OpenTofu, an open-source infrastructure-as-code tool for declaratively defining, provisioning, and managing cloud and on-prem resources, is maintained as a community-driven fork of Terraform. The project has released version 1.11 with two main additions.
The first one is support for ephemeral resources and write-only attributes. Ephemeral values exist only in memory during a single OpenTofu operation and are never written to plans or state snapshots. This allows temporary data—such as time-limited credentials, SSH tunnels, or transient configuration inputs—to be generated and consumed securely without appearing in stored files.
The second is the new write-only attributes, which complement this approach by allowing sensitive arguments, such as initial passwords or private keys, to be passed to resources without OpenTofu retaining a copy.
On top of that, version 1.11 introduces the new enabled meta-argument, designed to make resource and module behavior clearer. While practitioners have traditionally relied on the count argument to toggle whether zero or one instance should be created, enabled provides an explicit and more readable mechanism.
When set to true, a resource or module is created; when set to false, it is skipped entirely. This improvement applies uniformly to both resources and modules, reducing complexity in larger configurations.
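The three features described above can be combined in one configuration. The sketch below is an added example, not taken from the announcement or the OpenTofu project: the resource names, the variable, the placement of enabled inside the lifecycle block, and the random and AWS provider attributes (secret_string_wo, password_wo and their version arguments) are assumptions about provider versions that support ephemeral resources and write-only attributes.

```hcl
# Added example: names and provider attributes are assumptions, not from the article.
variable "create_database" {
  type    = bool
  default = true
}

# Generated in memory on each run; never written to plan or state.
ephemeral "random_password" "db" {
  length = 24
}

resource "aws_secretsmanager_secret" "db" {
  name = "app-db-password"
}

# Write-only argument: the value is sent to the provider but not stored.
# With no stored value to diff, bump the version to push a new secret.
resource "aws_secretsmanager_secret_version" "db" {
  secret_id                = aws_secretsmanager_secret.db.id
  secret_string_wo         = ephemeral.random_password.db.result
  secret_string_wo_version = 1
}

# Read the stored secret back ephemerally so later runs see the same value
# instead of a freshly generated one.
ephemeral "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret_version.db.secret_id
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password_wo         = ephemeral.aws_secretsmanager_secret_version.db.secret_string
  password_wo_version = 1
  skip_final_snapshot = true

  # Replaces the older pattern: count = var.create_database ? 1 : 0
  lifecycle {
    enabled = var.create_database
  }
}
```

After an apply, the output of tofu state pull can be searched for the password to confirm that the write-only arguments were not persisted.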
Beyond these headline changes, the release includes a wide range of incremental improvements across the language and runtime. Users can refer to the “What’s New” documentation and the OpenTofu 1.11 full changelog for a detailed overview of all changes and fixes. Here’s the official announcement.
