Terraform vs OpenTofu: A Comprehensive Comparison for Infrastructure as Code
The infrastructure as code (IaC) landscape experienced a significant shift in August 2023 when HashiCorp changed Terraform’s license from the Mozilla Public License (MPL) to the Business Source License (BSL). This decision sparked controversy in the open-source community and led to the birth of OpenTofu, a fork of Terraform that maintains the open-source ethos. As organizations evaluate their IaC tooling strategies, understanding the differences, similarities, and implications of choosing between Terraform and OpenTofu has become crucial.
In this article, we’ll dive deep into both tools, compare their features, examine real-world examples, and help you make an informed decision for your infrastructure needs.
The Origin Story: Understanding the Fork
Terraform’s License Change
HashiCorp’s decision to move Terraform from MPL 2.0 to BSL 1.1 was justified by the company as necessary to prevent cloud providers from offering competing managed services without contributing back to the project. While understandable from a business perspective, this change meant that Terraform was no longer truly open source by the Open Source Initiative’s definition.
The BSL allows free use for most purposes but restricts competitive commercial use. After four years, the code converts to MPL 2.0, but this waiting period was enough to concern many organizations that had built their infrastructure automation on the promise of open-source software.
The Birth of OpenTofu
In response, the Linux Foundation announced OpenTofu in September 2023 as a truly open-source alternative. Led by a coalition of companies including Gruntwork, Spacelift, env0, Scalr, and others, OpenTofu aims to maintain backward compatibility with Terraform while providing a community-driven, vendor-neutral alternative.
The project quickly gained momentum, achieving its first general availability release (1.6.0) in January 2024, maintaining parity with Terraform 1.6 while adding new features and improvements.
Core Architecture: More Similar Than Different
At their core, both Terraform and OpenTofu share the same fundamental architecture because OpenTofu is a fork of Terraform 1.5. Understanding this shared foundation is important before we explore their differences.
The HCL Configuration Language
Both tools use HashiCorp Configuration Language (HCL) for defining infrastructure. Here’s a simple example that works identically in both:
# Define an AWS EC2 instance
resource "aws_instance" "web_server" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t3.micro"
tags = {
Name = "WebServer"
Environment = "Production"
ManagedBy = "IaC"
}
root_block_device {
volume_size = 20
volume_type = "gp3"
}
}
# Create a security group
resource "aws_security_group" "web_sg" {
name = "web-server-sg"
description = "Security group for web server"
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
This configuration syntax remains identical between the two tools, which means existing Terraform configurations can generally be used with OpenTofu without modification.
State Management
Both tools use a state file to track resources. The state management approach is conceptually identical:
# Backend configuration for remote state
terraform {
backend "s3" {
bucket = "my-terraform-state"
key = "prod/infrastructure.tfstate"
region = "us-west-2"
encrypt = true
dynamodb_table = "terraform-locks"
}
}
This same backend configuration works in OpenTofu, though OpenTofu has added support for additional backend types and enhanced encryption options.
Key Differences: Where They Diverge
While maintaining compatibility, OpenTofu has introduced several differentiating features and improvements.
1. Licensing and Governance
Terraform (BSL 1.1):
Restricts competitive commercial offerings
Four-year delay before converting to MPL 2.0
Controlled by HashiCorp’s business interests
OpenTofu (MPL 2.0):
Truly open source
Community-governed through the Linux Foundation
No restrictions on commercial use
Transparent decision-making process
2. State File Encryption
One of OpenTofu’s most significant innovations is native state file encryption. While Terraform relies on backend-level encryption (like S3 encryption), OpenTofu provides client-side encryption:
# OpenTofu state encryption configuration
terraform {
encryption {
key_provider "pbkdf2" "mykey" {
passphrase = var.state_passphrase
}
method "aes_gcm" "state_encryption" {
keys = key_provider.pbkdf2.mykey
}
state {
method = method.aes_gcm.state_encryption
}
}
}
This ensures that sensitive data in the state file is encrypted before it leaves your machine, providing an additional layer of security that Terraform doesn’t offer natively.
3. Enhanced Testing Framework
Both Terraform and OpenTofu support infrastructure testing through the test command introduced in Terraform 1.6. Here's an example of a test file that works in both tools:
# Test file: tests/vpc_test.tftest.hcl
variables {
environment = "test"
vpc_cidr = "10.0.0.0/16"
}
run "validate_vpc_creation" {
command = apply
assert {
condition = aws_vpc.main.cidr_block == var.vpc_cidr
error_message = "VPC CIDR does not match expected value"
}
assert {
condition = length(aws_subnet.private) == 3
error_message = "Expected 3 private subnets"
}
}
run "validate_internet_gateway" {
command = plan
assert {
condition = aws_internet_gateway.main.vpc_id == aws_vpc.main.id
error_message = "Internet gateway not attached to VPC"
}
}
Both tools provide similar testing capabilities, making infrastructure testing more accessible to teams.
4. Provider Development and Registry
Terraform:
Uses the official Terraform Registry (registry.terraform.io)
Provider development controlled by HashiCorp
BSL applies to provider development kit
OpenTofu:
Currently uses the same Terraform Registry providers
Has its own registry infrastructure (registry.opentofu.org)
Working on provider ecosystem independence
Maintains compatibility with existing providers
Planning to mirror and potentially fork critical providers if needed
Here’s how you declare providers (syntax is identical in both tools):
# Provider declaration works identically in both Terraform and OpenTofu
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.23"
}
}
}
Currently, both tools use the same provider sources. OpenTofu’s registry serves as a fallback and metadata repository, ensuring long-term availability even if HashiCorp’s registry policies change.
Real-World Comparison: A Practical Example
Let’s examine a complete, real-world scenario: deploying a multi-tier application infrastructure.
Complete Infrastructure Module
# variables.tf
variable "project_name" {
description = "Name of the project"
type = string
}
variable "environment" {
description = "Environment name"
type = string
validation {
condition = contains(["dev", "staging", "prod"], var.environment)
error_message = "Environment must be dev, staging, or prod"
}
}
variable "vpc_cidr" {
description = "CIDR block for VPC"
type = string
default = "10.0.0.0/16"
}
# main.tf
terraform {
required_version = ">= 1.6"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
# VPC Configuration
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "${var.project_name}-${var.environment}-vpc"
Environment = var.environment
ManagedBy = "IaC"
}
}
# Public Subnets
resource "aws_subnet" "public" {
count = 3
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index)
availability_zone = data.aws_availability_zones.available.names[count.index]
map_public_ip_on_launch = true
tags = {
Name = "${var.project_name}-${var.environment}-public-${count.index + 1}"
Type = "Public"
Environment = var.environment
}
}
# Private Subnets
resource "aws_subnet" "private" {
count = 3
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index + 3)
availability_zone = data.aws_availability_zones.available.names[count.index]
tags = {
Name = "${var.project_name}-${var.environment}-private-${count.index + 1}"
Type = "Private"
Environment = var.environment
}
}
# Application Load Balancer
resource "aws_lb" "app" {
name = "${var.project_name}-${var.environment}-alb"
internal = false
load_balancer_type = "application"
security_groups = [aws_security_group.alb.id]
subnets = aws_subnet.public[*].id
enable_deletion_protection = var.environment == "prod" ? true : false
tags = {
Name = "${var.project_name}-${var.environment}-alb"
Environment = var.environment
}
}
# Auto Scaling Group
resource "aws_autoscaling_group" "app" {
name = "${var.project_name}-${var.environment}-asg"
vpc_zone_identifier = aws_subnet.private[*].id
target_group_arns = [aws_lb_target_group.app.arn]
health_check_type = "ELB"
min_size = var.environment == "prod" ? 3 : 1
max_size = var.environment == "prod" ? 10 : 3
desired_capacity = var.environment == "prod" ? 3 : 1
launch_template {
id = aws_launch_template.app.id
version = "$Latest"
}
tag {
key = "Name"
value = "${var.project_name}-${var.environment}-app"
propagate_at_launch = true
}
}
# RDS Database
resource "aws_db_instance" "main" {
identifier = "${var.project_name}-${var.environment}-db"
engine = "postgres"
engine_version = "15.3"
instance_class = var.environment == "prod" ? "db.t3.medium" : "db.t3.micro"
allocated_storage = var.environment == "prod" ? 100 : 20
storage_type = "gp3"
storage_encrypted = true
db_name = "${var.project_name}_${var.environment}"
username = "dbadmin"
password = random_password.db_password.result
vpc_security_group_ids = [aws_security_group.database.id]
db_subnet_group_name = aws_db_subnet_group.main.name
backup_retention_period = var.environment == "prod" ? 7 : 1
skip_final_snapshot = var.environment != "prod"
tags = {
Name = "${var.project_name}-${var.environment}-db"
Environment = var.environment
}
}
# outputs.tf
output "vpc_id" {
description = "ID of the VPC"
value = aws_vpc.main.id
}
output "alb_dns_name" {
description = "DNS name of the load balancer"
value = aws_lb.app.dns_name
}
output "database_endpoint" {
description = "Connection endpoint for the database"
value = aws_db_instance.main.endpoint
sensitive = true
}
This module works identically in both Terraform and OpenTofu. However, with OpenTofu, you could add the native encryption layer:
# OpenTofu-specific enhancement
terraform {
encryption {
key_provider "aws_kms" "state" {
kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd"
key_spec = "AES_256"
}
method "aes_gcm" "state_encryption" {
keys = key_provider.aws_kms.state
}
state {
method = method.aes_gcm.state_encryption
}
}
}
Migration: Moving Between Terraform and OpenTofu
One of the most common questions is how difficult it is to migrate between these tools. The good news: it’s relatively straightforward.
Migrating from Terraform to OpenTofu
# Step 1: Install OpenTofu
# Using Homebrew (macOS/Linux)
brew install opentofu
# Using package manager (Ubuntu/Debian)
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh | sh
# Step 2: Initialize with existing state
cd your-terraform-project
tofu init -upgrade
# Step 3: Verify plan
tofu plan
# Step 4: Apply (if everything looks good)
tofu apply
The migration is seamless because OpenTofu maintains state file compatibility. You can switch back to Terraform if needed, though you’d lose OpenTofu-specific features.
Migrating from OpenTofu to Terraform
# Step 1: Remove OpenTofu-specific features
# Comment out or remove encryption blocks and OpenTofu-only syntax
# Step 2: Initialize with Terraform
terraform init -upgrade
# Step 3: Verify and apply
terraform plan
terraform apply
Gradual Migration Strategy
For large organizations, a gradual approach might be preferable:
# Module that works with both tools
module "networking" {
source = "./modules/networking"
# Use only compatible features
vpc_cidr = "10.0.0.0/16"
environment = var.environment
}
# Conditional encryption (OpenTofu only)
dynamic "encryption" {
for_each = can(regex("tofu", version.current)) ? [1] : []
content {
# OpenTofu-specific encryption config
}
}
Feature Comparison Matrix
Let’s break down the key differences in a structured comparison:
Core Functionality
| Feature | Terraform | OpenTofu | Notes |
| HCL Syntax | ✅ | ✅ | Identical |
| State Management | ✅ | ✅ | Compatible |
| Provider Ecosystem | ✅ | ✅ | OpenTofu working toward independence |
| Module Support | ✅ | ✅ | Fully compatible |
| Workspaces | ✅ | ✅ | Identical functionality |
| Remote Backends | ✅ | ✅ | OpenTofu has additional options |
Advanced Features
| Feature | Terraform | OpenTofu | Notes |
| State Encryption | Backend-level | Native client-side | OpenTofu advantage |
| Testing Framework | Basic | Enhanced | OpenTofu has more features |
| For-each with sensitive | ⚠️ Limited | ✅ Full support | OpenTofu improvement |
| Removed block | ✅ 1.7+ | ✅ 1.6+ | OpenTofu implemented first |
Operational Aspects
| Aspect | Terraform | OpenTofu | Notes |
| License | BSL 1.1 | MPL 2.0 | OpenTofu is truly open source |
| Governance | HashiCorp | Linux Foundation | Community vs. corporate |
| Release Cycle | ~4 months | ~2-3 months | OpenTofu moves faster |
| Performance | Baseline | 10-30% faster | For large deployments |
| Cloud Provider Support | Excellent | Excellent | Both well-supported |
Real-World Use Cases and Recommendations
When to Choose Terraform
Scenario 1: HashiCorp Ecosystem Integration
If you’re heavily invested in HashiCorp products (Vault, Consul, Nomad), Terraform might provide smoother integration:
# Using Terraform with HashiCorp Vault
data "vault_generic_secret" "database" {
path = "secret/database/${var.environment}"
}
resource "aws_db_instance" "main" {
# ...
username = data.vault_generic_secret.database.data["username"]
password = data.vault_generic_secret.database.data["password"]
}
Scenario 2: Enterprise Support Requirements
Organizations requiring commercial support and SLAs from HashiCorp:
# Terraform Cloud/Enterprise features
terraform {
cloud {
organization = "my-company"
workspaces {
name = "production-infrastructure"
}
}
}
Scenario 3: Risk-Averse Organizations
Companies that prefer stability over innovation and have legal concerns about switching tools.
When to Choose OpenTofu
Scenario 1: Open Source Commitment
Organizations with strong open-source requirements can benefit from OpenTofu’s MPL 2.0 license and community governance model, while still using the same provider ecosystem.
Scenario 2: Security-First Environments
When client-side encryption is a requirement:
# OpenTofu state encryption for compliance
terraform {
encryption {
key_provider "pbkdf2" "compliance" {
passphrase = var.encryption_key
key_length = 32
iterations = 600000
}
method "aes_gcm" "state" {
keys = key_provider.pbkdf2.compliance
}
state {
method = method.aes_gcm.state
}
plan {
method = method.aes_gcm.state
}
}
}
Scenario 3: Community-Driven Innovation
Organizations that want to influence tool development:
# Using cutting-edge OpenTofu features
terraform {
required_version = "~> 1.7"
experiments = [
early_evaluation
]
}
Scenario 4: Cost Optimization
Teams looking to avoid potential future licensing costs:
# No vendor lock-in concerns
tofu init
tofu apply
# Free forever, no upgrade pressure
Community and Ecosystem
Community Support
Terraform:
Larger existing community (established 2014)
More Stack Overflow questions and answers
Extensive documentation and tutorials
HashiCorp-led conferences and events
OpenTofu:
Rapidly growing community
Active GitHub discussions and contributions
Linux Foundation backing
More transparent governance process
Provider Availability
Currently, both tools use the same provider ecosystem from the Terraform Registry:
# Provider configuration works identically in both tools
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.23"
}
google = {
source = "hashicorp/google"
version = "~> 5.0"
}
}
}
OpenTofu maintains its own registry (registry.opentofu.org) that mirrors the Terraform Registry, ensuring long-term provider availability. The OpenTofu community is also working on a strategy to fork and maintain critical providers if HashiCorp’s licensing changes make this necessary, though currently all providers work seamlessly with both tools.
Future Outlook
Terraform’s Direction
HashiCorp is focusing on:
Enterprise features and Terraform Cloud
Improved CDKTF (Cloud Development Kit for Terraform)
Enhanced policy and governance
AI-assisted infrastructure coding
OpenTofu’s Roadmap
The OpenTofu project is prioritizing:
Complete provider registry independence
Enhanced testing and validation features
Improved performance optimizations
Community-driven feature development
Better integration with CI/CD pipelines
Decision Framework
Here’s a practical framework for choosing between these tools:
Decision Tree
Start Here
|
├─ Do you require open source licensing?
│ ├─ Yes → Consider OpenTofu
│ └─ No → Continue
|
├─ Do you need HashiCorp enterprise support?
│ ├─ Yes → Choose Terraform
│ └─ No → Continue
|
├─ Is state file encryption critical?
│ ├─ Yes → OpenTofu has advantage
│ └─ No → Continue
|
├─ Do you want community governance?
│ ├─ Yes → Choose OpenTofu
│ └─ No → Either works
|
└─ Default → Both are excellent choices
Evaluation Checklist
For organizations evaluating their options:
Technical Requirements:
Current Terraform version compatibility
Provider availability and versions needed
State management requirements
Encryption and security needs
Testing framework needs
Specific feature requirements (e.g., state encryption, provider functions)
Organizational Factors:
Open source policy compliance
Budget for commercial support
Risk tolerance for tool switching
Team expertise and training needs
Long-term strategic alignment
Community vs. vendor relationship preference
Operational Considerations:
CI/CD pipeline integration
Existing toolchain compatibility
Migration complexity and effort
Backup and disaster recovery processes
Compliance and audit requirements
Conclusion
Both Terraform and OpenTofu are powerful, production-ready tools for infrastructure as code. The choice between them ultimately depends on your organization’s priorities:
Choose Terraform if:
You require HashiCorp’s commercial support and enterprise features
You’re deeply integrated with the HashiCorp ecosystem
You prefer the stability of an established, well-funded vendor
Your organization is risk-averse about tool changes
Choose OpenTofu if:
Open source licensing is a requirement or strong preference
You want community-driven governance and development
Client-side state encryption is important for your security model
You value independence from vendor licensing changes
You want to support and influence community-driven infrastructure tooling
The Good News: Regardless of your choice, both tools:
Use the same HCL syntax
Maintain state file compatibility
Support the same providers (for now)
Allow relatively easy migration between them
For most teams, OpenTofu represents a safe, forward-looking choice that embraces open source principles while maintaining compatibility with the Terraform ecosystem. However, organizations with specific enterprise needs or HashiCorp relationships may find Terraform continues to serve them well.
The infrastructure as code landscape is healthier for having both options. Competition drives innovation, and the existence of OpenTofu has already influenced Terraform’s development priorities. As users, we benefit from this diversity.
Ultimately, the best approach is to evaluate both tools against your specific requirements, run proof-of-concept projects, and make an informed decision based on your organization’s unique needs. Both paths lead to effective infrastructure automation — the question is which better aligns with your values, requirements, and long-term strategy.
What’s your experience with Terraform and OpenTofu? Have you made the switch, or are you staying with Terraform? Share your thoughts and experiences in the comments below.
