OpenTofu vs Terraform: Open Source IaC in 2026
TL;DR
In August 2023, HashiCorp changed Terraform's license from MPL (open source) to BSL 1.1 (Business Source License — not open source). OpenTofu was forked from Terraform under the Linux Foundation with the original MPL 2.0 license and has been independently maintained since. For most teams: use OpenTofu. It's a drop-in replacement, still uses HCL, reads Terraform configs without changes, and has added features Terraform hasn't shipped. Terraform makes sense only if you're already paying for Terraform Cloud/Enterprise.
Key Takeaways
- HashiCorp BSL change (Aug 2023): Terraform is no longer open source — BSL restricts competing commercial use
- OpenTofu: MPL 2.0 (truly open source), Linux Foundation project, ~25K GitHub stars, drop-in Terraform replacement
- Migration:
terraform init→tofu init— for most projects, that's the entire migration - OpenTofu ahead on features: state encryption, provider mocking in tests, removed license nag
- IBM acquired HashiCorp (2024) — Terraform's future is corporate-driven; OpenTofu's roadmap is community-driven
- Terraform still works: If you're on Terraform and not hitting BSL restrictions, no urgent reason to migrate
What Happened to Terraform?
Terraform was open source (MPL 2.0) from 2014 to 2023. Then:
- August 10, 2023: HashiCorp announced Terraform, Vault, Consul, and other products would switch to the Business Source License (BSL) 1.1
- BSL 1.1 is not open source: It restricts use by "competitive offerings" — anyone building a product that competes with HashiCorp's paid products needs a commercial license
- September 2023: The OpenTofu community formed, forked the last MPL-licensed Terraform (1.5.x), and donated it to the Linux Foundation
- January 2024: OpenTofu 1.6.0 released — the first stable GA release of the fork
- April 2024: IBM acquired HashiCorp for $6.4B — Terraform is now an IBM product
This follows a familiar pattern: MongoDB, Elastic, Redis, and now HashiCorp have all switched away from open source to protect commercial revenue. In each case, the community forked the last open source version.
Comparison Overview
| Feature | Terraform | OpenTofu |
|---|---|---|
| License | BSL 1.1 (not OSS) | MPL 2.0 (open source) |
| GitHub Stars | ~43K | ~25K |
| Latest Version | 1.10.x | 1.9.x |
| Configuration | HCL | HCL (identical) |
| Provider Registry | registry.terraform.io | registry.opentofu.org |
| Terraform Cloud | ✅ (paid) | N/A (use Spacelift, Env0) |
| State encryption | ❌ | ✅ (v1.7+) |
| Provider mocking (tests) | Limited | ✅ (v1.7+) |
| Backed by | IBM / HashiCorp | Linux Foundation |
| Community governance | Corporate | Open governance |
OpenTofu: The Open Source Fork
OpenTofu is governed by the Linux Foundation and maintained by a coalition of companies including Spacelift, env0, Gruntwork, and many others who rely on Terraform tooling.
Drop-In Replacement
OpenTofu is binary-compatible with Terraform configurations. For most projects, migration is one command:
# Install OpenTofu (Linux):
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh | sh
# macOS:
brew install opentofu
# Run (same syntax as Terraform):
tofu init
tofu plan
tofu apply
Existing .tf files, modules, and state files work without changes.
Provider Registry
OpenTofu maintains its own provider registry at registry.opentofu.org. All major providers are available (AWS, GCP, Azure, Kubernetes, etc.):
# Works identically in both Terraform and OpenTofu:
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
OpenTofu's registry is compatible with Terraform's provider format — the same provider binaries work with both.
Features OpenTofu Added First
State encryption (v1.7+):
# Encrypt Terraform state at rest — OpenTofu only:
terraform {
encryption {
key_provider "pbkdf2" "my_passphrase" {
passphrase = var.state_passphrase
}
method "aead_gcm_hcl" "my_method" {
keys = key_provider.pbkdf2.my_passphrase
}
state {
method = method.aead_gcm_hcl.my_method
}
}
}
This is a significant security improvement — Terraform state files contain secrets in plaintext.
Provider mocking in tests (v1.7+):
# Mock provider for testing without real credentials:
mock_provider "aws" {
mock_resource "aws_s3_bucket" {
defaults = {
id = "mock-bucket-id"
arn = "arn:aws:s3:::mock-bucket"
}
}
}
Previously, testing infrastructure code required real cloud credentials. OpenTofu's mocking enables pure unit testing.
Terraform: The Commercial Incumbent
Terraform (now from HashiCorp/IBM) remains the most widely used IaC tool. Its ~43K GitHub stars, massive module registry, and deep CI/CD integrations mean you'll find Terraform support everywhere.
When Terraform Still Makes Sense
- Terraform Cloud/Enterprise users: If you're paying for Terraform Cloud (remote state, collaboration, Sentinel policies), staying on Terraform makes sense — OpenTofu doesn't have an equivalent managed offering yet (though Spacelift and env0 fill this gap)
- Existing workflows: If everything is working and BSL doesn't affect your use case, there's no urgent reason to migrate
- Enterprise contracts: Companies with existing HashiCorp enterprise agreements should evaluate before switching
BSL Restrictions in Practice
The BSL 1.1 restriction covers building "a competitive service with the same functionality." For most users:
- Using Terraform to manage your own infrastructure: Fine under BSL, no restrictions
- Building a managed Terraform service: Requires a commercial license
- Internal tooling built on Terraform: Generally fine
The risk is more about future restrictions and the precedent — BSL is version 1.1, and future versions could change terms.
Migration Guide: Terraform → OpenTofu
For most projects, migration is straightforward:
Step 1: Install OpenTofu
# Linux:
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh | sh
# macOS:
brew install opentofu
# Verify:
tofu version
Step 2: Run the Migration Script
OpenTofu provides an official migration tool:
# In your Terraform project directory:
tofu init
OpenTofu reads your existing .terraform.lock.hcl and terraform.tfstate without any conversion.
Step 3: Update Any Terraform Registry References
If your code references registry.terraform.io explicitly (unusual), update to registry.opentofu.org:
# Before (explicit registry — most code doesn't have this):
source = "registry.terraform.io/hashicorp/aws"
# After (OpenTofu default):
source = "hashicorp/aws"
# (OpenTofu resolves this from registry.opentofu.org automatically)
Step 4: Update CI/CD
Replace terraform with tofu in your workflows:
# GitHub Actions — Before:
- name: Terraform Init
run: terraform init
# After:
- name: OpenTofu Init
uses: opentofu/setup-opentofu@v1
- run: tofu init
- run: tofu plan
- run: tofu apply -auto-approve
What Stays the Same
Everything:
.tffile syntax (HCL — identical)- Provider configurations
- Module sources
- State file format
terraform.tfvars/*.auto.tfvars- Backend configurations (S3, GCS, Azure Blob, etc.)
State Backend Examples (Both Work Identically)
# S3 backend — works for both Terraform and OpenTofu:
terraform {
backend "s3" {
bucket = "my-terraform-state"
key = "prod/terraform.tfstate"
region = "us-east-1"
# DynamoDB for state locking:
dynamodb_table = "terraform-state-lock"
encrypt = true
}
}
HCL Example: AWS Infrastructure
Identical syntax in both tools:
# main.tf
variable "environment" {
type = string
default = "production"
}
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
tags = {
Name = "${var.environment}-vpc"
Environment = var.environment
ManagedBy = "opentofu"
}
}
resource "aws_subnet" "public" {
count = 2
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)
availability_zone = data.aws_availability_zones.available.names[count.index]
tags = {
Name = "${var.environment}-public-${count.index + 1}"
}
}
output "vpc_id" {
value = aws_vpc.main.id
}
Decision Guide
Use OpenTofu if:
→ New project starting from scratch
→ You care about open source licensing
→ You want state encryption (v1.7+ feature)
→ You need provider mocking for testing
→ You're self-hosting everything (no Terraform Cloud dependency)
→ Your company has FOSS policies
Stay on Terraform if:
→ You're an active Terraform Cloud/Enterprise customer
→ Your organization has existing HashiCorp support contracts
→ Your BSL compliance lawyers say it's fine for your use case
→ You're migrating to Pulumi anyway (different ecosystem entirely)
Consider Pulumi if:
→ You prefer TypeScript/Python/Go over HCL
→ You want programmatic loops, conditionals, and abstractions
→ You're building complex IaC that benefits from a real programming language
Alternatives to Both
| Tool | Language | License | Best For |
|---|---|---|---|
| OpenTofu | HCL | MPL 2.0 | Terraform compatibility, open source |
| Pulumi | TS/Python/Go/C# | Apache 2.0 | Programmatic IaC, teams that prefer code |
| Ansible | YAML | GPL 3.0 | Configuration management, idempotent playbooks |
| CDK (AWS) | TS/Python | Apache 2.0 | AWS-native, generates CloudFormation |
| Crossplane | YAML/Go | Apache 2.0 | Kubernetes-native, GitOps workflows |
Methodology
- License information: HashiCorp BSL announcement (August 2023), OpenTofu charter (Linux Foundation, September 2023)
- GitHub stars: Verified March 2026 (opentofu/opentofu ~25K, hashicorp/terraform ~43K)
- Feature comparison: OpenTofu 1.7+ release notes, Terraform changelog
- IBM acquisition: HashiCorp press release (April 2024)
See all open source alternatives to HashiCorp products at OSSAlt.com/alternatives/terraform.