Overview

AI, Data Science & Cloud Certificates from Google, IBM & Meta — 50% Off

One plan covers every Professional Certificate on Coursera. 50% off Coursera Plus Annual for 10 days only — price increases June 17.

Unlock All Certificates

You learn IAC fundamentals — plan, apply, saved plans, JSON plans, resource lifecycle, refactoring, drift detection, policy gates, cross-config sharing, testing, and state security — by walking ten OpenTofu features next to their forjar equivalents. Forjar is a single Rust binary with state in Git as BLAKE3-hashed YAML, 17 crate dependencies, and ten falsifiable C1-C10 contracts asserted on every apply. Each module compares one OpenTofu feature (`terraform plan -out`, `terraform show -json`, `lifecycle`, `moved`, `-target`, `refresh-only`, `check`, `terraform_remote_state`, `.tftest.hcl`, `state_encryption`) against the forjar approach so you finish knowing the industry default and a concrete second tool.

Syllabus

Why IAC, Why Forjar

Imperative bash scripts drift the moment a sysadmin SSHs into a host and types a one-off `apt install`. Declarative IAC says "here is the end state" and the tool figures out the diff. The same config converges from any starting point. Plan-then-apply is the universal IAC contract: every tool from Terraform to forjar shows you what will change before it changes anything. forjar is a single Rust binary, and state lives in Git as BLAKE3-hashed YAML.

State and Plan

Terraform's remote state is a JSON file in an S3 bucket plus a Consul or DynamoDB lock; forjar writes state as a BLAKE3-hashed YAML file next to your config and commits it to Git. The operational consequence: Terraform needs a state-recovery runbook for the day someone deletes the S3 bucket; forjar's recovery is `git checkout`. OpenTofu's `terraform plan -out=plan.tfplan` writes a binary file that `terraform apply plan.tfplan` later consumes, and forjar's BLAKE3 lock file IS the saved plan. In this module you'll inspect where state lives, see saved plans in action, and read JSON plan output to understand what changes IAC will make before applying.

Lifecycle and Refactoring

Terraform 1.12 ships `lifecycle.ignore_changes` for fields the API mutates, `moved` blocks for refactor-without-destroy, and `removed` blocks for legitimate deletions. Forjar implements the same three primitives with one syntactic twist: it requires you to declare the destination resource exists in your config before a `moved` block resolves, which catches the move-to-a-rename-you-forgot bug at plan time. OpenTofu 1.8 added early evaluation of `for_each` keys so a `moved` block can target a dynamic key without hitting the partial-state error Terraform 1.5 throws. In this module you'll learn how lifecycle blocks rename, ignore, and remove resources without destroying them.

Drift and Convergence

Drift is what separates the diagram you drew from the cluster you have. This module contrasts Terraform's slow, expensive plan -refresh-only — which polls every cloud API for every resource — with forjar's local BLAKE3 hash compare against the lock file that catches drift in milliseconds with zero network calls. You will also see how OpenTofu 1.5 check blocks add post-apply health checks that warn (but do not block), while forjar's C1-C10 contracts are property tests asserted on every apply. The final piece is cross-stack imports: terraform_remote_state silently consumes whatever the upstream produced, but forjar pins the imported hash and refuses to apply on mismatch.

Testing, Security, and a Capstone Fleet

This capstone module ties testing, state encryption, and a live canary fleet into one production-grade picture. You will see Terraform's .tftest.hcl testing DSL with run blocks and assert conditions on plan/apply outputs as the unit-test layer for infrastructure configs, and how forjar's plan-test mode resolves the DAG and renders the YAML diff with zero apply and zero destroy. You will then contrast OpenTofu 1.7's state_encryption (AES-GCM at rest via AWS KMS) against forjar's BLAKE3-signed manifest where any mutation along plan-to-apply invalidates the signature and aborts. The capstone canary-fleet demo edits a managed greeting, runs apply, watches forjar restore content, and proves all 10 C1-C10 claims hold against a live primary-plus-canary fleet.