winget install --id OpenTofu.TofuAbout OpenTofu
OpenTofu lets you declaratively manage your cloud infrastructure.
What's new in 1.12.0
OpenTofu 1.12.0 We're proud to announce that OpenTofu 1.12.0 is now officially available! ๐ Highlights This release cycle introduces major new capabilities and integrations: Dynamic prevent_destroy OpenTofu v1.12.0 now allows prevent_destroy to be defined dynamically in terms of other values available elsewhere in the same module. For example: variable "prevent_destroy_database" { type = bool default = true } resource "example_database" "example" { # ... lifecycle { prevent_destroy = var.prevent_destroy_database } } Provider Checksum Improvements The default provider installation behavior in OpenTofu is designed to mostly "just work" by getting the needed providers installed and making the necessary changes to the dependency lock file, but in previous versions friction appeared for any teams using many of the non-default installation settings such as the shared provider plugin cache, or local mirrors of upstream providers. For OpenTofu v1.12, OpenTofu Registry now provides a full set of official checksums in all of the checksum formats needed by other installation methods. This means that after running tofu init the dependency lock file will immediately have all of the information required to successfully use a global plugin cache directory and to verify matching packages served from a local mirror, without needing to run tofu providers lock separately. Simultaneous Human-readable and Machine-readable Output Many OpenTofu commands support both human-oriented UI output and machine-readable JSON output, but previously those commands could be run with only one or the other. Th...
Version history
| Version | Updated | Notes |
|---|---|---|
| 1.12.0 | Unknown | OpenTofu 1.12.0 We're proud to announce that OpenTofu 1.12.0 is now officially available! ๐ Highlights This release cycle introduces major new capabilities and integrations: Dynamic prevent_destroy OpenTofu v1.12.0 now a... |
| 1.11.6 | Unknown | BUG FIXES: - Running tofu apply -refresh-only with a configuration that contains ephemeral resources does not fail anymore because the refresh produced changes (#3776) - Fixed tofu init crashing when a module version use... |
| 1.11.5 | Unknown | BUG FIXES: - Add universe_domain option in the gcs backend to support sovereign GCP services (#3758) - The azurerm backend's MSI authentication method will now respect the provided client ID (#3586) - Using a network mir... |
| 1.11.4 | Unknown | SECURITY ADVISORIES: - Previous releases in the v1.11 series could potentially take an excessive amount of time processing a maliciously-crafted .zip archive during either provider or module installation during tofu init... |
| 1.11.3 | Unknown | BUG FIXES: - Fix crash when the executed configuration contains an import block that points to unexisting configuration block (#3616) - Fixed tofu test with mock_provider failing during cleanup when lifecycle { ignore_ch... |
| 1.11.2 | Unknown | UPGRADE NOTES: - The change from #2643, that was announced previously in v1.11.0, has been reverted in this release. OpenTofu will no longer directly recommend using the -exclude= option to work around problems caused by... |
| 1.11.1 | Unknown | BUG FIXES: - Fixed regression where import validation would incorrectly flag variables used in for_each statements within import blocks (#3564) - Fixed lifecycle enabled serialization in plan file (#3566) - Fixed regress... |
| 1.11.0 | Unknown | OpenTofu 1.11.0 We're proud to announce that OpenTofu 1.11.0 is now officially available! ๐ Highlights This release cycle introduces major new capabilities and integrations: Ephemeral Values and Write Only Attributes Eph... |
| 1.10.8 | Unknown | SECURITY ADVISORIES: This release contains fixes for some security advisories related to previous releases in this series. - Incorrect handling of excluded subdomain constraint in conjunction with TLS certificates contai... |
| 1.10.7 | Unknown | SECURITY ADVISORIES: This release contains fixes for some security advisories related to previous releases in this series. - tofu init in OpenTofu v1.10.6 and earlier could potentially use unbounded memory if there is a... |
| 1.10.6 | Unknown | 1.10.6 UPGRADE NOTES: - Upgrade go from 1.24.4 to 1.24.6 to fix GO-2025-3849 (3127) - Upgrade github.com/openbao/openbao/api/v2 from 2.1.0 to 2.3.0 to fix GO-2025-3783 (3134) - The upgrade is necessary to silence the sec... |
| 1.10.5 | Unknown | BUG FIXES: - Fixed issue where usage of TF_PLUGIN_CACHE_DIR could result in unexpected lock contention errors (#3090) - NOTE: It is still highly recommended to have valid .terraform.lock.hcl files in projects using TF_PL... |
| 1.10.4 | Unknown | BUG FIXES: - Fixed crash where sensitive set values used in for_each could cause a panic. (#3070) - Fixed incorrect approach to mocking provider "ReadResource" calls in test. (#3068) - Reduced calls to ListKeys in azure... |
| 1.10.3 | Unknown | 1.10.3 BUG FIXES: - OpenTofu will no longer crash in a rare case where a dynamically-invalid expression has its error suppressed by try or can and then that expression becomes relevant for deciding whether to report a "c... |
| 1.10.1 | Unknown | What's Changed - Fix TF_APPEND_USER_AGENT handling in the S3 remote state backend in #2955 - go.mod: Upgrade to Go 1.24.4 by @apparentlymart in #2927 Full Changelog: v1.10.0...v1.10.1 |
| 1.10.0 | Unknown | OpenTofu 1.10.0 We're thrilled to announce the release of OpenTofu 1.10.0, our most comprehensive update yet! This release represents months of dedicated work from our community, introducing some fantastic features that... |
| 1.9.1 | Unknown | BUG FIXES: - Provider used in import is correctly identified. (#2336) - plantimestamp() now returns unknown value during validation (#2397) - Syntax error in the required_providers block does not panic anymore, but yield... |
| 1.9.0 | Unknown | We're proud to announce that OpenTofu 1.9.0 is now officially out! ๐This release includes a lot of major and minor new features, as well as a ton of community contributions!The highlights are: - for_each in provider conf... |
| 1.8.8 | Unknown | SECURITY: - Upgraded golang.org/x/crypto to resolve CVE-2024-45337. (#2287) - Upgraded golang.org/x/net to resolve CVE-2024-45338. (#2311) BUG FIXES: - tofu test now removes outputs of destroyed modules between different... |
| 1.8.7 | Unknown | BUG FIXES: - Error messages related to validation of sensitive input variables will no longer disclose the sensitive value in the UI. (#2219) - Changes to encryption configuration now auto-apply the migration (#2232) - U... |