Skip to content

Migrate Tofu Controller to OpenTofu #1675

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
alexandermarston merged 16 commits into from
Jan 15, 2026
Merged

Migrate Tofu Controller to OpenTofu #1675

alexandermarston merged 16 commits into from
Jan 15, 2026

Conversation

@alexandermarston
Copy link
Collaborator

@alexandermarston alexandermarston commented Dec 12, 2025
edited
Loading

For some time, Tofu Controller has only supported up to version 1.5.7 of Terraform due to the licensing changes Hashicorp announced and implemented in 2023. As we have not been able to update to a newer version of Terraform and had not completed the migration to OpenTofu, users have been forced to deploy their own custom runner images.

This PR starts the process of moving away from Hashicorp Terraform and to the OpenTofu implementation.

For this change, a few changes have been made:

  • GitHub workflows now setup OpenTofu binaries, rather than Terraform.
  • Various Test Cases have been updates to account for OpenTofu specific CLI output.
  • Runner Images have been updated to make the tofu binary available to the runner, pulling this in from the OpenTofu minimal images rather than downloading architecture specific binaries.
  • Tofu Controller (and the runner) will now try to use the terraform binary by default, but will fall back to tofu if it cannot be found. As we only ship the tofu binary in the runner base image, this should be the default for standard deployments of Tofu Controller.

@artem-nefedov
Copy link
Contributor

artem-nefedov commented Dec 12, 2025

This probably needs to be highlighted as a breaking change for those who build their own runner images and update terraform binary there

@alexandermarston alexandermarston changed the title Implement opentofu Migrate Tofu Controller to OpenTofu Dec 13, 2025
@alexandermarston alexandermarston marked this pull request as draft December 16, 2025 11:34
@mloiseleur
Copy link
Contributor

mloiseleur commented Dec 18, 2025

This PR may fix #1437

OS-alexandrebrito added a commit to OS-alexandrebrito/tofu-controller that referenced this pull request Jan 9, 2026
@OS-alexandrebrito
feat: Add dual binary support with separate Dockerfiles
e6cb9fe 
  Implements support for both Terraform and OpenTofu binaries using
  separate Dockerfiles with minimal code changes. This enables teams
  to use either binary while maintaining security compliance, with
  OpenTofu as the default and a clear deprecation path for Terraform.

  Changes:
  - Updated runner.Dockerfile and runner-azure.Dockerfile to OpenTofu v1.11.2
  - Created runner-terraform.Dockerfile and runner-terraform-azure.Dockerfile
  - Updated CI/CD workflows to build all 4 image variants
  - Added binary detection in runner/server.go
  - Added Terraform v1.14.3 support via separate images
  - Updated documentation for binary selection
  - Removed unnecessary BINARY_TYPE build arguments

  Images published:
  - OpenTofu (default): v{VERSION}, latest
  - Terraform: v{VERSION}-terraform, latest-terraform

  Binary versions:
  - OpenTofu: 1.11.2
  - Terraform: 1.14.3 (up from 1.5.7)

  Breaking changes for Terraform users:
  - S3 backend role_arn deprecated (use assume_role block)
  - -state flag deprecated (use backend configuration)
  - See IMPLEMENTATION_VERIFICATION.md for migration guidance

  Related to PR flux-iac#1675
@OS-alexandrebrito OS-alexandrebrito mentioned this pull request Jan 9, 2026
Draft
OS-alexandrebrito
OS-alexandrebrito reviewed Jan 12, 2026
View reviewed changes
@alexandermarston alexandermarston marked this pull request as ready for review January 13, 2026 16:01
artem-nefedov
artem-nefedov reviewed Jan 13, 2026
View reviewed changes
@alexandermarston
switch bin priority
1ac1be4 
Signed-off-by: Alex Marston <[email protected]>
@artem-nefedov
Copy link
Contributor

artem-nefedov commented Jan 15, 2026

lgtm 👍 (I don't have permissions to approve)

ricardo-mng
ricardo-mng reviewed Jan 15, 2026
View reviewed changes
Copy link
Collaborator

@ricardo-mng ricardo-mng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM my only concern is the tofu version, we should probably first migrate to version 1.6.2

ricardo-mng
ricardo-mng previously approved these changes Jan 15, 2026
View reviewed changes
@alexandermarston
Copy link
Collaborator Author

alexandermarston commented Jan 15, 2026

We will have to upgrade to a version newer than 1.6.2 because of the vulnerabilities. Deciding what version.

@alexandermarston alexandermarston merged commit 1a291c1 into flux-iac:main Jan 15, 2026
15 checks passed
@alexandermarston alexandermarston mentioned this pull request Jan 15, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ricardo-mng ricardo-mng ricardo-mng approved these changes

+2 more reviewers

@artem-nefedov artem-nefedov artem-nefedov left review comments

@OS-alexandrebrito OS-alexandrebrito OS-alexandrebrito left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@alexandermarston @artem-nefedov @mloiseleur @ricardo-mng @OS-alexandrebrito