Getting Started

Status: Stable

Today OpenTaco focuses on state management (units, locks, HTTP/S3 backends, dependencies & status).

Prerequisites:
  • Go 1.25+
  • Terraform 1.6+ (or OpenTofu)
  • AWS creds set up if you want S3 persistence
Build all components from opentaco/:
make clean && make build
Run the service (S3 recommended):
OPENTACO_S3_BUCKET=<bucket> \
OPENTACO_S3_REGION=<region> \
OPENTACO_S3_PREFIX=<prefix> \
./opentacosvc
Health checks:
curl http://localhost:8080/healthz
curl http://localhost:8080/readyz
Scaffold a provider workspace and create the system unit by convention:
./taco provider init opentaco-config --server http://localhost:8080
cd opentaco-config
terraform init
terraform apply -auto-approve
Use the created unit in your own Terraform project (example backend):
terraform {
  backend "http" {
    address        = "http://localhost:8080/v1/backend/myapp/prod"
    lock_address   = "http://localhost:8080/v1/backend/myapp/prod"
    unlock_address = "http://localhost:8080/v1/backend/myapp/prod"
  }
}
Troubleshooting quick tips:
  • 405 on LOCK/UNLOCK → ensure the service wires explicit routes for the custom verbs.
  • 409 on save → the service must read the lock ID from the header or the query (?ID=).
  • 409 on Create → the unit already exists; import it, change the id, or delete it and then apply.

Using the S3‑compatible backend

OpenTaco also exposes a minimal S3‑compatible endpoint at /s3 that works with Terraform’s backend "s3".
  1. Configure an AWS profile that uses the CLI to mint short‑lived creds via credential_process:
[profile opentaco-state-backend]
region = auto
credential_process = "/absolute/path/to/taco" creds --json --server http://localhost:8080
Notes:
  • Use an absolute path to the taco binary; quote it if the path contains spaces.
  • Ensure the binary is executable (chmod +x /absolute/path/to/taco).
  2. Backend block in your Terraform project:
terraform {
  backend "s3" {
    bucket  = "opentaco"
    key     = "myapp/prod/terraform.tfstate"
    endpoints = { s3 = "http://localhost:8080/s3" }
    use_path_style                 = true
    skip_credentials_validation    = true
    skip_region_validation         = true
    skip_requesting_account_id     = true
    # Terraform 1.13+ supports lockfiles; OpenTaco handles both .lock and .tflock
    use_lockfile                   = true
    profile                        = "opentaco-state-backend"
  }
}
  3. Run the flow:
./taco login --server http://localhost:8080
export AWS_SDK_LOAD_CONFIG=1
export AWS_PROFILE=opentaco-state-backend
terraform init -reconfigure
terraform plan && terraform apply -auto-approve
Troubleshooting:
  • 401 from taco creds → re‑login: ./taco login --force-login; pin a stable signing key in the server for fewer re‑logins.
  • 126 from credential_process → path not executable or not absolute; quote the path and chmod +x.
  • Init loops with frequent GETs → ensure your service is updated (empty state returns 404) and use_lockfile = true is present.
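
A pre-flight check for the credential_process setup above, added here as an example (not OpenTaco's own code): check_profile catches the two causes of the 126 error before Terraform runs, and check_output validates a helper's output against the JSON shape the AWS SDKs require from any credential_process helper. The function names are hypothetical, and the assumption that the command line is split with POSIX shell quoting rules is marked in the code.

```python
import configparser
import json
import os
import shlex
from datetime import datetime, timezone


def check_profile(config_text, profile):
    """Problems with a profile's credential_process line; [] means OK."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    command = cfg.get(f"profile {profile}", "credential_process", fallback="")
    try:
        # Assumption: the SDK splits this like a POSIX shell (quotes honoured).
        argv = shlex.split(command)
    except ValueError as exc:
        return [f"unbalanced quoting: {exc}"]
    if not argv:
        return ["no credential_process configured for this profile"]
    helper = argv[0]
    if not os.path.isabs(helper):
        return [f"helper path is not absolute: {helper}"]
    if not (os.path.isfile(helper) and os.access(helper, os.X_OK)):
        return [f"helper missing or not executable (chmod +x): {helper}"]
    return []


def check_output(raw, now=None):
    """Problems with the JSON a helper printed; [] means OK."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return ["output is not valid JSON"]
    if not isinstance(doc, dict):
        return ["output is not a JSON object"]
    problems = [f"missing {key}" for key in ("AccessKeyId", "SecretAccessKey")
                if not doc.get(key)]
    if doc.get("Version") != 1:
        problems.append("Version must be 1")
    expiration = doc.get("Expiration")  # optional field
    try:
        when = datetime.fromisoformat(str(expiration).replace("Z", "+00:00"))
        if when <= (now or datetime.now(timezone.utc)):
            problems.append(f"credentials expired at {expiration}")
    except (ValueError, TypeError):
        if expiration is not None:
            problems.append("Expiration is not an offset-aware ISO 8601 time")
    return problems
```

Pass check_profile the contents of ~/.aws/config and the profile name, and pass check_output the text the helper writes to stdout.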

Dependencies and Status

OpenTaco tracks output-level dependencies across units using a dedicated graph workspace (__opentaco_system) and a Terraform resource (opentaco_dependency). After declaring edges in a small system workspace, apply your normal unit workspaces and use the CLI to view status:
./taco unit status            # all units
./taco unit status --prefix org/app/
./taco unit status org/app/B  # single unit
The table shows friendly, color-coded labels:
  • up to date (green), needs re-apply (red), might need re-apply (yellow).
See examples/dependencies/ for a runnable A→B→C demo.