diff --git a/examples/aws-vault/devenv.nix b/examples/aws-vault/devenv.nix index 2484919dc..632f9f18e 100644 --- a/examples/aws-vault/devenv.nix +++ b/examples/aws-vault/devenv.nix @@ -1,10 +1,14 @@ -{ pkgs, ... }: { - languages.terraform.enable = true; +{ pkgs, ... }: + +{ + # Since Terraform adopted a non-free license (BSL 1.1) in August 2023, + # using terraform instead of opentofu now requires adding `allowUnfree: true` to `devenv.yaml` + languages.opentofu.enable = true; aws-vault = { enable = true; profile = "aws-profile"; awscliWrapper.enable = true; - terraformWrapper.enable = true; + opentofuWrapper.enable = true; }; } diff --git a/src/modules/integrations/aws-vault.nix b/src/modules/integrations/aws-vault.nix index 2568b3b21..feba82023 100644 --- a/src/modules/integrations/aws-vault.nix +++ b/src/modules/integrations/aws-vault.nix @@ -41,6 +41,26 @@ in description = "Attribute set of packages including awscli2"; }; + opentofuWrapper = lib.mkOption { + type = lib.types.submodule { + options = { + enable = lib.mkEnableOption '' + Wraps opentofu binary as `aws-vault exec -- opentofu `. + ''; + + package = lib.mkOption { + type = lib.types.package; + default = pkgs.opentofu; + defaultText = lib.literalExpression "pkgs.opentofu"; + description = "The opentofu package to use."; + }; + }; + }; + defaultText = lib.literalExpression "pkgs"; + default = { }; + description = "Attribute set of packages including opentofu"; + }; + terraformWrapper = lib.mkOption { type = lib.types.submodule { options = { 
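Review bot: In the `@@ -41,6 +41,26 @@` hunk of src/modules/integrations/aws-vault.nix, the outer `defaultText = lib.literalExpression "pkgs";` and `description = "Attribute set of packages including opentofu";` do not describe the new `opentofuWrapper` option. Its default is `{ }` and it holds the wrapper's `enable` and `package` settings, so I would drop the outer `defaultText` and use `description = "Settings for running the tofu binary through aws-vault.";`. The `enable` text also reads awkwardly, because `lib.mkEnableOption` prefixes it with "Whether to enable", and it names the command `opentofu` while the wrapper added later in this file runs `bin/tofu` with the profile; `lib.mkEnableOption "wrapping the tofu binary with aws-vault exec"` would be more accurate. The wording looks carried over from the neighbouring wrapper options, which start outside this hunk and may need the same correction.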
@@ -70,6 +90,11 @@ in
 '')
 ];
 })
+ (lib.mkIf (cfg.enable && cfg.opentofuWrapper.enable) {
+ languages.opentofu.package = pkgs.writeScriptBin "opentofu" ''
+ ${cfg.package}/bin/aws-vault exec ${cfg.profile} -- ${cfg.opentofuWrapper.package}/bin/tofu "$@"
+ '';
+ })
 (lib.mkIf (cfg.enable && cfg.terraformWrapper.enable) {
 languages.terraform.package = pkgs.writeScriptBin "terraform" ''
 ${cfg.package}/bin/aws-vault exec ${cfg.profile} -- ${cfg.terraformWrapper.package}/bin/terraform "$@"
diff --git a/src/modules/languages/opentofu.nix b/src/modules/languages/opentofu.nix
new file mode 100644
index 000000000..a61478f1e
--- /dev/null
+++ b/src/modules/languages/opentofu.nix
@@ -0,0 +1,23 @@
+{ pkgs, config, lib, ... }:
+
+let
+ cfg = config.languages.opentofu;
+in
+{
+ options.languages.opentofu = {
+ enable = lib.mkEnableOption "tools for OpenTofu development";
+
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.opentofu;
+ defaultText = lib.literalExpression "pkgs.opentofu";
+ description = "The OpenTofu package to use.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ packages = with pkgs; [
+ cfg.package
+ ];
+ };
+}
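Review bot: In the `@@ -70,6 +90,11 @@` hunk of aws-vault.nix the wrapper script is installed under the name `opentofu`, while the binary it wraps is `bin/tofu`, so typing `tofu` does not go through aws-vault. Because this wrapper replaces `languages.opentofu.package`, `tofu` is then presumably either missing from the environment or resolved from elsewhere on PATH without the vaulted credentials. Naming the script after the real CLI avoids that: `languages.opentofu.package = pkgs.writeShellScriptBin "tofu" ''`. I would also escape the profile and exec the child, `exec ${cfg.package}/bin/aws-vault exec ${lib.escapeShellArg cfg.profile} -- ${cfg.opentofuWrapper.package}/bin/tofu "$@"`, since `writeScriptBin` writes the text without a shebang and `cfg.profile` is spliced into shell text unquoted. The terraform wrapper in the context lines has the same shape, and the enclosing list starts outside the hunk.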
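Review bot: `packages = with pkgs; [ cfg.package ];` in the new src/modules/languages/opentofu.nix opens `pkgs` into scope for a list that references nothing from it. `packages = [ cfg.package ];` is equivalent and keeps later additions from silently resolving names against `pkgs`. A short header comment would help too, stating that the module only adds the selected package to the environment and that the aws-vault integration may replace `languages.opentofu.package` with its wrapper.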