Store OpenTofu state in OCI registries (such as GitHub Container Registry) using ORAS. No SaaS. No cloud storage accounts. Just OCI.
```bash
curl -sSL https://raw.githubusercontent.com/vmvarela/opentofu/develop/install.sh | sh
gh auth login
tofu-oras init
tofu-oras apply
```

This will initialize an ORAS backend configured in your Terraform files and store the state in your OCI registry (for example, GHCR).

ℹ️ This installs a separate binary called `tofu-oras`, so it does not interfere with an existing OpenTofu (`tofu`) installation.
This project adds an ORAS backend that allows you to store OpenTofu state in any OCI-compatible container registry:
- GitHub Container Registry (GHCR)
- Amazon ECR
- Azure ACR
- Google GCR
- Docker Hub
- Harbor
- Any OCI-compliant registry
| Feature | Description |
|---|---|
| OCI Registry Storage | Store state as OCI artifacts in your existing container registry |
| Reuse Existing Auth | Uses Docker credentials and tofu login tokens |
| Distributed Locking | Best-effort locking to reduce concurrent modifications |
| State Versioning | Keep history of state versions with configurable retention |
| Compression | Optional gzip compression for state files |
| Encryption Compatible | Works with OpenTofu's client-side state encryption |
Good fit:
- Individual operators or small teams
- CI/CD pipelines
- OSS projects
- Environments where OCI registries are already available

Not a good fit:
- Large teams with heavy concurrent access
- Strong locking or compliance requirements
- Environments that mandate managed SaaS backends
```hcl
terraform {
  backend "oras" {
    repository = "ghcr.io/your-org/tf-state"
  }
}
```

```hcl
terraform {
  backend "oras" {
    repository  = "ghcr.io/your-org/tf-state"
    compression = "gzip"
    versioning {
      enabled      = true
      max_versions = 10
    }
  }
  encryption {
    key_provider "pbkdf2" "main" {
      passphrase = var.state_passphrase
    }
    method "aes_gcm" "main" {
      key_provider = key_provider.pbkdf2.main
    }
    state {
      method = method.aes_gcm.main
    }
  }
}
```

See the ORAS Backend README for complete documentation including:
- All configuration parameters
- Authentication setup
- Locking behavior
- Versioning and retention
- Troubleshooting
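
For the gzip-plus-encryption configuration above, a CI gate can confirm that a state blob pulled from the registry is actually encrypted before anyone with pull access can read it. This is an added example, not code from this project: `classify_state` and `require_encrypted` are hypothetical names, and it assumes the blob is the state file as OpenTofu wrote it (identified by the `encrypted_data` and `encryption_version` envelope fields), optionally gzip-wrapped by the backend.

```python
import gzip
import json
import zlib


def classify_state(blob: bytes) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for a state blob."""
    # Assumption: with compression = "gzip" the backend gzip-wraps the bytes
    # OpenTofu hands it, so peel that layer off first (gzip magic: 1f 8b).
    if blob[:2] == b"\x1f\x8b":
        try:
            blob = gzip.decompress(blob)
        except (OSError, EOFError, zlib.error):
            return "unknown"
    try:
        doc = json.loads(blob)
    except ValueError:  # also covers JSONDecodeError and UnicodeDecodeError
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    # Encrypted state is a JSON envelope: ciphertext plus a version marker.
    if doc.get("encrypted_data") and doc.get("encryption_version"):
        return "encrypted"
    # Plaintext state exposes resources and outputs (and any secrets) directly.
    if "resources" in doc or "outputs" in doc:
        return "plaintext"
    return "unknown"


def require_encrypted(blob: bytes) -> None:
    """CI gate: raise unless the blob is encrypted state."""
    kind = classify_state(blob)
    if kind != "encrypted":
        raise ValueError(f"state blob is {kind}, expected encrypted")


# Constructed samples, not real state.
PLAINTEXT = json.dumps({"version": 4, "serial": 3, "lineage": "constructed",
                        "outputs": {"db_password": {"value": "constructed"}},
                        "resources": []}).encode()
ENCRYPTED = json.dumps({"serial": 3, "lineage": "constructed",
                        "meta": {"key_provider.pbkdf2.main": "e30="},
                        "encrypted_data": "Y29uc3RydWN0ZWQ=",
                        "encryption_version": "v0"}).encode()

if __name__ == "__main__":
    for name, blob in [("plaintext", PLAINTEXT),
                       ("gzip+encrypted", gzip.compress(ENCRYPTED))]:
        print(f"{name:15} -> {classify_state(blob)}")
```
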
Actively developed and usable today. APIs and backend format may evolve based on feedback.
This fork follows OpenTofu releases with an -oras suffix:
| OpenTofu Release | This Fork |
|---|---|
| v1.11.2 | v1.11.2-oras |
This allows you to choose which OpenTofu version you want with ORAS support.
```bash
curl -sSL https://raw.githubusercontent.com/vmvarela/opentofu/develop/install.sh | sh
```

```powershell
irm https://raw.githubusercontent.com/vmvarela/opentofu/develop/install.ps1 | iex
```

This installs the binary as `tofu-oras` to avoid conflicts with the official `tofu` installation.
Linux/macOS:

```bash
# The variables are set on sh, which runs the installer; a prefix on curl would not reach the script.

# Install specific version
curl -sSL https://raw.githubusercontent.com/vmvarela/opentofu/develop/install.sh | TOFU_ORAS_VERSION=v1.12.0-oras sh
# Install to custom directory
curl -sSL https://raw.githubusercontent.com/vmvarela/opentofu/develop/install.sh | TOFU_ORAS_INSTALL_DIR=~/.local/bin sh
# Install with custom binary name
curl -sSL https://raw.githubusercontent.com/vmvarela/opentofu/develop/install.sh | TOFU_ORAS_BINARY_NAME=tofu sh
```

Windows PowerShell:
```powershell
# Install specific version
$env:TOFU_ORAS_VERSION = "v1.12.0-oras"
irm https://raw.githubusercontent.com/vmvarela/opentofu/develop/install.ps1 | iex
# Install to custom directory
$env:TOFU_ORAS_INSTALL_DIR = "$env:USERPROFILE\.local\bin"
irm https://raw.githubusercontent.com/vmvarela/opentofu/develop/install.ps1 | iex
```

Download the binary for your platform from the Releases page.
```bash
git clone https://github.com/vmvarela/opentofu.git
cd opentofu
go build -o tofu-oras ./cmd/tofu
```

Original OpenTofu README
The following is the original OpenTofu README.
OpenTofu is an OSS tool for building, changing, and versioning infrastructure safely and efficiently. OpenTofu can manage existing and popular service providers as well as custom in-house solutions.
The key features of OpenTofu are:
- Infrastructure as Code: Infrastructure is described using a high-level configuration syntax. This allows a blueprint of your datacenter to be versioned and treated as you would any other code. Additionally, infrastructure can be shared and re-used.
- Execution Plans: OpenTofu has a "planning" step where it generates an execution plan. The execution plan shows what OpenTofu will do when you call apply. This lets you avoid any surprises when OpenTofu manipulates infrastructure.
- Resource Graph: OpenTofu builds a graph of all your resources, and parallelizes the creation and modification of any non-dependent resources. Because of this, OpenTofu builds infrastructure as efficiently as possible, and operators get insight into dependencies in their infrastructure.
- Change Automation: Complex changesets can be applied to your infrastructure with minimal human interaction. With the previously mentioned execution plan and resource graph, you know exactly what OpenTofu will change and in what order, avoiding many possible human errors.
- Have a question?
  - Post it in GitHub Discussions
  - Open a GitHub issue
  - Join the OpenTofu Slack!
- Want to contribute?
  - Please read the Contribution Guide.
- Recurring Events
  - Community Meetings on Wednesdays at 12:30 UTC at this link: https://meet.google.com/xfm-cgms-has (calendar link)
  - Technical Steering Committee Meetings every other Tuesday at 4pm UTC at this link: https://meet.google.com/cry-houa-qbk (calendar link)
> [!TIP]
> For more OpenTofu events, subscribe to the OpenTofu Events Calendar!
If you've found a vulnerability or a potential vulnerability in OpenTofu, please follow the Security Policy. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.
If you believe you have found any possible copyright or intellectual property issues, please contact [email protected]. We'll send a confirmation email to acknowledge your report.
In an effort to comply with applicable sanctions, we block access from specific countries of origin.