OK, hands up. Who deploys containers with Kubernetes, using infrastructure-as-code (IaC) to automate its provisioning, security, and maintenance? Right, many of you do. Until recently, that meant many of you also used HashiCorp’s Terraform. After HashiCorp changed its open source license, many Terraform developers forked the code into OpenTofu, and quite a few of you moved to OpenTofu.
If you’re among the DevOps engineers who made that move, you have been rewarded with OpenTofu 1.7.0. The release’s headline feature is end-to-end state encryption: the state file stays encrypted, and so shielded from unauthorized readers, whichever storage backend holds it.
While that capability matters to anyone doing DevOps, it notably works hand-in-glove with DevSecOps. With Terraform, you were strongly encouraged to use HashiCorp Vault as a centralized secrets manager. With this OpenTofu release, you can secure encryption passphrases through environment variables or opt for robust key management systems such as AWS Key Management Service (KMS), GCP KMS, or OpenBao, the open-source Vault fork.
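Here is what that configuration looks like in practice. This is an added example, not code from the article or from the OpenTofu project: it derives a key from a passphrase supplied through an environment variable (the `var.state_passphrase` name is my choice; it would be set as `TF_VAR_state_passphrase`), defines an AWS KMS key provider as the primary key source (the `kms_key_id` and region are placeholders), and keeps the passphrase method as a fallback so state written under the old key can still be read while rotating to KMS.

```hcl
variable "state_passphrase" {
  type      = string
  sensitive = true
  # Supplied at run time as TF_VAR_state_passphrase; never hard-code it.
  # The pbkdf2 key provider rejects passphrases shorter than 16 characters.
}

terraform {
  encryption {
    # Key derived from a passphrase held outside the configuration.
    key_provider "pbkdf2" "passphrase" {
      passphrase = var.state_passphrase
    }

    # Key generated and wrapped by AWS KMS.
    # kms_key_id and region are placeholders, not a real key or account.
    key_provider "aws_kms" "kms" {
      kms_key_id = "alias/opentofu-state-PLACEHOLDER"
      region     = "us-east-1"
      key_spec   = "AES_256"
    }

    method "aes_gcm" "passphrase" {
      keys = key_provider.pbkdf2.passphrase
    }

    method "aes_gcm" "kms" {
      keys = key_provider.aws_kms.kms
    }

    state {
      method = method.aes_gcm.kms
      # Refuse to read or write unencrypted state at all.
      enforced = true
      # Fallback lets OpenTofu decrypt state still encrypted under the
      # passphrase key during the rotation to KMS.
      fallback {
        method = method.aes_gcm.passphrase
      }
    }

    plan {
      method = method.aes_gcm.kms
    }
  }
}
```

The key material never lands in the repository: the passphrase arrives via an environment variable and the KMS key stays inside AWS, which is the point of pairing this feature with a key management system. Once every workspace has been written under the KMS method, the `fallback` block can be deleted so the passphrase key is no longer accepted. The same encryption block can also be supplied entirely through the `TF_ENCRYPTION` environment variable for pipelines that keep it out of the checked-in configuration.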
OpenTofu lacks a policy-as-code enforcement framework, which HashiCorp Sentinel provides for Terraform. For OpenTofu, it would be best to use third-party, open source programs such as Open Policy Agent (OPA) that can embed security policies directly alongside an OpenTofu configuration. You can then store your OpenTofu and OPA configurations in a version control system like Git. This ensures that infrastructure changes are tracked and auditable and that they can be easily rolled back if necessary.
Another innovative addition in OpenTofu 1.7.0 is dynamic provider-defined functions. This allows providers to supply resources and offer native functions that can be used directly within OpenTofu code. An OpenTofu-exclusive feature lets these providers dynamically create custom functions based on user configurations, fostering a seamless integration of other programming languages. The OpenTofu team encourages users to explore this feature with the experimental Lua and Go providers.
Additional features are also included. Among them is the ability to mark specific resources for removal from the state file while retaining the underlying infrastructure. The new OpenTofu version also introduces loopable import blocks to simplify the bulk import of resources, greatly aiding large-scale migrations.
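The two features above in configuration form, as an added example that is not from the article or the OpenTofu project. The bucket names and the `aws_instance.handed_over` address are constructed placeholders, and an AWS provider configuration is assumed to exist elsewhere in the module.

```hcl
# Constructed sample: buckets that already exist in the account and should be
# brought under OpenTofu management in a single plan/apply.
locals {
  legacy_buckets = {
    logs   = "example-logs-PLACEHOLDER"
    assets = "example-assets-PLACEHOLDER"
  }
}

resource "aws_s3_bucket" "legacy" {
  for_each = local.legacy_buckets
  bucket   = each.value
}

# OpenTofu 1.7 loopable import: one block imports every entry of the map
# instead of one hand-written import block per bucket.
import {
  for_each = local.legacy_buckets
  to       = aws_s3_bucket.legacy[each.key]
  id       = each.value
}

# Forget an instance that is being handed to another team: it is dropped
# from the state file but the machine itself is left running. The resource
# block for aws_instance.handed_over must already be deleted from the config.
removed {
  from = aws_instance.handed_over
}
```

Run `tofu plan` first: the plan lists each bucket as an import rather than a create, and the instance as "will be forgotten" rather than destroyed, which is the check to make before applying a migration at scale.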
Building on its legacy as a drop-in replacement for Terraform 1.5, OpenTofu 1.7.0 promises easy migration paths, offers detailed migration guides, and includes comprehensive documentation with examples. That suggests an easy upgrade if you’re using Terraform for DevSecOps.
Since its inception, the OpenTofu community has seen remarkable growth. Despite eschewing user tracking, the registry’s usage has surged to over a million requests daily, with a doubling in just the past month. The release has drawn 65 unique contributors and garnered 20,000 stars on GitHub, underscoring a vibrant community engagement with over 200 new issues and numerous pull requests since January.
In short, OpenTofu appears to be a solid choice for both IaC and DevSecOps deployments, regardless of what happens with HashiCorp, IBM and Terraform.
Photo credit: Diana Polekhina on Unsplash