diff --git a/databases/azure-cosmos-db/scripts/azure/do_tofu b/databases/azure-cosmos-db/scripts/azure/do_tofu
index 6c2651c..c6e9bc3 100755
--- a/databases/azure-cosmos-db/scripts/azure/do_tofu
+++ b/databases/azure-cosmos-db/scripts/azure/do_tofu
@@ -4,6 +4,31 @@ set -eoux pipefail
 
 env | grep -E '^(AZURE|ARM)' || true
 
+# Ensure tofu is available. On agents where tofu is not pre-installed, download
+# and cache the binary in /tmp/np-tofu-bin so it is only fetched once per pod
+# lifetime (the directory survives across actions but is cleared on pod restart).
+if ! command -v tofu &>/dev/null; then
+  TOFU_VERSION="1.9.0"
+  TOFU_BIN_DIR="/tmp/np-tofu-bin"
+  TOFU_BIN="$TOFU_BIN_DIR/tofu"
+
+  if [ ! -f "$TOFU_BIN" ]; then
+    echo "tofu not found in PATH, installing v${TOFU_VERSION} to ${TOFU_BIN_DIR}..."
+    mkdir -p "$TOFU_BIN_DIR"
+    curl -fsSL \
+      "https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_linux_amd64.zip" \
+      -o /tmp/tofu.zip
+    unzip -qo /tmp/tofu.zip tofu -d "$TOFU_BIN_DIR"
+    chmod +x "$TOFU_BIN"
+    rm -f /tmp/tofu.zip
+    echo "tofu installed: $("$TOFU_BIN" version | head -1)"
+  else
+    echo "Using cached tofu at ${TOFU_BIN}"
+  fi
+
+  export PATH="$TOFU_BIN_DIR:$PATH"
+fi
+
 TOFU_VAR_FILE="$OUTPUT_DIR/terraform.tfvars.json"
 
 echo "$TOFU_VARIABLES" > "$TOFU_VAR_FILE"