OpenTofu: A Beginners Guide to a Terraform Fork Including Migration From Terraform

OpenTofu Beyond Basics

Features in v1

In this guide, we explore two powerful features introduced in OpenTofu v1.7.0:

  1. Robust state encryption to secure your plan and state files at rest.
  2. The removed block to drop resources from your state without tearing down real infrastructure.

These enhancements empower teams to maintain compliance, secure sensitive data, and streamline state management.


1. State Encryption

OpenTofu v1.7.0 adds native support for encrypting both local and remote state and plan files. You can also leverage this capability when reading remote state via a Terraform Remote State data source.

1.1. How It Works

Component      Description
key_provider   Derives a strong key from a passphrase (PBKDF2)
method         Defines the encryption algorithm (AES-GCM)
state          Configures how encrypted and unencrypted state is read and written

Note

Using state encryption requires OpenTofu v1.7.0 or later and support from your chosen backend.

1.2. Enabling Encryption on an Existing State

  1. Create a backup of your current terraform.tfstate.
  2. Update your configuration (the state block belongs inside the encryption block):

terraform {
  encryption {
    key_provider "pbkdf2" "my_passphrase" {
      passphrase = "" # Enter a strong passphrase here
    }

    method "aes_gcm" "my_method" {
      keys = key_provider.pbkdf2.my_passphrase
    }

    state {
      method   = method.aes_gcm.my_method
      fallback {} # Allows reading unencrypted state during migration
    }
  }
}

Run:

tofu apply

This setup:

  • Derives an AES-GCM key from your passphrase.
  • Encrypts new state and plan files.
  • Uses fallback to read existing unencrypted state during the migration.

Warning

After migration, your state and plan files are unrecoverable without the correct passphrase. Store it securely.

1.3. Migrating Back to an Unencrypted State

To revert to unencrypted state files:

terraform {
  encryption {
    key_provider "pbkdf2" "my_passphrase" {
      passphrase = "" # Use the same passphrase
    }

    method "aes_gcm" "my_method" {
      keys = key_provider.pbkdf2.my_passphrase
    }

    state {
      fallback {
        method = method.aes_gcm.my_method # Decrypts the current encrypted state
      }
    }
  }
}

By omitting method in the state block, OpenTofu writes future state files unencrypted while still decrypting the current state.
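The migration in 1.2 and its reverse in 1.3 are easier to reason about with the three components from the table in 1.1 modelled in code. The Go program below is an added example, not OpenTofu's own implementation: DeriveKey stands in for the pbkdf2 key_provider, EncryptState for the aes_gcm method on the write side, and ReadState for the state block on the read side, where the allowPlaintextFallback flag plays the role of an empty fallback {}. The JSON envelope with an encrypted_data field, the salt and the iteration count are assumptions made for the example and are not OpenTofu's real on-disk format or defaults; the passphrase is passed in as a value rather than written into configuration.

```go
package main

// Added example, not OpenTofu's own code: a stand-alone model of the three
// components in the table in 1.1. The JSON envelope, salt and iteration count
// are assumptions made for this example, not OpenTofu's real format or defaults.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// envelope lets a reader tell an encrypted state file from plain JSON state.
type envelope struct {
	EncryptedData string `json:"encrypted_data"`
}

// DeriveKey plays the pbkdf2 key_provider: PBKDF2-HMAC-SHA512 (RFC 8018)
// written out by hand so the example needs only the standard library.
func DeriveKey(passphrase string, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha512.New, []byte(passphrase))
	var derived []byte
	for block := uint32(1); len(derived) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)              // U1
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		derived = append(derived, t...)
	}
	return derived[:keyLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptState plays the aes_gcm method on the write side: AES-256-GCM with a
// fresh random nonce prepended, wrapped in the envelope.
func EncryptState(key, state []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: never returns an error in current Go
	ct := gcm.Seal(nonce, nonce, state, nil)
	return json.Marshal(envelope{EncryptedData: base64.StdEncoding.EncodeToString(ct)})
}

// ReadState plays the state block on the read side: the method is tried first;
// plain JSON is accepted only with allowPlaintextFallback (an empty fallback {}).
func ReadState(data, key []byte, allowPlaintextFallback bool) ([]byte, error) {
	var env envelope
	if json.Unmarshal(data, &env) == nil && env.EncryptedData != "" {
		ct, err := base64.StdEncoding.DecodeString(env.EncryptedData)
		if err != nil {
			return nil, err
		}
		gcm, err := newGCM(key)
		if err != nil || len(ct) < gcm.NonceSize() {
			return nil, errors.New("bad key or ciphertext too short")
		}
		// The GCM tag check rejects a wrong passphrase or an edited file here.
		return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	}
	if !allowPlaintextFallback {
		return nil, errors.New("state is unencrypted and no fallback is configured")
	}
	return data, nil
}

func main() {
	key := DeriveKey("correct horse battery staple", []byte("example-salt"), 100000, 32)
	plain, _ := ReadState([]byte(`{"version":4,"serial":1}`), key, true) // old file, via fallback
	enc, _ := EncryptState(key, plain)
	back, err := ReadState(enc, key, false) // fallback dropped once migrated
	fmt.Printf("%s\n%s err=%v\n", enc, back, err)
}
```

The sequence in main is the migration of 1.2: the old plaintext file is read through the fallback, written back encrypted, and from then on the fallback is turned off, so an unencrypted file is refused and a wrong passphrase fails the GCM tag check rather than returning a mangled state. The reverse migration of 1.3 is the same pair of calls in the other order: decrypt with the key that the fallback now carries, then write the result as plain JSON.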


2. Removing Resources Without Destruction

The removed block lets you forget resources from your state without destroying the actual infrastructure, ideal for drift repair or state cleanup.

2.1. Create a Sample Resource

Define and apply a simple file resource:

resource "local_file" "test" {
  content  = "Hello world!"
  filename = "test.txt"
}

Run:

tofu apply

This creates test.txt on disk.

2.2. Drop the Resource from State

  1. Comment out or delete the local_file block.
  2. Add a removed block in your configuration:

removed {
  from = local_file.test
}

  3. Preview the change:

tofu plan

OpenTofu will show that local_file.test is removed from the state but will not delete test.txt.

Note

The removed block only affects your state file. It does not alter real-world resources.
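To make concrete that a removed block edits only the state, here is an added Go example (not OpenTofu's own code) that performs the same forgetting on a state document by hand: it drops the managed resource at the given type.name address from the resources array and bumps the serial, while the test.txt on disk is left untouched. The state JSON is constructed with only the version-4 fields the code reads; addresses with modules or indexes are out of scope for it.

```go
package main

// Added example, not OpenTofu's own code: what a removed block does at the
// state-file level. ForgetResource drops one managed resource entry from a
// state document and bumps the serial; nothing touches the file the resource
// created. The state JSON in main is constructed for the example and carries
// only the version-4 fields this code reads.

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// ResourceAddresses lists the managed resources a state document tracks, as
// type.name addresses, so before and after can be compared.
func ResourceAddresses(state []byte) ([]string, error) {
	var doc struct {
		Resources []struct {
			Mode, Type, Name string
		} `json:"resources"`
	}
	if err := json.Unmarshal(state, &doc); err != nil {
		return nil, err
	}
	var addrs []string
	for _, r := range doc.Resources {
		if r.Mode == "managed" {
			addrs = append(addrs, r.Type+"."+r.Name)
		}
	}
	return addrs, nil
}

// ForgetResource returns a new state document without the managed resource at
// address (type.name, as written in `from = local_file.test`). The document is
// handled as a generic map so every other field is preserved as-is.
func ForgetResource(state []byte, address string) ([]byte, error) {
	parts := strings.SplitN(address, ".", 2)
	if len(parts) != 2 || strings.Contains(parts[1], ".") {
		return nil, fmt.Errorf("address %q must be type.name (modules and indexes are not modelled here)", address)
	}
	var doc map[string]any
	if err := json.Unmarshal(state, &doc); err != nil {
		return nil, err
	}
	resources, _ := doc["resources"].([]any)
	kept := make([]any, 0, len(resources))
	found := false
	for _, r := range resources {
		res, _ := r.(map[string]any)
		if res["mode"] == "managed" && res["type"] == parts[0] && res["name"] == parts[1] {
			found = true
			continue // forget it: the entry leaves the state, the real object stays
		}
		kept = append(kept, r)
	}
	if !found {
		return nil, fmt.Errorf("no managed resource %s in state", address)
	}
	doc["resources"] = kept
	serial, _ := doc["serial"].(float64)
	doc["serial"] = serial + 1 // every state write increments the serial
	return json.MarshalIndent(doc, "", "  ")
}

func main() {
	dir, err := os.MkdirTemp("", "removed-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := dir + "/test.txt" // stands in for the file local_file.test created
	os.WriteFile(path, []byte("Hello world!"), 0o644)

	// Constructed state with the shape written after applying local_file.test.
	state := []byte(`{"version":4,"serial":1,"lineage":"example","outputs":{},
	  "resources":[{"mode":"managed","type":"local_file","name":"test",
	  "instances":[{"attributes":{"filename":"test.txt","content":"Hello world!"}}]}]}`)

	before, _ := ResourceAddresses(state)
	after, err := ForgetResource(state, "local_file.test")
	if err != nil {
		panic(err)
	}
	left, _ := ResourceAddresses(after)
	_, statErr := os.Stat(path)
	fmt.Printf("tracked before: %v, after: %v, test.txt still on disk: %v\n", before, left, statErr == nil)
}
```

The mode check matters: a data source with the same type and name is a different entry, and only the managed resource is forgotten. A real tofu plan with the removed block produces the same end result on the state file, with the added safety of showing you the pending change first.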

