Infrastructure as Code (IaC) has become the backbone of modern infrastructure management. But when your organization needs full control over the tooling — no cloud licensing, no vendor lock-in, no telemetry — the landscape narrows quickly. This guide covers the three leading self-hosted IaC platforms in 2026: OpenTofu, Terraform, and Pulumi.
Why Self-Host Your IaC Tooling
Running IaC tools entirely on your own infrastructure gives you several advantages that cloud-hosted alternatives simply cannot match:
- No licensing surprises — OpenTofu is fully open-source under the MPL 2.0 license. There are no enterprise-only features hidden behind paywalls for core functionality.
- Zero telemetry — When you self-host, no usage data leaves your network. Your infrastructure topology, resource counts, and deployment patterns stay private.
- Full state control — State files contain sensitive data about your entire infrastructure. Self-hosting means you decide where state is stored, how it is encrypted, and who can access it.
- Air-gapped environments — Many organizations operate in isolated networks. Self-hosted IaC tools can run without any outbound internet connectivity.
- Custom provider development — When you control the toolchain, you can build and distribute custom providers tailored to your internal APIs and hardware.
- Compliance and auditability — Every binary is built from source. Every deployment is reproducible. Auditors can trace exactly what code runs in your environment.
For teams managing hundreds of servers, Kubernetes clusters, or hybrid cloud environments, these factors make self-hosted IaC not just a preference but a requirement.
OpenTofu: The Open-Source Terraform Fork
OpenTofu emerged in 2023 as a community-driven fork of Terraform, created after HashiCorp changed Terraform’s license from the open-source MPL 2.0 to the Business Source License (BSL). It maintains full backward compatibility with existing Terraform configurations and modules, making it the lowest-friction migration path for teams leaving Terraform.
Key Features
- Drop-in replacement for Terraform 1.5.x with identical HCL syntax
- Built-in state encryption and remote state backend support
- No telemetry or license checks
- Active Linux Foundation backing with transparent governance
- Growing provider ecosystem with 3,000+ community providers
Installing OpenTofu
The simplest way to install OpenTofu on a self-hosted workstation or CI runner:
| |
For air-gapped environments, download the binary directly:
| |
Running OpenTofu with Docker
For reproducible builds in CI/CD pipelines, containerize your IaC workflow:
| |
Build and use:
| |
Terraform: The Industry Standard Under BSL
Terraform remains the most widely adopted IaC tool. The BSL license change means it is no longer open source, but the CLI binary is still free to download and use. The restriction applies to building competing products using Terraform’s source code, not to end users provisioning infrastructure.
Key Considerations for Self-Hosting
- The CLI remains free for infrastructure provisioning
- Terraform Cloud/Enterprise features require a separate license
- State management must be self-hosted (S3 + DynamoDB, Consul, or PostgreSQL)
- Provider registry is still accessible for standard providers
Self-Hosted State Backend with MinIO and PostgreSQL
A production-grade self-hosted state backend pairs object storage with locking:
| |
Set up the PostgreSQL backend:
| |
Dockerized Terraform Environment
| |
Pulumi: Infrastructure as Real Code
Pulumi takes a fundamentally different approach. Instead of HCL configuration files, you write infrastructure definitions in general-purpose programming languages — Python, TypeScript, Go, C#, Java, or YAML.
Key Features
- Write infrastructure in Python, TypeScript, Go, Java, C#, or YAML
- Native Kubernetes support with first-class Kubernetes resource classes
- Component abstractions for reusable infrastructure patterns
- Built-in secrets encryption with multiple backend options
- Policy as Code with CrossGuard for governance enforcement
Installing Pulumi Self-Hosted
| |
Self-Hosted Backend (Community Edition)
Pulumi offers a self-hosted backend that stores state locally or in any object storage, without requiring Pulumi Cloud:
| |
Python Example: Provisioning a Complete Stack
| |
Deploy:
| |
Head-to-Head Comparison
| Feature | OpenTofu | Terraform | Pulumi |
|---|---|---|---|
| License | MPL 2.0 (fully open) | BSL (source available) | Apache 2.0 |
| Language | HCL | HCL | Python, TS, Go, Java, C#, YAML |
| State Backend | S3, GCS, Azurerm, HTTP, Consul, PG | S3, GCS, Azurerm, HTTP, Consul | Local, S3, GCS, Azurerm, HTTP, PG |
| State Encryption | Built-in (age encryption) | Cloud-only feature | Built-in (multiple KMS options) |
| Self-Hosted CI | Full support | Full support | Full support |
| Air-Gapped | Yes (full offline) | Yes (with mirror) | Partial (needs registry) |
| Module Registry | OpenTofu Registry | Private Registry (paid) | pulumi/packages (open) |
| Policy as Code | OPA/Sentinel via plugins | Sentinel (Cloud-only) | CrossGuard (built-in) |
| Kubernetes Native | Via provider | Via provider | First-class SDK support |
| Telemetry | None | Opt-out required | Opt-out required |
| Community Size | Growing fast | Largest | Medium, language-focused |
| Learning Curve | Low (HCL) | Low (HCL) | Medium (requires programming) |
| Migration from TF | Drop-in (1:1) | N/A | Manual rewrite |
| Cost | Free | Free CLI, paid Cloud | Free OSS, paid Cloud |
| Governance | Linux Foundation | HashiCorp | Pulumi Corp |
Migrating from Terraform to OpenTofu
If you are already using Terraform and want to move to a fully open-source toolchain, the migration is straightforward:
| |
For teams using Terraform modules from the public registry, you may need to mirror modules locally:
| |
CI/CD Pipeline Integration
GitHub Actions with Self-Hosted Runner
| |
GitLab CI with OpenTofu
| |
Security Best Practices for Self-Hosted IaC
Managing IaC tools on your own infrastructure requires disciplined security practices:
1. Encrypt State at Rest
State files contain sensitive data including passwords, certificates, and resource identifiers. Always encrypt:
| |
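To see why an unencrypted state file is a liability, the following added example (not code from the original guide) walks a plaintext state document and lists every attribute whose name suggests secret material. The sample state, the resource names, and the `SECRET_KEY` name heuristic are constructed assumptions.

```python
import json
import re

# Heuristic list of attribute names that usually carry secrets (an assumption).
SECRET_KEY = re.compile(r"password|secret|token|private_key|access_key", re.I)

# Constructed sample of a plaintext state file (state format version 4).
SAMPLE_STATE = json.dumps({
    "version": 4, "serial": 7,
    "outputs": {"db_password": {"value": "constructed-pw", "type": "string"}},
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{"attributes": {
             "identifier": "prod-db", "username": "admin",
             "password": "constructed-pw", "tags": {"env": "prod"}}}]},
        {"mode": "managed", "type": "tls_private_key", "name": "ca",
         "instances": [{"attributes": {
             "algorithm": "RSA", "private_key_pem": "constructed-pem"}}]},
    ],
})

def walk(node, path):
    """Yield the path of every non-empty leaf whose key name looks secret."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, (dict, list)):
                yield from walk(value, child)
            elif value not in (None, "") and SECRET_KEY.search(key):
                yield child
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def find_plaintext_secrets(state_text):
    """Return sorted locations of secret-looking values readable in the state."""
    state = json.loads(state_text)
    hits = []
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            hits += walk(inst.get("attributes", {}), f'{res["type"]}.{res["name"]}')
    for name, out in state.get("outputs", {}).items():
        if SECRET_KEY.search(name) and out.get("value"):
            hits.append(f"output.{name}")
    return sorted(hits)

if __name__ == "__main__":
    print("\n".join(find_plaintext_secrets(SAMPLE_STATE)))
```

Anything this reports is readable by whoever can fetch the state object, so the findings double as an inventory of what backend access controls and encryption are protecting.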
2. Isolate Credentials
Never store cloud provider credentials in your IaC repository. Use environment variables or a secrets manager:
| |
3. Implement State File Locking
Prevent concurrent modifications that corrupt state:
| |
4. Pin Provider Versions
Always pin provider versions to ensure reproducible builds:
| |
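A pinning rule is only useful if something enforces it, so here is an added example (not from the original guide) of a CI-style check that grades each `required_providers` entry by how tightly its version is constrained. The sample configuration, the grade names, and the regex-based parsing (which assumes at most one level of nested braces) are assumptions of this sketch.

```python
import re

# Constructed sample configuration; providers and versions are illustrative.
SAMPLE_TF = '''
terraform {
  required_providers {
    aws        = { source = "hashicorp/aws", version = "5.31.0" }
    kubernetes = { source = "hashicorp/kubernetes", version = "~> 2.24" }
    random     = { source = "hashicorp/random", version = ">= 3.0" }
    local      = { source = "hashicorp/local" }
  }
}
'''

# Simplified HCL matching: block body, "name = { ... }" entries, version string.
BLOCK = re.compile(r"required_providers\s*\{((?:[^{}]|\{[^{}]*\})*)\}")
ENTRY = re.compile(r"([\w-]+)\s*=\s*\{([^}]*)\}")
VERSION = re.compile(r'version\s*=\s*"([^"]*)"')
EXACT = re.compile(r"^=?\s*\d+\.\d+\.\d+$")  # "1.2.3" or "= 1.2.3"


def classify(constraint):
    """Grade one version constraint string (None means no version given)."""
    if constraint is None:
        return "unpinned"
    parts = [p.strip() for p in constraint.split(",")]
    if len(parts) == 1 and EXACT.match(parts[0]):
        return "exact"
    if any(p.startswith(("~>", "<")) for p in parts):
        return "bounded"     # has an upper limit, still floats below it
    return "open-ended"      # e.g. ">= 3.0" accepts any future release


def audit_pins(tf_text):
    """Map each required provider to exact / bounded / open-ended / unpinned."""
    block = BLOCK.search(tf_text)
    body = block.group(1) if block else ""
    grades = {}
    for name, attrs in ENTRY.findall(body):
        found = VERSION.search(attrs)
        grades[name] = classify(found.group(1) if found else None)
    return grades


if __name__ == "__main__":
    for name, grade in audit_pins(SAMPLE_TF).items():
        print(f"{name}: {grade}")
```

A pipeline would typically fail the build on `unpinned` or `open-ended` results and commit the dependency lock file alongside the configuration so the resolved versions are recorded as well.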
Which Tool Should You Choose?
The decision comes down to your team’s existing skills and organizational requirements:
Choose OpenTofu if:
- You already have Terraform configurations and want a drop-in replacement
- You need a truly open-source license with no restrictions
- You want built-in state encryption without paying for cloud features
- Your team values community governance over corporate control
Choose Terraform if:
- Your organization has existing HashiCorp Enterprise subscriptions
- You rely on Terraform Cloud’s remote run features
- Your team is already trained and certified on Terraform
- You need Sentinel policy enforcement at enterprise scale
Choose Pulumi if:
- Your team prefers writing infrastructure in general-purpose languages
- You need complex logic, loops, and conditionals in your infrastructure code
- You want first-class Kubernetes SDK support
- You are building reusable infrastructure libraries with testing frameworks
For most organizations looking for a self-hosted, open-source IaC solution in 2026, OpenTofu offers the smoothest transition from Terraform with the strongest open-source guarantees. Teams starting fresh with infrastructure automation and comfortable in Python or TypeScript should seriously consider Pulumi for its expressive programming model.
Getting Started Today
Here is the fastest path to running your first self-hosted IaC deployment:
| |
The infrastructure you manage should be under your control — including the tools that define it. Self-hosted IaC gives you that control, and in 2026, the options have never been stronger.
Frequently Asked Questions (FAQ)
Which one should I choose in 2026?
The best choice depends on your specific requirements:
- For beginners: Start with the simplest option that covers your core use case
- For production: Choose the solution with the most active community and documentation
- For teams: Look for collaboration features and user management
- For privacy: Prefer fully open-source, self-hosted options with no telemetry
Refer to the comparison table above for detailed feature breakdowns.
Can I migrate between these tools?
Most tools support data import/export. Always:
- Back up your current data
- Test the migration on a staging environment
- Check official migration guides in the documentation
Are there free versions available?
All tools in this guide offer free, open-source editions. Some also provide paid plans with additional features, priority support, or managed hosting.
How do I get started?
- Review the comparison table to identify your requirements
- Visit the official documentation (links provided above)
- Start with a Docker Compose setup for easy testing
- Join the community forums for troubleshooting