Demo OpenTofu Commands
Welcome to this hands-on lab on OpenTofu commands. Here, you’ll learn how to visualize, validate, plan, and apply your infrastructure-as-code (IaC) configurations using the tofu CLI. By the end of this guide, you’ll be comfortable generating dependency graphs, troubleshooting HCL errors, and managing provider plugins.
1. Visualizing Resources
To inspect resource dependencies, generate a DOT graph:
tofu graph > graph.dot
You can then render graph.dot with Graphviz to visualize your IaC topology.
Subcommand | Purpose | Example |
---|---|---|
tofu graph | Generate DOT-format dependency graph | tofu graph > graph.dot |
tofu validate | Validate HCL configuration | tofu validate |
tofu plan | Create an execution plan | tofu plan |
tofu apply | Apply the planned changes | tofu apply |
tofu fmt | Format Terraform/OpenTofu files | tofu fmt |
tofu state | Inspect or modify the state file | tofu state show local_file.key_data |
tofu providers | Manage provider plugins | tofu providers --help |
2. Validating Configuration
Before creating any resources, validate your HCL syntax and catch typos:
- Change into your project directory:
cd /root/opentofu-projects/project-shazam
- Run the validator:
tofu validate
If you see:
Error: An argument named "dsa_bits" is not expected here.
on main.tf line 8, in resource "tls_private_key" "private_key":
8: dsa_bits = 2048
Did you mean "rsa_bits"?
Warning
Always match algorithm-specific arguments. In this case, replace dsa_bits with rsa_bits for an RSA key.
Correct the block in main.tf:
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits  = 2048
}
Re-run tofu validate until no errors remain.
3. Planning and Applying
3.1 Generating a Plan
Create an execution plan to preview changes:
tofu plan
You’ll see which resources will be added, changed, or destroyed.
3.2 First Apply Attempt
Apply the plan:
tofu apply
If you encounter:
Error: Provider produced inconsistent final plan
...
inconsistent values for sensitive attribute
it means the syntax was valid but some resource arguments are incompatible.
4. Fixing the TLS Resource Block
Ensure your main.tf includes only RSA-compatible settings and the local file resource:
resource "local_file" "key_data" {
  filename        = "/tmp/.pki/private_key.pem"
  content         = tls_private_key.private_key.private_key_pem # PEM attribute exported by tls_private_key
  file_permission = "0400" # owner read-only
}

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits  = 2048 # the generated key is also stored unencrypted in the state file
}

resource "tls_cert_request" "csr" {
  private_key_pem = file("/tmp/.pki/private_key.pem")
  depends_on      = [local_file.key_data]

  subject {
    common_name  = "flexit.com"
    organization = "FlexIT Consulting Services"
  }
}
Re-initialize, plan, and apply:
tofu init
tofu plan
tofu apply
If tofu apply completes without errors, your configuration is now correct.
5. Formatting Code
Keep your files consistent:
tofu fmt
This enforces HCL canonical style across all .tf files.
6. Inspecting State
Query the state for a specific resource:
cd ~/opentofu-projects/project-shazam
tofu state show local_file.key_data
Check the filename attribute (e.g., /tmp/.pki/private_key.pem) to confirm it matches expectations.
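The filename check above can be automated over the JSON form of the state (as printed by `tofu show -json`). The following is an added example, not part of the original lab: it also flags private key material held in state and file modes that grant group or other access. The sample state and the list of shared temp directories are constructed assumptions.

```python
import json
import stat

# Constructed sample shaped like `tofu show -json` output for this lab's state.
SAMPLE_STATE = json.loads("""
{"format_version": "1.0", "values": {"root_module": {"resources": [
  {"address": "tls_private_key.private_key", "type": "tls_private_key",
   "values": {"algorithm": "RSA", "rsa_bits": 2048,
              "private_key_pem": "-----BEGIN RSA PRIVATE KEY----- (constructed)"}},
  {"address": "local_file.key_data", "type": "local_file",
   "values": {"filename": "/tmp/.pki/private_key.pem", "file_permission": "0400"}},
  {"address": "local_file.notes", "type": "local_file",
   "values": {"filename": "/srv/app/notes.txt", "file_permission": "0644"}}
]}}}
""")

SHARED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed list of shared temp dirs


def walk(module):
    """Yield every resource in a module and its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)


def audit_state(state):
    """Return (address, finding) pairs for key material and file placement."""
    findings = []
    root = state.get("values", {}).get("root_module", {})
    for res in walk(root):
        addr, vals = res["address"], res.get("values", {})
        if res["type"] == "tls_private_key" and vals.get("private_key_pem"):
            findings.append((addr, "private key stored in state"))
        if res["type"] == "local_file":
            name = vals.get("filename", "")
            # The local provider defaults file_permission to "0777" when unset.
            mode = int(vals.get("file_permission") or "0777", 8)
            if name.startswith(SHARED_DIRS):
                findings.append((addr, "file in shared temp directory"))
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((addr, f"mode {mode:04o} grants group/other access"))
    return findings


if __name__ == "__main__":
    for addr, finding in audit_state(SAMPLE_STATE):
        print(f"{addr}: {finding}")
```

To run it against a real project, replace SAMPLE_STATE with the parsed output of `tofu show -json` from the project directory.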
7. Providers Subcommands
OpenTofu uses providers to interact with external APIs. To list available provider commands:
tofu providers --help
Common subcommands include:
- mirror
- list
- install
- remove
8. Reviewing Downloaded Providers
Without browsing the directory directly, list installed plugins:
tofu providers
You should see entries like:
registry.opentofu.org/hashicorp/aws
registry.opentofu.org/hashicorp/local