It's Time to Switch to OpenTofu

26 comments

·January 22, 2025

adamgordonbell

Or use code instead of HCL.

I joined Pulumi because I believe that using the abstraction and tooling that a proper language allows is the way to go, but anything that's not config: CDK, Bicep, TF CDK, etc – is to me a step in the right direction.

It's not that HCL is bad, and I get that it's dominant. It's just the same complaint I have with yaml and yaml templating: You will want something more than a config file at some point. Start today.

quchen

I’ve come to appreciate power-limited DSLs. The problem is, they are very tricky to design: too simple and users will start templating, or even worse: programming in them (e.g. Yaml+Sh); too powerful and you’ve got yourself another full programming language (e.g. Dhall). I found HCL, although frequently complaining its type system is clearly designed by Go people, to be pretty close to the sweet spot. For each if-loop and other horrid workarounds I’ve had to write, someone else did not write a tower of abstractions that when interpreted, yielded the right result. Maintenance is usually an architectural task, rather than computer science. There are no frameworks to learn, there is no flashy new package manager attached, there is no need to deal with Python package management and such. And, since it’s usually good enough, the effort to add this is disproportionately large, so that nobody does it.

Coming from my Haskell background, I’ll say it like Gabriella Gonzalez once put it [1]: _worst practices should be hard_, and this is where and why I think Terraform/Tofu shine and succeeded.

[1]: https://www.haskellforall.com/2016/04/worst-practices-should...

steveBK123

Had a guy invent a DSL for his Greenfield project as an abstraction layer on top of Python. Within a few months he was asking people to write scripts to programmatically generate the DSL.

So now you have DSL-generating script & DSL to version control.

The use case of "people who are computer literate enough to operate within a DSL but not literate enough to program code" is always smaller than people think. And probably not who you want to hire.

taeric

What is HCL?

Comparing to yaml and such, I'm assuming it is using a templating tool that presents a "not programming" front? If so, I think I'm 100% in agreement.

It is complicated, I think, because declarative is nice. But the idea that you have to forego all execution to get declarative code is frustrating, in the extreme.

onei

HCL is Hashicorp Configuration Language: https://github.com/hashicorp/hcl.

It's basically a DSL used by a bunch of Hashicorp products.

It's sort of a programming language. Someone I worked with implemented 1 or 2 advent of code exercises with it a couple of years ago, but it's far from a general purpose language.

swiftcoder

> What is HCL?

It's that weird declarative language used in terraform configuration files

nikolay

Pulumi is not free. You can still use Code with Terraform/OpenTofu using CDKTF [0]!

[0]: https://developer.hashicorp.com/terraform/cdktf

the_rara_avis

Pulumi is free: "Pulumi is true open source, uses the Apache 2.0 license, and does not and never will depend on BSL-licensed software in any way, HashiCorp owned or otherwise." (https://www.pulumi.com/blog/pulumi-hearts-opensource/)

Pulumi Cloud (the SaaS offering) is (mostly) not free. There is a free tier for individuals/companies with minimal needs.

You may happily use Pulumi and manage your own state files, for free, and open source.

nikolay

I have yet to read/hear about somebody self-hosting Pulumi. It lacks the huge Terraform ecosystem and without the paid cloud offering, it's pretty rudimentary.

deweller

I found https://sst.dev/ to be a developer friendly experience. It is built on top of Pulumi.

I just pay the AWS costs under my own account and nothing else.

nikolay

This is great. Sorry, I've almost forgotten about it. Thanks!

jmarcher

It is possible to self-host it on GCS, S3, etc. We used to pay for their cloud offering, but using GCS as a backend was much more performant than using their backend and extremely cheap (a few cents to dollars per month).

nikolay

I've had a disastrous experience with Pulumi several months ago trying to set up some basic Azure setup - it wasn't anything like Terraform, so, I switched to CDKTF for that, and it was nice except that I first attempted using Go, but, ideally, it went with TypeScript as it was significantly more ergonomic.

janalsncm

Yeah this was one of the things about terraform that I never liked. After spending all day writing my imperative code, I’m going to write some declarative JSON to deploy it? Why?

There’s a good discussion here: https://news.ycombinator.com/item?id=42663231

zgoldberg

OpenTofu is now more secure (state encryption), maintainable (early variable evaluation), and powerful (provider iteration) than Terraform. This is the advantage of being truly open source, foundation-managed, and community-driven.

Now is a good time to make the switch!

nikolay

OpenTofu with v1.9 [0] has for_each for providers, something that HashiCorp blocked me on their GitHub, because I kept insisting for them to implement it and they kept giving excuses! One of my points there they didn't like is that instead of improving Terraform and Terraform Cloud so that it can AT LEAST run their own CDKTF, they invested time in GUI development and other useless stuff.

They also implemented the proprietary Terraform Stacks, which only work in their overpriced product now rebranded to the ridiculous HCP Terraform!

So, kudos to OpenTofu, not only is it free and fast-moving, but it now has unique features, which we were begging HashiCorp for during the years and they neglected even requests from paying customers!

Another unique OpenTofu feature is that you can use variables in places you couldn't with Terraform, for example, in the backend config. Of course, HashiCorp didn't care about that, because you don't need that if you use their paid product!

I totally understand that HashiCorp needs to make money, but they switched to BUSL, because their competitors such as Spacelift, Scalr, env0, and others were offering better and sometimes cheaper offerings. Yeah, "sometimes", because some of them came out to be more expensive than even HCP Terraform, unfortunately.

The switch to "terraforming under influence (of RUM)" that HashiCorp made is a sign of disoriented greed! Basically, it pushes you NOT to use Terraform. For example, I terraformed GitHub repos. So, after their switch of pricing model, I had to pay for every GitHub repository label, for thousands and thousands of niceties, which with the RUM (Resource Under Management) meant every label cost us money, which easily accumulated to tens of thousands of dollars!

[0]: https://github.com/opentofu/opentofu/releases/tag/v1.9.0

cube2222

Just to include this in the discussion, here's some major features that have been added over the last year (but there's a huge amount of small ones too):

- End-to-End State Encryption - lets you encrypt your state-file end-to-end, either with a key management system like AWS KMS, or static keys.

- Early Evaluation - the ability to parameterize initialization-time values, like module versions and sources, backend configuration parameters, etc. and keep them DRY.

- Provider Iteration - lets you use for_each with providers, e.g. create one provider per region, something that currently requires a bunch of copy-paste, or tools like Terragrunt

- -exclude flag - the opposite of the -target flag, letting you skip planning/applying certain resources.

Probably the best way to see a summary is to check out the release blog posts for 1.7[0], 1.8[1], and 1.9[2], as well as TFA itself. If you'd like to learn more, I recommend taking a look at the related docs, too.

[0]: https://opentofu.org/blog/opentofu-1-7-0/

[1]: https://opentofu.org/blog/opentofu-1-8-0/

[2]: https://opentofu.org/blog/opentofu-1-9-0/

Disclaimer: involved in opentofu
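
An added example, not part of the comment above and not the OpenTofu project's own configuration: a state encryption block of the kind the first bullet describes, here with an AWS KMS key provider. The KMS key ID, the region and the block labels (`state_key`, `state_method`) are placeholders chosen for illustration.

```hcl
terraform {
  encryption {
    # Key provider: encryption keys are obtained through AWS KMS.
    # kms_key_id and region are placeholders, not real values.
    key_provider "aws_kms" "state_key" {
      kms_key_id = "REPLACE-WITH-KMS-KEY-ID"
      region     = "us-east-1"
      key_spec   = "AES_256"
    }

    # Encryption method that consumes the key from the provider above.
    method "aes_gcm" "state_method" {
      keys = key_provider.aws_kms.state_key
    }

    # Encrypt the state file before it is handed to the backend.
    state {
      method   = method.aes_gcm.state_method
      enforced = true # do not allow unencrypted state
    }

    # Saved plan files carry the same sensitive values as state,
    # so they get the same treatment.
    plan {
      method   = method.aes_gcm.state_method
      enforced = true
    }
  }
}
```

With this in place the backend only stores ciphertext, so reading state requires permission to use the KMS key in addition to access to the backend itself.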

l2dy

I've been waiting for https://github.com/opentofu/registry/pull/824 ("Revert commit that removed Russian providers") to be resolved, but it seems to have stalled.

Open source does not work as I envisioned, I guess.

theflyinghorse

"Code is cheap, show me your nationality" approach to opensource is an absolute disgrace to the world. Surely sharing knowledge and volunteer work in software is one place where nationality and politics should have no place

dgroshev

That's not about nationality though. That PR is about (re)enabling OpenTofu to work more smoothly with Russian SaaSes, which are either already sanctioned or are likely to be sanctioned.

Everything is political, being "apolitical" is a political choice. You can't escape politics.

iksn

Naming Spacelift, Env0, Scalr etc as supporters without mentioning they had no other choice than to move away from Terraform feels like it's missing some context. I would assume they could've licensed it from HashiCorp but for a huge sum.

thayne

> I would assume they could've licensed it from HashiCorp but for a huge sum.

Maybe. Maybe not. Maybe hashicorp would have agreed to sell a license to them with terms that allowed their usage of terraform in their products. But it is also quite likely that they would have refused to grant such a license to their competitors.

sausagefeet

It's also not a great idea to place one's future at the whim of a competitor. Maybe they get a good license deal today and next year it's 100x. No sane business would do this.

theflyinghorse

I haven't heard of OpenTofu till today. Will give it a shot.
