Update dependency opentofu/opentofu to v1.10.6

[renovate]

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Update	Change
opentofu/opentofu	minor	1.9.0 -> 1.10.6

---

Release Notes

opentofu/opentofu (opentofu/opentofu)

v1.10.6

Compare Source

1.10.6

UPGRADE NOTES:

• Upgrade go from 1.24.4 to 1.24.6 to fix GO-2025-3849 (3127)
• Upgrade github.com/openbao/openbao/api/v2 from 2.1.0 to 2.3.0 to fix GO-2025-3783 (3134)
  • The upgrade is necessary to silence the security scanner and does not affect the actual state encryption provided by OpenBao.

BUG FIXES:

• Variables with validation no longer interfere with the destroy process (#​3131)
• Fixed crash when processing multiple deprecated marks on a complex object (#​3105)
• When OpenTelemetry encounters errors, log it at the warning level instead of panic (#​3235)

Full Changelog: opentofu/opentofu@v1.10.5...v1.10.6

v1.10.5

Compare Source

BUG FIXES:

• Fixed issue where usage of TF_PLUGIN_CACHE_DIR could result in unexpected lock contention errors (#​3090)
  • NOTE: It is still highly recommended to have valid .terraform.lock.hcl files in projects using TF_PLUGIN_CACHE_DIR

Full Changelog: opentofu/opentofu@v1.10.4...v1.10.5

v1.10.4

Compare Source

BUG FIXES:

• Fixed crash where sensitive set values used in for_each could cause a panic. (#​3070)
• Fixed incorrect approach to mocking provider "ReadResource" calls in test. (#​3068)
• Reduced calls to ListKeys in azure backend (for rate limiting). (#​3083)

Full Changelog: opentofu/opentofu@v1.10.3...v1.10.4

v1.10.3

Compare Source

1.10.3

BUG FIXES:

• OpenTofu will no longer crash in a rare case where a dynamically-invalid expression has its error suppressed by try or can and then that expression becomes relevant for deciding whether to report a "change outside of OpenTofu" in the human-oriented plan diff. (#​2988)
• Ensure provider downloads into temp are cleaned up correctly on windows. (#​2843)
• Correctly handle structural typed attributes during test provider mocking. (#​2994)
• Fix erroneous detection of changes with sensitive resource attributes. (#​3024)

Full Changelog: opentofu/opentofu@v1.10.2...v1.10.3

v1.10.2

Compare Source

1.10.2

• S3 backend now correctly sends the x-amz-server-side-encryption header for the lockfile. (#​2870)
• A provider source address explicitly using the hostname registry.terraform.io will no longer cause errors related to a corresponding provider on registry.opentofu.org when executing workflow commands like plan and apply. (#​2979)

Full Changelog: opentofu/opentofu@v1.10.1...v1.10.2

v1.10.1

Compare Source

BUG FIXES:

• Fix TF_APPEND_USER_AGENT handling in the S3 remote state backend. (#​2955)

OTHER CHANGES:

• OpenTofu is now built with Go 1.24.4, which should clear some false-positive indirect security advisories.

v1.10.0

Compare Source

OpenTofu 1.10.0

We're thrilled to announce the release of OpenTofu 1.10.0, our most comprehensive update yet! This release represents months of dedicated work from our community, introducing some fantastic features that will improve how OpenTofu users manage and distribute infrastructure as code.

Highlights

This release cycle introduces major new capabilities and integrations:

OCI Registry Support

Full integration with OCI registries for both provider and module distribution, valuable for organizations with private infrastructure-as-code components, air-gapped environments, or enhanced security requirements.

##### Use OCI modules directly in your configuration (normal .tf files)
module "vpc" {
  source = "oci://example.com/modules/vpc/aws"
}

##### Configure OCI registry mirrors in your CLI configuration (e.g. .tofurc)
provider_installation {
  oci_mirror {
    repository_template = "example.com/opentofu-providers/${namespace}/${type}"
    include             = ["registry.opentofu.org/*/*"]
  }
}

For more information, refer to Module Packages in OCI Registries and Provider Mirrors in OCI Registries.

Native S3 Locking

Simplify your infrastructure by using S3's conditional writes capability for state locking, eliminating the need for a separate DynamoDB table.

terraform {
  backend "s3" {
    bucket       = "tofu-state-backend"
    key          = "statefile"
    region       = "us-east-1"
    use_lockfile = true  # Enable native S3 locking
  }
}

OpenTelemetry Tracing

Gain insights into OpenTofu operations with experimental OpenTelemetry tracing, completely local and under your control.

##### Launch a tracing backend like Jaeger
docker run -d --name jaeger \
  -p 16686:16686 -p 4317:4317 \
  jaegertracing/jaeger:2.5.0

##### Configure OpenTofu to use OpenTelemetry
export OTEL_TRACES_EXPORTER=otlp
export OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
export OTEL_EXPORTER_OTLP_INSECURE=true

##### Run your operations and view traces at http://localhost:16686
tofu init

Resource Management with Target Files

Manage complex deployments more easily with the new -target-file and -exclude-file options, allowing version-controlled resource targeting patterns.

##### Create a targets.txt file
##### Critical infrastructure components
module.networking.aws_vpc.main
module.networking.aws_subnet.public[*]

##### Apply only those resources
tofu apply -target-file=targets.txt

##### Similarly, create an excludes.txt file to skip certain resources
tofu plan -exclude-file=excludes.txt

Compatibility Notes

• Linux: Requires kernel version 3.2 or later
• macOS: Requires macOS 11 Big Sur or later
• The ghcr.io/opentofu/opentofu image is no longer supported as a base image
• Windows: Symbolic links and junctions are now handled differently
• The PostgreSQL backend in OpenTofu 1.10 should not be used alongside older versions

Reference

• Full Changelog
• GitHub Comparison: v1.9.0...v1.10.0
• Blog Post

v1.9.4

Compare Source

1.9.4

BUG FIXES:

• Variables with validation no longer interfere with the destroy process (#​3131)

Full Changelog: opentofu/opentofu@v1.9.3...v1.9.4

v1.9.3

Compare Source

BUG FIXES:

• Fixed incorrect approach to mocking provider "ReadResource" calls in test. (#​3068)
• Reduced calls to ListKeys in azure backend (for rate limiting). (#​3083)

Full Changelog: opentofu/opentofu@v1.9.2...v1.9.3

v1.9.2

Compare Source

1.9.2

BUG FIXES:

• OpenTofu will no longer crash in a rare case where a dynamically-invalid expression has its error suppressed by try or can and then that expression becomes relevant for deciding whether to report a "change outside of OpenTofu" in the human-oriented plan diff. (#​2988)
• Ensure provider downloads into temp are cleaned up correctly on windows. (#​2843)
• Correctly handle structural typed attributes during test provider mocking. (#​2994)
• Fix erroneous detection of changes with sensitive resource attributes. (#​3024)

Full Changelog: opentofu/opentofu@v1.9.1...v1.9.2

v1.9.1

Compare Source

BUG FIXES:

• Provider used in import is correctly identified. (#​2336)
• plantimestamp() now returns unknown value during validation (#​2397)
• Syntax error in the required_providers block does not panic anymore, but yields "syntax error" (2344)
• Fix the error message when default value of a complex variable is containing a wrong type (2394)
• Changing Go version to 1.22.11 in order to fix CVE-2024-45336 and CVE-2024-45341 (#​2438)
• Fix the way OpenTofu downloads a module that is sourced from a GitHub branch containing slashes in the name. (2396)
• Changing Go version to 1.22.12 in order to fix CVE-2025-22866 and CVE-2024-45341 (#​2438)

Full Changelog: opentofu/opentofu@v1.9.0...v1.9.1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.