Install MCPG with OpenTofu
Run the MCPG module suite and native provider on OpenTofu, with native client-side state and plan encryption plus OCI-registry distribution for air-gapped sites.
OpenTofu (Linux Foundation, MPL-2.0) runs the same terraform-mcpg module
suite and native provider as Terraform — nothing is forked. Start from the
Terraform guide; this page covers only the
OpenTofu-specific capabilities you gain, and the floors they need.
Why OpenTofu? If procurement requires an OSI-approved IaC tool, OpenTofu is the recommended choice — with full Terraform support retained, so the decision stays yours.
Everything from Terraform, unchanged
Every module, example, and command in the
Terraform guide works under tofu at the documented
floor (OpenTofu ≥ 1.7). Replace terraform with tofu. The same prerequisites
apply — including cert-manager (the operator module defaults webhook TLS on)
and the beta note that the operator chart is not yet published to a registry
(source it from a local path for now); see the
Terraform prerequisites:
cd examples/single-gateway
tofu init && tofu apply -var kubeconfig=~/.kube/config
The Nx targets expose a tofu configuration directly:
nx run terraform-mcpg:validate:tofu
nx run terraform-mcpg:test:tofu
State and plan encryption (OpenTofu ≥ 1.7)
OpenTofu encrypts state and plan files client-side — at rest in the backend,
in transit, and on disk in CI. MCPG ships this as a .tofu overlay (loaded by
tofu, ignored by terraform), so it activates only under OpenTofu:
# encryption.tofu (beside the .tf baseline)
terraform {
encryption {
key_provider "aws_kms" "fleet" {
kms_key_id = var.state_kms_key_arn
region = var.region
key_spec = "AES_256"
}
method "aes_gcm" "fleet" { keys = key_provider.aws_kms.fleet }
state { method = method.aes_gcm.fleet }
plan { method = method.aes_gcm.fleet }
}
}
Key providers: PBKDF2 (passphrase), AWS KMS, GCP KMS, OpenBao, or
an external command. This is defence-in-depth on top of MCPG's
no-secret-in-state invariant (the modules still reference Secrets by name).
examples/single-gateway ships a PBKDF2 overlay you can swap for KMS.
OCI-native distribution and air-gap (OpenTofu ≥ 1.10)
OpenTofu can pull modules and providers from an OCI registry — so an air-gapped site mirrors the IaC artefacts in the same in-cluster OCI registry that already mirrors plugin images (one mirror, one trust root).
Modules via oci:// sources:
module "operator" {
source = "oci://registry.internal/mcpg/tofu-modules/operator?tag=0.3.1"
}
Providers via a CLI-config mirror (~/.tofurc or $TF_CLI_CONFIG_FILE):
provider_installation {
oci_mirror {
repository_template = "registry.internal/mcpg/tofu-providers/${type}"
include = ["registry.opentofu.org/*/*"]
}
}
Combine with the airgap module (an in-cluster MCPGPluginMirror + digest-pinned
plugins) for a fully offline install with zero public-registry references.
Multi-cluster fleets (provider for_each)
OpenTofu's provider for_each lets you iterate provider configurations — one
kubernetes/helm provider per cluster — and drive the tenant/gateway
modules across a fleet from a single root, which is awkward on Terraform today.
Licensing and floors
| Capability | OpenTofu floor |
|---|---|
| Baseline (all modules + provider) | ≥ 1.7 (tracks the Terraform floor) |
| State and plan encryption | ≥ 1.7 |
| OCI-native module/provider distribution | ≥ 1.10 |
OpenTofu is MPL-2.0; Terraform is BUSL-1.1. MCPG publishes the module and provider to both the Terraform Registry and the OpenTofu Registry.
How it's kept compatible
Compatibility is engineered, not assumed: MCPG's CI runs the full module-test and
acceptance matrix under both terraform and tofu at their floors, plus a
scheduled "divergence-watch" lane against the latest releases of each. A failure
on either CLI fails the build.
See also
- Install MCPG with Terraform — the shared module suite
- Terraform provider — typed resources, plan-time validation
- Pulumi — the same capabilities in a general-purpose language
- Operator CRD reference — the 8
mcpg.devCRDs