OpenTofu Integration
IaC apply events and plan diff correlation with operational metric changes. Know instantly when an OpenTofu infrastructure change is responsible for a production regression.
How It Works
Install the TigerOps OpenTofu Provider
Add the tigerops provider to your OpenTofu root module. The provider creates a tigerops_change_event resource that fires a change event to TigerOps whenever tofu apply modifies infrastructure resources.
Wrap Your CI Pipeline Apply Step
Use the tigerops-tofu CLI wrapper in your CI pipeline. It runs tofu plan, captures the resource diff, sends it to TigerOps before apply, then sends the apply result — success or failure — when complete.
Tag Workspaces with Environment Metadata
Set tigerops_environment, tigerops_service, and tigerops_team variables in your OpenTofu workspace or CI environment. TigerOps uses these to scope change events to the correct service metrics for correlation.
Correlate Plan Diffs with Metric Changes
TigerOps stores the plan diff resource summary alongside the apply timestamp. Its AI correlation engine compares metric time series before and after each apply and flags anomalies causally linked to the infrastructure change.
What You Get Out of the Box
Apply Event Change Tracking
Every tofu apply is recorded as a change event with the resource add, change, and destroy counts, workspace name, module source, and the Git SHA of the configuration that was applied.
Plan Diff Correlation
TigerOps stores the resource type and action summary from tofu plan output and correlates it with downstream metric anomalies — so you know not just that infrastructure changed but which resource types caused the regression.
Apply Duration Monitoring
Track tofu apply duration trends per workspace and module. TigerOps alerts when apply times regress significantly, which can indicate growing state file size, provider API throttling, or resource dependency chain growth.
Drift Detection via Scheduled Plans
Run scheduled tofu plan operations via TigerOps-managed cron jobs. When plan output shows non-empty diffs on an environment that should be stable, TigerOps fires a drift alert with the affected resource list.
Workspace & Module Dependency Mapping
TigerOps builds a dependency graph of your OpenTofu workspaces using output and data source relationships. When a root module changes, TigerOps identifies which downstream workspaces may be impacted.
Provider API Error Tracking
Capture OpenTofu provider errors and API throttling events during plan and apply operations. TigerOps tracks error rates per provider and resource type to identify flaky provider API interactions.
OpenTofu Provider & CI Pipeline Wrapper
Add the TigerOps provider to your OpenTofu root module and wrap your CI apply step.
# main.tf — TigerOps provider configuration
# Set TIGEROPS_API_KEY environment variable in your CI environment
terraform {
required_providers {
tigerops = {
source = "atatus/tigerops"
version = "~> 1.0"
}
}
}
provider "tigerops" {
api_key = var.tigerops_api_key # or use TIGEROPS_API_KEY env var
service = "my-platform"
environment = var.environment # e.g. "production", "staging"
}
# This resource fires a change event after a successful apply
resource "tigerops_change_event" "apply" {
summary = "OpenTofu apply: ${var.environment}"
team = "platform-eng"
tags = {
workspace = terraform.workspace
git_sha = var.git_sha
}
}
# ─── CI pipeline wrapper (GitHub Actions example) ─────────────────
# - name: OpenTofu Apply with TigerOps
# env:
# TIGEROPS_API_KEY: ${{ secrets.TIGEROPS_API_KEY }}
# TIGEROPS_SERVICE: my-platform
# TIGEROPS_ENVIRONMENT: production
# run: |
# tigerops-tofu apply -auto-approve
# # tigerops-tofu is a drop-in wrapper around the tofu CLI
# # that captures plan diffs and apply results automaticallyCommon Questions
Is the TigerOps integration compatible with both OpenTofu and Terraform?
Yes. The tigerops provider is compatible with both OpenTofu (the open-source fork) and HashiCorp Terraform. It uses the standard Terraform Plugin Framework and works with any tool that supports the Terraform provider protocol, including Terragrunt.
How does TigerOps receive OpenTofu plan diffs?
The tigerops-tofu CLI wrapper runs tofu plan -json and parses the machine-readable plan output to extract resource changes. It sends the resource type, action (create/update/delete), and count to TigerOps before the apply begins — not the full plan, which may contain sensitive values.
Can TigerOps work with OpenTofu Cloud or Spacelift for remote state?
Yes. For OpenTofu Cloud and Spacelift, configure a run notification webhook to forward apply events to TigerOps. The tigerops-tofu wrapper is used for local and CI-based applies. Both approaches produce equivalent change events in TigerOps.
How does TigerOps handle apply failures — does it still record a change event?
Yes. TigerOps records both plan-start and apply-result events. For failed applies, the change event is marked with status "failed" and includes the error message. This is important for correlation because partial applies can still cause infrastructure changes.
What is the security model for the plan diff data TigerOps receives?
The tigerops-tofu wrapper only sends resource type names, action types, and counts — never resource attribute values, variable values, or state data. Sensitive values in your OpenTofu configuration are never transmitted. The event payload is similar to the summary line of tofu plan output.
Close the Gap Between Infrastructure Changes and Production Incidents
Plan diff correlation, drift detection, and apply duration tracking for OpenTofu. Integrate in under 5 minutes.