opentofu

Infrastructure as code with OpenTofu (open-source Terraform fork) and Pulumi. Covers OpenTofu HCL syntax, providers, resources, data sources, modules, state management with remote backends, workspaces, importing existing infrastructure, plan/apply workflow, variable management, output values, provisioners, and state encryption (OpenTofu-exclusive). Includes Pulumi TypeScript/Python SDKs, stack management, component resources, config/secrets, state backends, policy as code, and automation API. Common patterns for multi-environment setups, module composition, CI/CD integration, drift detection, and secret management. Use when writing or reviewing HCL configurations, managing cloud infrastructure state, migrating from Terraform to OpenTofu, building Pulumi programs in TypeScript or Python, setting up multi-environment IaC pipelines, or implementing state encryption.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "opentofu" with this command: npx skills add oakoss/agent-skills/oakoss-agent-skills-opentofu

OpenTofu

Overview

OpenTofu is an open-source infrastructure as code tool that uses HCL (HashiCorp Configuration Language) to declaratively manage cloud infrastructure. It is a community-driven fork of Terraform, fully compatible with existing Terraform providers and modules, with exclusive features like native state encryption. Pulumi provides an alternative IaC approach using general-purpose languages (TypeScript, Python, Go) instead of HCL.

When to use: Managing cloud infrastructure declaratively, provisioning multi-cloud resources, enforcing infrastructure consistency across environments, encrypting state at rest (OpenTofu), using familiar programming languages for IaC (Pulumi).

When NOT to use: One-off scripts better suited to CLI tools, application-level configuration management (use Ansible/Chef), container orchestration logic (use Kubernetes manifests), simple static hosting (use platform-native tools).

Quick Reference

| Pattern | Tool / Command | Key Points |
|---|---|---|
| Initialize project | tofu init | Downloads providers, initializes backend |
| Preview changes | tofu plan | Shows diff without applying |
| Apply changes | tofu apply | Provisions/updates resources |
| Destroy resources | tofu destroy | Tears down managed infrastructure |
| Import resource | tofu import <addr> <id> | Brings existing resource under management |
| State encryption | terraform.encryption block | OpenTofu-exclusive, AES-GCM with key providers |
| Remote backend | backend "s3" / backend "gcs" | Store state in cloud storage with locking |
| Workspaces | tofu workspace new <name> | Isolated state per environment |
| Module usage | module "name" { source = "..." } | Reusable infrastructure components |
| Output values | output "name" { value = ... } | Expose values for other configs or CI |
| Variable files | terraform.tfvars / -var-file | Environment-specific variable overrides |
| Pulumi new project | pulumi new typescript | Scaffold TypeScript IaC project |
| Pulumi preview | pulumi preview | Shows planned changes |
| Pulumi deploy | pulumi up | Provisions/updates resources |
| Pulumi config | pulumi config set key value | Stack-scoped configuration |
| Pulumi secrets | pulumi config set --secret key val | Encrypted config values |
| Pulumi stacks | pulumi stack select <name> | Switch between environments |
| Automation API | LocalWorkspace.createOrSelectStack() | Programmatic stack management |

Common Mistakes

| Mistake | Correct Pattern |
|---|---|
| Storing state locally in team environments | Configure remote backend (S3, GCS, Azure Blob) with state locking |
| Hardcoding provider credentials in HCL | Use environment variables or provider-specific auth chains |
| Using tofu apply without reviewing plan | Run tofu plan -out=plan.tfplan then tofu apply plan.tfplan |
| Editing state manually | Use tofu state mv, tofu state rm, or tofu import |
| Ignoring .terraform.lock.hcl | Commit lock file for reproducible provider versions |
| Using count for complex conditional resources | Prefer for_each with maps for stable resource addressing |
| Sharing one workspace for all environments | Use separate workspaces or backend config per environment |
| Putting secrets in terraform.tfvars | Use sensitive = true variables, vault, or environment variables |
| Pulumi: creating resources outside component classes | Wrap related resources in ComponentResource for reuse |
| Pulumi: not awaiting async operations | Ensure all resource operations complete before stack export |
| Skipping tofu plan in CI/CD | Always plan and require approval before apply in pipelines |
| Not using -target carefully | Prefer full plans; -target can leave state inconsistent |
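
Several of the rows above (remote backend with locking, no credentials in HCL, sensitive variables) and the state-encryption entry in the Quick Reference combine into one configuration. The following is an added example, not taken from the upstream SKILL.md; the bucket, lock table, key path, region and variable names are placeholders, and it assumes OpenTofu 1.8 or later so that a variable can be referenced inside the encryption block.

```hcl
# Added example: remote, locked, encrypted state with no secrets in the repo.
# All names and values below are placeholders.

variable "state_passphrase" {
  type      = string
  sensitive = true # redacted in plan/apply output; pbkdf2 needs >= 16 characters
}

terraform {
  # Remote backend instead of a local terraform.tfstate
  backend "s3" {
    bucket         = "example-tofu-state"
    key            = "prod/network.tfstate"
    region         = "us-east-1"
    encrypt        = true                 # server-side encryption of the object
    dynamodb_table = "example-tofu-locks" # state locking
    # No access_key / secret_key here: credentials come from the
    # environment or the provider's auth chain.
  }

  # OpenTofu-exclusive: client-side encryption of state and plan files
  encryption {
    key_provider "pbkdf2" "passphrase" {
      passphrase = var.state_passphrase
    }

    method "aes_gcm" "default" {
      keys = key_provider.pbkdf2.passphrase
    }

    state {
      method   = method.aes_gcm.default
      enforced = true # refuse to write unencrypted state
    }

    plan {
      method   = method.aes_gcm.default
      enforced = true # saved plan files (plan.tfplan) contain state data too
    }
  }
}

provider "aws" {
  region = "us-east-1"
  # Credentials resolved from environment variables or the AWS auth chain.
}
```

Supply the passphrase through the TF_VAR_state_passphrase environment variable rather than terraform.tfvars. A project whose state already exists unencrypted needs a migration step first (an unencrypted method referenced from a fallback block) before this configuration can read it.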

Delegation

  • Infrastructure pattern discovery: Use Explore agent
  • IaC code review: Use Task agent
  • Drift detection analysis: Use Task agent

If the amazon-web-services skill is available, delegate AWS resource patterns to it. If the docker skill is available, delegate container infrastructure patterns to it. If the github-actions skill is available, delegate CI/CD pipeline patterns to it.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
