chore(deps): update dependency opentofu to v1.11.1

[renovate]

This PR contains the following updates:

Package	Update	Change
OPENTOFU	minor	v1.10.6 -> v1.11.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

opentofu/opentofu (OPENTOFU)

v1.11.1

Compare Source

BUG FIXES:

• Fixed regression where import validation would incorrectly flag variables used in for_each statements within import blocks (#​3564)
• Fixed lifecycle enabled serialization in plan file (#​3566)
• Fixed regression when validating import.id expressions (#​3567)

Full Changelog: opentofu/opentofu@v1.11.0...v1.11.1

v1.11.0

Compare Source

OpenTofu 1.11.0

We're proud to announce that OpenTofu 1.11.0 is now officially available! 🎉

Highlights

This release cycle introduces major new capabilities and integrations:

Ephemeral Values and Write Only Attributes

Ephemeral resources allow you to work with confidential data, temporary credentials, and transient infrastructure without persisting them to your state.

ephemeral "aws_secretsmanager_random_password" "password" {

}

resource "kubernetes_secret_v1" "credentials" {
  metadata {
    name = "admin"
    namespace = "my-app"
  }
  data_wo = {
    username = "admin"
    password = ephemeral.aws_secretsmanager_random_password.password.random_password
  }

  data_wo_revision = 1
  type = "kubernetes.io/basic-auth"
}

The enabled Meta-Argument

If you want to conditionally deploy a resource, you no longer have to use count = var.create_my_resource ? 1 : 0, you can now add the new enabled meta-argument to your resource to conditionally deploy it.

resource "aws_instance" "web" {
  ami           = "ami-12345"
  instance_type = "t3.micro"

  lifecycle {
    enabled = var.create_instance  # Simple boolean condition
  }
}

Compatibility Notes

• macOS: Requires macOS 12 Monterey or later

• Azure Backend (azurerm):

  • The endpoint and ARM_ENDPOINT configuration options are no longer supported
  • The msi_endpoint and ARM_MSI_ENDPOINT options are no longer supported
  • The environment and metadata_host arguments are now mutually exclusive

• issensitive() Function: Now correctly returns unknown results when evaluating unknown values. Code that previously relied on the incorrect behavior may need updates.

• Testing with Mocks: Mock values generated during testing now strictly adhere to provider schemas. Test configurations with invalid mock values will need to be corrected.

• S3 Module Installation: When installing module packages from Amazon S3 buckets using S3 source addresses OpenTofu will use the same credentials as the AWS CLI and SDK.

• TLS and SSH Security:

  • SHA-1 signatures are no longer accepted for TLS or SSH connections
  • SSH certificates must comply with the draft-miller-ssh-cert-03 specification

• -var/-var-file during tofu apply <planfile>:

  • Since ephemeral variables values cannot be saved into the plan, now we allow using -var/-var-file during tofu apply <planfile> to pass again the values for ephemeral variables during apply
  • This new functionality allows -var/-var-file to be used with non-ephemeral variables too, but it will error if the values given for this type of variables is different from the ones given during the plan creation
  • TF_VAR values should stay consistent between plan and apply <planfile> to avoid the errors mentioned above

Reference

• Full Changelog
• Blog Post

Thank you for your continued support and testing of the OpenTofu project!

v1.10.8

Compare Source

SECURITY ADVISORIES:

This release contains fixes for some security advisories related to previous releases in this series.

• Incorrect handling of excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs

  This release incorporates the upstream fixes for GO-2025-4175.

• Excessive CPU usage when reporting error about crafted TLS certificate with many hostnames

  This release incorporates the upstream fixes for GO-2025-4155.

Full Changelog: opentofu/opentofu@v1.10.7...v1.10.8

v1.10.7

Compare Source

SECURITY ADVISORIES:

This release contains fixes for some security advisories related to previous releases in this series.

• tofu init in OpenTofu v1.10.6 and earlier could potentially use unbounded memory if there is a direct or indirect dependency on a maliciously-crafted module package distributed as a "tar" archive.

  This would require the attacker to coerce a root module author to depend (directly or indirectly) on a module package they control, using the HTTP, Amazon S3, or Google Cloud Storage source types to refer to a tar archive.

  This release incorporates the upstream fixes for CVE-2025-58183.

• When making requests to HTTPS servers, OpenTofu v1.10.6 and earlier could potentially use unbounded memory or crash with a "panic" error if TLS verification involves an excessively-long certificate chain or a chain including DSA public keys.

  This affected all outgoing HTTPS requests made by OpenTofu itself, including requests to HTTPS-based state storage backends, module registries, and provider registries. For example, an attacker could coerce a root module author to depend (directly or indirectly) on a module they control which then refers to a module or provider from an attacker-controlled registry. That mode of attack would cause failures in tofu init, at module or provider installation time.

  Provider plugins contain their own HTTPS client code, which may have similar problems. OpenTofu v1.10.7 cannot address similar problems within provider plugins, and so we recommend checking for similar advisories and fixes in the provider plugins you use.

  This release incorporates upstream fixes for CVE-2025-58185, CVE-2025-58187, and CVE-2025-58188.

BUG FIXES:

• Fix crash in tofu test when using deprecated outputs (#​3249)
• Fix missing provider functions when parentheses are used (#​3402)
• for_each inside dynamic blocks can now call provider-defined functions. (#​3429)

Full Changelog: opentofu/opentofu@v1.10.6...v1.10.7

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.