diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml
new file mode 100644
index 00000000..8d02a8ad
--- /dev/null
+++ b/.github/workflows/test-early-eval.yaml
@@ -0,0 +1,27 @@
+name: Test OpenTofu early eval
+
+on:
+  - pull_request
+
+permissions:
+  contents: read
+
+jobs:
+  plan:
+    runs-on: ubuntu-24.04
+    name: Plan with early eval
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: terraform plan
+        uses: ./tofu-plan
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        with:
+          path: tests/workflows/test-plan/early-eval/tofu
+          variables: |
+            passphrase = "tofuqwertyuiopasdfgh"
diff --git a/image/actions.sh b/image/actions.sh
index 35624948..c4e3ee10 100644
--- a/image/actions.sh
+++ b/image/actions.sh
@@ -217,6 +217,14 @@ function set-init-args() {
         done
     fi
 
+    if [[ -v OPENTOFU && $TERRAFORM_VER_MINOR -ge 8 ]]; then
+        debug "Preparing variables for early evaluation"
+        set-variable-args
+        INIT_ARGS="$INIT_ARGS $VARIABLE_ARGS"
+    else
+        VARIABLE_ARGS=""
+    fi
+
     export INIT_ARGS
 }
 
@@ -299,9 +307,9 @@ function init-backend-default-workspace() {
 
 function select-workspace() {
     local WORKSPACE_EXIT
 
-    debug_log $TOOL_COMMAND_NAME workspace select "$INPUT_WORKSPACE"
+    debug_log $TOOL_COMMAND_NAME workspace select "$VARIABLE_ARGS" "$INPUT_WORKSPACE" # don't expand VARIABLE_ARGS
     set +e
-    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1
+    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select "$VARIABLE_ARGS" "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1
     WORKSPACE_EXIT=$?
     set -e
@@ -360,6 +368,8 @@ function set-common-plan-args() {
 }
 
 function set-variable-args() {
+    VARIABLE_ARGS=""
+
 
     if [[ -n "$INPUT_VAR_FILE" ]]; then
         for file in $(echo "$INPUT_VAR_FILE" | tr ',' '\n'); do
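Review bot: The state-encryption passphrase on the last line of the hunk, `passphrase = "tofuqwertyuiopasdfgh"`, is a fixed literal committed with the workflow, so the pbkdf2 key it feeds (declared `sensitive = true` in the fixture this commit adds) is readable by anyone with read access to the repository and the encrypted state written to the test bucket gains no confidentiality from it. If that bucket is shared with other tests or is long-lived, keep the value in a repository secret and pass it the way the hunk already passes the AWS credentials, `passphrase = "${{ secrets.<TEST_STATE_PASSPHRASE> }}"` (placeholder secret name); if it is a deliberate throwaway, a comment above `variables:` such as `# fixed test-only passphrase; the state it protects holds no real data` makes that explicit for reviewers and for secret-scanner triage. Note also that on `pull_request` runs from forks the `secrets.*` values are presumably empty, so the plan step would fail rather than be skipped there — the action's behaviour without credentials is outside this diff.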
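Review bot: The guard `[[ -v OPENTOFU && $TERRAFORM_VER_MINOR -ge 8 ]]` enables early evaluation on the minor number alone, so a hypothetical OpenTofu 2.0 (minor 0) would silently take the else branch and pass no variables to init; if the script also derives a major version it should be part of the test, otherwise state the assumption in a comment, e.g. `# early eval needs OpenTofu >= 1.8; assumes a 1.x major`. The else branch is also the only place `VARIABLE_ARGS` is initialised before `select-workspace` expands it on the Terraform path, which deserves a comment such as `# select-workspace expands VARIABLE_ARGS unconditionally` so the reset is not later removed as dead code. set-init-args begins before this hunk.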
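Review bot: Both new lines in select-workspace pass `"$VARIABLE_ARGS"` double-quoted, which hands the tool a single argument: on the Terraform path (and whenever no variables are given) that is an empty string inserted before the workspace name, and otherwise one argument holding ` -var-file=a -var-file=b` with its leading space, so `workspace select` will presumably reject the argument count or shape instead of seeing separate flags. The trailing `# don't expand VARIABLE_ARGS` on the debug line is not honoured by double quotes either. Follow the pattern this same commit uses in test.sh: `debug_log $TOOL_COMMAND_NAME workspace select '$VARIABLE_ARGS' "$INPUT_WORKSPACE" # don't expand VARIABLE_ARGS`, then `# shellcheck disable=SC2086` above `(cd "$INPUT_PATH" && $TOOL_COMMAND_NAME workspace select $VARIABLE_ARGS "$INPUT_WORKSPACE") >"$STEP_TMP_DIR/workspace_select" 2>&1`. select-workspace continues past the end of the hunk.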
@@ -368,13 +378,13 @@ function set-variable-args() {
                 exit 1
             fi
 
-            PLAN_ARGS="$PLAN_ARGS -var-file=$(relative_to "$INPUT_PATH" "$file")"
+            VARIABLE_ARGS="$VARIABLE_ARGS -var-file=$(relative_to "$INPUT_PATH" "$file")"
         done
     fi
 
     if [[ -n "$INPUT_VARIABLES" ]]; then
         echo "$INPUT_VARIABLES" >"$STEP_TMP_DIR/variables.tfvars"
-        PLAN_ARGS="$PLAN_ARGS -var-file=$STEP_TMP_DIR/variables.tfvars"
+        VARIABLE_ARGS="$VARIABLE_ARGS -var-file=$STEP_TMP_DIR/variables.tfvars"
     fi
 }
 
@@ -388,6 +398,7 @@ function set-plan-args() {
     fi
 
     set-variable-args
+    PLAN_ARGS="$PLAN_ARGS $VARIABLE_ARGS"
 
     export PLAN_ARGS
 }
diff --git a/image/entrypoints/test.sh b/image/entrypoints/test.sh
index 1a58a8e3..d21cc55a 100755
--- a/image/entrypoints/test.sh
+++ b/image/entrypoints/test.sh
@@ -30,11 +30,11 @@ function set-test-args() {
 
 function test() {
 
-    debug_log $TOOL_COMMAND_NAME test -no-color $TEST_ARGS '$PLAN_ARGS' # don't expand PLAN_ARGS
+    debug_log $TOOL_COMMAND_NAME test -no-color $TEST_ARGS '$VARIABLE_ARGS' # don't expand VARIABLE_ARGS
     set +e
     # shellcheck disable=SC2086
-    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME test -no-color $TEST_ARGS $PLAN_ARGS) \
+    (cd "$INPUT_PATH" && $TOOL_COMMAND_NAME test -no-color $TEST_ARGS $VARIABLE_ARGS) \
         2>"$STEP_TMP_DIR/terraform_test.stderr" \
         | tee /dev/fd/3 \
         >"$STEP_TMP_DIR/terraform_test.stdout"
 
@@ -59,7 +59,6 @@ function test() {
 }
 
 set-test-args
-PLAN_ARGS=""
 set-variable-args
 test
 
diff --git a/tests/workflows/test-plan/early-eval/tofu/main.tf b/tests/workflows/test-plan/early-eval/tofu/main.tf
new file mode 100644
index 00000000..6d0105b4
--- /dev/null
+++ b/tests/workflows/test-plan/early-eval/tofu/main.tf
@@ -0,0 +1,42 @@
+terraform {
+  backend "s3" {
+    bucket = var.state_bucket
+    key = "test-plan-early-eval"
+    region = "eu-west-2"
+  }
+}
+
+variable "state_bucket" {
+  type = string
+}
+
+variable "acm_certificate_version" {
+  type = string
+  default = "4.3.0"
+}
+
+variable "passphrase" {
+  type = string
+  sensitive = true
+}
+
+module "s3-bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+  version = var.acm_certificate_version
+}
+
+terraform {
+  encryption {
+    key_provider "pbkdf2" "my_passphrase" {
+      passphrase = var.passphrase
+    }
+
+    method "aes_gcm" "my_method" {
+      keys = key_provider.pbkdf2.my_passphrase
+    }
+
+    state {
+      method = method.aes_gcm.my_method
+    }
+  }
+}
\ No newline at end of file
diff --git a/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars b/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars
new file mode 100644
index 00000000..7f3ce5bc
--- /dev/null
+++ b/tests/workflows/test-plan/early-eval/tofu/terraform.tfvars
@@ -0,0 +1 @@
+state_bucket = "terraform-github-actions"
\ No newline at end of file
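Review bot: `variable "acm_certificate_version"` is used only as `version = var.acm_certificate_version` on the `s3-bucket` module, so its name describes something this fixture does not contain; renaming it to e.g. `s3_bucket_module_version` would keep the early-eval test readable, and the workflow added in this commit passes only `passphrase`, so no caller that would break is visible here. The file also lacks a trailing newline (`\ No newline at end of file`), as does terraform.tfvars in the next hunk. A one-line header comment such as `# Early-evaluation fixture: the backend bucket and module version come from variables; state is encrypted with a pbkdf2 passphrase` would tell a reader why the backend block references `var.state_bucket`, which only the tool version gated by the `-ge 8` check in actions.sh is expected to accept — hedged, since that gate is the only version signal in the diff.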