What's new in OpenTofu 1.10?
This page will run you through the most important changes in OpenTofu 1.10:
New features​
New built-in functions​
New builtin provider functions added (#2306) :
provider::terraform::decode_tfvars- Decode a TFVars file content into an object.provider::terraform::encode_tfvars- Encode an object into a string with the same format as a TFVars file.provider::terraform::encode_expr- Encode an arbitrary expression into a string with valid OpenTofu syntax.
Moved for different resource types​
movedblock can now be used to migrate between different types of resources (docs).- Builtin provider now supports migration from
null_resourcetoterraform_dataresource.
Improvements to existing features​
External programs as encryption key providers (experimental)​
State encryption now supports using external programs as key providers. Additionally, the PBKDF2 key provider now supports chaining via the chain parameter. For details, see the related documentation
This functionality is experimental and may be changed in future OpenTofu versions.
Smaller improvements​
- OpenTofu will now recommend using
-excludeinstead of-target, when possible, in the error messages about unknown values incountandfor_eacharguments, thereby providing a more definitive workaround. (#2154)
Deprecations​
Using ghcr.io/opentofu/opentofu as a base image​
Using the ghcr.io/opentofu/opentofu image as a base image for custom images is deprecated and doesn't work as of OpenTofu 1.10. The reason behind this change is security: while we regularly update OpenTofu itself when security-relevant updates arise, providing a base image would require an update roughly once a week, which we are currently not equipped to do.
However, we have added instructions on building your own base image in the containerized installation instructions.
Bugfixes​
OpenTofu 1.10 changed how workspace creation locking works. It is unsafe to
use pg backend with multiple OpenTofu versions (under 1.10) in parallel if those
are sharing the same underlying database.