deps: update dependency opentofu/opentofu to v1.11.1

[renovate]

This PR contains the following updates:

Package	Update	Change
opentofu/opentofu	minor	v1.10.7 -> v1.11.1

---

Release Notes

opentofu/opentofu (opentofu/opentofu)

v1.11.1

Compare Source

BUG FIXES:

• Fixed regression where import validation would incorrectly flag variables used in for_each statements within import blocks (#​3564)
• Fixed lifecycle enabled serialization in plan file (#​3566)
• Fixed regression when validating import.id expressions (#​3567)

Full Changelog: opentofu/opentofu@v1.11.0...v1.11.1

v1.11.0

Compare Source

OpenTofu 1.11.0

We're proud to announce that OpenTofu 1.11.0 is now officially available! 🎉

Highlights

This release cycle introduces major new capabilities and integrations:

Ephemeral Values and Write Only Attributes

Ephemeral resources allow you to work with confidential data, temporary credentials, and transient infrastructure without persisting them to your state.

ephemeral "aws_secretsmanager_random_password" "password" {

}

resource "kubernetes_secret_v1" "credentials" {
  metadata {
    name = "admin"
    namespace = "my-app"
  }
  data_wo = {
    username = "admin"
    password = ephemeral.aws_secretsmanager_random_password.password.random_password
  }

  data_wo_revision = 1
  type = "kubernetes.io/basic-auth"
}

The enabled Meta-Argument

If you want to conditionally deploy a resource, you no longer have to use count = var.create_my_resource ? 1 : 0, you can now add the new enabled meta-argument to your resource to conditionally deploy it.

resource "aws_instance" "web" {
  ami           = "ami-12345"
  instance_type = "t3.micro"

  lifecycle {
    enabled = var.create_instance  # Simple boolean condition
  }
}

Compatibility Notes

• macOS: Requires macOS 12 Monterey or later

• Azure Backend (azurerm):

  • The endpoint and ARM_ENDPOINT configuration options are no longer supported
  • The msi_endpoint and ARM_MSI_ENDPOINT options are no longer supported
  • The environment and metadata_host arguments are now mutually exclusive

• issensitive() Function: Now correctly returns unknown results when evaluating unknown values. Code that previously relied on the incorrect behavior may need updates.

• Testing with Mocks: Mock values generated during testing now strictly adhere to provider schemas. Test configurations with invalid mock values will need to be corrected.

• S3 Module Installation: When installing module packages from Amazon S3 buckets using S3 source addresses OpenTofu will use the same credentials as the AWS CLI and SDK.

• TLS and SSH Security:

  • SHA-1 signatures are no longer accepted for TLS or SSH connections
  • SSH certificates must comply with the draft-miller-ssh-cert-03 specification

• -var/-var-file during tofu apply <planfile>:

  • Since ephemeral variables values cannot be saved into the plan, now we allow using -var/-var-file during tofu apply <planfile> to pass again the values for ephemeral variables during apply
  • This new functionality allows -var/-var-file to be used with non-ephemeral variables too, but it will error if the values given for this type of variables is different from the ones given during the plan creation
  • TF_VAR values should stay consistent between plan and apply <planfile> to avoid the errors mentioned above

Reference

• Full Changelog
• Blog Post

Thank you for your continued support and testing of the OpenTofu project!

v1.10.8

Compare Source

SECURITY ADVISORIES:

This release contains fixes for some security advisories related to previous releases in this series.

• Incorrect handling of excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs

  This release incorporates the upstream fixes for GO-2025-4175.

• Excessive CPU usage when reporting error about crafted TLS certificate with many hostnames

  This release incorporates the upstream fixes for GO-2025-4155.

Full Changelog: opentofu/opentofu@v1.10.7...v1.10.8

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.