How to use OpenTofu/Terraform with Rot

Rot can integrate with OpenTofu and Terraform by wrapping the respective commands using rot run.


  • An existing Rot configuration setup with secret values
  • OpenTofu or Terraform installed (these examples will use OpenTofu, but it should apply to Terraform, too)

Using Rot for Provider and Terraform Settings

OpenTofu can be provided environment variables for accessing remote state storage and providers. These environment variables can be provided by Rot, enabling a secure and seamless way for accessing your remote state storage.

The s3 backend can use these environment variables:


We can also use these same values for the AWS provider.

You’ll have to generate these values on your own. Once you have them, you can add them to your Rot configuration:

$ rot val-add rot/tofu/AWS_DEFAULT_REGION
$ rot val-add rot/tofu/AWS_ACCESS_KEY_ID
$ rot val-add rot/tofu/AWS_SECRET_ACCESS_KEY

Our Terraform backend will look like this:

terraform {
  backend "s3" {
    bucket = "mybucket"
    key    = "my/key.tfstate"

We can now initialize our remote state by wrapping OpenTofu with Rot:

$ rot run rot/tofu opentofu init
$ rot run rot/tofu opentofu apply

rot run will decrypt and pass the values we set above (under the rot/tofu keyring/path) as environment variables automatically.

Using Rot for OpenTofu Variables

We can define variables within OpenTofu that will have data set at runtime. They look like this:

variable "secret" {
  type = string

OpenTofu will prompt us to enter this value when running opentofu apply. We can also set this variable using environemnt variables, like TF_VAR_secret=something, so Rot can set these too.

Lets add this variable to Rot:

$ rot val-add rot/tofu/TF_VAR_secret

And now we can run our apply:

$ rot run rot/tofu opentofu apply