OpenTofu has been making significant strides in the Infrastructure-as-Code (IaC) landscape, now more than a year into its journey. With a rapidly growing user base and increasing adoption, OpenTofu has established itself as the leading open-source alternative to Terraform. The community has played a crucial role in its momentum, driving feature releases and shaping the project’s evolution.
As we approach KubeCon, and unbelievably our third OpenTofu Day, we’d love to share some of the features that have positioned OpenTofu beyond a mere Terraform competitor as a truly viable alternative. This enthusiasm isn’t abstract—users are already sharing how OpenTofu’s improvements are solving real-world challenges. For example, a recent LinkedIn post highlighted how the introduction of the.tofu extension has been a game-changer in managing module compatibility.
Below we’ll dive into some of the features exclusive to OpenTofu that all IaC enthusiasts should know about. You also won’t want to miss the talk on this topic at OpenTofu Day in London.
.tofu File Extension – A Safe Testing Ground
One of the most practical additions is the .tofu file extension, which enables users to test OpenTofu-specific features without fully committing to migration. Previously, testing new capabilities meant either fully transitioning a project or maintaining separate configurations, both of which created unnecessary complexity. With the addition of .tofu file extension support, OpenTofu provides a sandbox-like approach where users can experiment with features without Terraform recognizing the file, making it easier to explore advanced functionality before making long-term decisions.
Beyond individual adoption, .tofu files also provide a significant advantage for module authors. They enable the creation of modules that are agnostic to whether they are being used with Terraform or OpenTofu. By defining different version constraints or selectively enabling OpenTofu-specific functionality within .tofu files, module authors can offer broader compatibility while taking advantage of OpenTofu’s unique features when available. This ensures that modules can be maintained for both tools without requiring entirely separate codebases, reducing maintenance overhead and providing flexibility for users running either tool.
This flexibility has already proven valuable to module developers like the team at Masterpoint. They needed a way to specify a different required_version value for OpenTofu and Terraform users without disrupting compatibility. The .tofu extension allowed them to define a separate versions.tofu file specifically for OpenTofu while keeping versions.tf untouched for Terraform users. Instead of forcing an unnecessary version bump across their user base, they could apply OpenTofu-specific functionality only where needed, ensuring a seamless experience across different IaC ecosystems. This is just one use case that makes this feature highly useful for multi-framework environments.
State Encryption – Enhanced Security for Your Configurations
State encryption in OpenTofu provides built-in security for infrastructure state files, addressing concerns about storing sensitive configuration details such as credentials, secrets, and infrastructure metadata. While Terraform requires external solutions like encrypted backend storage to secure state files, OpenTofu integrates encryption directly into its state management, giving users an out-of-the-box way to protect their infrastructure data.
This feature is particularly useful for organizations that need to store state files securely but may not be using an encrypted backend like AWS S3 with KMS, HashiCorp Vault, or Google Cloud Storage. By encrypting state at rest, OpenTofu ensures that even if state files are accessed unintentionally or stored in an insecure location, their contents remain protected. This provides an added layer of security for teams operating in regulated industries, handling multi-cloud environments, or managing infrastructure across multiple accounts where consistent encryption policies are critical.
Early Evaluation – Dynamic Configuration without Hardcoding
Another recently released feature and significant enhancement is early evaluation, which solves a longstanding Terraform limitation. In Terraform, certain parts of a configuration—such as backend settings—must be hardcoded, preventing the use of variables or locals for dynamic configuration. This lack of flexibility often required workarounds that added unnecessary complexity.
OpenTofu now allows variables and locals to be used in configurations that need to be determined at init time. These previously had to be hardcoded because Terraform required these values to be known before plan or apply could run. This meant users had to manage separate configurations or rely on external tools to inject values dynamically, adding unnecessary complexity to automation workflows.
While Terraform provided the -backend-config flag as an alternative, it required explicitly selecting a backend at runtime, making it necessary to enforce backend choices within pipeline execution. Choosing the wrong backend could result in an error, adding operational risk and requiring additional safeguards. With OpenTofu’s early evaluation, these backend configurations can now be defined using variables, removing the need for pipeline-level configuration management in many cases.
Similarly, module sources can now reference variables for versioning, eliminating the need to manually update every module instance when making changes. This improvement reduces duplication, enables cleaner automation, and removes brittle workarounds, making OpenTofu more flexible and easier to maintain than Terraform in scenarios that require dynamic configuration.
This is particularly beneficial in multi-environment setups where infrastructure settings need to be adjusted dynamically without requiring entirely separate configurations. By eliminating this constraint, OpenTofu allows for cleaner, more reusable configurations, making automation pipelines and IaC workflows significantly more efficient.
Exclude Flag – A Long-Awaited Game Changer
The introduction of the exclude flag addresses one of the most common frustrations Terraform users have faced for years. Terraform has historically forced users to apply an entire plan, even when they only needed to update specific resources. Workarounds existed, but they were cumbersome, requiring users to manage complex dependency graphs manually. OpenTofu’s exclude flag allows users to apply only the resources they need—along with their dependencies—without affecting the entire stack.
Terraform did introduce the widely used -target flag, which allows users to specify particular resources to include in a plan or apply. However, this approach required explicitly listing every resource that should be included, which quickly became impractical for large configurations. Users often wanted a more convenient way to exclude a specific resource or set of resources rather than having to explicitly specify everything else they wanted to apply. OpenTofu’s exclude flag solves this by allowing users to omit specific resources from a deployment, providing a much cleaner and more intuitive workflow.
This is particularly useful in scenarios where an issue with a specific service requires temporarily skipping its deployment while continuing to apply changes elsewhere. For example, if a resource has drifted and requires investigation, users can exclude it from an immediate update without blocking the rest of the infrastructure changes. Similarly, if a service is experiencing a known problem and needs to be handled separately, the exclude flag makes it easy to move forward with other deployments while delaying changes to that specific resource.
This feature has been widely requested and was the most upvoted feature request in Terraform, all of which were rejected. OpenTofu finally delivers this capability, making it easier to isolate changes and reduce unnecessary deployments. It is especially useful for teams managing large infrastructures where applying changes to an entire stack can be costly, risky, or time-consuming.
Provider Iterations – Simplifying Multi-Region Deployments
Provider iterations introduce a major improvement for teams managing multi-region cloud deployments. In Terraform, achieving this required duplicating configurations across workspaces or maintaining separate pipelines, adding operational overhead. OpenTofu eliminates this complexity by enabling dynamic provider instances and assignments, allowing users to define a provider once and iterate over multiple regions without duplicating configuration files.
This dramatically simplifies scaling infrastructure across cloud environments like AWS, GCP, and Azure, making multi-region deployments significantly more efficient. Instead of maintaining separate pipelines for each region, teams can now define and deploy infrastructure dynamically, reducing operational overhead and improving overall scalability.
Community Excitement and the Road Ahead
As KubeCon approaches, excitement continues to grow within the OpenTofu community, with improvements that directly address long-standing IaC limitations, making OpenTofu an increasingly attractive choice for organizations looking to modernize their IaC workflows. Looking ahead, OpenTofu’s 1.10 Milestone includes further advancements like allowing the creation of provider and module registries with OCI, as well as dynamic configuration and performance optimizations. With OpenTofu Day at KubeCon on the horizon, there’s much more to look forward to.
OpenTofu is no longer just an alternative—it’s setting a new standard for open-source Infrastructure-as-Code. Its rapid iteration and responsiveness to community feedback ensure that it continues to evolve based on real-world needs.
KubeCon + CloudNativeCon EU 2025 is coming to London from April 1-4, bringing together cloud-native professionals, developers, and industry leaders for an exciting week of innovation, collaboration, and learning. Don’t miss your chance to be part of the premier conference for Kubernetes and cloud-native technologies. Secure your spot today by registering now! Learn more and register here.
