If you are cloud-native, you probably work with Terraform modules and providers. Since Terraform changed its license, some communities and companies have decided to keep the project open-source and create OpenTofu.
OpenTofu is a fork of Terraform created as an initiative by Gruntwork, Spacelift, Harness, Env0, Scalr, and others in response to HashiCorp’s switch from an open-source license to the BUSL. OpenTofu is open-source, community-driven, and managed by the Linux Foundation.
Users can use OpenTofu the same way they used Terraform. OpenTofu works with .tf files.
To add your new provider to the OpenTofu registry, creators should submit the provider and add the related Provider Signing Key to the OpenTofu registry. We have submitted Cisco-related OpenTofu providers and public keys to the registry.
OpenTofu providers available for use:
- Cisco Modeling Labs
- Meraki
- ACI
- MSO
- FMC/Secure Firewall
- ASA
- DCNM
- IOSXE
- SDWAN
- NXOS
- CDO
- IOSXR
- ISE
- Catalyst Center
- NSO
How the tofu init command works
- The tofu init command is used to initialize an OpenTofu working directory. When you run this command, several things happen:
Backend Initialization:
- OpenTofu configures the backend where the state will be stored.
Child Module Installation:
- If your configuration includes child modules, OpenTofu downloads and caches any modules referenced in the configuration.
Plugin Installation: OpenTofu downloads and installs the plugin(s) for any providers used in the configuration.
- OpenTofu first checks for providers in the following locations:
- User plugins directory (e.g.,
$XDG_DATA_HOME/opentofu/plugins
or~/.terraform.d/plugins/
on Linux) - Current working directory
- Provider installations directory
- User plugins directory (e.g.,
- OpenTofu downloads the required providers from the OpenTofu Registry or other specified sources if not found locally.
Verification: After downloading, OpenTofu verifies the integrity of the provider plugins.
PGP Public Key Verification
An expected output, without a valid PGP public key in the registry.
When OpenTofu downloads a provider plugin, it performs a series of checks to ensure the integrity and authenticity of the plugin. Here’s how the PGP public key verification works:
- Signature Download: OpenTofu downloads a detached signature file along with the provider binary.
- Public Key Retrieval: OpenTofu retrieves the provider’s public key. For community providers, the keys are typically downloaded from the registry.
- Signature Verification: OpenTofu uses the public key to verify the signature of the downloaded provider binary.
- Checksum Verification: OpenTofu also verifies the SHA256 checksum of the provider binary against the checksum provided by the registry.
An expected output, with a valid PGP public key added to the registry.