In August of last year, HashiCorp decided to move its products away from open source licenses to a source-available license with fuzzy parameters on its use in production. Shortly afterwards, the community forked Terraform as OpenTF and then it was endorsed and picked up by the Linux Foundation as OpenTofu. Now the project is ready to declare a stable release that it says is a production-ready “drop-in replacement for Terraform.”
OpenTofu isn’t a direct clone of Terraform, however. Kuba Martin, the interim technical lead of OpenTofu, says that the project is working to include client-side state encryption and other features that the community has proposed. Read the post for more details, but it looks like the project has made some strong strides in just a few months.
As I wrote last year on The New Stack about the OpenTofu fork, the Linux Foundation made the right call to endorse this fork. Companies and open source projects had adopted Terraform as part of their infrastructure and contributed to its success under the idea that it was open source. The abrupt change to a non-OSI license – and one that’s poorly understood and intentionally vague – set organizations scrambling.
Zero day licensing event
I’ve been thinking of this as a “zero day” licensing event, which is in some ways worse than a security incident. One hopes when an open source product or project has a major security hole, it’s unintentional. It’s also something that the larger community had an opportunity to participate in and try to head off before it happened.
A zero day licensing event, however, is fully intentional and opaque to the larger community until it happens. More on that soon, because I expect we’ll be seeing more of this in 2024 – though the LF’s intervention here might give other companies pause before they go this direction.
Your OpenTofu is served…
There was a bit of skepticism at first when there was talk of a fork. Much less when the LF endorsed and picked up the fork. I still think it’s a silly name, but I doubt that will affect anybody’s production use.
Kudos to all of the contributors who made this release happen. If you’re looking to deploy OpenTofu 1.6, you’ll find the release on GitHub with Debian packages and RPMs for Arm64, x86_64, 386(!), and some of the BSDs, macOS, Windows, and (of course) source code if you’d like to compile it yourself.