Skip to main content

What's new in OpenTofu 1.11?

New features​

Ephemeral Resources / Write-Only Attributes​

Ephemeral values allow OpenTofu to work with data and resources that exist only in memory during a single OpenTofu phase, guaranteeing that those values will not be persisted in state snapshots or plan files.

You can now declare input variables and output values as being ephemeral, and you can use provider plugins that have been updated to include ephemeral resource types (e.g. for fetching a secret) or managed resource types with write-only attributes (e.g. for setting a password without saving it in OpenTofu state).

For more information, refer to Ephemerality.

Enabled meta-argument​

The new enabled meta-argument offers an alternative to the existing count and for_each meta-arguments for situations where a particular resource instance or module instance has either zero or one instances.

The initial form of this argument is nested inside a lifecycle block, rather than directly inside a resource or module declaration, to avoid conflicting with existing input variables or resource type arguments named enabled.

For more information, refer to the enabled meta-argument.

Improvements to existing features​

Tag support added to S3 backend​

The S3 backend now supports object tagging your backend, allowing you to add custom tags to your state files for better organization and cost tracking.

Deprecations​

  • Azure Backend (azurerm):

    • The endpoint and ARM_ENDPOINT configuration options are no longer supported
    • The msi_endpoint and ARM_MSI_ENDPOINT options are no longer supported
    • The environment and metadata_host arguments are now mutually exclusive

  • issensitive() Function: Now correctly returns unknown results when evaluating unknown values. Code that previously relied on the incorrect behavior may need updates.

  • Testing with Mocks: Mock values generated during testing now strictly adhere to provider schemas. Test configurations with invalid mock values will need to be corrected.

  • S3 Module Installation: When installing module packages from Amazon S3 buckets using S3 source addresses OpenTofu will use the same credentials as the AWS CLI and SDK.

  • TLS and SSH Security:

    • SHA-1 signatures are no longer accepted for TLS or SSH connections
    • SSH certificates must comply with the draft-miller-ssh-cert-03 specification

Full Changelog​

You can find the full changelog at https://github.com/opentofu/opentofu/blob/v1.11/CHANGELOG.md