# terraform
b
Any opinions here on terraform vs opentofu? I'm about to start building out some IaC and want to start on the right foot. We used terraform at my last company. I don't think the changes to their licensing will affect us, and I welcome feedback on both the licensing issue and technical differentiators.
t
I'm a big proponent of tofu. The licensing doesn't affect us either, but the amount of investment in the language that they're making eclipses HashiCorp's current investment. The first thing I would do, though, is look at https://cani.tf and see if any specific features are interesting to you.
w
@Brian Newton When people ask me this question, I recommend deciding based on OpenTofu's features. You will get the state encryption that improves your security stance. With for_each working not only for modules but also for providers, you can get rid of much unnecessary boilerplate. There are also a few Reddit threads where people share how simple the migration is and how much easier it is to work with IaC after moving to OpenTofu. You might also take a look at the talks from the OpenTofu day at KubeCon Paris and Salt Lake. (disclaimer: I am a member of the OpenTofu Technical Steering Committee)
b
Great information, thanks. I have heard similar advice on Reddit (look at the features). I know a few folks from Spacelift as well and I know they're very keen to get people using it. Does the state encryption matter if I'm storing state in an encrypted S3 bucket? Not sure what that buys me. I'll look a bit deeper into the features. I'll mostly be creating infra in AWS, so as long as that is supported and I can find some good recipes I'll be set.
m
We were affected by the licensing change, as our GitOps tools won't support Terraform with the new license. We're stuck on 1.5.7 until we make a shift to OpenTF.
t
That is definitely a thing. Some platforms allow you to custom-install later versions of Terraform yourself, but don't support anything later than 1.5.7 natively. Fortunately, migrating from 1.5.7 to tofu is really easy.
r
@Brian Newton State in S3 is still readable if a user or service reads that state due to an improper bucket policy or a role with too many privileges. Though this is mostly solved by using KMS on the bucket, it's even more added security to use the tofu-based encryption, which would require yet another key. TL;DR: slightly more security than S3+KMS.
w
@Brian Newton State encryption is another layer of security—as @Regan Manning wrote—that protects you from somebody unauthorised gaining access to your state file due to, e.g., improper bucket policy.
b
Makes sense. I control bucket policies so that's not a top concern. I am leaning tofu though. This was great info and much appreciated. Thanks for the input and thoughts.
r
Random question I can google if no one knows offhand, but are there any providers not available to OpenTofu?
I am assuming OpenTofu uses the same provider code terraform does
t
There are some issues with some providers that haven't uploaded GPG keys, but for the most part, yes.
l
Terraform vs. OpenTofu: Simple Breakdown

1. Licensing
• Terraform: Not fully open-source anymore (HashiCorp controls it). Free for most, but future changes could limit you.
• OpenTofu: Truly open-source (Linux Foundation backs it). No risk of licensing surprises.

2. Features (Right Now)
• Both do the same thing (OpenTofu is a fork of Terraform 1.5).
• Terraform has better cloud integrations (if you pay for Terraform Cloud).
• OpenTofu will evolve independently—could get cool new open-source features.

3. Which Should You Pick?
• Use OpenTofu if:
  ◦ You want open-source freedom.
  ◦ You don't need HashiCorp's paid tools.
  ◦ You're starting fresh and want no future licensing headaches.
• Use Terraform if:
  ◦ You rely on Terraform Cloud/Enterprise.
  ◦ You're okay with HashiCorp calling the shots.

Final Answer: For most new projects, OpenTofu is the better choice. It's the same as Terraform but without the licensing risk. Only stick with Terraform if you need HashiCorp's paid features.
c
There's a project-risk-related whitepaper available which I wrote last year. It focuses more on the migration aspect. If you're starting from scratch, OpenTofu would be my choice. But the article might interest you anyway, as other tooling and options are also discussed and considered. Managing HashiCorp & Terraform Risks: Best Mitigations | LiveWyer