Join our mailing list Subscribe Us

Create Resource using OpenTofu on OCI



I will explain how to install OpenTofu and how to use it to deploy on OCI. I will also mention what are the required changes be able to use my previous Terraform deployment files.

As an example, let’s use the modules to deploy WordPress with MySQL HeatWave Database Service: oci-wordpress-mds.

Installing OpenTofu

If like me you are using a RPM based Linux distro, you can find the necessary information to create the yum repository on OpenTofu’s website:

$ sudo su -
# cat >/etc/yum.repos.d/opentofu.repo <<EOF
[opentofu]
name=opentofu
baseurl=https://packages.opentofu.org/opentofu/tofu/rpm_any/rpm_any/\$basearch
repo_gpgcheck=0
gpgcheck=1
enabled=1
gpgkey=https://get.opentofu.org/opentofu.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

[opentofu-source]
name=opentofu-source
baseurl=https://packages.opentofu.org/opentofu/tofu/rpm_any/rpm_any/SRPMS
repo_gpgcheck=0
gpgcheck=1
enabled=1
gpgkey=https://get.opentofu.org/opentofu.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
EOF

When the repo is created, you just need to use yum (or dnf) like this:

$ sudo dnf install -y tofu

You can verify that OpenTofu is installed correctly by running the following command that returns the installed version:

$ tofu version
OpenTofu v1.6.0-rc1
on linux_amd64

Terraform code

To test, we download the code from GitHub (v1.9.2):

$ git clone https://github.com/lefred/oci-wordpress-mds.git
cd oci-wordpress-mds

We need to first copy the file terraform.tfvars.template to terraform.tvars and edit the content with our OCI information (tenancy, ocids, keys, …).

When ready, we can start with the initialization of the environment:

$ tofu init

Initializing the backend...
Initializing modules...
- mds-instance in modules/mds-instance
- wordpress in modules/wordpress

Initializing provider plugins...
- Finding latest version of hashicorp/template...
- Finding latest version of hashicorp/oci...
- Finding latest version of hashicorp/tls...
- Installing hashicorp/template v2.2.0...
- Installed hashicorp/template v2.2.0 (signed, key ID 0C0AF313E5FD9F80)
- Installing hashicorp/tls v4.0.5...
- Installed hashicorp/tls v4.0.5 (signed, key ID 0C0AF313E5FD9F80)

Providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://opentofu.org/docs/cli/plugins/signing/
╷
│ Error: Failed to query available provider packages
│ 
│ Could not retrieve the list of available versions for provider hashicorp/oci: provider registry
│ registry.opentofu.org does not have a provider named registry.opentofu.org/hashicorp/oci
│ 
│ All modules should specify their required_providers so that external consumers will get the correct
│ providers when using a module. To see which modules are currently depending on hashicorp/oci, run the
│ following command:
│     tofu providers
│ 
│ If you believe this provider is missing from the registry, please submit a issue on the OpenTofu
│ Registry https://github.com/opentofu/registry/issues/
╵

With Terraform, the same code will work but will return the following warning:

│ Warning: Additional provider information from registry
│ 
│ The remote registry returned warnings for registry.terraform.io/hashicorp/oci:
│ - For users on Terraform 0.13 or greater, this provider has moved to oracle/oci. Please update your
│ source in required_providers.
╵

Provider

Step 1 is to fix the provider and use Oracle’s OCI. We edit provider.tf and we add the following lines:

terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
    }
  }
}

We can run again the init command:

$ tofu init

Initializing the backend...
Initializing modules...

Initializing provider plugins...
- Finding latest version of hashicorp/template...
- Finding latest version of hashicorp/oci...
- Finding latest version of oracle/oci...
- Finding latest version of hashicorp/tls...
- Installing hashicorp/template v2.2.0...
- Installed hashicorp/template v2.2.0 (signed, key ID 0C0AF313E5FD9F80)
- Installing oracle/oci v5.23.0...
- Installed oracle/oci v5.23.0 (signed, key ID 1533A49284137CEB)
- Installing hashicorp/tls v4.0.5...
- Installed hashicorp/tls v4.0.5 (signed, key ID 0C0AF313E5FD9F80)

Providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://opentofu.org/docs/cli/plugins/signing/
╷
│ Error: Failed to query available provider packages
│ 
│ Could not retrieve the list of available versions for provider hashicorp/oci: provider registry
│ registry.opentofu.org does not have a provider named registry.opentofu.org/hashicorp/oci
│ 
│ Did you intend to use oracle/oci? If so, you must specify that source address in each module which
│ requires that provider. To see which modules are currently depending on hashicorp/oci, run the
│ following command:
│     tofu providers
│ 
│ If you believe this provider is missing from the registry, please submit a issue on the OpenTofu
│ Registry https://github.com/opentofu/registry/issues/

We can see that the oracle/oci v5.23.0 provider plugin was installed, but it still fails. Let’s run the recommended tofu providers command:

$ tofu providers

Providers required by configuration:
.
├── provider[registry.opentofu.org/hashicorp/tls]
├── provider[registry.opentofu.org/hashicorp/template]
├── provider[registry.opentofu.org/oracle/oci]
├── module.wordpress
│   ├── provider[registry.opentofu.org/hashicorp/oci]
│   └── provider[registry.opentofu.org/hashicorp/template]
└── module.mds-instance
    └── provider[registry.opentofu.org/hashicorp/oci]

We can observe that the oracle/oci provider plugin is indeed used for the root (.) but we can also see that for the 2 modules (wordpress and mds-instance), hashicorp/oci is still used (and not found).

Let’s add a provider.tf file containing the following lines in both modules:

terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
    }
  }
}

If we check again the providers, we can see now that they all use the correct one:

$ tofu providers

Providers required by configuration:
.
├── provider[registry.opentofu.org/oracle/oci]
├── provider[registry.opentofu.org/hashicorp/tls]
├── provider[registry.opentofu.org/hashicorp/template]
├── module.mds-instance
│   └── provider[registry.opentofu.org/oracle/oci]
└── module.wordpress
    ├── provider[registry.opentofu.org/oracle/oci]
    └── provider[registry.opentofu.org/hashicorp/template]

We can run init again:

$ tofu init

Initializing the backend...
Initializing modules...

Initializing provider plugins...
- Finding latest version of oracle/oci...
- Finding latest version of hashicorp/tls...
- Finding latest version of hashicorp/template...
- Installing oracle/oci v5.23.0...
- Installed oracle/oci v5.23.0 (signed, key ID 1533A49284137CEB)
- Installing hashicorp/tls v4.0.5...
- Installed hashicorp/tls v4.0.5 (signed, key ID 0C0AF313E5FD9F80)
- Installing hashicorp/template v2.2.0...
- Installed hashicorp/template v2.2.0 (signed, key ID 0C0AF313E5FD9F80)

Providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://opentofu.org/docs/cli/plugins/signing/

OpenTofu has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that OpenTofu can guarantee to make the same selections by default when
you run "tofu init" in the future.

OpenTofu has been successfully initialized!

You may now begin working with OpenTofu. Try running "tofu plan" to see
any changes that are required for your infrastructure. All OpenTofu commands
should now work.

If you ever set or change modules or backend configuration for OpenTofu,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Perfect ! Note that with Terraform the warnings will also be gone.

OpenTofu Plan & Apply

We can now plan and if no error, we can easily apply:

$ tofu plan
[...]
Plan: 14 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + mds_instance_ip       = (known after apply)
  + ssh_private_key       = "/home/fred/.ssh/id_rsa_oci"
  + wordpress_db_password = "MyWPpassw0rd!"
  + wordpress_db_user     = "wp"
  + wordpress_public_ip   = (known after apply)
  + wordpress_schema      = "wordpress"

$ tofu apply

And it’s deployed !