The latest release of OpenTofu (version 1.7) is now available!
It comes packed with new features, enhancements, and bug fixes that aim to elevate the user experience, improve overall functionality, and boost your infrastructure as code management.
Here are some highlights of the release:
- State encryption
- Import blocks with for_each
- Provider-defined functions
- Removed block
- New functions
You can get the release here. And the original release blog post here.
One of the most requested features in the IaC world in the last 5 years was state encryption for Terraform. It was never implemented inside Terraform. OpenTofu listened to the community and introduced optional client-side encryption of state and plan files, so the backend only ever stores ciphertext.
This feature enhances your overall security by letting you protect your state file with AES-GCM (the only encryption method in this release; others are planned). The data key can come from key providers such as AWS KMS, GCP KMS, OpenBao, or a passphrase (derived via PBKDF2).
A backup of the state file is highly recommended before enabling state encryption if you are migrating from an unencrypted state to an encrypted one: if the key or passphrase is lost, the encrypted state cannot be recovered.
To take advantage of it, add an encryption block inside your terraform block, in which you specify a key provider, a method, and a state block (and optionally a plan block). It will look similar to this:
terraform {
  encryption {
    # Derives the AES-256 key from a passphrase, which must be at least 16 characters.
    # Do not commit a real passphrase: supply this block through the TF_ENCRYPTION
    # environment variable instead of the configuration file.
    key_provider "pbkdf2" "passphrase" {
      passphrase = ""
    }
    method "aes_gcm" "method" {
      keys = key_provider.pbkdf2.passphrase
    }
    state {
      method   = method.aes_gcm.method
      enforced = true # refuse to read or write unencrypted state
    }
  }
}
With this feature, you no longer depend solely on the backend's access controls to keep secrets in the state private: the backend, its backups, and anyone who copies the state file only see ciphertext. Two caveats remain: anyone who can run OpenTofu with access to the key still sees the plaintext values, and losing the key (or passphrase) means losing the state, so keep the backup mentioned above.
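The passphrase example above is the simplest setup. The following configuration is an added example (not code from the OpenTofu release or this post) showing the shape a team would more likely run in production: a data key wrapped by an AWS KMS key, a temporary unencrypted fallback for migrating an existing plaintext state, and encryption of saved plan files, which contain a copy of the state. The KMS key ARN and region are placeholders.

```hcl
terraform {
  encryption {
    # Customer-managed KMS key; the ARN and region below are placeholders.
    # Whoever can call kms:Decrypt on this key can read the state, so scope
    # the key policy as tightly as the backend bucket policy.
    key_provider "aws_kms" "state_key" {
      kms_key_id = "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000"
      region     = "eu-west-1"
      key_spec   = "AES_256"
    }

    method "aes_gcm" "kms" {
      keys = key_provider.aws_kms.state_key
    }

    # Temporary method used only to read the pre-migration plaintext state.
    method "unencrypted" "migrate" {}

    state {
      method = method.aes_gcm.kms

      # Migration step: allow reading the existing unencrypted state while
      # every write already uses AES-GCM. Once the state has been written
      # encrypted, delete this fallback and set enforced = true so that
      # OpenTofu refuses to touch plaintext state again.
      fallback {
        method = method.unencrypted.migrate
      }
    }

    # Saved plan files (tofu plan -out=...) embed the state, so encrypt them too.
    plan {
      method = method.aes_gcm.kms
    }
  }
}
```

Migration order: take the backup, add the block above, run tofu plan and tofu apply so the state is rewritten encrypted, then remove the fallback block and the unencrypted method and set enforced = true. If the fallback is left in place, a downgrade to plaintext state would go unnoticed.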
Importing resources into your IaC management tool can be a nightmare, but this is something many companies face as they address technical debt. The previous import implementation only let you import one resource at a time, and for a large enterprise that started with ClickOps, this could mean a ton of manual work spreading over weeks or months.
The new import block supports the for_each meta-argument, which allows users to import multiple resources of the same kind in a single block, reducing manual effort and errors.
It keeps the same syntax with the "to" and "id" parameters and adds a for_each meta-argument, similar to this:
variable "for_each_import" {
  # Existing VPCs to adopt, keyed by the name they will have in the configuration.
  # cidr_block is a required argument of aws_vpc, so it must be supplied here or
  # validation fails before the import can run.
  type = map(object({
    id         = string
    cidr_block = string
  }))
}

resource "aws_vpc" "this" {
  for_each   = var.for_each_import
  cidr_block = each.value.cidr_block
}

import {
  # One import per map entry: each.key is the instance key, each.value.id the real VPC ID.
  for_each = var.for_each_import
  to       = aws_vpc.this[each.key]
  id       = each.value.id
}
Provider-defined functions can be called directly inside OpenTofu configuration, and their biggest advantage over data sources is that they do not add anything to your state file and require less code to write. To test this feature out, you can take advantage of the corefunc provider. Keep in mind that a provider function runs inside the provider plugin process on the machine executing tofu, so pin the provider version and commit the dependency lock file just as you would for any other provider.
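As an added example (not code from this post or the OpenTofu project), here is the minimal configuration needed to call a provider-defined function: declare the provider in required_providers, then call it with the provider::<local name>::<function> syntax. It assumes the northwood-labs/corefunc provider exposes a str_snake function, as its registry documentation describes; the version constraint is an assumption to be checked against the registry.

```hcl
terraform {
  required_providers {
    corefunc = {
      source  = "northwood-labs/corefunc"
      # Assumed constraint: pin to the provider version you have reviewed and
      # keep .terraform.lock.hcl in version control so the checksum is enforced.
      version = ">= 1.4.0"
    }
  }
}

# No provider "corefunc" {} block is required for functions that need no configuration.

variable "service_name" {
  type    = string
  default = "OpenTofu 1.7 Release"
}

# Normalises a human-readable name into snake_case without a data source,
# so nothing is written to the state for this computation.
output "service_name_snake" {
  value = provider::corefunc::str_snake(var.service_name)
}
```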
With the removed block, you can remove a resource from the state file while keeping it in the infrastructure (the declarative equivalent of tofu state rm). First, you need to have a resource already created and in state; then you add the removed block naming that resource, delete the original resource block, and run tofu apply to have the resource forgotten.
# Before: the resource is managed by OpenTofu.
resource "aws_vpc" "this" {
  cidr_block = "10.0.0.0/16"
}

# After: the resource block is deleted and replaced by a removed block.
removed {
  from = aws_vpc.this
}
Inside the removed block, you need to specify the from argument, which takes the address of the resource to forget in the form resource_type.resource_name.
After the apply has removed the resource from the state, delete the removed block. The VPC itself still exists in your AWS account; it is simply no longer managed by OpenTofu, so a later tofu destroy will not touch it.
A few new functions were added to make engineers' lives easier when they work with OpenTofu:
- templatestring – takes a string held in a variable or local and renders it as a template using a set of template variables
- cidrcontains – determines whether an IP address belongs to a given prefix
- base64gunzip – takes a base64-encoded gzip payload and returns the decompressed data as a string
- urldecode – decodes a URL-encoded string
- issensitive – determines whether a value is marked as sensitive
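The following configuration is an added example (not from the post or the OpenTofu project) that exercises all five functions in the places a practitioner would actually use them: cidrcontains as an input guard, issensitive as an assertion that a secret is still marked sensitive before it reaches an output, and the remaining three in locals. The variable names and the 10.0.0.0/8 range are assumptions for illustration.

```hcl
variable "admin_ip" {
  type        = string
  description = "Single IP address allowed to reach the admin endpoint"

  # Reject any address outside the (assumed) corporate range at plan time,
  # before a security group rule is ever created.
  validation {
    condition     = cidrcontains("10.0.0.0/8", var.admin_ip)
    error_message = "admin_ip must be inside the corporate 10.0.0.0/8 range."
  }
}

variable "db_password" {
  type      = string
  sensitive = true
}

locals {
  # templatestring needs a reference (var./local.), not a literal, as its
  # first argument. $${ escapes the interpolation so it survives as a
  # template directive inside this local.
  banner_template = "Deploying $${name} to $${env}"
  banner          = templatestring(local.banner_template, { name = "api", env = "prod" })

  # Round-trip through base64gzip so the example needs no hand-made gzip blob.
  compressed   = base64gzip("payload that would normally come from an API response")
  decompressed = base64gunzip(local.compressed)

  # Query strings pulled from logs or webhooks arrive percent-encoded.
  callback_url = urldecode("https%3A%2F%2Fexample.com%2Fcallback%3Fstate%3Dabc")
}

output "banner" {
  value = local.banner
}

output "decompressed_length" {
  value = length(local.decompressed)
}

output "callback_url" {
  value = local.callback_url
}

# Fail the plan if someone strips the sensitive marking from the password,
# instead of silently printing it in apply output.
output "db_password_is_protected" {
  value = issensitive(var.db_password)

  precondition {
    condition     = issensitive(var.db_password)
    error_message = "db_password lost its sensitive marking; refusing to continue."
  }
}
```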
The S3 backend now aligns more closely with the AWS CLI and SDKs in its credential search order, preferring backend configuration over environment variables. The legacy workflow is deprecated; if you still need the legacy credential search order, set the use_legacy_workflow option to true, but keep in mind that it will be removed in a future release, so review which identity your CI actually ends up using.
There are some CLI changes available. You can now:
- See a shortened plan output
- Get JSON output for tofu init
- Use aliases for a couple of state commands.
The testing feature also got an improvement: OpenTofu is now able to read the .tfvars files from the tests folder.
If you are looking for help in migrating from Terraform to OpenTofu, or if you are searching for an infrastructure management platform that supports top flavors of infrastructure as code (including OpenTofu 1.7), configuration management, and container orchestration, don't hesitate to reach out to Spacelift. As a founding partner of the initiative, Spacelift offers the native and commercial support you need to ensure your OpenTofu success. Learn more about OpenTofu Commercial Support & Services.
OpenTofu 1.7 is an exciting release that packs substantial new features and improvements, promising to make infrastructure as code more robust and secure. Download the latest binary, test the new features, and get back to the OpenTofu team with feedback, to continuously improve the OpenTofu ecosystem.
Don’t forget to check the issue ranking system and vote for what improvements you would like to see implemented sooner!
OpenTofu Commercial Support
Spacelift offers native and commercial support to ensure your OpenTofu success. If you need a reliable partner to run your critical workloads with OpenTofu, accelerate your migration, provide support coverage, or train your team – we are here to help.