OpenTofu Vs. Terraform: The Great IaC Dilemma

Terraform, the leading IaC (Infrastructure as Code orchestrator), was created 9 years ago by HashiCorp and is considered today as the de facto tool for managing cloud infrastructure with code. What started as an open-source tool quickly became one of the largest software communities in the world, and for every problem you may encounter, someone has already found and published a solution.

At the end of the day, DevOps managers are looking for a simple, predictable, drama-free way to manage their infrastructure, and this is probably why many have chosen Terraform, which is a well-known, well-established tool with a very large community.

I too, as a CTO, took the plunge and chose Terraform as our cloud management tool because it ticked all the boxes. One of the most important criteria for selecting any tool is to avoid vendor lock-in.
Just as choosing the main programming language and database was important for us, our cloud management tool needed to also meet this criterion.

In August of last year, following HashiCorp’s announcement of upcoming changes to the Terraform license, several players in the DevOps community united to create the fork of Terraform known as OpenTofu. OpenTofu is an open-sourced IaC (Infrastructure as Code) framework that is community-driven and managed by the Linux Foundation. It was created and developed to provide Terraform users with an option that is truly open-source.

In this article, we will deep dive into both of these frameworks for a better understanding and explore core features, highlighting the key differences, to provide you with all the necessary information and insights on whether or not you should shift from Terraform to OpenTofu.

Hashicorp’s License Change

So What Does the New License Practically Mean?

A company cannot use Terraform in its production chain unless it meets the required conditions. Currently, the required condition is not being a competitor of one of HashiCorp's products. 

And yes, it is very vague. Any company that develops a product that competes with one of HashiCorp's products, cannot use Terraform. In case you meet the criteria today does not necessarily mean that you will meet it in the future. If the company you work for develops a logging product and in the future HashiCorp acquires a startup that deals with logging, from that moment on you become a HashiCorp competitor. 

Right now there is a cloud of uncertainty around Terraform, and this level of uncertainty, in my opinion, should be taken very seriously into consideration when choosing a tool that manages your infrastructure.

Changes in Terraform Registry

The change that I think is more interesting and kind of went under the radar is that a few days after the change of Terraform's license, without official notification, they changed the terms of their registry. In fact, "improper" use of the HashiCorp registry is also a legal violation.

Now what does that mean? It's very unclear. 

For those who are not aware, the registry contains all the providers’ mappings available to Terraform. But the story that emerges here is that one day HashiCorp can decide that every call to its registry will cost a dollar, and then what?

The control of the project is by one entity, and that's how the problem begins.

Terraform is not another project that has become a closed source; Terraform today is the foundation for millions of people around the world for infrastructure and configuration management. 

Many companies have built amazing things on top of Terraform and therefore this project is simply too important to be under the control of one entity.

So what are we doing? What does it mean to be open source?

The Rise of OpenTofu

HashiCorp’s license change is what created OpenTofu with one clear goal and that is to restore the project to being truly open source as it was in its original form. 

From a technical point of view, OpenTofu is a fork of the Terraform project, but some will say (and I am amongst them) that a drastic license change is a fork and OpenTofu is the natural continuation of Terraform.

To this end, from the beginning, many efforts were invested to bring the project under the umbrella of the Linux Foundation, and this, in my opinion, is the most central part of the OpenTofu initiative. From the moment the project came under this umbrella, it is guaranteed that decisions regarding the features and the direction of the project will be guided by a technological committee that is independent, interest-free, and whose role is to resolve conflicts that will arise between the various contributors, like any large project that is worked on by several people with different opinions.

It is guaranteed that the decisions will be made according to the best interest of the community and not according to the interest of a single player. Does this mean that every feature request will be accepted? No. But the decisions will be completely transparent. The main example of this is the PR that Hashicorp refused to approve since 2016 that allows encryption of the Terraform State File.
Why is Hashicorp refusing to approve this PR? Because it conflicts with their commercial offering.
This requested feature is going to be released in version 1.7 of OpenTofu.

OpenTofu: Deep Dive

In the short term, the project will be used as a "super set" of Terraform. According to this definition, every functionality of Terraform will be in an OpenTofu form, and the Tofu project will contain additional features. In the long run, it is very likely that along the way the projects will take completely different directions in their plans. There will be features in Terraform that will not be available in a Tofu way and vice versa.

For the most part, the open-source community tends to innovate more than large enterprises.
It's not because the ideas are better, it's simply a matter of execution and agility.

This is thanks to the mobilization and contribution of the community to the project. In the last few years, if you look at the number of HashiCorp employees who have contributed to Terraform over the years, the number does not exceed 5.

With the significant contributions from various companies in the community, it appears that the development of OpenTofu will likely surpass that of Terraform.
Here are the features released or about to be released in OpenTofu:

• 1.6 - Dedicated OpenTofu Registry
• 1.6 - Testing Framework
• 1.6 - Enhanced S3 backend
• 1.7 - Removed block
• 1.7 - Mock data
• 1.7 - Client-side state encryption

Migrating From Terraform To OpenTofu

Let’s discuss how to migrate from Terraform to OpenTofu.

For all versions lower than 1.6, OpenTofu is a drop-in replacement for Terraform. It already becomes dependent on using various features as you progress through the versions. The technical side of the migration is quite trivial, instead of running the terraform command, all you have to do is run the tofu command.

Let’s have a look:

• Let’s assume I have a directory with Terraform code that I can perform terraform init:
  

• I run terraform apply and we see that there are no changes:
  
• Now let's run this code with OpenTofu, so the first step would be to run
  tofu init -upgrade.
  The reason for the upgrade is to download the providers and the modules (if any) from the OpenTofu registry and not from the HashiCorp registry.
  

• Now let's run tofu apply and we see that there are no changes:
  

Voilà! Migration done!

I would also like to mention that migrating one “stack” is pretty straightforward. The challenge arises when you have 100s or 1000s of stacks that you want to initiate with OpenTofu and make sure there are no diffs. It’s more of a management challenge than it is a technical challenge.

Another important consideration when performing the migration is ensuring your code doesn’t use the HashiCorp registry. That means that nobody uses the fully qualified name of a module/provider. For example:

Since I use the fully qualified name with registry.terraform.io, the provider will be downloaded from HashiCorp’s registry, which is forbidden according to their license.

• Here is the tofu init command output:
  
  

Conclusion: Should I Migrate or Not?

Deciding whether to shift from Terraform to OpenTofu depends on several factors. I think that the most important one is: are you willing to use a source-available project with only a single commercial product out there you can buy (Terraform Cloud/Enterprise)? What are the implications of not being able to choose from different Terraform Operations platforms?

Other factors include:

• What if tomorrow the license changes again?
• What if tomorrow HashiCorp is going to release a product that competes with mine?

At the end of the day, as a technical manager, you need to make decisions. Choosing the IaC tool for your organization is probably a decision with an impact on the next few years. On one hand, HashiCorp is a public, experienced company with a proven track record of building Terraform, and on the other hand, are you willing to commit to a project with a single commercial product? That’s a question each manager will have to answer on his own.