Update ghcr.io/opentofu/opentofu Docker tag to v1.11.5

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
ghcr.io/opentofu/opentofu	final	minor	1.8.4-arm64 → 1.11.5-arm64
ghcr.io/opentofu/opentofu	final	minor	1.8.4-arm → 1.11.5-arm
ghcr.io/opentofu/opentofu	final	minor	1.8.4-amd64 → 1.11.5-amd64
ghcr.io/opentofu/opentofu	final	minor	1.8.4-386 → 1.11.5-386

---

Release Notes

opentofu/opentofu (ghcr.io/opentofu/opentofu)

v1.11.5

Compare Source

BUG FIXES:

• Add universe_domain option in the gcs backend to support sovereign GCP services (#​3758)
• The azurerm backend's MSI authentication method will now respect the provided client ID (#​3586)
• Using a network mirror for the providers source does not print debug logs without being asked for (#​3736)

Full Changelog: https://github.com/opentofu/opentofu/blob/67fe9db49b7dafd46470cf9ac7f437aaa95f5c40/CHANGELOG.md

v1.11.4

Compare Source

SECURITY ADVISORIES:

• Previous releases in the v1.11 series could potentially take an excessive amount of time processing a maliciously-crafted .zip archive during either provider or module installation during tofu init. (#​3689)

BREAKING CHANGES:

• Modules containing local provider configurations now also reject the enabled argument, matching existing behavior for count, for_each, and depends_on. (#​3680)

  This was an oversight in the original design of the enabled feature and was missed during the review process. Although our goal is to not introduce breaking changes in patch releases, in some cases it may be warranted. Anyone who has used the enabled feature in this particular way will have unintentionally introduced a foot-gun into their infrastructure and should remedy it post-haste.

BUG FIXES:

• In JSON syntax, the state encryption method configuration now allows specifying keys using both normal expression syntax and using template interpolation syntax. Previously only the template interpolation syntax was allowed, which was inconsistent with other parts of the encryption configuration. (#​3654)
• Providers are not configured anymore with DeferralAllowed capability of OpenTofu since having that created unwanted behaviour from some providers. (#​3676)
• Resources containing write-only attributes now are rendered consistently during planning. (#​3667)

Full Changelog: opentofu/opentofu@v1.11.3...v1.11.4

v1.11.3

Compare Source

BUG FIXES:

• Fix crash when the executed configuration contains an import block that points to unexisting configuration block (#​3616)
• Fixed tofu test with mock_provider failing during cleanup when lifecycle { ignore_changes } references a block. (#​3644)
• Fixed state lock not being released when tofu apply is interrupted with Ctrl+C while using the HTTP backend. (#​3624)
• azure backend: resolve OIDC token dynamically to support ADO refresh. (#​3594)

Full Changelog: opentofu/opentofu@v1.11.2...v1.11.3

v1.11.2

Compare Source

UPGRADE NOTES:

• The change from #​2643, that was announced previously in v1.11.0, has been reverted in this release. OpenTofu will no longer directly recommend using the -exclude= option to work around problems caused by unknown values in provider configurations.

  Unfortunately there are existing providers that spuriously report that they cannot plan due to unknown values even when planning would have been successful, and so we cannot rely on providers to accurately signal when unknown values are the cause of an error. Using -exclude is still a valid workaround for these problems even though OpenTofu cannot accurately detect when it's useful to make that suggestion.

BUG FIXES:

• Fix crash in plan -generate-config-out with read-only nested attributes (#​3553)
• It's now possible again to plan changes with the hashicorp/helm and hashicorp/kubernetes providers when the provider configuration contains unknown values, as long as the configuration is carefully written to avoid the plan phase actually depending on those values. (#​3592)
• When running tofu init on Windows with an azurerm backend, the subscription_id is quoted correctly allowing successful authentication. (#​3602)
• Fix serialization error in apply when using cloud backend (#​3611)

Full Changelog: opentofu/opentofu@v1.11.1...v1.11.2

v1.11.1

Compare Source

BUG FIXES:

• Fixed regression where import validation would incorrectly flag variables used in for_each statements within import blocks (#​3564)
• Fixed lifecycle enabled serialization in plan file (#​3566)
• Fixed regression when validating import.id expressions (#​3567)

Full Changelog: opentofu/opentofu@v1.11.0...v1.11.1

v1.11.0

Compare Source

OpenTofu 1.11.0

We're proud to announce that OpenTofu 1.11.0 is now officially available! 🎉

Highlights

This release cycle introduces major new capabilities and integrations:

Ephemeral Values and Write Only Attributes

Ephemeral resources allow you to work with confidential data, temporary credentials, and transient infrastructure without persisting them to your state.

ephemeral "aws_secretsmanager_random_password" "password" {

}

resource "kubernetes_secret_v1" "credentials" {
  metadata {
    name = "admin"
    namespace = "my-app"
  }
  data_wo = {
    username = "admin"
    password = ephemeral.aws_secretsmanager_random_password.password.random_password
  }

  data_wo_revision = 1
  type = "kubernetes.io/basic-auth"
}

The enabled Meta-Argument

If you want to conditionally deploy a resource, you no longer have to use count = var.create_my_resource ? 1 : 0, you can now add the new enabled meta-argument to your resource to conditionally deploy it.

resource "aws_instance" "web" {
  ami           = "ami-12345"
  instance_type = "t3.micro"

  lifecycle {
    enabled = var.create_instance  # Simple boolean condition
  }
}

Compatibility Notes

• macOS: Requires macOS 12 Monterey or later

• Azure Backend (azurerm):

  • The endpoint and ARM_ENDPOINT configuration options are no longer supported
  • The msi_endpoint and ARM_MSI_ENDPOINT options are no longer supported
  • The environment and metadata_host arguments are now mutually exclusive

• issensitive() Function: Now correctly returns unknown results when evaluating unknown values. Code that previously relied on the incorrect behavior may need updates.

• Testing with Mocks: Mock values generated during testing now strictly adhere to provider schemas. Test configurations with invalid mock values will need to be corrected.

• S3 Module Installation: When installing module packages from Amazon S3 buckets using S3 source addresses OpenTofu will use the same credentials as the AWS CLI and SDK.

• TLS and SSH Security:

  • SHA-1 signatures are no longer accepted for TLS or SSH connections
  • SSH certificates must comply with the draft-miller-ssh-cert-03 specification

• -var/-var-file during tofu apply <planfile>:

  • Since ephemeral variables values cannot be saved into the plan, now we allow using -var/-var-file during tofu apply <planfile> to pass again the values for ephemeral variables during apply
  • This new functionality allows -var/-var-file to be used with non-ephemeral variables too, but it will error if the values given for this type of variables is different from the ones given during the plan creation
  • TF_VAR values should stay consistent between plan and apply <planfile> to avoid the errors mentioned above

Reference

• Full Changelog
• Blog Post

Thank you for your continued support and testing of the OpenTofu project!

v1.10.9

Compare Source

SECURITY ADVISORIES:

This release contains fixes for some security advisories related to previous releases in this series.

• No limit on number of query string arguments in net/url's ParseQuery
  This release incorporates the upstream fixes for GO-2026-4341.

• crypto/tls handling of multiple messages that span across encryption level boundaries
  This release incorporates the upstream fixes for GO-2026-4340.

BUG FIXES:

Using a network mirror for the providers source does not print debug logs without being asked for (#​3736)

Full Changelog: https://github.com/opentofu/opentofu/blob/0de30e8050bc32dfada2c4c978e736239e0ab265/CHANGELOG.md

v1.10.8

Compare Source

SECURITY ADVISORIES:

This release contains fixes for some security advisories related to previous releases in this series.

• Incorrect handling of excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs

  This release incorporates the upstream fixes for GO-2025-4175.

• Excessive CPU usage when reporting error about crafted TLS certificate with many hostnames

  This release incorporates the upstream fixes for GO-2025-4155.

Full Changelog: opentofu/opentofu@v1.10.7...v1.10.8

v1.10.7

Compare Source

SECURITY ADVISORIES:

This release contains fixes for some security advisories related to previous releases in this series.

• tofu init in OpenTofu v1.10.6 and earlier could potentially use unbounded memory if there is a direct or indirect dependency on a maliciously-crafted module package distributed as a "tar" archive.

  This would require the attacker to coerce a root module author to depend (directly or indirectly) on a module package they control, using the HTTP, Amazon S3, or Google Cloud Storage source types to refer to a tar archive.

  This release incorporates the upstream fixes for CVE-2025-58183.

• When making requests to HTTPS servers, OpenTofu v1.10.6 and earlier could potentially use unbounded memory or crash with a "panic" error if TLS verification involves an excessively-long certificate chain or a chain including DSA public keys.

  This affected all outgoing HTTPS requests made by OpenTofu itself, including requests to HTTPS-based state storage backends, module registries, and provider registries. For example, an attacker could coerce a root module author to depend (directly or indirectly) on a module they control which then refers to a module or provider from an attacker-controlled registry. That mode of attack would cause failures in tofu init, at module or provider installation time.

  Provider plugins contain their own HTTPS client code, which may have similar problems. OpenTofu v1.10.7 cannot address similar problems within provider plugins, and so we recommend checking for similar advisories and fixes in the provider plugins you use.

  This release incorporates upstream fixes for CVE-2025-58185, CVE-2025-58187, and CVE-2025-58188.

BUG FIXES:

• Fix crash in tofu test when using deprecated outputs (#​3249)
• Fix missing provider functions when parentheses are used (#​3402)
• for_each inside dynamic blocks can now call provider-defined functions. (#​3429)

Full Changelog: opentofu/opentofu@v1.10.6...v1.10.7

v1.10.6

Compare Source

1.10.6

UPGRADE NOTES:

• Upgrade go from 1.24.4 to 1.24.6 to fix GO-2025-3849 (3127)
• Upgrade github.com/openbao/openbao/api/v2 from 2.1.0 to 2.3.0 to fix GO-2025-3783 (3134)
  • The upgrade is necessary to silence the security scanner and does not affect the actual state encryption provided by OpenBao.

BUG FIXES:

• Variables with validation no longer interfere with the destroy process (#​3131)
• Fixed crash when processing multiple deprecated marks on a complex object (#​3105)
• When OpenTelemetry encounters errors, log it at the warning level instead of panic (#​3235)

Full Changelog: opentofu/opentofu@v1.10.5...v1.10.6

v1.10.5

Compare Source

BUG FIXES:

• Fixed issue where usage of TF_PLUGIN_CACHE_DIR could result in unexpected lock contention errors (#​3090)
  • NOTE: It is still highly recommended to have valid .terraform.lock.hcl files in projects using TF_PLUGIN_CACHE_DIR

Full Changelog: opentofu/opentofu@v1.10.4...v1.10.5

v1.10.4

Compare Source

BUG FIXES:

• Fixed crash where sensitive set values used in for_each could cause a panic. (#​3070)
• Fixed incorrect approach to mocking provider "ReadResource" calls in test. (#​3068)
• Reduced calls to ListKeys in azure backend (for rate limiting). (#​3083)

Full Changelog: opentofu/opentofu@v1.10.3...v1.10.4

v1.10.3

Compare Source

1.10.3

BUG FIXES:

• OpenTofu will no longer crash in a rare case where a dynamically-invalid expression has its error suppressed by try or can and then that expression becomes relevant for deciding whether to report a "change outside of OpenTofu" in the human-oriented plan diff. (#​2988)
• Ensure provider downloads into temp are cleaned up correctly on windows. (#​2843)
• Correctly handle structural typed attributes during test provider mocking. (#​2994)
• Fix erroneous detection of changes with sensitive resource attributes. (#​3024)

Full Changelog: opentofu/opentofu@v1.10.2...v1.10.3

v1.10.2

Compare Source

1.10.2

• S3 backend now correctly sends the x-amz-server-side-encryption header for the lockfile. (#​2870)
• A provider source address explicitly using the hostname registry.terraform.io will no longer cause errors related to a corresponding provider on registry.opentofu.org when executing workflow commands like plan and apply. (#​2979)

Full Changelog: opentofu/opentofu@v1.10.1...v1.10.2

v1.10.1

Compare Source

BUG FIXES:

• Fix TF_APPEND_USER_AGENT handling in the S3 remote state backend. (#​2955)

OTHER CHANGES:

• OpenTofu is now built with Go 1.24.4, which should clear some false-positive indirect security advisories.

v1.10.0

Compare Source

OpenTofu 1.10.0

We're thrilled to announce the release of OpenTofu 1.10.0, our most comprehensive update yet! This release represents months of dedicated work from our community, introducing some fantastic features that will improve how OpenTofu users manage and distribute infrastructure as code.

Highlights

This release cycle introduces major new capabilities and integrations:

OCI Registry Support

Full integration with OCI registries for both provider and module distribution, valuable for organizations with private infrastructure-as-code components, air-gapped environments, or enhanced security requirements.

# Use OCI modules directly in your configuration (normal .tf files)
module "vpc" {
  source = "oci://example.com/modules/vpc/aws"
}

# Configure OCI registry mirrors in your CLI configuration (e.g. .tofurc)
provider_installation {
  oci_mirror {
    repository_template = "example.com/opentofu-providers/${namespace}/${type}"
    include             = ["registry.opentofu.org/*/*"]
  }
}

For more information, refer to Module Packages in OCI Registries and Provider Mirrors in OCI Registries.

Native S3 Locking

Simplify your infrastructure by using S3's conditional writes capability for state locking, eliminating the need for a separate DynamoDB table.

terraform {
  backend "s3" {
    bucket       = "tofu-state-backend"
    key          = "statefile"
    region       = "us-east-1"
    use_lockfile = true  # Enable native S3 locking
  }
}

OpenTelemetry Tracing

Gain insights into OpenTofu operations with experimental OpenTelemetry tracing, completely local and under your control.

# Launch a tracing backend like Jaeger
docker run -d --name jaeger \
  -p 16686:16686 -p 4317:4317 \
  jaegertracing/jaeger:2.5.0

# Configure OpenTofu to use OpenTelemetry
export OTEL_TRACES_EXPORTER=otlp
export OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
export OTEL_EXPORTER_OTLP_INSECURE=true

# Run your operations and view traces at http://localhost:16686
tofu init

Resource Management with Target Files

Manage complex deployments more easily with the new -target-file and -exclude-file options, allowing version-controlled resource targeting patterns.

# Create a targets.txt file
# Critical infrastructure components
module.networking.aws_vpc.main
module.networking.aws_subnet.public[*]

# Apply only those resources
tofu apply -target-file=targets.txt

# Similarly, create an excludes.txt file to skip certain resources
tofu plan -exclude-file=excludes.txt

Compatibility Notes

• Linux: Requires kernel version 3.2 or later
• macOS: Requires macOS 11 Big Sur or later
• The ghcr.io/opentofu/opentofu image is no longer supported as a base image
• Windows: Symbolic links and junctions are now handled differently
• The PostgreSQL backend in OpenTofu 1.10 should not be used alongside older versions

Reference

• Full Changelog
• GitHub Comparison: v1.9.0...v1.10.0
• Blog Post

v1.9.4

Compare Source

1.9.4

BUG FIXES:

• Variables with validation no longer interfere with the destroy process (#​3131)

Full Changelog: opentofu/opentofu@v1.9.3...v1.9.4

v1.9.3

Compare Source

BUG FIXES:

• Fixed incorrect approach to mocking provider "ReadResource" calls in test. (#​3068)
• Reduced calls to ListKeys in azure backend (for rate limiting). (#​3083)

Full Changelog: opentofu/opentofu@v1.9.2...v1.9.3

v1.9.2

Compare Source

1.9.2

BUG FIXES:

• OpenTofu will no longer crash in a rare case where a dynamically-invalid expression has its error suppressed by try or can and then that expression becomes relevant for deciding whether to report a "change outside of OpenTofu" in the human-oriented plan diff. (#​2988)
• Ensure provider downloads into temp are cleaned up correctly on windows. (#​2843)
• Correctly handle structural typed attributes during test provider mocking. (#​2994)
• Fix erroneous detection of changes with sensitive resource attributes. (#​3024)

Full Changelog: opentofu/opentofu@v1.9.1...v1.9.2

v1.9.1

Compare Source

BUG FIXES:

• Provider used in import is correctly identified. (#​2336)
• plantimestamp() now returns unknown value during validation (#​2397)
• Syntax error in the required_providers block does not panic anymore, but yields "syntax error" (2344)
• Fix the error message when default value of a complex variable is containing a wrong type (2394)
• Changing Go version to 1.22.11 in order to fix CVE-2024-45336 and CVE-2024-45341 (#​2438)
• Fix the way OpenTofu downloads a module that is sourced from a GitHub branch containing slashes in the name. (2396)
• Changing Go version to 1.22.12 in order to fix CVE-2025-22866 and CVE-2024-45341 (#​2438)

Full Changelog: opentofu/opentofu@v1.9.0...v1.9.1

v1.9.0

Compare Source

We're proud to announce that OpenTofu 1.9.0 is now officially out! 🎉

This release includes a lot of major and minor new features, as well as a ton of community contributions!

The highlights are:

• for_each in provider configuration blocks: An alternate (aka "aliased") provider configuration can now have multiple dynamically-chosen instances using the for_each argument:

  provider "aws" {
    alias    = "by_region"
    for_each = var.aws_regions
  
    region = each.key
  }

  Each instance of a resource can also potentially select a different instance of the associated provider configuration, making it easier to declare infrastructure that ought to be duplicated for each region.

• -exclude planning option: similar to -target, this allows operators to tell OpenTofu to work on only a subset of the objects declared in the configuration or tracked in the state.

  tofu plan -exclude=kubernetes_manifest.crds

  While -target specifies the objects to include and skips everything not needed for the selected objects, -exclude instead specifies objects to skip. OpenTofu will exclude the selected objects and everything that depends on them.

Please take the above for a spin and let us know your feedback!

For all the features, see the related blog post or the detailed changelog.

You can find the full diff here.

v1.8.11

Compare Source

BUG FIXES:

• Fixed incorrect approach to mocking provider "ReadResource" calls in test. (#​3068)
• Reduced calls to ListKeys in azure backend (for rate limiting). (#​3083)

Full Changelog: opentofu/opentofu@v1.8.10...v1.8.11

v1.8.10

Compare Source

1.8.10

BUG FIXES:

• OpenTofu will no longer crash in a rare case where a dynamically-invalid expression has its error suppressed by try or can and then that expression becomes relevant for deciding whether to report a "change outside of OpenTofu" in the human-oriented plan diff. (#​2988)
• Ensure provider downloads into temp are cleaned up correctly on windows. (#​2843)
• Correctly handle structural typed attributes during test provider mocking. (#​2994)
• Fix erroneous detection of changes with sensitive resource attributes. (#​3024)

Full Changelog: opentofu/opentofu@v1.8.9...v1.8.10

v1.8.9

Compare Source

BUG FIXES:

• Provider used in import is correctly identified. (#​2336)
• plantimestamp() now returns unknown value during validation (#​2397)
• Syntax error in the required_providers block does not panic anymore, but yields "syntax error" (2344)
• Fix the error message when default value of a complex variable is containing a wrong type (2394)
• Fix the way OpenTofu downloads a module that is sourced from a GitHub branch containing slashes in the name. (2396)
• Changing Go version to 1.22.11 in order to fix CVE-2024-45336 and CVE-2024-45341 (#​2438)
• Changing Go version to 1.22.12 in order to fix CVE-2025-22866 and CVE-2024-45341 (#​2438)

Full Changelog: opentofu/opentofu@v1.8.8...v1.8.9

v1.8.8

Compare Source

SECURITY:

• Upgraded golang.org/x/crypto to resolve CVE-2024-45337. (#​2287)
• Upgraded golang.org/x/net to resolve CVE-2024-45338. (#​2311)

BUG FIXES:

• tofu test now removes outputs of destroyed modules between different test runs. (#​2274)

v1.8.7

Compare Source

BUG FIXES:

• Error messages related to validation of sensitive input variables will no longer disclose the sensitive value in the UI. (#​2219)
• Changes to encryption configuration now auto-apply the migration (#​2232)
• Updated github.com/golang-jwt/jwt/v4 from 4.4.2 to 4.5.1 to make security scanners happy (no vulnerability, see #​2179)
• tofu test is now setting nulls for dynamic type when generating mock values. (#​2245)
• Variables declared in test files are now taking into account type default values. (#​2244)

v1.8.6

Compare Source

ENHANCEMENTS:

• OpenTofu builds now use Go version 1.22 (#​2050)

BUG FIXES:

• Extended trace logging for HTTP backend, including request and response bodies. (#​2120)
• The tofu test command doesn't try to validate mock provider definition by its underlying provider schema now. (#​2140)
• Type validation for mocks and overrides are now less strict in tofu test. (#​2144)

v1.8.5

Compare Source

BUG FIXES:

• Provider functions will now handle partially unknown arguments per the tfplugin spec (#​2127)
• tofu init will no longer return a spurious "Backend configuration changed" error when re-initializing a working directory with existing initialization of a backend whose configuration schema has required arguments. This was a regression caused by the similar fix in the v1.8.4 release. (#​2135)

Full Changelog: opentofu/opentofu@v1.8.4...v1.8.5

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.