphrase:

hcl
# encryption.tf
terraform {
  encryption {
    key_provider "aws_kms" "my_key" {
      kms_key_id = "arn:aws:kms:us-east-1:123456789:key/mrk-abc123"
      region     = "us-east-1"
    }
 
    method "aes_gcm" "default_method" {
      keys = key_provider.aws_kms.my_key
    }
 
    state {
      method = method.aes_gcm.default_method
    }
 
    plan {
      method = method.aes_gcm.default_method
    }
  }
}

With this configuration, state files are encrypted before being written to S3. Even if someone gets access to your S3 bucket, they can't read the state without the KMS key. This is a compliance game-changer for teams in regulated industries.

Migrating from Terraform to OpenTofu

Migration is straightforward because the state format is compatible:

bash
# 1. Install OpenTofu
brew install opentofu
 
# 2. Navigate to your existing Terraform project
cd my-terraform-project
 
# 3. Initialize with OpenTofu (reads existing .terraform.lock.hcl)
tofu init
 
# 4. Verify state is intact
tofu state list
 
# 5. Run a plan to confirm no unexpected changes
tofu plan

That's it. OpenTofu reads the same state file, uses the same provider versions, and produces the same plan. If the plan shows no changes, you've migrated successfully.

Common issues during migration:

  • Provider versions in .terraform.lock.hcl that aren't in the OpenTofu registry → run tofu providers lock to regenerate
  • Terraform Cloud backend → OpenTofu doesn't support TFC, switch to S3 backend or Spacelift/Scalr
  • Terraform Enterprise features → evaluate OpenTF-compatible alternatives

CI/CD Integration

OpenTofu integrates with GitHub Actions easily. Here's a complete workflow:

yaml
# .github/workflows/opentofu.yml
name: OpenTofu CI/CD
 
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
 
env:
  TF_VERSION: "1.8.3"
 
jobs:
  plan:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      pull-requests: write
 
    steps:
    - uses: actions/checkout@v4
 
    - name: Setup OpenTofu
      uses: opentofu/setup-opentofu@v1
      with:
        tofu_version: ${{ env.TF_VERSION }}
 
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
        aws-region: us-east-1
 
    - name: OpenTofu Init
      run: tofu init
 
    - name: OpenTofu Plan
      id: plan
      run: tofu plan -no-color -out=tfplan
 
    - name: Comment PR with Plan
      if: github.event_name == 'pull_request'
      uses: actions/github-script@v7
      with:
        script: |
          const { execSync } = require('child_process');
          const plan = execSync('tofu show -no-color tfplan').toString();
          github.rest.issues.createComment({
            issue_number: context.issue.number,
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: `## OpenTofu Plan\n\`\`\`\n${plan}\n\`\`\``
          });
 
  apply:
    needs: plan
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    environment: production
 
    steps:
    - uses: actions/checkout@v4
 
    - name: Setup OpenTofu
      uses: opentofu/setup-opentofu@v1
      with:
        tofu_version: ${{ env.TF_VERSION }}
 
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
        aws-region: us-east-1
 
    - name: OpenTofu Init
      run: tofu init
 
    - name: OpenTofu Apply
      run: tofu apply -auto-approve

OpenTofu Testing Framework

OpenTofu 1.8 improved the built-in testing framework (originally introduced in Terraform 1.7). You can write tests in .tftest.hcl files:

hcl
# tests/main.tftest.hcl
variables {
  aws_region    = "us-east-1"
  instance_type = "t3.micro"
}
 
run "creates_ec2_instance" {
  command = plan
 
  assert {
    condition     = aws_instance.web.instance_type == "t3.micro"
    error_message = "Expected t3.micro instance type"
  }
 
  assert {
    condition     = aws_instance.web.tags["ManagedBy"] == "opentofu"
    error_message = "ManagedBy tag should be opentofu"
  }
}

Run tests:

bash
tofu test

This runs your configuration against real infrastructure (or mocked providers in unit mode) and validates your assertions.

Should You Switch to OpenTofu?

Switch if:

  • You're starting a new project and want to stay fully open source
  • Your company's legal team has concerns about the BSL license
  • You want native state encryption
  • You're building a commercial product that uses IaC internally

Stay on Terraform if:

  • You're deeply integrated with Terraform Cloud or Terraform Enterprise
  • Your team has extensive Terraform expertise and no immediate reason to change
  • You depend on HashiCorp support contracts

The honest answer: for most infrastructure teams, OpenTofu and Terraform are functionally identical today. The differences are at the edges — licensing, state encryption, governance. Pick the one that fits your organization's values and constraints, and know that migrating between them is genuinely easy.

Resources to Learn More

OpenTofu's official docs are at opentofu.org and are excellent. The OpenTofu Registry lists all available providers and modules.

For hands-on practice with Infrastructure as Code at scale, KodeKloud's Terraform/OpenTofu course is the best structured learning path I've found — it covers state management, modules, testing, and production patterns with real cloud labs.

If you're deploying the infrastructure that OpenTofu provisions on cloud VMs, DigitalOcean is a great option for getting started without the complexity of AWS — simple pricing, great docs, and Terraform/OpenTofu providers that work out of the box.

Back to all articles
Share:Tweet
Newsletter

Stay ahead of the curve

Get the latest DevOps, Kubernetes, AWS, and AI/ML guides delivered straight to your inbox. No spam — just practical engineering content.

Related Articles

Comments