Terraform has been the go-to tool for IaC development within the DevOps community for some time now. Why? It’s open source. Adoption is easy. And multiple cloud providers support it. However, after their move to BSL (Business Source License), the tool was no longer free. That led to the creation of the OpenTofu Manifesto: a move toward keeping the IaC tool open-source.

Our latest blog post will explore the difference between Terraform and OpenTofu, how to set up OpenTofu in your local machine, the steps to migrate your Terraform state to OpenTofu state, and the challenges faced during migration.

What version of Terraform did OpenTofu fork?

OpenTofu (originally called OpenTF) is a fork of Terraform version 1.5.6 and an open-source alternative to Terraform.

As of today, OpenTofu is supported by 163 companies, has 12 projects, 1 foundation, and 792 individuals supporting it. Still, there are some concerns about the tool among the developer community.

A Look at OpenTofu Migration Concerns

Let’s look at some of the concerns DevOps engineers have before we migrate to OpenTofu. Common questions engineers have include:

How does OpenTofu work? Is OpenTofu compatible with Terraform? And is OpenTofu production ready?

OpenTofu is fully compatible with Terraform’s configurations, providers, and state files. It works like Terraform, using providers, reusable modules, and resources in your IaC configuration files — and it's production-ready and supports managing infrastructure at scale.

Why Migrate to OpenTofu?

With OpenTofu, you still get all the Terraform features before the release of version 1.6, and the commands are almost the same. For example, you just need to replace the ‘terraform’ with ‘tofu’ in your terraform commands like terraform init or terraform plan to tofu init or tofu plan to get started. 

With OpenTofu, you can improve your infrastructure management experience. Here are some of the key features of OpenTofu:

  • Open Source: OpenTofu is fully open-source, meaning everyone can build and maintain it rather than rely on a single company. This gives users the freedom to fix issues, add new features, or improve the tool based on the industry’s requirements. 
  • OpenTofu Registry UI: OpenTofu has its own registry UI, which helps you quickly find reusable modules, resources, and providers all in one place without searching through different documentation. These are well-documented with examples, helping the DevOps engineers to easily manage their IaC.
  • Avoid Vendor Lock-in: With OpenTofu, you aren’t stuck with one company’s decisions. Unlike Terraform, OpenTofu is independent. This is helpful if an organization changes its pricing or licensing rules. For example, if a company starts charging for certain features, OpenTofu keeps the community in control so everyone can keep using it without any unexpected changes.
  • Backward Compatibility: Switching from Terraform to OpenTofu is a smooth experience without losing the functionality and stability of the existing setup. It is well maintained and compatible with Terraform to continue to provide the same IaC value. For example, if you have a Terraform project using loops, and map functions, they behave similarly in OpenTofu.
  • Community-Oriented Development: Since OpenTofu is driven by the community, it updates based on the needs of the industry rather than corporate priorities. This makes the development process faster and more responsive. For example, if there is a requirement for support for a new cloud provider, the community can implement it quickly without waiting for a company’s product release schedule.

Comparing Terraform and OpenTofu

While you debate which one to use between Terraform and OpenTofu for your infrastructure needs, it’s important to understand their similarities and differences. Here's a breakdown of what sets them apart:

  • Ownership: OpenTofu is completely community-driven. It’s managed by developers worldwide, focusing on actual industry needs instead of corporate goals.
  • Licensing: HashiCorp changed the licensing for Terraform, which limits how the tool is used in some cases with pricing models. OpenTofu, however, remains fully open-source and free to use without restrictions, giving users more freedom and flexibility in how they use the tool.
  • State Encryption: OpenTofu has built-in state file encryption that works out of the box, keeping your state file secure when you store them remotely. However, with Terraform, you usually need to make additional changes, like enabling versioning in an S3 bucket, to protect this state file.
  • Community Development: With Terraform, new features or updates follow HashiCorp’s release schedule, which might not always align with what users want or need. In contrast, OpenTofu is built by the community, allowing for faster updates and changes. If there’s a new cloud provider feature or bug fix needed, the community can quickly address it without waiting for a corporate release cycle.

While both tools offer the same core functionality, OpenTofu gives users more control and freedom by being community-driven and free from corporate limitations.

But what do they have in common?

OpenTofu started as a fork of Terraform, so they both function in very similar ways. Both tools support a wide range of cloud providers like AWS, Google Cloud, and Azure, allowing you to manage resources across different platforms without switching tools. They also let you fetch providers or reusable, saving you time and effort.

Since OpenTofu shares nearly the same syntax as Terraform, you can use the same configuration files and commands with only slight changes, making it easy to switch between the two without rewriting your code. Both tools also use a state file to track the current state of your infrastructure. Additionally, Terraform and OpenTofu can both be integrated into CI/CD pipelines, which allows you to automate infrastructure setup and deployment.

Getting Ready for the Migration: Best Practices and Challenges

Before migrating from Terraform to OpenTofu, it’s important to make sure your current setup is ready for the migration. Here's a simple checklist that will help you prepare:

  • Module compatibility: Make sure all the reusable modules and providers you're using in Terraform are compatible with OpenTofu. Both tools use the same structure, so most modules and providers should work without any changes. However, it’s always a good idea to double-check compatibility, especially if you're using custom providers, to ensure that OpenTofu supports them.
  • Backup state file and Terraform code: Make sure your Terraform state files are in order. Since both Terraform and OpenTofu use state files to track infrastructure, you'll need to ensure they are correctly stored and updated. One important step is to set up a backend to securely store your state files, whether you're using AWS S3, Google Cloud Storage, or EKS. This will help keep your state files safe and ensure they are easily accessible during and after the migration.

Following this checklist, you can ensure a smooth and easy migration from Terraform to OpenTofu without any unexpected issues.

Setting Up OpenTofu

Before setting up OpenTofu, let's take a look at the Terraform code creating AWS resources such as VPC, IAM role, and S3 bucket. Here is the Terraform code:

provider "aws" { region = "us-east-1" } resource "aws_vpc" "firefly_vpc_01" { cidr_block = "10.0.0.0/16" tags = { Name = "firefly-vpc_01" } } resource "aws_iam_role" "firefly_iam_role_02" { name = "firefly_iam_role_02" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "ec2.amazonaws.com" } } ] }) tags = { Name = "firefly_iam_role_02" } } resource "aws_s3_bucket" "firefly_s3_bucket_01" { bucket = "firefly-basic-s3-bucket-01" acl = "private" tags = { Name = "firefly-s3-bucket" } } terraform { backend "s3" { bucket = "firefly-migration-from-terraform-to-opentofu" key = "opentofu/state" region = "us-east-1" encrypt = true } }

Remember, these resources have already been deployed using Terraform, and the state file is stored in an S3 bucket.

Now, let's install OpenTofu on your local machine. Follow the official installation guide, as per your OS (macOS, Linux, or Windows), and run the commands to set up quickly.

Moving Your Terraform State to OpenTofu

The first step is to get a list of all the current resources in your Terraform state. We can do that by running terraform state list.

This command will show all the resources that Terraform is currently managing. It’s important to review this information before migrating to OpenTofu to ensure nothing is missed during the migration.

Even though the state file is stored in the backend (S3 bucket), it's good to back up the state file to our local before migrating because the S3 bucket backend will also switch to OpenTofu after the migration. To pull the state file to your local, use the following command:

terraform state pull > terraform.tfstate.backup

You can see the backed-up terraform.tfstate.backup file within your local directory. In this file, we can see that the provider key points to the AWS provider in the Terraform Registry. 

Next, run the tofu init --upgrade command to download the provider plugins and modules from the OpenTofu registry and configure the backend accordingly, as shown below:

OpenTofu is now initialized, and the provider in the state file has been updated to the OpenTofu registry. This means that OpenTofu will now handle your AWS provider, making sure all updates and changes to your infrastructure go through OpenTofu instead of the Terraform registry.

Like Terraform, you can run the tofu plan command to check if there are any changes in your infrastructure.

This means that OpenTofu has verified your setup, and there are no changes, confirming that your migration was successful. 

Now, since it is safe, you can complete the migration and update the state file by running tofu apply command. 

This will apply any changes you've made to your configuration, making sure that your infrastructure is fully aligned with your state file. 

You're now all set to manage your infrastructure using OpenTofu.

Stay Prepared: Challenges You Might Face During Migration

While migrating from Terraform to OpenTofu is pretty straightforward, you might face some challenges. Let’s discuss some of the common challenges you may encounter:

  • Provider compatibility issues: One of the main challenges is to make sure that all your providers are fully compatible with OpenTofu. While most providers will work as expected, some custom providers may require updates or adjustments. It's important to check if OpenTofu supports the providers you're using before making the switch.
  • CI/CD pipeline adjustments: If you're using Terraform within CI/CD pipelines, such as GitHub Actions, to maintain your deployments, you’ll need to make some minor changes. This includes updating all the commands from terraform to tofu within your pipeline. 

By taking care of these challenges early, you can make the migration smoother and reduce any issues while migrating from Terraform to OpenTofu.

During Migration: Monitoring and Observability With Firefly

When migrating from Terraform to OpenTofu, monitoring your infrastructure to ensure operational stability is important. Firefly is a helpful platform that lets you track your resources during and after the migration. It can easily identify drifted, ghosted, and unmanaged resources within the dashboard.

Firefly supports many popular IaC tools like Pulumi and Terraform, and it also works well with OpenTofu. This makes deploying your infrastructure with OpenTofu faster and more efficient, while helping you catch any issues early on.

Firefly gives you a clear view of your infrastructure and helps you with:

  • Drifted resources: These are resources that have changed through the cloud provider console or outside of your IaC files. Firefly helps you catch drifted resources so you can fix any mismatches.
  • Ghosted resources: These are resources that exist in your cloud environment but aren’t managed by your IaC anymore. Firefly can detect these so nothing gets overlooked.
  • Unmanaged resources: These are resources created manually or outside of your OpenTofu setup. Firefly finds these so you can manage them properly or remove them if needed.

Additionally, Firefly offers governance features to ensure your infrastructure follows best practices and security policies during the migration. Firefly's governance dashboard provides an overview of your compliance with standards like PCI DSS and SOC 2. 

Using Firefly, you can monitor and govern your infrastructure for smooth migrations and keep everything in sync with your OpenTofu setup. Firefly helps you keep track of the resources, enforce best practices, and maintain compliance standards, making sure that all your resources are properly managed within your infrastructure.

To see Firefly in action, try the product yourself, or request a demo from one of our cloud management experts.