opentofu
OpenTofu
Overview
OpenTofu is an open-source infrastructure as code tool that uses HCL (HashiCorp Configuration Language) to declaratively manage cloud infrastructure. It is a community-driven fork of Terraform, fully compatible with existing Terraform providers and modules, with exclusive features like native state encryption. Pulumi provides an alternative IaC approach using general-purpose languages (TypeScript, Python, Go) instead of HCL.
When to use: Managing cloud infrastructure declaratively, provisioning multi-cloud resources, enforcing infrastructure consistency across environments, encrypting state at rest (OpenTofu), using familiar programming languages for IaC (Pulumi).
When NOT to use: One-off scripts better suited to CLI tools, application-level configuration management (use Ansible/Chef), container orchestration logic (use Kubernetes manifests), simple static hosting (use platform-native tools).
Quick Reference
| Pattern | Tool / Command | Key Points |
|---|---|---|
| Initialize project | | Downloads providers, initializes backend |
| Preview changes | | Shows diff without applying |
| Apply changes | | Provisions/updates resources |
| Destroy resources | | Tears down managed infrastructure |
| Import resource | | Brings existing resource under management |
| State encryption | | OpenTofu-exclusive, AES-GCM with key providers |
| Remote backend | | Store state in cloud storage with locking |
| Workspaces | | Isolated state per environment |
| Module usage | | Reusable infrastructure components |
| Output values | | Expose values for other configs or CI |
| Variable files | | Environment-specific variable overrides |
| Pulumi new project | | Scaffold TypeScript IaC project |
| Pulumi preview | | Shows planned changes |
| Pulumi deploy | | Provisions/updates resources |
| Pulumi config | | Stack-scoped configuration |
| Pulumi secrets | | Encrypted config values |
| Pulumi stacks | | Switch between environments |
| Automation API | | Programmatic stack management |
Common Mistakes
| Mistake | Correct Pattern |
|---|---|
| Storing state locally in team environments | Configure remote backend (S3, GCS, Azure Blob) with state locking |
| Hardcoding provider credentials in HCL | Use environment variables or provider-specific auth chains |
| Using | Run |
| Editing state manually | Use |
| Ignoring | Commit lock file for reproducible provider versions |
| Using | Prefer |
| Sharing one workspace for all environments | Use separate workspaces or backend config per environment |
| Putting secrets in | Use |
| Pulumi: creating resources outside component classes | Wrap related resources in ComponentResource for reuse |
| Pulumi: not awaiting async operations | Ensure all resource operations complete before stack export |
| Skipping | Always plan and require approval before apply in pipelines |
| Not using | Prefer full plans; |
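The overview's native state encryption and the first two rows of the table above (remote backend with locking, no hardcoded credentials) come together in one `terraform` block. This is an added illustration, not configuration from the original page; the bucket, lock table and KMS alias names are placeholders.

```hcl
terraform {
  # Remote state with locking: the S3 backend takes a lock in a DynamoDB table
  # so two concurrent applies cannot both write the state file.
  backend "s3" {
    bucket         = "example-tofu-state"   # placeholder bucket name
    key            = "prod/network.tfstate"
    region         = "us-east-1"
    dynamodb_table = "example-tofu-locks"   # placeholder lock table
    encrypt        = true                   # server-side encryption in the bucket
  }

  # OpenTofu-exclusive client-side state encryption. The AES-GCM key is
  # fetched from a KMS key provider, so no key material sits in the
  # configuration, in version control, or inside the state file itself.
  encryption {
    key_provider "aws_kms" "state_key" {
      kms_key_id = "alias/example-tofu-state"  # placeholder key alias
      region     = "us-east-1"
      key_spec   = "AES_256"
    }

    method "aes_gcm" "state_aead" {
      keys = key_provider.aws_kms.state_key
    }

    state {
      method   = method.aes_gcm.state_aead
      enforced = true   # refuse to read or write unencrypted state
    }

    # Saved plan files contain the same resource attributes as state,
    # so they get the same treatment.
    plan {
      method = method.aes_gcm.state_aead
    }
  }
}

provider "aws" {
  region = "us-east-1"
  # No access keys here: credentials come from the provider's auth chain
  # (environment variables, shared profile, or the CI job's assumed role).
}
```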
Delegation
- Infrastructure pattern discovery: Use agent Explore
- IaC code review: Use agent Task
- Drift detection analysis: Use agent Task
If the amazon-web-services skill is available, delegate AWS resource patterns to it. If the docker skill is available, delegate container infrastructure patterns to it. If the github-actions skill is available, delegate CI/CD pipeline patterns to it.
References
- HCL syntax, resources, data sources, and providers
- Modules, composition, and reusable infrastructure
- State management, remote backends, and locking
- State encryption with OpenTofu-exclusive key providers
- Variables, outputs, and environment configuration
- Workspaces and multi-environment setups
- Import existing infrastructure and migration patterns
- Pulumi TypeScript and Python SDK patterns
- Pulumi stacks, config, secrets, and automation API
- CI/CD integration and drift detection