OpenTofu
Infrastructure integration · 3 node(s).
00Overview
Every field below is exactly what you see in the Flomation editor. Fields marked ● live picker let you choose from a list pulled live from your account — no IDs to look up.
01Connecting OpenTofu
Add your credentials as a Flomation environment secret, then pick them in each node. The connection fields are:
| Field | Type | Details | |
|---|---|---|---|
| Backend Authentication | string | None / use credentials above, AWS (S3 / DynamoDB), Azure (azurerm), Google Cloud (gcs), GitLab (http) | |
| AWS Access Key ID | secret | ||
| AWS Secret Access Key | secret | ||
| AWS Session Token (optional) | secret | ||
| Azure Client ID | secret | ||
| Azure Client Secret | secret | ||
| Azure Tenant ID | secret | ||
| Azure Subscription ID | secret | ||
| Azure Storage Access Key (optional) | secret | ||
| GCP Service Account JSON | secret | ||
| GitLab Token | secret | ||
| Allow Local State (unsafe) | boolean | No, Ye |
${secrets.your_secret}.02Apply
OpenTofu Apply
opentofu/apply · Action
Apply an OpenTofu (Terraform-compatible) configuration, optionally pausing for human approval after showing the planned changes.
| Field | Type | Details | |
|---|---|---|---|
| Working Directory | string | Required | /path/to/terraform/config |
| Require Approval | boolean | choices: Yes, No | |
| Variables | key_value_array | Exported as TF_VAR_<name> | |
| Backend Config | key_value_array | Passed to `tofu init -backend-config` (use a remote backend) | |
| Environment Credentials | key_value_array | Extra provider/backend env vars, e.g. AWS_ACCESS_KEY_ID → ${secrets.aws_key} | |
| Backend Authentication | string | choices: None / use credentials above, AWS (S3 / DynamoDB), Azure (azurerm), Google Cloud (gcs), GitLab (http) | |
| AWS Access Key ID | secret | ||
| AWS Secret Access Key | secret | ||
| AWS Session Token (optional) | secret | ||
| AWS Region | string | eu-west-2 | |
| Azure Client ID | secret | ||
| Azure Client Secret | secret | ||
| Azure Tenant ID | secret | ||
| Azure Subscription ID | secret | ||
| Azure Storage Access Key (optional) | secret | ||
| GCP Service Account JSON | secret | ||
| GitLab Username | string | ||
| GitLab Token | secret | ||
| GitLab State Address | string | https://gitlab.com/api/v4/projects/<id>/terraform/state/<name> | |
| OpenTofu Version | string | 1.9.1 (pinned default) | |
| Binary Path (optional) | string | Use a host-installed tofu instead of downloading | |
| Allow Local State (unsafe) | boolean | choices: No, Yes | |
| Timeout (seconds) | integer | 1800 |
Returns: tool_result, status, stdout, stderr, outputs_json, exit_code, success
03Destroy
OpenTofu Destroy
opentofu/destroy · Action
Destroy the resources managed by an OpenTofu (Terraform-compatible) configuration, optionally pausing for human approval first.
| Field | Type | Details | |
|---|---|---|---|
| Working Directory | string | Required | /path/to/terraform/config |
| Require Approval | boolean | choices: Yes, No | |
| Variables | key_value_array | Exported as TF_VAR_<name> | |
| Backend Config | key_value_array | Passed to `tofu init -backend-config` (use a remote backend) | |
| Environment Credentials | key_value_array | Extra provider/backend env vars, e.g. AWS_ACCESS_KEY_ID → ${secrets.aws_key} | |
| Backend Authentication | string | choices: None / use credentials above, AWS (S3 / DynamoDB), Azure (azurerm), Google Cloud (gcs), GitLab (http) | |
| AWS Access Key ID | secret | ||
| AWS Secret Access Key | secret | ||
| AWS Session Token (optional) | secret | ||
| AWS Region | string | eu-west-2 | |
| Azure Client ID | secret | ||
| Azure Client Secret | secret | ||
| Azure Tenant ID | secret | ||
| Azure Subscription ID | secret | ||
| Azure Storage Access Key (optional) | secret | ||
| GCP Service Account JSON | secret | ||
| GitLab Username | string | ||
| GitLab Token | secret | ||
| GitLab State Address | string | https://gitlab.com/api/v4/projects/<id>/terraform/state/<name> | |
| OpenTofu Version | string | 1.9.1 (pinned default) | |
| Binary Path (optional) | string | Use a host-installed tofu instead of downloading | |
| Allow Local State (unsafe) | boolean | choices: No, Yes | |
| Timeout (seconds) | integer | 1800 |
Returns: tool_result, status, stdout, stderr, destroy, exit_code, success
04Plan
OpenTofu Plan
opentofu/plan · Action
Initialise a working directory and produce an OpenTofu (Terraform-compatible) plan, reporting the changes that would be applied.
| Field | Type | Details | |
|---|---|---|---|
| Working Directory | string | Required | /path/to/terraform/config |
| Variables | key_value_array | Exported as TF_VAR_<name> | |
| Backend Config | key_value_array | Passed to `tofu init -backend-config` (use a remote backend) | |
| Environment Credentials | key_value_array | Extra provider/backend env vars, e.g. AWS_ACCESS_KEY_ID → ${secrets.aws_key} | |
| Backend Authentication | string | choices: None / use credentials above, AWS (S3 / DynamoDB), Azure (azurerm), Google Cloud (gcs), GitLab (http) | |
| AWS Access Key ID | secret | ||
| AWS Secret Access Key | secret | ||
| AWS Session Token (optional) | secret | ||
| AWS Region | string | eu-west-2 | |
| Azure Client ID | secret | ||
| Azure Client Secret | secret | ||
| Azure Tenant ID | secret | ||
| Azure Subscription ID | secret | ||
| Azure Storage Access Key (optional) | secret | ||
| GCP Service Account JSON | secret | ||
| GitLab Username | string | ||
| GitLab Token | secret | ||
| GitLab State Address | string | https://gitlab.com/api/v4/projects/<id>/terraform/state/<name> | |
| OpenTofu Version | string | 1.9.1 (pinned default) | |
| Binary Path (optional) | string | Use a host-installed tofu instead of downloading | |
| Allow Local State (unsafe) | boolean | choices: No, Yes | |
| Timeout (seconds) | integer | 600 |
Returns: tool_result, stdout, stderr, changes_present, add, change, destroy, exit_code, success
05Notes & Limitations
Behaviours and constraints worth knowing before you build with these nodes.
- Destroy permanently removes the real infrastructure that the configuration manages and cannot be undone, so reserve it for resources you genuinely want torn down.
- Apply and Destroy only pause for human approval when you enable that option; left off, the planned changes are carried out automatically without a review step.
- Plan initialises the working directory on each run, downloading the required providers and modules, so the first run against a new configuration can take noticeably longer than later ones.
- A plan reflects the infrastructure at the moment it was produced, and if anything changes before you apply it the actual result can differ from what the plan reported.
- Running Apply or Destroy against the same configuration from more than one flow at once can conflict over shared state, so sequence these actions rather than triggering them in parallel.