Replace Terraform with OpenTofu in docs or comments

.gitignore

@@ -27,7 +27,7 @@ go.work.sum
 # Project IDX
 .idx/
 
-# Terraform
+# Terraform/OpenTofu
 
 ## Local .terraform directories
 **/.terraform/*
@@ -36,7 +36,7 @@ go.work.sum
 *.tfstate
 *.tfstate.*
 
-## Ignore transient lock info files created by terraform apply
+## Ignore transient lock info files created by terraform/tofu apply
 .terraform.tfstate.lock.info
 
 # Terragrunt

cmd/experimental/migrate/gcp/main.go

@@ -87,7 +87,7 @@ func main() {
 	opts := tessera.NewMigrationOptions().WithCTLayout()
 	// Configure antispam storage, if necessary
 	var antispam tessera.Antispam
-	// Persistent antispam is currently experimental, so there's no terraform or documentation yet!
+	// Persistent antispam is currently experimental, so there's no OpenTofu or documentation yet!
 	if *persistentAntispam {
 		as_opts := gcp_as.AntispamOpts{
 			// 1500 appears to be give good performance for migrating logs, but you may need to lower it if you have

deployment/README.md

@@ -1,6 +1,6 @@
 # :gear: Deployment
 
-This directory contains Terraform [modules](./modules/) to deploy TesseraCT on
+This directory contains OpenTofu [modules](./modules/) to deploy TesseraCT on
 GCP and AWS with various setups, and the [instantiations](./live/) we use for
 our deployments.
 

deployment/live/aws/conformance/ci/README.md

@@ -36,6 +36,6 @@ export TESSERACT_PREFIX_NAME={VALUE}
 Resources will be named using a `${TESSERACT_PREFIX_NAME}-${TESSERACT_BASE_NAME}`
 convention.
 
-Terraforming the project can be done by:
+Deploy the Terraform config with OpenTofu:
   1. `cd` to the relevant directory for the environment to deploy/change (e.g. `ci`)
   2. Run `terragrunt apply`

deployment/live/aws/conformance/ci/terragrunt.hcl

@@ -12,7 +12,7 @@ inputs = merge(
   {
     # This hack makes it so that the antispam tables are created in the main
     # tessera DB. We strongly recommend that the antispam DB is separate, but
-    # creating a second DB from Terraform is too difficult without a large
+    # creating a second DB from OpenTofu is too difficult without a large
     # rewrite. For CI purposes, testing antispam, even if in the same DB, is
     # preferred compared to not testing antispam at all.
     antispam_database_name = "tesseract"

deployment/live/aws/test/README.md

@@ -74,7 +74,7 @@ export AWS_REGION={VALUE} # e.g: us-east-1
 export AWS_PROFILE=AdministratorAccess-<REDACTED>
 ```
 
-Terraforming the account can be done by:
+OpenTofuing the account can be done by:
 
   1. `cd` to [/deployment/live/aws/test/](/deployment/live/aws/test/) to deploy/change.
   1. Run `terragrunt apply`. If this fails to create the antispam database,
@@ -253,6 +253,6 @@ The easiest way to do this, is to [close the account](https://docs.aws.amazon.co
 
 If you prefer to delete the resources with `terragrunt destroy`, bear in mind
 that this command might not destroy all the resources that were created (like
-the S3 bucket or DynamoDB instance Terraform created to store its state for
+the S3 bucket or DynamoDB instance OpenTofu created to store its state for
 instance). If `terragrunt destroy` shows no output, run
 `terragrunt destroy --terragrunt-log-level debug --terragrunt-debug`.

deployment/live/gcp/static-ct-staging/cloudbuild/tesseract/README.md

@@ -12,7 +12,7 @@ logs'](/deployment/live/gcp/static-ct-staging/logs/) Cloud Run service with the
 latest Docker image.
 1. Updating [staging
 logs'](/deployment/live/gcp/static-ct-staging/logs/) infrastructure with the
-latest Terraform config.
+latest OpenTofu config.
 
 ## Initial setup
 

deployment/live/gcp/static-ct-staging/logs/arche2025h1/README.md

@@ -30,7 +30,7 @@ awk \
 ### Automatic Deployment
 
 This GCP TesseraCT preloaded staging environment is designed to be deployed by
-the Cloud Build ([Terraform module](/deployment/modules/gcp/cloudbuild/tesseract/),
+the Cloud Build ([OpenTofu module](/deployment/modules/gcp/cloudbuild/tesseract/),
 [Terragrunt configuration](/deployment/live/gcp/static-ct-staging/cloudbuild/tesseract/)).
 
 ### Manual Deployment
@@ -57,7 +57,7 @@ You need an Artifact Registry repository to store container images; adapt the
 configs and commands below to use your registry of choice. The rest of these
 instructions assume that the repository is hosted on GCP, and called
 `${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging`. For
-reference, here's a [terraform
+reference, here's a [OpenTofu
 module](/deployment/modules/gcp/artifactregistry/) you can use to set up such a
 registry.
 
@@ -71,7 +71,7 @@ docker tag tesseract-gcp:latest ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT
 docker push ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging/tesseract-gcp
 ```
 
-Terraforming the project can be done by:
+Deploy the Terraform config with OpenTofu:
 
 1. `cd` to
 [/deployment/live/gcp/static-ct-staging/logs/arche2025h1/](/deployment/live/gcp/static-ct-staging/logs/arche2025h1/).

deployment/live/gcp/static-ct-staging/logs/arche2025h2/README.md

@@ -30,7 +30,7 @@ awk \
 ### Automatic Deployment
 
 This GCP TesseraCT preloaded staging environment is designed to be deployed by
-the Cloud Build ([Terraform module](/deployment/modules/gcp/cloudbuild/tesseract/),
+the Cloud Build ([OpenTofu module](/deployment/modules/gcp/cloudbuild/tesseract/),
 [Terragrunt configuration](/deployment/live/gcp/static-ct-staging/cloudbuild/tesseract/)).
 
 ### Manual Deployment
@@ -57,7 +57,7 @@ You need an Artifact Registry repository to store container images; adapt the
 configs and commands below to use your registry of choice. The rest of these
 instructions assume that the repository is hosted on GCP, and called
 `${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging`. For
-reference, here's a [terraform
+reference, here's a [OpenTofu
 module](/deployment/modules/gcp/artifactregistry/) you can use to set up such a
 registry.
 
@@ -71,7 +71,7 @@ docker tag tesseract-gcp:latest ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT
 docker push ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging/tesseract-gcp
 ```
 
-Terraforming the project can be done by:
+Deploy the Terraform config with OpenTofu:
 
 1. `cd` to
 [/deployment/live/gcp/static-ct-staging/logs/arche2025h2/](/deployment/live/gcp/static-ct-staging/logs/arche2025h2/).

deployment/live/gcp/static-ct-staging/logs/arche2026h1/README.md

@@ -30,7 +30,7 @@ awk \
 ### Automatic Deployment
 
 This GCP TesseraCT preloaded staging environment is designed to be deployed by
-the Cloud Build ([Terraform module](/deployment/modules/gcp/cloudbuild/tesseract/),
+the Cloud Build ([OpenTofu module](/deployment/modules/gcp/cloudbuild/tesseract/),
 [Terragrunt configuration](/deployment/live/gcp/static-ct-staging/cloudbuild/tesseract/)).
 
 ### Manual Deployment
@@ -57,7 +57,7 @@ You need an Artifact Registry repository to store container images; adapt the
 configs and commands below to use your registry of choice. The rest of these
 instructions assume that the repository is hosted on GCP, and called
 `${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging`. For
-reference, here's a [terraform
+reference, here's a [OpenTofu
 module](/deployment/modules/gcp/artifactregistry/) you can use to set up such a
 registry.
 
@@ -71,7 +71,7 @@ docker tag tesseract-gcp:latest ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT
 docker push ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging/tesseract-gcp
 ```
 
-Terraforming the project can be done by:
+Deploy the Terraform config with OpenTofu:
 
 1. `cd` to
 [/deployment/live/gcp/static-ct-staging/logs/arche2026h1/](/deployment/live/gcp/static-ct-staging/logs/arche2026h1/).

deployment/live/gcp/static-ct/logs/ci/README.md

@@ -18,7 +18,7 @@ At a high level, this environment consists of:
 ### Automatic Deployment
 
 This GCP TesseraCT conformance CI environment is designed to be deployed by the
-Cloud Build ([Terraform module](/deployment/modules/gcp/cloudbuild/conformance/),
+Cloud Build ([OpenTofu module](/deployment/modules/gcp/cloudbuild/conformance/),
 [Terragrunt configuration](/deployment/live/gcp/static-ct/cloudbuild/prod/)).
 
 ### Manual Deployment
@@ -42,7 +42,7 @@ You need an Artifact Registry repository to store container images; adapt the
 configs and commands below to use your registry of choice. The rest of these
 instructions assume that the repository is hosted on GCP, and called
 `${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-ci`. For reference,
-here's a [terraform module](/deployment/modules/gcp/artifactregistry/) you can
+here's a [OpenTofu module](/deployment/modules/gcp/artifactregistry/) you can
 use to set up such a registry.
 
 Build and push the Docker image to Artifact Registry repository:
@@ -55,7 +55,7 @@ docker tag conformance-gcp:latest ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJE
 docker push ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-ci/conformance-gcp
 ```
 
-Terraforming the project can be done by:
+Deploy the Terraform config with OpenTofu:
 
   1. `cd` to
   [/deployment/live/gcp/static-ct/logs/ci/](/deployment/live/gcp/static-ct/logs/ci/).

deployment/modules/aws/insecuretlskey/README.md

@@ -1,5 +1,5 @@
 # WARNING - PLEASE READ
 
 > [WARNING]
-> This module will store unencrypted private keys in the Terraform state file.
+> This module will store unencrypted private keys in the OpenTofu state file.
 > DO NOT use this for production logs.

deployment/modules/aws/insecuretlskey/main.tf

@@ -11,10 +11,11 @@ terraform {
 #
 # Security Notice
 # The private key generated by this resource will be stored unencrypted in your 
-# Terraform state file. Use of this resource for production deployments is not 
+# Terraform/OpenTofu state file. Use of this resource for production deployments is not 
 # recommended.
 #
 # See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
+# See https://search.opentofu.org/provider/hashicorp/tls/latest/docs/resources/private_key#tls_private_key-resource.
 resource "tls_private_key" "ecdsa_p256" {
   algorithm   = "ECDSA"
   ecdsa_curve = "P256"

deployment/modules/aws/storage/main.tf

@@ -57,9 +57,9 @@ data "aws_secretsmanager_secret_version" "db_credentials" {
 
 # Configure the MySQL provider based on the outcome of
 # creating the aws_db_instance.
-# This requires that the machine running terraform has access
+# This requires that the machine running OpenTofu has access
 # to the DB instance created above. This is _NOT_ the case when
-# GitHub actions are applying the terraform.
+# GitHub actions are applying the OpenTofu.
 provider "mysql" {
   endpoint = aws_rds_cluster_instance.cluster_instances[0].endpoint
   username = aws_rds_cluster.log_rds_cluster.master_username

deployment/modules/aws/tesseract/conformance/main.tf

@@ -33,7 +33,7 @@ module "secretsmanager" {
 }
 
 # [WARNING]
-# This module will store unencrypted private keys in the Terraform state file.
+# This module will store unencrypted private keys in the OpenTofu state file.
 # DO NOT use this for production logs.
 module "insecuretlskey" {
   source = "../../insecuretlskey"

deployment/modules/aws/tesseract/test/main.tf

@@ -22,7 +22,7 @@ module "secretsmanager" {
 }
 
 # [WARNING]
-# This module will store unencrypted private keys in the Terraform state file.
+# This module will store unencrypted private keys in the OpenTofu state file.
 # DO NOT use this for production logs.
 module "insecuretlskey" {
   source = "../../insecuretlskey"

deployment/modules/gcp/storage/main.tf

@@ -7,7 +7,7 @@ terraform {
   }
 }
 
-# TODO(phboneff): import tessera terraform directly
+# TODO(phboneff): import tessera OpenTofu directly
 # Services
 resource "google_project_service" "serviceusage_googleapis_com" {
   service            = "serviceusage.googleapis.com"