Getting Started With OpenTofu (v1.7.0) on AWS — State Encryption.
OpenTofu is a new open source tool for Infrastructure-as-Code (IaC) management across multiple cloud providers, created by the community following HashiCorp's Terraform license change. With the recent v1.7.0 release, OpenTofu now supports state file encryption. This guide explains how to configure OpenTofu to manage AWS resources with encrypted state files stored on a remote AWS S3 bucket backend, using AWS Key Management Service (KMS) for the encryption keys.

1 — Why State Encryption

State encryption is a very important security feature for infrastructure-as-code tools such as Terraform and OpenTofu. Initially, these tools stored the entire state file, including potentially sensitive access keys, passwords and resource details, in the clear in backend storage such as S3 buckets or local files. This meant that anyone able to read the state file could see all of the confidential data, creating a significant risk if the state file was compromised. Encrypting the contents of the state file protects this sensitive information from unauthorized access. Without encryption, infrastructure credentials and provisioning secrets could be exposed, allowing malicious actors to make unwanted changes or gain access to private systems and data. ...
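As an added example (not code from the original guide), the OpenTofu 1.7 configuration that implements the setup described above: a KMS-backed key provider, an AES-GCM encryption method, and enforced encryption of both state and plan files on top of an S3 backend. The KMS key ARN, bucket, table and region values are placeholders to be replaced with your own.

```hcl
terraform {
  # Client-side state/plan encryption (OpenTofu >= 1.7.0).
  encryption {
    # Key provider: asks KMS for a fresh AES-256 data key and stores it
    # alongside the state in KMS-wrapped form. Decrypting the state later
    # therefore requires kms:Decrypt on this key, not just s3:GetObject.
    key_provider "aws_kms" "state_kms" {
      kms_key_id = "arn:aws:kms:eu-west-1:123456789012:key/PLACEHOLDER-KEY-ID" # placeholder
      region     = "eu-west-1"
      key_spec   = "AES_256"
    }

    # Encryption method: AES-GCM (authenticated encryption) with the key above,
    # so tampering with the stored state is detected, not just hidden.
    method "aes_gcm" "state_aes" {
      keys = key_provider.aws_kms.state_kms
    }

    # Encrypt the state file. enforced = true makes tofu refuse to operate on
    # unencrypted state, so a misconfiguration fails loudly instead of
    # silently writing plaintext to the bucket.
    state {
      method   = method.aes_gcm.state_aes
      enforced = true
    }

    # Plan files carry the same secrets as state; encrypt them too.
    plan {
      method   = method.aes_gcm.state_aes
      enforced = true
    }
  }

  # Remote backend. encrypt = true adds S3 server-side encryption as defence
  # in depth; the client-side layer above is what keeps the contents
  # unreadable to anyone who can merely download the object.
  backend "s3" {
    bucket         = "example-tofu-state"     # placeholder
    key            = "prod/terraform.tfstate" # placeholder
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "example-tofu-locks"     # placeholder, used for state locking
  }
}
```

After `tofu init`, inspect the object in S3: an encrypted state contains an `encryption` section with ciphertext rather than readable resource attributes, which is a quick way to verify the configuration took effect.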