terraform
Terraform & OpenTofu: Production Infrastructure-as-Code
Write, review, and architect Terraform/OpenTofu infrastructure - from individual resources to multi-account, PCI-compliant platform architectures. The goal is reproducible, drift-free, auditable infrastructure that passes both peer review and QSA (Qualified Security Assessor) assessment.
Target versions (April 2026): Terraform 1.14.9 (IBM/HashiCorp, BSL; 1.15.0-rc2 in progress), OpenTofu 1.11.6 (Linux Foundation, MPL). Helm provider v3.1+, K8s provider v3.0+, AWS provider v6.x, Azure v4.x, GCP v7.x.
This skill covers four domains depending on context:
- HCL - resource configs, variables, outputs, data sources, expressions, lifecycle rules
- Modules - structure, versioning, testing, registry patterns, reusable components
- Operations - state management, backends, workspaces, import, migration, CI/CD
- Compliance - PCI-DSS 4.0 controls, policy-as-code, audit trails, drift detection, CDE isolation
Terraform vs OpenTofu (2026)
IBM acquired HashiCorp for $6.4B (closed Feb 2025). Terraform stays BSL 1.1. The codebases have meaningfully diverged.
Choose Terraform if: already on HCP Terraform/TFE, need Stacks for multi-component orchestration, want vendor support.
Choose OpenTofu if: need client-side state encryption (Terraform never shipped this), BSL is a legal concern, want the enabled meta-argument on resources, want OCI registries for providers/modules, need Linux Foundation governance.
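As an added illustration of the client-side state encryption mentioned above (example configuration, not code from this skill or from the OpenTofu project), the following OpenTofu encryption block encrypts both state and plan files before they reach the backend, so secrets captured in state (database passwords, generated keys) are never stored in plaintext in S3, GCS, or a remote-state service. The variable name state_passphrase and the KMS key ARN are assumptions; the aws_kms key provider is the one to use in production, and the pbkdf2 passphrase provider is shown only as a local/dev fallback path.

```hcl
# OpenTofu 1.7+ state and plan encryption (added example; not part of the original page).
# Assumed: var.state_passphrase is supplied via TF_VAR_state_passphrase or a secrets manager,
# and the KMS key ARN is a placeholder.
variable "state_passphrase" {
  type      = string
  sensitive = true
  # Long, random passphrase; pbkdf2 derives the AES key from it.
}

terraform {
  encryption {
    # Production key provider: an AWS KMS data key, rotated under KMS policy.
    key_provider "aws_kms" "prod" {
      kms_key_id = "arn:aws:kms:REGION:ACCOUNT_ID:key/PLACEHOLDER-KEY-ID" # placeholder
      region     = "us-east-1"
      key_spec   = "AES_256"
    }

    # Local/dev key provider: passphrase-derived key (not for production).
    key_provider "pbkdf2" "dev" {
      passphrase = var.state_passphrase
    }

    method "aes_gcm" "prod" {
      keys = key_provider.aws_kms.prod
    }

    method "aes_gcm" "dev" {
      keys = key_provider.pbkdf2.dev
    }

    # Encrypt the state file. `enforced = true` makes OpenTofu refuse to read or
    # write unencrypted state, which is what a QSA will want evidence of.
    state {
      method   = method.aes_gcm.prod
      enforced = true

      # Fallback lets you read state written under the previous method during
      # a key migration; remove it once every workspace has been re-saved.
      fallback {
        method = method.aes_gcm.dev
      }
    }

    # Saved plan files also contain resource attributes; encrypt them too.
    plan {
      method   = method.aes_gcm.prod
      enforced = true
    }
  }
}
```

Migration runs in two phases: first add the new method with the old one as `fallback` and run `tofu apply` (or `tofu state push` of a refreshed state) in every workspace so each state file is rewritten under the new key, then drop the `fallback` block. Keep `enforced = true` from the start so a misconfigured backend cannot silently persist plaintext state.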