Use OpenTofu as Docker Image
OpenTofu is available as OCI container images, and distributed via public GitHub Packages registry.
Do not use the OCI container image as a base image. This is not supported and will stop working with OpenTofu 1.10. Instead, follow the instructions below to build your own OpenTofu image.
Versions
Images are hosted as packages in the OpenTofu GitHub organization. See the list of available versions here.
The multi platform images are available using the following tags:
latest: latest overall version of OpenTofu,Major: a specific major version of OpenTofu,Major.Minor: a specific minor version of OpenTofu,Major.Minor.Patch: a specific patch version of OpenTofu.
To pull platform-specific images (amd64, arm, arm64, 386) use:
<Version>-<Platform>: a platform specific version of OpenTofu.
Usage
If you run into rate limiting issues with GitHub, create a Personal Access Token and log in to the registry.
In the examples below you should have at least one .tf file located in the folder you are running the docker command.
To pull the image from GitHub Packages registry:
docker pull ghcr.io/opentofu/opentofu:latest
To run OpenTofu as a Docker container:
# Init providers plugins
docker run \
--workdir=/srv/workspace \
--mount type=bind,source=.,target=/srv/workspace \
ghcr.io/opentofu/opentofu:latest \
init
# Creating plan file
docker run \
--workdir=/srv/workspace \
--mount type=bind,source=.,target=/srv/workspace \
ghcr.io/opentofu/opentofu:latest \
plan -out=main.plan
# Applying plan file
docker run \
--workdir=/srv/workspace \
--mount type=bind,source=.,target=/srv/workspace \
ghcr.io/opentofu/opentofu:latest \
apply "/srv/workspace/main.plan"
Building your own image
The OCI image published by OpenTofu is intended as a basic command line tool. If you need additional tools in the image or want to build services on top of OpenTofu, you will need to build your own image. This section outlines how to accomplish that.
Step 1: Obtaining the installation script
OpenTofu publishes POSIX/Powershell installation scripts. You can use these scripts to safely install OpenTofu in your
container image. Please follow the standalone installation instructions to obtain the installation
script and place it next to your Dockerfile/Containerfile.
Step 2: Creating a stage for installation
Next, you can start creating a download stage in your Dockerfile/Containerfile. For details on multi-stage builds
please read the Docker documentation.
FROM alpine:3.20 AS tofu
ADD install-opentofu.sh /install-opentofu.sh
RUN chmod +x /install-opentofu.sh
RUN apk add gpg
RUN ./install-opentofu.sh --install-method standalone --install-path / --symlink-path -
Step 3: Creating your own image
Now you can add your image below the installation stage and copy the tofu binary into it:
FROM alpine:3.20 AS tofu
ADD install-opentofu.sh /install-opentofu.sh
RUN chmod +x /install-opentofu.sh
RUN apk add gpg
RUN ./install-opentofu.sh --install-method standalone --install-path / --symlink-path -
## This is your stage:
FROM ubuntu
COPY --from=tofu /tofu /usr/local/bin/tofu
# Add your commands here