Terraform vs OpenTofu
A practical 2026 comparison of Terraform and OpenTofu: licensing, governance, state encryption, the migration path, and which IaC tool fits your team.
Terraform
The original IaC tool by HashiCorp, now part of IBM. Uses HCL to provision infrastructure across cloud providers and has the largest provider ecosystem and managed platform in the space.
OpenTofu
An open-source fork of Terraform created after the 2023 license change, now a CNCF project under the Linux Foundation. Drop-in compatible with Terraform's HCL and state format, with extra features the Terraform CLI does not have.
For two years the question of Terraform versus OpenTofu had the same honest answer: wait and see. The fork was young, the feature gap was small, and nobody wanted to bet production state files on a project that might fade. In 2026 the picture is clearer, and the decision is worth making on purpose.
Terraform, first released in 2014, introduced HCL as a declarative language for infrastructure. In August 2023 HashiCorp moved it from the Mozilla Public License (MPL) 2.0 to the Business Source License (BSL) 1.1, which is source-available rather than open source. The community forked the last MPL release as OpenTofu, and in early 2025 IBM completed its acquisition of HashiCorp, so Terraform is now an IBM product. OpenTofu joined the CNCF in April 2025 and is governed by a steering committee under the Linux Foundation, so no single company controls its license or direction.
The two tools still share the same HCL syntax and the same .tfstate format, which is why moving between them is easier than most teams expect. Where they differ is governance, licensing, and a set of features OpenTofu has shipped that Terraform's open-source CLI does not have: native state encryption, provider for_each, the -exclude flag, and early variable evaluation. Terraform, in turn, keeps the larger ecosystem, the HCP Terraform managed platform, and the deeper hiring pool.
This comparison breaks the decision down across licensing, state handling, features, ecosystem, and operations, then gives you a use-case guide and a clear verdict. If you want the full step-by-step migration walkthrough and a deeper look at where the lock-in actually hides, we cover that in our dedicated OpenTofu migration guide.
Feature Comparison
| Feature | Terraform | OpenTofu |
|---|---|---|
| **Language & Compatibility** | | |
| Configuration Language | HCL (declarative, purpose-built for infrastructure) | HCL, syntax-compatible with Terraform |
| **State & Backend** | | |
| State File Format | .tfstate JSON | .tfstate JSON, identical and interchangeable |
| Native State Encryption | Backend-level only; secrets are plaintext in state | Built-in client-side state and plan encryption (KMS, Vault, passphrase) since 1.7 |
| **Language & Features** | | |
| Provider for_each | Not supported in the open-source CLI | Supported since 1.9 for multi-region and multi-account setups |
| Early Variable Evaluation | Variables not allowed in backend or module source blocks | Early evaluation allows variables in backend and module source (1.8) |
| **Operations** | | |
| Exclude Flag | Only -target is available | Adds -exclude, the inverse of -target, since 1.9 |
| Managed SaaS & Collaboration | HCP Terraform: managed state, Sentinel, Stacks, run tasks | No first-party SaaS; use Spacelift, env0, Scalr, or self-managed backends |
| **Ecosystem** | | |
| Provider & Module Registry | Terraform Registry, the largest with 4,000+ providers | registry.opentofu.org mirrors providers and modules; near-complete coverage |
| **Licensing & Governance** | | |
| License | BSL 1.1 (source-available, competitive-use restrictions) | MPL 2.0 (open source) |
| Governance | Single vendor (IBM / HashiCorp) | Linux Foundation and CNCF, multi-company steering committee |
| **Support & Ecosystem** | | |
| Commercial Support | Paid support and SLAs via IBM and HashiCorp | Community support plus third-party vendors (Spacelift, Scalr, Gruntwork) |
| Community & Hiring Pool | Largest community, most tutorials, biggest hiring pool | Growing; Terraform skills transfer directly but fewer dedicated resources |
Pros and Cons
Terraform
Strengths
- Largest provider and module ecosystem via the Terraform Registry (4,000+ providers)
- HCP Terraform (formerly Terraform Cloud) offers managed state, Sentinel policy as code, Stacks, and run tasks
- Biggest hiring pool and the deepest library of tutorials, modules, and Stack Overflow answers
- Commercial support with SLAs backed by IBM and HashiCorp
- Mature third-party tooling: Atlantis, Spacelift, env0, Terragrunt, tflint, Checkov
- Predictable plan output that is easy to review in pull requests
Weaknesses
- BSL 1.1 license is source-available and restricts building competing products
- Single-vendor governance under IBM, with no community veto over license or roadmap
- No native state encryption: secrets sit in plaintext in state, protected only at the backend level
- The open-source CLI lacks provider for_each, the -exclude flag, and early variable evaluation
- More of the newer workflow features land first inside the paid HCP Terraform platform
OpenTofu
Strengths
- MPL 2.0 open-source license with no competitive-use restrictions
- Vendor-neutral governance under the Linux Foundation and CNCF with a multi-company steering committee
- Native client-side state and plan encryption (AWS KMS, GCP KMS, Vault, or passphrase) since 1.7
- Provider for_each (1.9), the -exclude flag (1.9), and early variable evaluation (1.8)
- Reads and writes the same .tfstate, so existing state and most providers and modules work unchanged
- Free, with no features held back behind a paid tier, and a steady release cadence (v1.12 in May 2026)
Weaknesses
- Registry coverage trails Terraform for some niche or private providers
- No first-party managed SaaS; you rely on Spacelift, env0, Scalr, or self-managed backends
- Smaller community and hiring pool, although Terraform skills transfer one to one
- No equivalent to HCP Terraform-specific features such as Stacks, Sentinel, and no-code modules
- Some enterprises still want a single vendor with a formal support contract
Decision Matrix
Pick this if...
You build a product or internal platform on top of the IaC engine
You need secrets in state encrypted at rest without an external wrapper
You depend on HCP Terraform features (Stacks, Sentinel, run tasks)
You want a vendor-neutral, foundation-governed project
You need a commercial support contract with an SLA
You want the largest hiring pool and the most third-party examples
You want provider for_each, -exclude, or early variable evaluation today
You are happy on Terraform and the BSL license does not affect you
Use Cases
Security or compliance team that needs secrets in state encrypted at rest, not just at the backend
OpenTofu encrypts state and plan files client-side with a key provider you control (KMS, Vault, or a passphrase). Even if the backend is exposed, the files are unreadable without the key. Terraform's open-source CLI has no equivalent, so sensitive values stay in plaintext in state.
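The configuration below is an added example, not taken from the original page or from the OpenTofu project, showing the client-side encryption described above together with the one-time migration from an existing plaintext state. The KMS alias, the region, and the block labels (`state`, `migrate`) are placeholder assumptions.

```hcl
# Added example: OpenTofu >= 1.7 client-side state and plan encryption.
# The KMS alias, region and block labels are placeholders, not values from the page.
terraform {
  encryption {
    # Key provider: AWS KMS generates the data key; the KMS key itself stays in AWS.
    key_provider "aws_kms" "state" {
      kms_key_id = "alias/EXAMPLE-tofu-state" # placeholder alias
      region     = "eu-west-1"                # placeholder region
      key_spec   = "AES_256"
    }

    # Method: AES-GCM using the key obtained from the provider above.
    method "aes_gcm" "state" {
      keys = key_provider.aws_kms.state
    }

    # Migration only: lets OpenTofu read the existing plaintext state once.
    method "unencrypted" "migrate" {}

    state {
      method = method.aes_gcm.state

      fallback {
        method = method.unencrypted.migrate
      }
      # After the first successful apply has rewritten the state encrypted,
      # delete the fallback block and the "unencrypted" method, then add:
      #   enforced = true
      # so OpenTofu refuses to read or write plaintext state again.
    }

    plan {
      method = method.aes_gcm.state
      # Add `enforced = true` here as well once the migration is finished.
    }
  }
}
```

Once state is encrypted this way, Terraform's CLI can no longer read it, so moving back means decrypting first by swapping the roles of the method and the fallback.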
A company building a commercial product or internal platform on top of the IaC engine
The BSL restricts using Terraform to build a competing product and adds legal review overhead. OpenTofu's MPL license and foundation governance remove that risk, which matters most for vendors and platform teams shipping tooling around the engine.
Enterprise standardized on HCP Terraform with Sentinel policies, Stacks, and a support contract
Sentinel, Stacks, and run tasks are first-party HashiCorp features that OpenTofu does not replicate. If your workflows and compliance gates already run on HCP Terraform, staying avoids a re-tooling project for little gain.
Small team running internal infrastructure, happy on Terraform, with no licensing concern
Both tools work well here. The migration is easy and reversible while you stay on shared features, so there is no penalty for waiting. Switch when you want a specific OpenTofu feature or care about the license, not before.
Team managing many near-identical regions or accounts that wants provider for_each and -exclude in daily runs
Provider for_each removes the copy-paste of one provider block per region or account, and -exclude lets you apply everything except a resource you are handling separately. Both features exist only in OpenTofu's CLI today.
Organization that prioritizes the largest hiring pool and the deepest library of tutorials and modules
Terraform's ecosystem and community are still bigger, so onboarding and finding answers is easier. OpenTofu skills transfer one to one, but there are fewer OpenTofu-specific guides and registry modules to lean on.
Verdict
The migration between the two is easy and reversible, which takes most of the risk out of the decision. OpenTofu leads on open governance, an MPL license, and features Terraform's open-source CLI does not have, most notably native state encryption, provider for_each, and the -exclude flag. Terraform leads on ecosystem size, the HCP Terraform managed platform, commercial support, and the hiring pool. Neither is objectively better; the right call depends on whether you value open governance and those features or the depth of the HashiCorp ecosystem.
Our Recommendation
Choose OpenTofu if you want open governance, an MPL license, or built-in state encryption and the newer CLI features. Choose Terraform if you rely on HCP Terraform, need commercial support, or want the largest ecosystem and hiring pool. Either way, test on a staging workspace and run plan before you apply.