opentofu-quickstart

Last updated on Apr 2, 2026

---

OpenTofu is an open-source infrastructure-as-code tool, and Harness Infrastructure as Code Management (IaCM) runs your OpenTofu workspaces and pipelines with Git-backed configuration, connectors, and optional cost estimation.

This guide walks you from connectors and workspace creation through a standard provision pipeline (init, plan, apply) and an optional approval between plan and apply.

What will you learn?

• Connectors and workspace: Create cloud and Git connectors, then create an OpenTofu workspace wired to your repository and OpenTofu version.
• Provision pipeline: Generate or author a pipeline that runs init, plan, and apply for your workspace.
• Approvals: Optionally gate apply behind an approval step.

Prerequisites

Before you use this guide, ensure you have the following:

• Harness account with IaCM enabled: You need Infrastructure as Code Management under Infrastructure in Harness when it is entitled on your account. For how to access or create a Harness account, see Getting started with Harness Platform.

  Contact Harness support:

  If IaCM does not appear, see Get started with IaCM or contact your account administrator or Harness Support.

• Pipeline permissions: You need View, Create/Edit, and Execute for Pipelines. An administrator must assign you a role that includes them. See RBAC in Harness and Manage roles.

• Git repository: Access to a Git provider with your OpenTofu project.

• Cloud provider: Access to a cloud provider such as AWS or Google Cloud Platform for the infrastructure you manage.

• Harness organization and project: An organization and project set up on the Harness Platform.

Sample OpenTofu

The following example OpenTofu (.tf) file declares:

• Provider Configuration: Specifies the AWS provider and sets the region to "us-east-1". Go to AWS Regions & Availability Zones for a complete region list.
• Resource Definition: Creates an EC2 instance with the identifier my_first_ec2_instance.
• AMI: Utilizes ami-123abc321cba18, go to AWS EC2 User Guide to find your AMI image ID.
• Instance Type: Configures the instance to use a t2.micro. Go to the AWS t2 instances list.
  Tags: To facilitate easy identification and management within AWS resources, a tag name with the value my_first_ec2_instance is applied.

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "my_first_ec2_instance" {
  ami = "ami-123abc321cba18"
  instance_type = "t2.micro" # Got to https://aws.amazon.com/ec2/instance-types/t2/ for a full T2 instance type list.

  tags = {
    Name = "my_first_ec2_instance"
  }
}

Go to OpenTofu Documentation for more information on currently supported workspace types.

---

Set up your workspace

A workspace is a named environment for storing your OpenTofu configurations and resources. Connect your cloud provider and code repository through Connectors to manage infrastructure changes and updates with Harness IaCM pipelines.

info

Harness recommends configuring your connector before creating your workspace, however, you can also add new connectors during the Create Workspace flow.

Step 1: Create a connector

Use Harness AI to create and configure your cloud provider and code repository connectors before you create a Workspace:

Create a connector

Step-by-step

When adding any connector, start by:

1. Signing in to app.harness.io.
2. In the module pane, select Infrastructure.
3. Select Project Setup, and then select Connectors.
4. Select New Connector (AI).
5. Select an option, e.g. "Create a GitHub connector", or type your request to create a connector for you chosen cloud provider or code repository.

Harness will create a YAML file for you connector, once you select Create, Harness will create your connector and add it to your project.

edit connector

Edit your connector by updating the AI generated YAML file, or by selecting Edit Details in the connectors panel.

Go to Connect your Cloud Provider and Connect your Code Repository for more information regarding connecting your cloud provider and code repository.

OIDC Connectors

For easier access and token management, use the OIDC (OpenID Connect) option in the Credentials panel. This allows your connector to assume roles with permissions set in your Cloud Provider, updated only by authorized users. For more details, visit the Use OIDC tab.

---

Step 2: Create your workspace

Once you have configured your connectors, you can create a Workspace and select them in the New Workspace panel:

migrate existing projects

For first-time use, use our migration tool to create new workspaces and import your existing Terraform projects into the Harness Platform.

Interactive guide

Step-by-step

1. In the module pane, select Infrastructure.
2. Select an existing project or create a new project.
3. Select Workspaces, and then select New Workspace.
4. Select Create new Workspace, then select Start from scratch and complete the following fields in the new workspace wizard:

About Workspace

• Name - Type a unique name to identify the Workspace.
• Description (optional): Type an optional description to help identify the Workspace.
• Tags (optional): Add a unique tag to identify the Workspace.

Configure Repository Details

• Select your Git provider, either Harness Code Repository or Third-party Git provider for other providers like GitHub or GitLab.
• Git Connector: Select the Git connector you created in the previous step.
• Git Fetch Type: Select the Git fetch type, either Latest from branch, Git tag or Commit SHA.
• Git Branch: Specify the branch you want to use for the workspace.

branch with jexl

you can configure the workspace branch to be a JEXL expressions that references a pipeline variable, and then set the pipeline variable as a run time input.

Set you branch variable as a runtime input in the pipeline:

variables:
 - name: iacm_branch
   type: String
   description: ""
   required: true
   value: <+input>.default(main)

• Folder Path: Specify the folder path to the OpenTofu configuration files in the repository.

Advanced options allow you to include submodules if your code repository includes modules and submodules. Go to Module Registry for more information.

Provisioner

• Connector: Select the cloud provider connector you created in the previous step.
• Cloud Cost Estimation: Toggle the Enable Cost Estimation switch to enable cloud cost estimation. This will allow you to estimate the cost of your infrastructure changes before you apply them.
• Workspace Type: Select OpenTofu as the workspace type you want to use for the workspace.
• OpenTofu Version: Select the OpenTofu version you want to use for the workspace
  Loading...

Add Variable Set (Optional)

If you have configured variable sets for reuse, select the variable set you want to use for the workspace.

5. Select Create.

---

Step 3: Add a provision pipeline

A pipeline structures workflows to manage tasks like planning infrastructure changes, enforcing policies, and approvals. Learn more about Harness Pipelines. You can also add pipelines through the Harness Platform or use a code-first approach with YAML.

Harness AI pipeline generation

Interactive guide

Step-by-step

Start by adding the pipeline:

1. Select the Infrastructure module.
2. Select Pipelines, then select Create a Pipeline.
3. Select an option from Harness AI chat or type a request to generate one, for example:
   • "Create a pipeline to Provision an OpenTofu files with an init, plan and apply step."
4. Review the generated YAML and Harness AI chat summary, and make any changes if necessary.
5. Select Accept.

The Provision operation adds three Terraform plugin steps: init, plan, and apply. Go to Tofu/Terraform Plugins for more information about supported OpenTofu/Terraform commands.

---

Step 4: Add an Approval step (optional)

You can add the Approval step to prompt a review of the previous pipeline before proceeding to the next. The most common use case would be to add the Approval step between the plan and apply steps to ensure you are happy with the infrastructure changes and estimated costs (if cost estimation is enabled on your Workspace) that come with them before applying them.

Approval steps hold resources

When using an Approval step, the underlying machine running the pipeline remains active until the approval is resolved. This means it will continue consuming compute resources.

Interactive guide

Step-by-step

1. From the Pipeline > Execution tab, click on + between plan and apply.

2. Click Add Step.
3. Under IACM, select IACM Approval.
4. Name the approval step and click Apply Changes.
5. Select Save, then Run your pipeline.