Get ready for OpenTofu 1.7.0-beta1

This version includes provider-defined functions and significant improvements from the alpha version.

As with the alpha version, we did everything we could to test this release, and we would like to ask the community to help us test it on non-production workloads. Grab your copy on GitHub and let us know what you think using a GitHub issue.

Downloading the beta release

The beta release is available exclusively from the GitHub Releases page. Please select the appropriate file for your platform. Here are some quick links:

| Platform/Device | Download link |
|---|---|
| Desktop Windows computer (64-bit) | tofu_1.7.0-beta1_windows_amd64.zip |
| macOS (MacBook M1 or higher; ARM64) | tofu_1.7.0-beta1_darwin_arm64.tar.gz |
| macOS (MacBook pre-M1 or lower; AMD64) | tofu_1.7.0-beta1_darwin_amd64.tar.gz |
| Intel/AMD Linux computer or server (AMD64) | tofu_1.7.0-beta1_linux_amd64.tar.gz |
| ARM-based Linux computer or Raspberry Pi 3 or higher (ARM64) | tofu_1.7.0-beta1_linux_arm64.tar.gz |

For the releases above, please unpack the archive and you should find the tofu binary inside. You can also use the standalone installer to download the release with signature verification.

Provider-defined functions

The new Terraform Plugin SDK added support for provider-defined functions that you can use directly in OpenTofu. This is a significant improvement over using data sources, as provider-defined functions don't increase the size of your state file and require less code to write.

If you want to test provider-defined functions, you can use the corefunc provider by Ryan Parman:

Code Block
terraform {
  required_providers {
    corefunc = {
      source  = "northwood-labs/corefunc"
      version = "1.4.0"
    }
  }
}

provider "corefunc" {
}

output "test" {
  value = provider::corefunc::str_snake("Hello world!")
  # Prints: hello_world
}

Loopable import blocks

We made several improvements to the declarative import blocks. Most prominently, you can now use the for_each instruction on the block. We have prepared full documentation for this feature.

In previous OpenTofu versions, you could already use the import block to declaratively import resources, for example:

Code Block
resource "random_id" "test_id" {
  byte_length = 8
}

import {
  to = random_id.test_id
  id = "Y2FpOGV1Mkk"
}

output "id" {
  value = random_id.test_id.b64_url
}

In this new version you can now also declaratively import resources in a loop:

Code Block
variable "server_ids" {
  type = list(string)
}

resource "random_id" "test_id" {
  byte_length = 8
  count       = 2
}

import {
  to       = random_id.test_id[tonumber(each.key)]
  id       = each.value
  for_each = {
    for idx, item in var.server_ids : idx => item
  }
}

output "id" {
  value = random_id.test_id.*.b64_url
}

The example above will let you specify some random IDs from a variable, and let others be automatically generated.

State encryption

State encryption is one of the flagship features of this release. We have prepared full documentation for this feature. Since the alpha release, we have overhauled the migration process from unencrypted to encrypted state files, as well as the rollback mechanism, to make the syntax more explicit.

Before you test this feature, please make a backup of your state file. You can then add the following block to enable state encryption:

Code Block
terraform {
  encryption {
    key_provider "pbkdf2" "my_passphrase" {
      ## Enter a passphrase here:
      passphrase = ""
    }

    method "aes_gcm" "my_method" {
      keys = key_provider.pbkdf2.my_passphrase
    }

    ## Remove this after the migration:
    method "unencrypted" "migration" {
    }

    state {
      method = method.aes_gcm.my_method

      ## Remove the fallback block after migration:
      fallback {
        method = method.unencrypted.migration
      }
      ## Enable this after migration:
      #enforced = true
    }
  }
}
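
A pre-merge check for the post-migration cleanup that the comments in the block above call for, as an added example (not code from the OpenTofu project): it flags a configuration that still declares the unencrypted method, still has a fallback block, or lacks an uncommented enforced = true. The function names, the sample passphrase and the regex-based parsing (whole-line comments only, no braces inside string values) are assumptions of this example.

```python
import re

# Constructed sample: the post's migration-phase block with a placeholder passphrase.
MIGRATION_CONFIG = '''
terraform {
  encryption {
    key_provider "pbkdf2" "my_passphrase" {
      passphrase = "constructed-sample-passphrase"
    }
    method "aes_gcm" "my_method" {
      keys = key_provider.pbkdf2.my_passphrase
    }
    method "unencrypted" "migration" {}
    state {
      method = method.aes_gcm.my_method
      fallback {
        method = method.unencrypted.migration
      }
      #enforced = true
    }
  }
}
'''

def block_body(text, name):
    """Brace-balanced body of the first `name { ... }` block, or None if absent."""
    m = re.search(r'\b' + name + r'\s*\{', text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def migration_leftovers(hcl):
    """Findings that mean the config still tolerates an unencrypted state."""
    # Drop whole-line comments so a commented-out "enforced = true" does not count.
    text = re.sub(r'(?m)^[ \t]*(#|//).*$', '', hcl)
    enc = block_body(text, 'encryption')
    state = block_body(enc, 'state') if enc is not None else None
    if state is None:
        return ['no encryption/state block']
    checks = [
        (re.search(r'\bmethod\s+"unencrypted"', enc), 'unencrypted method still declared'),
        (block_body(state, 'fallback') is not None, 'state still has a fallback block'),
        (not re.search(r'(?m)^[ \t]*enforced\s*=\s*true[ \t]*$', state), 'enforced = true is not set'),
    ]
    return [msg for hit, msg in checks if hit]
```

Run migration_leftovers over the file that holds the encryption block; an empty list means the three cleanup steps from the comments have been applied.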

You can migrate back using the following syntax:

Code Block
terraform {
  encryption {
    key_provider "pbkdf2" "my_passphrase" {
      ## Enter a passphrase here:
      passphrase = ""
    }

    method "aes_gcm" "my_method" {
      keys = key_provider.pbkdf2.my_passphrase
    }

    method "unencrypted" "migration" {
    }

    state {
      method   = method.unencrypted.migration
      enforced = false
      fallback {
        method = method.aes_gcm.my_method
      }
    }
  }
}

If you have access to an AWS or GCP account, or to an OpenBao/MPL-licensed HashiCorp Vault installation, you can also test these key providers.

Removed block

The removed block lets you remove a resource from the state file but keep it on the infrastructure. We have prepared full documentation for this feature. You can test it by creating a resource first:

Code Block
resource "local_file" "test" {
  content  = "Hello world!"
  filename = "test.txt"
}

After applying, you can replace the resource with a removed block:

Code Block
removed {
  from = local_file.test
}

After the next apply, you will see that the local_file.test resource no longer exists in your state file, but the test.txt file should still exist on your disk. You can now remove the removed block safely.

Built-in function changes

This release also contains several new functions and changes to existing functions:

CLI changes

There are also several changes to the CLI:

  • tofu init now supports the -json flag for JSON output.
  • tofu plan now has a -concise flag to shorten the plan output.
  • tofu console now works on Solaris and AIX.
  • The CLI now supports the XDG directory specification.
  • Aliases for:
    • state list → state ls
    • state mv → state move
    • state rm → state remove

Testing feature changes

  • Tofu now reads the .tfvars file from the tests folder.

Providing feedback

Thank you for taking the time to test this preview release. If you have any feedback, please use a GitHub issue or chat with us on the OpenTofu Slack.