What's new in OpenTofu 1.7?

This page will run you through the most important changes in OpenTofu 1.7:

• State encryption
• Provider-defined functions
• Removed block
• Loopable import blocks
• Built-in function changes
• CLI changes
• Testing feature changes

State encryption​

State encryption is one of the flagship features of this release. We have prepared a full documentation for this feature.

Before you test this feature, please make a backup of your state file. You can then add the following block to enable state encryption:

terraform {
  encryption {
    key_provider "pbkdf2" "my_passphrase" {
      ## Enter a passphrase here:
      passphrase = ""
    }

    method "aes_gcm" "my_method" {
      keys = key_provider.pbkdf2.my_passphrase
    }

    ## Remove this after the migration:
    method "unencrypted" "migration" {
    }

    state {
      method = method.aes_gcm.my_method

      ## Remove the fallback block after migration:
      fallback{
        method = method.unencrypted.migration
      }
      ## Enable this after migration:
      #enforced = true
    }
  }
}

You can migrate back using the following syntax:

terraform {
  encryption {
    key_provider "pbkdf2" "my_passphrase" {
      ## Enter a passphrase here:
      passphrase = ""
    }

    method "aes_gcm" "my_method" {
      keys = key_provider.pbkdf2.my_passphrase
    }

    method "unencrypted" "migration" {
    }

    state {
      method  = method.unencrypted.migration
      enforced = false
      fallback{
        method = method.aes_gcm.my_method
      }
    }
  }
}

If you have access to an AWS, GCP account, or an OpenBao/MPL-licensed HashiCorp Vault installation, you can also test these key providers.

Provider-defined functions​

The new Terraform Plugin SDK added support for provider-defined functions that you can use directly in OpenTofu. This is a significant improvement over using data sources as provider-defined functions don't increase the size of your state file and require less code to write.

If you want to test provider-defined functions, you can use the corefunc provider by Ryan Parman:

terraform {
  required_providers {
    corefunc = {
      source = "northwood-labs/corefunc"
      version = "1.4.0"
    }
  }
}

provider "corefunc" {
}

output "test" {
  value = provider::corefunc::str_snake("Hello world!")
  # Prints: hello_world
}

What's more, we added an OpenTofu-only feature to let providers dynamically define custom functions based on your configuration. This enhancement allows you to fully integrate other programming languages as shown in our live stream. You can try out this functionality with our experimental Lua and Go providers.

Removed block​

The removed block lets you remove a resource from the state file but keep it on the infrastructure. We have prepared a full documentation for this feature. You can test it by creating a resource first:

resource "local_file" "test" {
  content = "Hello world!"
  filename = "test.txt"
}

After applying, you can replace the resource with a removed block:

removed {
  from = local_file.test
}

After the next apply, you will see that the local_file.test resource no longer exists in your state file, but the test.txt file should still exist on your disk. You can now remove the removed block safely.

Loopable import blocks​

We made several improvements to the declarative import blocks, most prominently you can now use the for_each instruction on the block. We have prepared a full documentation for this feature.

In previous OpenTofu versions, you could already use the import block to declaratively import resources, for example:

resource "random_id" "test_id" {
  byte_length = 8
}

import {
  to = random_id.test_id
  id = "Y2FpOGV1Mkk"
}

output "id" {
  value = random_id.test_id.b64_url
}

In this new version you can now also declaratively import resources in a loop:

variable "server_ids" {
  type = list(string)
}

resource "random_id" "test_id" {
  byte_length = 8
  count = 2
}

import {
  to = random_id.test_id[tonumber(each.key)]
  id = each.value
  for_each = {
    for idx, item in var.server_ids: idx => item
  }
}

output "id" {
  value = random_id.test_id.*.b64_url
}

The example above will let you specify some random IDs from a variable, and let others be automatically generated.

Built-in function changes​

This release also contains several new functions and changes to existing functions:

• New function: templatestring
• New function: base64gunzip
• New function: cidrcontains
• New function: urldecode
• New function: issensitive
• nonsensitive no longer returns an error when the applied values are not sensitive.
• templatefile now supports recursion up to a depth of 1024.

CLI changes​

There are also several changes to the CLI:

• tofu init now supports the -json flag for JSON output.
• tofu plan now has a -concise flag to shorten the plan output.
• tofu console now works on Solaris and AIX.
• The CLI now supports the XDG directory specification.
• Aliases for:
  • state list → state ls
  • state mv → state move
  • state rm → state remove

Testing feature changes​

• Tofu now reads the .tfvars file from the tests folder.