OpenTofu 1.10.0-beta1
⚠️ Do not use this release for production workloads! ⚠️
We're pleased to announce the first beta release of OpenTofu 1.10.0! Thanks to your valuable feedback on our alpha releases, we've refined the features and fixed numerous bugs to bring you this more stable beta version.
Highlights
This release cycle introduces major new capabilities and integrations:
OCI Registry Support
Full integration with OCI registries for both provider and module distribution, valuable for organizations with private infrastructure-as-code components, air-gapped environments, or enhanced security requirements.
# Configure OCI registry mirrors in your CLI configuration:
provider_installation {
  oci_mirror {
    repository_template = "example.com/opentofu-providers/${namespace}/${type}"
    include = ["registry.opentofu.org/*/*"]
  }
}

# Use OCI modules directly in your configuration:
module "vpc" {
  source = "oci://example.com/modules/vpc/aws"
}
Native S3 Locking
Simplify your infrastructure by using S3's conditional writes capability for state locking, eliminating the need for a separate DynamoDB table.
terraform {
  backend "s3" {
    bucket = "tofu-state-backend"
    key = "statefile"
    region = "us-east-1"
    use_lockfile = true # Enable native S3 locking
  }
}
OpenTelemetry Tracing
Gain insights into OpenTofu operations with experimental OpenTelemetry tracing, completely local and under your control.
# Launch a tracing backend like Jaeger
docker run -d --name jaeger \
  -p 16686:16686 -p 4317:4317 \
  jaegertracing/jaeger:2.5.0

# Configure OpenTofu to use OpenTelemetry
export OTEL_TRACES_EXPORTER=otlp
export OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
export OTEL_EXPORTER_OTLP_INSECURE=true

# Run your operations and view traces at http://localhost:16686
tofu init
Resource Management with Target Files
Manage complex deployments more easily with the new -target-file and -exclude-file options, allowing version-controlled resource targeting patterns.
# Create a targets.txt file
# Critical infrastructure components
module.networking.aws_vpc.main
module.networking.aws_subnet.public[*]
# Apply only those resources
tofu apply -target-file=targets.txt
# Similarly, create an excludes.txt file to skip certain resources
tofu plan -exclude-file=excludes.txt
What's New in 1.10.0-beta1
OCI Registry Enhancements
- Added support for OCI registries that don't report artifactType on layers
- Improved e2e test verification for provider installation from OCI mirrors
- Enhanced documentation for OCI registry-based provider mirrors
- Fixed issues with OCI providers in air-gapped environments
Global Provider Cache Lock Improvements
The shared provider cache (set via the TF_PLUGIN_CACHE_DIR environment variable) now includes filesystem-level locking, making it safe to use with concurrent OpenTofu operations. This is particularly valuable for:
- CI/CD systems that run multiple tofu init operations in parallel
- Orchestration tools that manage multiple OpenTofu pipelines simultaneously
- Large-scale Terragrunt setups with many projects
Bug Fixes and Quality-of-Life Improvements
- Better error messages when using null in invalid positions in the transpose function
- Fixed loading of encryption key providers to better support terraform_remote_state
- Fixed handling of complex variable default values with incorrect types
- Fixed module downloads from GitHub branches containing slashes in the name
- Improved generation of OpenTofu configuration from import blocks with nested attributes
- Added warning when provider references are missing required_providers entries
- Fixed an issue where syntax errors in required_providers blocks could cause panics
- Improved the PostgreSQL backend to prevent state corruption with parallel runs
Other Major Features in 1.10.0
External Key Providers for State Encryption
Configure external commands to retrieve encryption keys, enabling flexible state encryption with your preferred tools:
terraform {
  encryption {
    key_provider "external" "password_manager" {
      command = ["./state_encryption_key.sh", "some_parameter"]
    }
  }
}

# You can also chain key providers together:
terraform {
  encryption {
    key_provider "external" "password_manager" {
      command = ["./get_password.sh", "some_parameter"]
    }
    key_provider "pbkdf2" "passphrase" {
      chain = key_provider.external.password_manager
    }
  }
}
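One possible shape for the get_password.sh script in the chained configuration above, as an added example that is not part of the release notes or OpenTofu's own code: it fails closed when the secret is missing, then speaks the external key provider protocol on stdout and stdin. The TOFU_STATE_PASSPHRASE variable, the 16-character minimum and the key_version metadata are assumptions made here; the JSON field names follow OpenTofu's external key provider documentation and should be checked against the version you run.

```shell
#!/bin/sh
# Added example: a hypothetical get_password.sh for key_provider "external".
# Assumptions (not from the release notes): the secret is injected as
# TOFU_STATE_PASSPHRASE by the CI secret store or a password-manager wrapper,
# and the JSON shapes follow OpenTofu's external key provider documentation.

emit_keys() {
    secret="${TOFU_STATE_PASSPHRASE:-}"
    # Fail closed before speaking the protocol: no key, no output.
    if [ "${#secret}" -lt 16 ]; then
        echo "get_password.sh: secret missing or shorter than 16 characters" >&2
        return 1
    fi

    # 1. Header: a single line on stdout identifying a valid key provider.
    printf '%s\n' '{"magic":"OpenTofu-External-Key-Provider","version":1}'

    # 2. OpenTofu writes the stored metadata (or "null" when only an
    #    encryption key is needed) to stdin and closes it.
    input=$(tr -d '[:space:]')

    # printf is a shell builtin, so the secret never appears in argv.
    key_b64=$(printf '%s' "$secret" | base64 | tr -d '\n')

    # 3. Emit the keys. A decryption key is returned only when metadata from
    #    an earlier encryption run was supplied.
    dec=''
    if [ "$input" != "null" ] && [ -n "$input" ]; then
        dec=",\"decryption_key\":\"$key_b64\""
    fi
    printf '{"keys":{"encryption_key":"%s"%s},"meta":{"external_data":{"key_version":"1"}}}\n' \
        "$key_b64" "$dec"
}

# Run only when invoked under the script name used in the configuration above.
case "$0" in
    *get_password.sh) emit_keys || exit 1 ;;
esac
```

Keeping the secret in an environment variable supplied at run time means it is never committed alongside the configuration, and the error path writes only a fixed message to stderr.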
Enhanced PostgreSQL Backend
The PostgreSQL backend now supports custom table and index names for multi-project state management:
terraform {
  backend "pg" {
    conn_str = "postgres://user:pass@db.example.com/database"
    schema_name = "opentofu"
    table_name = "project_a_state"
    index_name = "project_a_index"
  }
}
Resource Type Migration
The moved block now supports migration between different resource types:
moved {
  from = gpg_key.this
  to = gpg_key_pair.this
}
Fine-Grained Resource Removal
The removed block now supports lifecycle and provisioner configurations:
removed {
  from = aws_instance.legacy_server
  lifecycle {
    destroy = true # Destroys the resource (default is false which just forgets it)
  }
  provisioner "local-exec" {
    when = destroy
    command = "echo 'Cleaning up before destroying resource'"
  }
}
Support for marking variables and outputs as deprecated
Module authors can now mark variables and outputs as deprecated, which raises a warning for users of the module.
Warning
This feature is considered experimental and the final UX may change in the future.
variable "input" {
  type = string
  default = "input value"
  deprecated = "This variable is deprecated. This will be removed entirely in a future version of the module."
}

output "out" {
  value = "out value"
  deprecated = "This output is deprecated and will be removed in a future version"
}
Compatibility Notes
- Linux: Requires kernel version 3.2 or later
- macOS: Requires macOS 11 Big Sur or later
- The ghcr.io/opentofu/opentofu image is no longer supported as a base image
- Windows: Symbolic links and junctions are now handled differently
- The PostgreSQL backend in OpenTofu 1.10 should not be used alongside older versions
Reference
Thank you for your continued support and testing of the OpenTofu project!