OpenTofu Skill

Infrastructure-as-code reference for OpenTofu configurations, state management, and provider patterns.

OpenTofu is the open-source fork of Terraform, maintained by the Linux Foundation. Commands and syntax are nearly identical to Terraform.

Quick Reference

Core workflow

tofu init # Initialize, download providers tofu validate # Syntax validation tofu fmt -recursive # Format HCL files tofu plan # Preview changes tofu apply # Apply changes

Inspection

tofu state list # List resources in state tofu state show <resource> # Show resource details tofu graph | dot -Tsvg > graph.svg # Dependency graph

Debug

TF_LOG=DEBUG tofu plan 2>debug.log

Core Workflow

init → validate → fmt → plan → apply

• init: Download providers, initialize backend

• validate: Check syntax and configuration validity

• fmt: Ensure consistent formatting

• plan: Preview what will change (review carefully)

• apply: Execute changes

Terraform Migration

OpenTofu is a drop-in replacement for Terraform:

Replace terraform with tofu in commands

terraform init → tofu init terraform plan → tofu plan terraform apply → tofu apply

State files are compatible

Provider configurations work the same

Most modules work without changes

Key differences:

• Different binary name (tofu vs terraform )

• Some newer Terraform features may not be available yet

• Provider registry defaults differ (can be configured)

Reference Files

Load on-demand based on task:

Topic File When to Load

Troubleshooting troubleshooting.md Common errors, debugging

State state-management.md Backends, locking, operations

Modules module-design.md Module patterns, composition

Security security.md Secrets, state security

Migration migration.md Terraform → OpenTofu

Proxmox Gotchas proxmox/gotchas.md Critical provider issues

Proxmox Auth proxmox/authentication.md Provider config, API tokens

Proxmox VMs proxmox/vm-qemu.md proxmox_vm_qemu patterns

Validation Checklist

Before tofu apply :

• tofu init completed successfully

• tofu validate passes

• tofu fmt applied

• tofu plan reviewed (check destroy/replace operations)

• Backend configured correctly (for team environments)

• State locking enabled (if remote backend)

• Sensitive variables marked sensitive = true

• Provider versions pinned

• No secrets in version control

• Blast radius assessed (what could break?)

Variable Precedence

(highest to lowest)

• -var flag: tofu apply -var="name=value"

• -var-file flag: tofu apply -var-file=prod.tfvars

• *.auto.tfvars files (alphabetically)

• terraform.tfvars file

• TF_VAR_* environment variables

• Variable defaults in variables.tf

Provider Configuration

versions.tf

terraform { required_version = ">= 1.6.0" # OpenTofu version

required_providers { proxmox = { source = "Telmate/proxmox" version = "~> 3.0" } } }