OpenTofu: A Beginners Guide to a Terraform Fork Including Migration From Terraform
OpenTofu Modules
Demo OpenTofu Modules
Welcome to this hands-on lesson on managing OpenTofu modules. You’ll learn how to inspect, configure, and apply a module to create an AWS IAM user.
1. Inspecting the Module Configuration
First, navigate to the project directory and open main.tf:
cd /root/OpenTofu/projects/Project\ Sapphire
module "iam_iam-user" {
source = "terraform-aws-modules/iam/aws//modules/iam-user"
version = "5.28.0"
# insert the 1 required variable here
}
Key details:
- A single module block named iam_iam-user.
- Source: terraform-aws-modules/iam/aws//modules/iam-user
- Version: 5.28.0
- Requires one input: name (registry docs).
2. Supplying the Required Input
To create an IAM user named max, update the block:
module "iam_iam-user" {
source = "terraform-aws-modules/iam/aws//modules/iam-user"
version = "5.28.0"
name = "max"
}
3. Initializing and Planning
Initialize your working directory and generate a plan:
tofu init
tofu plan
You’ll see three resources slated for creation:
module.iam_iam-user.aws_iam_access_key.this_no_pgp[0] will be created
module.iam_iam-user.aws_iam_user.this[0] will be created
module.iam_iam-user.aws_iam_user_login_profile.this[0] will be created
Plan: 3 to add, 0 to change, 0 to destroy.
The two extra resources, the access key and the login profile, are created because the module's boolean inputs default to true.
Note
By default, the iam-user module defines these inputs:
Variable | Type | Default | Required |
---|---|---|---|
name | string | — | yes |
create_iam_access_key | bool | true | no |
create_iam_user_login_profile | bool | true | no |
4. Restricting Resource Creation
To limit the module to creating only the IAM user, disable the access key and login profile:
module "iam_iam-user" {
source = "terraform-aws-modules/iam/aws//modules/iam-user"
version = "5.28.0"
name = "max"
create_iam_access_key = false
create_iam_user_login_profile = false
}
Reinitialize and apply:
tofu init
tofu apply
The new plan shows only the user resource:
Plan: 1 to add, 0 to change, 0 to destroy.
module.iam_iam-user.aws_iam_user.this[0]: Creating...
module.iam_iam-user.aws_iam_user.this[0]: Creation complete after 0s [id=max]
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
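A pre-apply check for the behaviour shown in steps 3 and 4, as an added example that is not part of the original lesson: it reads the JSON form of a saved plan and lists any access keys or login profiles the plan would create. The two embedded plans are constructed samples trimmed to the fields the check reads, and the function names and the check_plan.py file name are hypothetical.

```python
import json
import sys

# Resource types that mint credentials; the default plan in step 3 has both.
CREDENTIAL_TYPES = {"aws_iam_access_key", "aws_iam_user_login_profile"}

def _change(address, rtype):
    # Constructed sample entry, trimmed to the fields this check reads.
    return {"address": address, "type": rtype, "change": {"actions": ["create"]}}

_USER = _change("module.iam_iam-user.aws_iam_user.this[0]", "aws_iam_user")
# Constructed stand-ins for `tofu show -json` output in steps 3 and 4.
DEFAULT_PLAN = json.dumps({"resource_changes": [
    _change("module.iam_iam-user.aws_iam_access_key.this_no_pgp[0]",
            "aws_iam_access_key"),
    _USER,
    _change("module.iam_iam-user.aws_iam_user_login_profile.this[0]",
            "aws_iam_user_login_profile"),
]})
RESTRICTED_PLAN = json.dumps({"resource_changes": [_USER]})

def credential_creations(plan_json):
    """Return sorted addresses of credential resources the plan would create."""
    plan = json.loads(plan_json)
    flagged = []
    # `or []` covers a plan with no changes, where the key may be absent or null.
    for rc in plan.get("resource_changes") or []:
        actions = (rc.get("change") or {}).get("actions") or []
        # "create" also appears in replace actions (delete + create).
        if rc.get("type") in CREDENTIAL_TYPES and "create" in actions:
            flagged.append(rc["address"])
    return sorted(flagged)

if __name__ == "__main__":
    # Usage: tofu plan -out=tfplan && tofu show -json tfplan > plan.json
    #        python check_plan.py plan.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_PLAN
    found = credential_creations(text)
    for address in found:
        print("credential resource would be created:", address)
    sys.exit(1 if found else 0)
```

Run against the step 3 plan it exits non-zero and names both credential resources; against the step 4 plan it exits zero.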
5. Summary
You have now configured the iam-user module to create a single IAM user, controlling exactly which resources are deployed.