OpenTofu as an IaC solution
This article will explain what Infrastructure as Code means and why OpenTofu could be a reasonable choice as an IaC solution.
What is IaC?
Managing IT infrastructure is a necessary process but can time consuming, expensive and tedious if done manually. Infrastructure as code is a solution to deploy, update, destroy (basically manage) your infrastructure using configuration files and code. These files contain the infrastructure specifications and ensure you to provision the same environment every time.
Advantages
Consistency and reusability: IaC uses configuration files as a single source of truth which reduces the risk of human errors and also makes it easy to duplicate the same environment within minutes.
Structuring: Different elements of an infrastructure can be structured into separate modules, giving you the ability to conveniently manage them independently. It also means that these modules can be easily combined for different infrastructural needs.
Accountability: IaC solutions handles versioning for your stack which makes it possible to return to a previous version or just check the changes of a modification
IaC types
IaC tools use either a declarative or imperative programming language to execute configuration scripts. When you compare declarative and imperative programming, you’ll find that each solution comes with advantages and disadvantages that you need to consider before choosing your approach to IaC.
Declarative
In declarative programming, you specify the name and properties of the infrastructure resources you wish to provision, and then the IaC tool figures out how to achieve that end result on its own. You declare what you want, but not how to get there. It also means that a declarative approach keeps a list of the current state of your system objects, which makes it simpler to manage the infrastructure.
Pros
Declarative programming is a more popular approach to infrastructure as code. Declarative programming is highly idempotent, which means you can execute your commands over and over again and still achieve the same result.
The declarative paradigm also adapts well to configuration drift – the inevitable, slow changes to your infrastructure over time – because the provisioning steps are not explicitly defined.
Some declarative IaC tools:
Cons
The biggest drawback of the declarative approach is that you give up a lot of control over the individual steps in the provisioning process.
It’s also not the best choice for small fixes and updates that can be handled by a simple script. at certain scenarios it can overcomplicate and slow down the process.
Imperative
Imperative programming requires more scripting knowledge because you must write commands for every provisioning step. You tell your IaC tool how to create each environment using a sequence of command imperatives and will require you to figure out how changes should be applied.
The most popular tool for imperative IaC is Chef.
Pros
Imperative programming gives you control over how you accomplish infrastructure tasks, which is ideal when you need to make small changes and optimize for a specific purpose.
Cons
May not be a con but the biggest initial challenge to the imperative approach is that it requires a high level of skill with the programming language.
Imperative IaC scripts are often less idempotent as well as your predefined steps can lead to different results depending on the environment.
Also, imperative IaC scripts are so explicit that an error with one step can cause the whole process to fail.
What is OpenTofu?
OpenTofu is an open-source fork of HashiCorp Terraform 1.6, and on the technical level, OpenTofu is very similar feature-wise to Terraform 1.6.x. In the future as the project evolves, the feature sets are expected to diverge.
Repository: https://github.com/opentofu/opentofu
OpenTofu vs Terraform
As mentioned before, on the technical level there is not much of a difference yet, but there are some notable aspects that makes OpenTofu a reasonable choice over Terraform.
The main reason that might help us choose Tofu is the fog of uncertainty around Terraform’s user licence. The BSL and the additional use grant outlined by the HashiCorp team are ambiguous, which makes it challenging for companies, vendors, and developers to decide whether their actions could be interpreted as being outside the permitted scope of use.
OpenTofu advantages
There are 2 very strong reasons behind OpenTofu:
Open-soruce The fact that Tofu is open-source and is intended to stay that way frees us from the legal uncertainties when choosing a long-term tool to manage our infrastructure. The project also relies on public collaborators which helps to prevent the prevail of one point of view.
Basically Terraform The main reason OpenTofu managed to have such a successful career in such a short time is that Terraform was one of the most popular and most known IaC tool. Anyone who has used Terraform before can easily adopt to OpenTofu, as the syntax is the same, the migration is simple and quick, and it is able to cooperate with Terragrunt (Terraform’s wrapper) and handle Terraform modules.
OpenTofu disadvantages
Every technology has it’s own pros and cons, and OpenTofu is not an exception of course. As it was forked from Terraform 1.6, it means it has also inherited some inconveniences.
We might find ourselves in a difficult situation when we would like to implement more complex logic into our code. Terraform was not designed to be a full value programming language, it was more like a description of the desired infrastructure. It means that for example if we need to implement for loops, nested for loops of conditions, it is not impossible but will take experimenting and some endurance.
OpenTofu is under active development by the community, so hopefully these inherited issues will be eliminated in the future.
How to use
Using OpenTofu is pretty straightforward after Terraform. Although this is not a tutorial, through a simple AWS example I will show you how similar it is to Terraform.
Install OpenTofu The first thing you need to do is to install OpenTofu on your system. Depending on your configuration you can find the instructions on the following link: https://opentofu.org/docs/intro/install/
Install AWS CLI and configure credentials For OpenTofu to be able to access an AWS account, you must have the credentials configured on your machine. You can alternatively put the required credentials directly into the .tf file, but it is really not recommended.
Install AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
Configure credentials: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
- Create an OpenTofu project Create an empty folder for your project and put a ‘main.tf’ file in that folder with the following content:
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
resource "aws_vpc" "tofu-vpc" {
cidr_block = "10.0.0.0/16"
instance_tenancy = "default"
tags = {
Name = "main"
}
}
resource "aws_subnet" "tofu-subnet" {
vpc_id = aws_vpc.tofu-vpc.id
cidr_block = "10.0.1.0/24"
}
- Initialize and run code When ready, you can use the good old Terraform commands to apply your configuration:
tofu init # Initializes an OpenTofu working directory
tofu validate # Checks if your syntax and configuration is correct
tofu plan # shows what actions OpenTofu would take to apply the current configuration
tofu apply # applies your current configuration
tofu destroy # removes the previously generated resources
Conclusion
My experience shows that most companies ranging from smaller newcomers to the IT industry to huge multinational corporate giants choose to operate their infrastructure fully or partially from the cloud. This tendency causes the appearance of numerous IaC tools within a brief time period, and OpenTofu has managed to make a head start. It satisfies the need for such a tool while using well-known and reliable technology bases which is under constant development and with the dedication to staying open-source. Although having it’s weaknesses, if we are dealing with cloud infrastructure then we can’t really avoid to use a dedicated tool for it, and OpenTofu is definitely one of the best choice.