4 min read

The Definitive Guide for Shifting from Terraform to OpenTofu

Ori Yemini
Ori Yemini

CTO & Co-founder

Ori Yemini
Ori Yemini

CTO & Co-founder

Intro

So, you decided to make the big leap and migrate your IaC framework from Terraform to OpenTofu.
In this short blog article, we’ll provide a step-by-step guide on how to do it; honestly, it’s much easier than you would imagine.

For all versions lower than 1.6, OpenTofu is a drop-in replacement for Terraform. It already becomes dependent on using various features as you progress through the versions. The technical side of the migration is quite trivial; instead of running the terraform command, all you have to do is run the tofu command.
Let’s start with what a migration looks like.

The Migration Procedure

  1. Let’s assume I have a directory with Terraform code that manages some resources in my staging account. Up until now, I used the ‘Terraform’ command to run this code. Before moving to OpenTofu, I want to make sure my code is still valid and I don’t have any drifts. So, the first step would be to run the ‘terraform init’ command to get things going.

    Directory with Terraform code that can perform terraform init
  2. Now I’m going to run ‘terraform apply‘ just to make sure that there are no drifts and that my code perfectly represent my running resources.

    Run terraform apply

  3. Ok, the big moment has arrived. I’m going to switch my IaC engine to OpenTofu 🙂
    In order for us to run this code with OpenTofu, the first step would be to run ‘tofu init -upgrade‘.

    Run tofu init -upgrade

    The reason for the ‘upgrade’ flag is to download the providers and the modules (if any) from the OpenTofu registry, not from the HashiCorp registry.
  4. Ok, the next step would be to run ‘tofu apply‘ to refresh my state file and to validate that there are no drifts.



    Voilà! Migration done!

What to Watch out for

Another important consideration when performing the migration is ensuring your code doesn’t directly use the HashiCorp registry. What does that mean?
That means that your code shouldn’t use the fully qualified name of a module/provider from HashiCorp’s registry. For example:
Ensure your code doesn’t use the HashiCorp registry

Here, I’m using the AWS provider from the HashiCorp registry. Using this when running the OpenTofu command is against the BSL licensing (Note: this is not legal advice; I’m not a lawyer, and it’s my understanding from the license change).
Since I use a fully qualified name with registry.terraform.io, the provider will be downloaded from the HashiCorp registry.
Let’s see how it looks like if I’m running this code with the ‘tofu’ command:

tofu init command output

How to fix it? It’s very simple: Don’t use fully qualified names. For example, in this example, instead of writing ‘registry.terraform.io/hashicorp/aws’, you should write ‘hashicorp/aws’.

To sum up, after completing the migration, be sure to check that your codebase does not reference Hashicorp’s registry.

Challenge at Scale

As always, the challenge comes in when you have big-scale environments or large terraform codebase to manage.
Migrating a single Terraform stack is pretty straightforward, but what if you have hundreds or thousands of stacks that you want to migrate?
What about inspecting your code to ensure it doesn’t reference HashiCorp’s registry using a fully qualified name?
You’ll probably need some automation to run on all of your Terraform stacks, perform the check, and provide a final report of what went well, what went wrong, and what’s your OpenTofu compatibility.
It’s more of a management challenge than a technical one.

Summary

As you can see, the migration procedure from Terraform to OpenTofu is pretty straightforward.
The real challenges occur when you have large and complex environments with hundreds or thousands of stacks.
If you’re thinking of shifting your IaC framework to Terraform, we would love to jump on a call and let you know how the ControlMonkey Terraform Automation platform can help you throughout the process.

Recommended from Control Monkey
4 min read
ControlMonkey Top 10 Features
Adopt a Proactive DevOps Strategy and prevent 90% of Production Issues with ControlMonkey's solutions for Terraform Operations....
Aharon Twizer
Aharon Twizer

CEO & Co-Founder

Aharon Twizer
Aharon Twizer

CEO & Co-Founder

7 min read
The Unsung Hero of Infrastructure Management: Version Control
Learn why version control system is an essential part of the infrastructure delivery revolution, just like it was for the...
Patrick Pushor
Patrick Pushor

Guest Blogger

Patrick Pushor
Patrick Pushor

Guest Blogger

6 min read
Leveraging AWS CloudTrail to fight ClickOps
Amending cloud resources directly through the AWS console, commonly referred to as "ClickOps," is not the best practice. Learn how...
Aharon Twizer
Aharon Twizer

CEO & Co-Founder

Aharon Twizer
Aharon Twizer

CEO & Co-Founder

4 min read
Infra-as-Code: Critical Aspect for Your Disaster Recovery Plan
Learn why Infrastructure as Code should be a key component of your disaster recovery plan....
Aharon Twizer
Aharon Twizer

CEO & Co-founder

Aharon Twizer
Aharon Twizer

CEO & Co-founder

Compliant AWS environments in minutes, with Self-service Infrastructure
Learn how to enable other teams such as Dev and QA to launch pre-defined compliant AWS environments in minutes, by using Terraform.

Contact us

We look forward to hearing from you

AWS Governance & DevOps Productivity with Terraform

Learn how how to shift-left cloud governance with Terraform in this webinar brought to you by AWS and ControlMonkey.

We look forward to hearing from you!

ControlMonkey

Terraform Best Practices with ControlMonkey Webinar

Check out our latest webinar with DoIT International.

In this webinar we showcase together with DoIT how ControlMonkey is helping DevOps teams to make the transition from ClickOps to GitOps easily with Terraform.

This website uses cookies. We use cookies to ensure that we give you the best experience on our website. Privacy policy