flux-iac · alexandermarston · Jan 15, 2026 · Dec 12, 2025 · Dec 12, 2025 · Dec 12, 2025
diff --git a/.github/workflows/build-and-publish.yaml b/.github/workflows/build-and-publish.yaml
@@ -25,13 +25,13 @@ jobs:
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: go.mod
-      - name: Setup Terraform
+      - name: Setup OpenTofu
         run: |
-          export TF_VERSION=1.3.9
-          wget https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip
-          unzip -q terraform_${TF_VERSION}_linux_amd64.zip
-          mv terraform /usr/local/bin
-          terraform --version
+          export TOFU_VERSION=1.11.3
+          wget https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_linux_amd64.zip
+          unzip -q tofu_${TOFU_VERSION}_linux_amd64.zip tofu
+          mv tofu /usr/local/bin
+          tofu --version
       - name: Set up yq
         uses: frenck/action-setup-yq@c4b5be8b4a215c536a41d436757d9feb92836d4f # v1.0.2
         with:

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -105,11 +105,11 @@ jobs:
 
           kubectl -n tofu-system rollout status deploy/source-controller --timeout=1m
           kubectl -n tofu-system rollout status deploy/tofu-controller --timeout=1m
-      - name: Get terraform version
+      - name: Get OpenTofu version
         run: |
-          # Terraform binary will be moved from the ToFu-controller image to TF-runner, so we check TF's version there
+          # OpenTofu binary will be moved from the ToFu-controller image to TF-runner, so we check OpenTofu's version there
           VERSION="e2e-${GITHUB_SHA::8}"
-          docker run --rm --entrypoint=/usr/local/bin/terraform test/tf-runner:$VERSION version
+          docker run --rm --entrypoint=/usr/local/bin/tofu test/tf-runner:$VERSION version
       - name: Add git repository source
         run: |
           kubectl -n tofu-system apply -f ./config/testdata/source

diff --git a/.github/workflows/targeted-test.yaml b/.github/workflows/targeted-test.yaml
@@ -21,13 +21,13 @@ jobs:
           cache-dependency-path: |
             **/go.sum
             **/go.mod
-      - name: Setup Terraform
+      - name: Setup OpenTofu
         run: |
-          export TF_VERSION=1.3.9
-          wget https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip
-          unzip -q terraform_${TF_VERSION}_linux_amd64.zip
-          mv terraform /usr/local/bin
-          terraform --version
+          export TOFU_VERSION=1.11.3
+          wget https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_linux_amd64.zip
+          unzip -q tofu_${TOFU_VERSION}_linux_amd64.zip tofu
+          mv tofu /usr/local/bin
+          tofu --version
       - name: Setup Kustomize
         if: "!github.event.pull_request.head.repo.fork"
         uses: fluxcd/pkg/actions/kustomize@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -66,13 +66,13 @@ jobs:
           cache-dependency-path: |
             **/go.sum
             **/go.mod
-      - name: Setup Terraform
+      - name: Setup OpenTofu
         run: |
-          export TF_VERSION=1.3.9
-          wget https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip
-          unzip -q terraform_${TF_VERSION}_linux_amd64.zip
-          mv terraform /usr/local/bin
-          terraform --version
+          export TOFU_VERSION=1.11.3
+          wget https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_linux_amd64.zip
+          unzip -q tofu_${TOFU_VERSION}_linux_amd64.zip tofu
+          mv tofu /usr/local/bin
+          tofu --version
       - name: Setup Kustomize
         if: "!github.event.pull_request.head.repo.fork"
         uses: fluxcd/pkg/actions/kustomize@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main
@@ -93,13 +93,13 @@ jobs:
           cache-dependency-path: |
             **/go.sum
             **/go.mod
-      - name: Setup Terraform
+      - name: Setup OpenTofu
         run: |
-          export TF_VERSION=1.3.9
-          wget https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip
-          unzip -q terraform_${TF_VERSION}_linux_amd64.zip
-          mv terraform /usr/local/bin
-          terraform --version
+          export TOFU_VERSION=1.11.3
+          wget https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_linux_amd64.zip
+          unzip -q tofu_${TOFU_VERSION}_linux_amd64.zip tofu
+          mv tofu /usr/local/bin
+          tofu --version
       - name: Setup Kustomize
         if: "!github.event.pull_request.head.repo.fork"
         uses: fluxcd/pkg/actions/kustomize@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main

diff --git a/Makefile b/Makefile
@@ -30,7 +30,7 @@ SHELL = /usr/bin/env bash -o pipefail
 # Allows for defining additional Docker buildx arguments, e.g. '--push'.
 BUILD_ARGS ?=
 
-# Set architecture for the binaries we build as well as the terraform binary that get bundled in the images
+# Set architecture for the binaries we build as well as the tofu binary that get bundled in the images
 TARGETARCH ?= amd64
 
 .PHONY: all
@@ -114,7 +114,7 @@ test-internal: manifests generate download-crd-deps fmt vet envtest api-docs ##
 
 .PHONY: gen-grpc
 gen-grpc: protoc protoc-gen-go protoc-gen-go-grpc
-	env PATH=$(shell pwd)/bin:$$PATH $(PROJECT_DIR)/bin/protoc --go_out=. --go_opt=Mrunner/runner.proto=runner/ --go-grpc_out=. --go-grpc_opt=Mrunner/runner.proto=runner/ runner/runner.proto
+	env PATH="$(shell pwd)/bin:$$PATH" $(PROJECT_DIR)/bin/protoc --go_out=. --go_opt=Mrunner/runner.proto=runner/ --go-grpc_out=. --go-grpc_opt=Mrunner/runner.proto=runner/ runner/runner.proto
 
 ##@ Build
 
@@ -225,14 +225,25 @@ kustomize: ## Download kustomize locally if necessary.
 	$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/[email protected])
 
 PROTOC = $(PROJECT_DIR)/protoc
-PROTOC_V ?= 31.1
+PROTOC_V ?= 33.4
+PROTOC_URL := https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_V}/protoc-${PROTOC_V}
 .PHONY: protoc
 protoc: ## Download protoc locally if necessary.
 	# download and unzip protoc
 	mkdir -p $(PROJECT_DIR)
-	curl -qLO https://github.com/protocolbuffers/protobuf/releases/download/v$(PROTOC_V)/protoc-$(PROTOC_V)-linux-x86_64.zip
-	unzip -q -o protoc-$(PROTOC_V)-linux-x86_64.zip bin/protoc -d $(PROJECT_DIR)
-	rm protoc-$(PROTOC_V)-linux-x86_64.zip
+	if [ "$(shell uname)" == "Darwin" ]; then \
+		curl -qLO ${PROTOC_URL}-osx-x86_64.zip ;\
+		unzip -q -o protoc-${PROTOC_V}-osx-x86_64.zip bin/protoc -d $(PROJECT_DIR) ;\
+		rm protoc-${PROTOC_V}-osx-x86_64.zip ;\
+	elif [ "$(shell uname -m)" == "aarch64" ]; then \
+		curl -qLO ${PROTOC_URL}-linux-aarch_64.zip ;\
+		unzip -q -o protoc-${PROTOC_V}-linux-aarch_64.zip bin/protoc -d $(PROJECT_DIR) ;\
+		rm protoc-${PROTOC_V}-linux-aarch_64.zip ;\
+	else \
+		curl -qLO ${PROTOC_URL}-linux-x86_64.zip ;\
+		unzip -q -o protoc-${PROTOC_V}-linux-x86_64.zip bin/protoc -d $(PROJECT_DIR) ;\
+		rm protoc-${PROTOC_V}-linux-x86_64.zip ;\
+	fi ;\
 
 # Find or download controller-gen
 PROTOC_GEN_GO = $(GOBIN)/protoc-gen-go

diff --git a/controllers/tc000031_plan_only_with_showplan_as_cm_no_outputs_test.go b/controllers/tc000031_plan_only_with_showplan_as_cm_no_outputs_test.go
@@ -185,7 +185,7 @@ func Test_000031_plan_only_with_showplan_as_cm_no_outputs_test(t *testing.T) {
 Changes to Outputs:
   + hello_world = "Hello, World!"
 
-You can apply this plan to save these new output values to the Terraform
+You can apply this plan to save these new output values to the OpenTofu
 state, without changing any real infrastructure.
 `,
 	}))

diff --git a/controllers/tc000074_varsfrom_accepts_many_secrets_with_last_supplied_key_precedence_test.go b/controllers/tc000074_varsfrom_accepts_many_secrets_with_last_supplied_key_precedence_test.go
@@ -67,8 +67,8 @@ func Test_000074_varsfrom_accepts_many_secrets_with_last_supplied_key_precedence
 	workDir, err := os.MkdirTemp("", terraformName+"*")
 	g.Expect(err).Should(BeNil())
 
-	By("looking up the path of the terraform binary")
-	execPath, err := exec.LookPath("terraform")
+	By("looking up the path of the opentofu binary")
+	execPath, err := exec.LookPath("tofu")
 	g.Expect(err).Should(BeNil())
 
 	By("creating a new TF resource with slice of ConfigMaps")

diff --git a/...llers/tc000082_varsfrom_accepts_many_configmaps_with_last_supplied_key_precedence_test.go b/...llers/tc000082_varsfrom_accepts_many_configmaps_with_last_supplied_key_precedence_test.go
@@ -67,8 +67,8 @@ func Test_000082_varsfrom_accepts_many_configmaps_with_last_supplied_precedence(
 	workDir, err := os.MkdirTemp("", terraformName+"*")
 	g.Expect(err).Should(BeNil())
 
-	By("looking up the path of the terraform binary")
-	execPath, err := exec.LookPath("terraform")
+	By("looking up the path of the opentofu binary")
+	execPath, err := exec.LookPath("tofu")
 	g.Expect(err).Should(BeNil())
 
 	By("creating a new TF resource with slice of ConfigMaps")

diff --git a/controllers/tc000150_manual_apply_should_report_and_loop_when_drift_detected_test.go b/controllers/tc000150_manual_apply_should_report_and_loop_when_drift_detected_test.go
@@ -278,7 +278,7 @@ func Test_000150_manual_apply_should_report_and_loop_when_drift_detected_test(t
 		"Type":    "Ready",
 		"Status":  string(metav1.ConditionFalse),
 		"Reason":  infrav1.DriftDetectedReason,
-		"Line[1]": "Terraform used the selected providers to generate the following execution",
+		"Line[1]": "OpenTofu used the selected providers to generate the following execution",
 	}))
 
 }
diff --git a/controllers/tc000260_runner_pod_test.go b/controllers/tc000260_runner_pod_test.go
@@ -474,7 +474,7 @@ func Test_000260_runner_pod_test_env_vars_proxy_output(t *testing.T) {
 						},
 						{
 							Name:  "NO_PROXY",
-							Value: "cluster.local,terraform.io,registry.terraform.io,releases.hashicorp.com",
+							Value: "cluster.local,terraform.io,registry.terraform.io,releases.hashicorp.com,registry.opentofu.org,github.com,release-assets.githubusercontent.com",
 						},
 					},
 				},
@@ -539,7 +539,7 @@ func Test_000260_runner_pod_test_env_vars_proxy_output(t *testing.T) {
 		"Namespace":         "flux-system",
 		"Value HTTPS_PROXY": "http://runner_pod_test_env_vars_proxy_output:1234",
 		"Value HTTP_PROXY":  "http://runner_pod_test_env_vars_proxy_output:1234",
-		"Value NO_PROXY":    "cluster.local,terraform.io,registry.terraform.io,releases.hashicorp.com",
+		"Value NO_PROXY":    "cluster.local,terraform.io,registry.terraform.io,releases.hashicorp.com,registry.opentofu.org,github.com,release-assets.githubusercontent.com",
 		"OwnerRef[0]":       string(createdHelloWorldTF.UID),
 	}
 	g.Eventually(func() (map[string]string, error) {

diff --git a/controllers/tf_controller_backend.go b/controllers/tf_controller_backend.go
@@ -179,19 +179,24 @@ terraform {
 		tfrcFilepath = processCliConfigReply.FilePath
 	}
 
+	// The priority is to use the Terraform binary first, and then fall back to OpenTofu
+	// The Terraform binary is not included in the latest runner images, so standard behaviour is to use OpenTofu
 	lookPathReply, err := runnerClient.LookPath(ctx,
 		&runner.LookPathRequest{
-			File: "terraform",
-		})
+			Files: []string{"terraform", "tofu"},
+		},
+	)
 	if err != nil {
-		err = fmt.Errorf("cannot find Terraform binary: %s in %s", err, os.Getenv("PATH"))
+		err = fmt.Errorf("cannot find any of the required binaries (terraform, tofu): %s", err)
+
 		return infrav1.TerraformNotReady(
 			terraform,
 			revision,
 			infrav1.TFExecNewFailedReason,
 			err.Error(),
 		), tfInstance, tmpDir, err
 	}
+
 	execPath := lookPathReply.ExecPath
 
 	log.Info("new terraform", "workingDir", workingDir)

diff --git a/docs/use-tf-controller/build-and-use-a-custom-runner-image.md b/docs/use-tf-controller/build-and-use-a-custom-runner-image.md
@@ -1,29 +1,28 @@
 # Build and Use a Custom Runner Image
 
-To build a custom runner image, you need a Dockerfile that extends the base image and that adds Terraform, plus any additional required tooling. The repository that contains the base images is [here](ghcr.io/flux-iac/tf-runner). All base image tags follow the following format: `${TF_CONTROLLER_VERSION}-base`.
+To build a custom runner image, you need a Dockerfile that extends the base image and that adds OpenTofu (plus any additional required tooling).
+
+The repository that contains the base images is [here](ghcr.io/flux-iac/tf-runner).
+
+All base image tags follow the following format: `${TF_CONTROLLER_VERSION}-base`.
 
 ## Prerequisites
 
 You need Docker and Git to build the image.
 
 ## Build the Image
 
-1. Create a `Dockerfile` that extends the base image and that adds Terraform, plus any additional required tooling. For example:
+1. Create a `Dockerfile` that extends the base image and that adds the OpenTofu binary, plus any additional required tooling. For example:
 
     ```Dockerfile
     ARG BASE_IMAGE
-    FROM $BASE_IMAGE
+    ARG TOFU_VERSION=1.11.3
 
-    ARG TARGETARCH
-    ARG TF_VERSION=1.5.7
+    FROM ghcr.io/opentofu/opentofu:${TOFU_VERSION}-minimal AS tofu
 
-    # Switch to root to have permissions for operations
-    USER root
+    FROM $BASE_IMAGE
 
-    ADD https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_${TARGETARCH}.zip /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip
-    RUN unzip -q /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip -d /usr/local/bin/ && \
-        rm /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip && \
-        chmod +x /usr/local/bin/terraform
+    COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu
 
     # Switch back to the non-root user after operations
     USER 65532:65532
@@ -34,14 +33,13 @@ You need Docker and Git to build the image.
 2. Build the image from the directory containing the `Dockerfile` you created above:
 
     ```bash
-    export TF_CONTROLLER_VERSION=v0.16.0-rc.3
-    export TF_VERSION=1.5.7
+    export TF_CONTROLLER_VERSION=v0.16.0-rc.7
+    export TOFU_VERSION=1.11.3
     export BASE_IMAGE=ghcr.io/flux-iac/tf-runner:${TF_CONTROLLER_VERSION}-base
-    export TARGETARCH=amd64
     export REMOTE_REPO=ghcr.io/my-org/custom-runnner
     docker build \
         --build-arg BASE_IMAGE=${BASE_IMAGE} \
-        --build-arg TARGETARCH=${TARGETARCH} \
+        --build-arg TOFU_VERSION=${TOFU_VERSION} \
         --tag my-custom-runner:${TF_CONTROLLER_VERSION} .
     docker tag my-custom-runner:${TF_CONTROLLER_VERSION} $REMOTE_REPO:${TF_CONTROLLER_VERSION}
     docker push $REMOTE_REPO:${TF_CONTROLLER_VERSION}

diff --git a/runner-azure.Dockerfile b/runner-azure.Dockerfile
@@ -1,24 +1,13 @@
 ARG BASE_IMAGE
+ARG TOFU_VERSION=1.11.3
 
 FROM mcr.microsoft.com/azure-cli:2.50.0 AS azcli
+FROM ghcr.io/opentofu/opentofu:${TOFU_VERSION}-minimal AS tofu
 
 FROM $BASE_IMAGE
 
-ARG TARGETARCH
-ARG TF_VERSION=1.3.9
-
-# Switch to root to have permissions for operations
-USER root
-
-ADD https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_${TARGETARCH}.zip /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip
-RUN unzip -q /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip -d /usr/local/bin/ && \
-    rm /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip && \
-    chmod +x /usr/local/bin/terraform
-
-# Copy az cli
 COPY --from=azcli /usr/local/bin/az /usr/local/bin/az 
+COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu
 
 # Switch back to the non-root user after operations
-USER 65532:65532
-
-ENV GNUPGHOME=/tmp
+USER 65532:65532
diff --git a/runner.Dockerfile b/runner.Dockerfile
@@ -1,16 +1,11 @@
 ARG BASE_IMAGE
-FROM $BASE_IMAGE
+ARG TOFU_VERSION=1.11.3
 
-ARG TARGETARCH
-ARG TF_VERSION=1.5.7
+FROM ghcr.io/opentofu/opentofu:${TOFU_VERSION}-minimal AS tofu
 
-# Switch to root to have permissions for operations
-USER root
+FROM $BASE_IMAGE
 
-ADD https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_${TARGETARCH}.zip /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip
-RUN unzip -q /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip -d /usr/local/bin/ && \
-    rm /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip && \
-    chmod +x /usr/local/bin/terraform
+COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu
 
 # Switch back to the non-root user after operations
-USER 65532:65532
+USER 65532:65532
diff --git a/runner.Dockerfile.dev b/runner.Dockerfile.dev
@@ -1,3 +1,7 @@
+ARG TARGETARCH
+ARG TOFU_VERSION=1.11.3
+FROM ghcr.io/opentofu/opentofu:${TOFU_VERSION}-minimal AS tofu
+
 FROM alpine:3.22 AS base
 
 LABEL org.opencontainers.image.source="https://github.com/flux-iac/tofu-controller"
@@ -25,19 +29,7 @@ ENTRYPOINT [ "/sbin/tini", "--", "tf-runner" ]
 
 FROM base
 
-ARG TARGETARCH
-ARG TF_VERSION=1.5.7
-
-# Switch to root to have permissions for operations
-USER root
-
-ADD https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_${TARGETARCH}.zip /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip
-RUN unzip -q /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip -d /usr/local/bin/ && \
-    rm /terraform_${TF_VERSION}_linux_${TARGETARCH}.zip && \
-    chmod +x /usr/local/bin/terraform
-
-# Switch back to the non-root user after operations
-USER 65532:65532
+COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu
 
 COPY bin/tf-runner /usr/local/bin/