Add Dockerized OpenTofu runner

.dockerignore

@@ -0,0 +1,8 @@
+.git
+.terraform
+**/.terraform
+terraform.tfstate
+terraform.tfstate.*
+*.tfplan
+*.zip
+.env

README.md

@@ -89,6 +89,48 @@ Destroy:
 tofu destroy
 ```
 
+## Docker Usage
+
+You can run OpenTofu from a Docker container instead of installing it on the host.
+
+Build the runner image:
+
+```bash
+docker compose build tofu
+```
+
+Run `init` for the default `dev` environment:
+
+```bash
+docker compose run --rm tofu init
+```
+
+Run `plan`:
+
+```bash
+docker compose run --rm tofu plan
+```
+
+Run `apply`:
+
+```bash
+docker compose run --rm tofu apply
+```
+
+Select another environment with `QUANTUM_ENV`:
+
+```bash
+QUANTUM_ENV=stg docker compose run --rm tofu plan
+QUANTUM_ENV=prd docker compose run --rm tofu plan
+```
+
+On PowerShell:
+
+```powershell
+$env:QUANTUM_ENV="stg"
+docker compose run --rm tofu plan
+```
+
 ## Quick Tests
 
 List buckets:

docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  tofu:
+    build:
+      context: .
+      dockerfile: docker/opentofu/Dockerfile
+      args:
+        OPENTOFU_VERSION: ${OPENTOFU_VERSION:-1.10}
+    image: quantum-opentofu:${OPENTOFU_VERSION:-1.10}
+    working_dir: /workspace/environments/${QUANTUM_ENV:-dev}
+    environment:
+      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:-test}
+      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY:-test}
+      AWS_DEFAULT_REGION: ${AWS_DEFAULT_REGION:-us-east-1}
+    volumes:
+      - .:/workspace

docker/opentofu/Dockerfile

@@ -0,0 +1,18 @@
+ARG OPENTOFU_VERSION=1.10
+
+FROM ghcr.io/opentofu/opentofu:${OPENTOFU_VERSION}-minimal AS opentofu
+
+FROM alpine:3.22
+
+RUN apk add --no-cache \
+    bash \
+    ca-certificates \
+    curl \
+    git \
+    openssh-client
+
+COPY --from=opentofu /usr/local/bin/tofu /usr/local/bin/tofu
+
+WORKDIR /workspace
+
+ENTRYPOINT ["tofu"]