Ghoten is a personal fork of OpenTofu that adds native support for storing Terraform/OpenTofu state in OCI registries like GitHub Container Registry (GHCR), Amazon ECR, Azure ACR, and others.
🎯 Goal: The ORAS backend developed here is intended to be contributed back to OpenTofu upstream.
Store your infrastructure state alongside your container images. No additional cloud storage accounts, no SaaS dependencies: just your existing OCI registry.
```hcl
terraform {
  backend "oras" {
    repository = "ghcr.io/your-org/tf-state"
  }
}
```

```bash
# Install
curl -sSL https://raw.githubusercontent.com/vmvarela/ghoten/master/install.sh | sh
# Authenticate (for GHCR)
gh auth login
# Use it
ghoten init
ghoten apply
```

ℹ️ Ghoten installs as a separate binary and doesn't interfere with existing `tofu` or `terraform` installations.

| Feature | Description |
|---|---|
| OCI Registry Storage | Store state as OCI artifacts in any compatible registry |
| Supported Registries | GHCR, Amazon ECR, Azure ACR, Google GCR, Docker Hub, Harbor |
| Reuse Existing Auth | Uses Docker credentials and registry login tokens |
| Distributed Locking | Best-effort locking to prevent concurrent modifications |
| State Versioning | Keep history of state versions with configurable retention |
| Compression | Optional gzip compression for state files |
| Encryption Compatible | Works with OpenTofu's client-side state encryption |

Well suited to:

- Individual operators or small teams
- CI/CD pipelines with existing OCI registry access
- Open source projects
- Environments where OCI registries are already available

Less suited to:

- Large teams with heavy concurrent access
- Strong locking or compliance requirements
- Environments that mandate managed SaaS backends

```hcl
terraform {
  backend "oras" {
    repository = "ghcr.io/your-org/tf-state"
  }
}
```

```hcl
terraform {
  backend "oras" {
    repository  = "ghcr.io/your-org/tf-state"
    compression = "gzip"
    versioning {
      enabled      = true
      max_versions = 10
    }
  }
  encryption {
    key_provider "pbkdf2" "main" {
      passphrase = var.state_passphrase
    }
    method "aes_gcm" "main" {
      key_provider = key_provider.pbkdf2.main
    }
    state {
      method = method.aes_gcm.main
    }
  }
}
```

See the ORAS Backend README for:
- All configuration parameters
- Authentication setup
- Locking behavior
- Versioning and retention
- Troubleshooting

```bash
curl -sSL https://raw.githubusercontent.com/vmvarela/ghoten/master/install.sh | sh
```

```powershell
irm https://raw.githubusercontent.com/vmvarela/ghoten/master/install.ps1 | iex
```

| Variable | Description | Default |
|---|---|---|
| `GHOTEN_VERSION` | Specific version to install | Latest |
| `GHOTEN_INSTALL_DIR` | Installation directory | `/usr/local/bin` |
| `GHOTEN_BINARY_NAME` | Binary name | `ghoten` |

Examples:

```bash
# Install specific version
curl -sSL https://raw.githubusercontent.com/vmvarela/ghoten/master/install.sh | GHOTEN_VERSION=v1.12.0 sh
# Install to custom directory
curl -sSL https://raw.githubusercontent.com/vmvarela/ghoten/master/install.sh | GHOTEN_INSTALL_DIR=~/.local/bin sh
```

```bash
git clone https://github.com/vmvarela/ghoten.git
cd ghoten
make build # Creates ./ghoten binary
```

Download binaries from the Releases page.
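
As an alternative to piping the installer straight into a shell, the added example below (not part of the Ghoten project) downloads `install.sh`, compares it with a SHA-256 you recorded when you reviewed the script, and only then runs it with the `GHOTEN_VERSION` and `GHOTEN_INSTALL_DIR` variables documented above. The function names and the `$HOME/.local/bin` default are assumptions of this example.

```shell
# Added example: review-then-run install for Ghoten (function names are hypothetical).
# The expected hash is one you computed yourself after reading install.sh.
INSTALL_URL="https://raw.githubusercontent.com/vmvarela/ghoten/master/install.sh"

# Print the SHA-256 of a file using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if the file is non-empty and its hash equals the reviewed hash.
verify_script() {
  local file="$1" expected="$2" actual
  [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "hash mismatch: got $actual, expected $expected" >&2
    return 1
  fi
}

# Usage: install_ghoten_pinned <version> <reviewed-sha256> [install-dir]
install_ghoten_pinned() {
  local version="$1" expected="$2" dir="${3:-$HOME/.local/bin}" tmp rc
  tmp="$(mktemp)" || return 2
  # -f makes curl fail on HTTP errors so an error page is never run as a script.
  if ! curl -fsSL "$INSTALL_URL" -o "$tmp"; then rm -f "$tmp"; return 2; fi
  rc=0
  if verify_script "$tmp" "$expected"; then
    GHOTEN_VERSION="$version" GHOTEN_INSTALL_DIR="$dir" sh "$tmp" || rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}
```

Because the URL tracks the `master` branch, a mismatch after an upstream change is expected; re-read the script and record the new hash before installing.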
Ghoten follows OpenTofu releases:
| OpenTofu | Ghoten |
|---|---|
| v1.12.0 | v1.12.0 |
The fork syncs with upstream OpenTofu to incorporate improvements and security fixes.
Actively developed and usable. APIs and backend format may evolve based on feedback.
OpenTofu is an OSS tool for building, changing, and versioning infrastructure safely and efficiently. OpenTofu can manage existing and popular service providers as well as custom in-house solutions.
The key features of OpenTofu are:
- Infrastructure as Code: Infrastructure is described using a high-level configuration syntax.
- Execution Plans: OpenTofu generates an execution plan showing what will change.
- Resource Graph: Parallelizes creation of non-dependent resources.
- Change Automation: Complex changesets with minimal human interaction.