OpenTofu 1.7.0 Released


Introduction

OpenTofu version 1.7.0 is live! This update includes several improvements, headlined by a long-requested, important feature: end-to-end state encryption.

Quick Refresh: What is OpenTofu?

OpenTofu is an infrastructure-as-code tool that enables users to declaratively provision and manage cloud resources across various providers. It was forked from Terraform after HashiCorp changed Terraform’s license to the more restrictive Business Source License (BUSL). Like Terraform, OpenTofu uses a domain-specific language (DSL) called HashiCorp Configuration Language (HCL) to define resources and their desired state.

However, while OpenTofu and Terraform share many similarities, there are some important differences. OpenTofu is a community-driven fork that aims to embody the original spirit behind OSS Terraform, whereas mainline Terraform’s future is linked to the commercial offerings of HashiCorp (now part of IBM).

OpenTofu 1.7.0 Key Features

The 1.7.0 release has delivered some incredible features, but it underscores an important point: an open-source alternative is giving users long-desired features that were being ignored in Terraform. While end-to-end state encryption has been a highly requested feature in mainline Terraform for years, OpenTofu has already managed to deliver a working feature in a production-ready release.

End-to-End State Encryption

One of the most significant additions in OpenTofu 1.7.0 is end-to-end state encryption. This feature ensures that the state files, which often contain sensitive values, are protected from unauthorized access. OpenTofu now allows users to encrypt their state files natively using a passphrase or via integration with key management systems like AWS KMS, GCP KMS, or OpenBao.

In the past, Terraform users had to depend on third-party implementations to handle at-rest encryption of Terraform state data. For example, S3 buckets have often been used to store statefiles; encryption was handled via bucket-level configuration using either the Amazon-provided key or a customer-managed one from AWS KMS or an external tool. Even with bucket-level encryption, the statefile itself was still stored in plaintext, and if the bucket was compromised, the values in the statefile would be exposed. Now, the files themselves are natively encrypted and decrypted by OpenTofu.
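As an added illustration (not taken from the original post), this is a passphrase-based state encryption configuration that also handles migration from an existing plaintext state. The block labels `state_passphrase`, `primary` and `migrate` and the passphrase value are placeholders chosen for this example.

```hcl
terraform {
  encryption {
    # Derives the encryption key from a passphrase (minimum 16 characters).
    # Placeholder value: keep the real passphrase out of version control,
    # for example by supplying this configuration through the
    # TF_ENCRYPTION environment variable instead of a committed file.
    key_provider "pbkdf2" "state_passphrase" {
      passphrase = "REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE"
    }

    # AES-GCM encryption using the key derived above.
    method "aes_gcm" "primary" {
      keys = key_provider.pbkdf2.state_passphrase
    }

    # Only needed while migrating an existing plaintext state.
    method "unencrypted" "migrate" {}

    state {
      method = method.aes_gcm.primary

      # Lets OpenTofu read the old plaintext state once; the next
      # write is encrypted with the primary method.
      fallback {
        method = method.unencrypted.migrate
      }

      # After the first encrypted apply, delete the fallback block and
      # the "unencrypted" method, then uncomment the line below so
      # OpenTofu refuses to read or write unencrypted state.
      # enforced = true
    }

    # Plan files contain the same sensitive values as state.
    plan {
      method = method.aes_gcm.primary
    }
  }
}
```

Leaving the fallback in place after migration means a plaintext state swapped into the backend would still be accepted, so remove it and set `enforced = true` once the first encrypted write has succeeded.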

Dynamic Provider-Defined Functions

OpenTofu 1.7.0 also introduces dynamic provider-defined functions, which enable providers to offer native functions that can be used directly in their configurations. This feature allows providers to dynamically define custom functions based on a specific configuration or language. For example, this livestream demonstrates native integration of Lua code into an OpenTofu configuration.

Other New Features

In addition to state encryption and dynamic provider functions, OpenTofu 1.7.0 includes several other new enhancements:

  • The removed block enables users to mark resources for removal from the state file while keeping the actual infrastructure intact. This feature is particularly useful for cleaning up state files without modifying the underlying resources. By using the removed block, users can maintain a cleaner state representation while preserving the infrastructure that’s been created.
  • Loopable import blocks simplify the process of bulk-importing resources into OpenTofu state, making large-scale migrations more manageable. When migrating existing infrastructure to OpenTofu, users often need to import multiple resources at once. With loopable import blocks, users can declaratively specify the resources to be imported, making imports less painful and error-prone.

OpenTofu Community Momentum

Since its initial release, OpenTofu has seen remarkable growth in its community and adoption. While exact user numbers are not tracked, the project has witnessed a consistent month-over-month increase in registry usage, with requests surpassing one million per day. The OpenTofu repository on GitHub has also garnered over 20,000 stars, indicating strong interest and support from the developer community.

The OpenTofu community has been actively contributing to the project, with 65 unique contributors involved in the 1.7.0 release alone. The community has opened hundreds of issues, submitted pull requests, and actively participated in spreading awareness about OpenTofu and its benefits.

The growing momentum behind OpenTofu can be attributed to several factors. First and foremost, the project’s commitment to keeping OpenTofu truly open-source and community-driven has resonated with many users who value transparency and collaboration: the things that helped grow the original Terraform community and were instrumental in helping it become the de facto standard for cloud infrastructure-as-code. HashiCorp’s licensing changes resulted in a significant erosion of trust, and the continuing uncertainty around the legal implications of the license terms has caused users of all sizes to switch to OpenTofu.

Additionally, the regular release cadence and the introduction of new, requested features and enhancements provide a sharp contrast to mainline Terraform, which has been receiving constant criticism for ignored feature requests that have often languished for years. Case in point: one of the original proposals for Terraform statefile encryption was opened in 2016!

Conclusion

OpenTofu 1.7.0 is a solid release that delivers one of the most significant new features to the Terraform ecosystem in a long time. However, it’s not just the technical merits that deserve attention: the 1.7.0 release is symbolic as it represents the strength and momentum of an open-source fork that was able to deliver on a highly requested feature before the parent project could.

As OpenTofu continues to evolve, the future looks bright. The upcoming 1.8 release is already in the planning stages, with early proposals focusing on highly requested features like using variables as module sources and backend configurations. If you’re interested in shaping the future of OpenTofu, now is the perfect time to get involved by opening issues, contributing code, and engaging with the OpenTofu community on Slack.
