OpenTofu 1.12 Ships the Dynamic Destroy Protection Terraform Refused to Build for a Decade

Overview

OpenTofu v1.12.0, released on May 14, 2026, delivers several improvements that the community has requested for years — most notably the ability to use variables inside lifecycle blocks, a pattern that Terraform’s own issue tracker has logged as unsupported since December 2016. The release, announced on the official OpenTofu blog, also ships a new destroy = false lifecycle option and a split output mode for infrastructure tooling pipelines.

Dynamic prevent_destroy

The headline addition in 1.12 is dynamic prevent_destroy. Previously, teams writing shared Terraform-compatible modules had to hardcode whether a resource could be destroyed, making it impossible to enforce strict lifecycle policies in production while permitting teardown in development from the same module.

As described in the OpenTofu release post, “The prevent_destroy argument in a resource’s lifecycle block can now refer to other symbols within the same module, such as input variables.” The practical effect: a single module can now protect a production database by default while a development environment sets prevent_destroy_database = false in the module block to disable that constraint.

The feature closes a gap that has been widely documented. According to InfoQ’s coverage of the release, “Requests to wire prevent_destroy to a variable date back to Terraform 0.7 in 2016,” with the original GitHub issue titled “Unable to use var for ignore_changes or prevent_destroy” opened on December 14, 2016. Teams attempting the pattern in Terraform encountered the error “Variables may not be used here” — an error that remained in place, as InfoQ notes, “roughly a decade after the first request landed in the Terraform issue tracker.”

HashiCorp never implemented the feature; OpenTofu has now shipped it.

New destroy = false Lifecycle Option

A related addition is the destroy = false lifecycle meta-argument. The release notes describe it as removing objects from state without destroying remote infrastructure — a capability useful when teams need to decommission their OpenTofu management of a resource without actually deleting the underlying cloud object.

As the OpenTofu blog explains, “The new destroy = false lifecycle option for managed resources allows removing an object from the state without first destroying the remote object.” Previously, achieving this required manual state manipulation commands.

Provider Checksum and Output Improvements

Two workflow friction points are also addressed in 1.12. On provider initialization, the OpenTofu Registry now returns a complete set of checksums in both zh: and h1: hash formats during tofu init. The official blog states that “tofu init now automatically includes a full set of checksums for all platforms using both zh: and h1: hashes, reducing the need for manually running tofu providers lock.” Users sharing dependency lock files across teams or using global plugin caches will no longer need a separate lock command to populate the required hash entries.

The release also introduces -json-into=FILENAME. Before this option, using the -json flag for machine-readable output replaced the human-readable terminal output completely. With the new flag, as described in InfoQ’s coverage, the option “sends the JSON stream to a file (or named pipe, or /dev/fd/N for concurrent consumption) while leaving the normal terminal output intact.” The official blog adds that the flag also supports streaming IPC output methods, making it easier to build internal platform tooling on top of OpenTofu without sacrificing console readability.

Provider installation also benefits from concurrent download requests in 1.12, according to the release post: “Provider installation now performs concurrent requests for faster tofu init completion when many providers are needed.”

Deprecations

Two deprecations were announced alongside the release.

WinRM provisioner support is deprecated in v1.12, with removal planned for v1.13. The OpenTofu blog states that “Some of the Go libraries that OpenTofu uses for WinRM connection support in provisioners have become unmaintained over time,” and recommends migrating to OpenSSH for Windows. Users with type = "winrm" connection blocks will see deprecation warnings but no functional change in this release.

32-bit architecture builds (386 and arm) are also being phased out. The release announcement notes that “Support for 64-bit architectures (amd64 and arm64) is unaffected,” and that v1.13 will introduce warnings before packages are eventually dropped in a later release series.

Context

OpenTofu emerged in 2023 as a community fork of Terraform after HashiCorp changed Terraform’s license from the Mozilla Public License to the Business Source License (BSL), restricting certain commercial uses. The fork is now hosted by the Cloud Native Computing Foundation (CNCF). As previously reported, IBM’s 2025 acquisition of HashiCorp has continued to accelerate the IaC ecosystem shift toward alternatives, with OpenTofu among the primary beneficiaries.

The v1.12.x release series is supported until February 1, 2027, per the project’s changelog.

What We Don’t Know

OpenTofu has not published adoption statistics specific to the 1.12 release — contribution count, download metrics, or enterprise adoption figures for this version are not yet available. It is also not yet clear which downstream tooling ecosystems (Terragrunt, Atlantis, Spacelift, and others) have shipped compatibility updates for 1.12’s new lifecycle semantics. The timeline for full GA of the concurrent provider installation performance improvements has not been quantified in the release materials.