Many Infrastructure as Code tools are available to facilitate the provisioning of cloud-native applications across all the major cloud platforms. Terraform and Pulumi are two such tools.
Terraform was an open-source platform designed to manage infrastructure until August 10, 2023, when it switched to a BSL, while Pulumi is still an open-source platform that focuses on infrastructure management using your favorite programming languages, such as Golang or Python.
In this article, we’ll take a look at both and provide a comparison between them.
We will cover:
Cloud-native applications embrace the widely accepted practice of Infrastructure as Code (IaC). IaC applies software development practices to the management of infrastructure, i.e., networks, virtual machines, load balancers, etc.
Applying software development techniques to managing infrastructure provides several benefits, including versioning using a repository like GitHub and streamlining provisioning and maintenance by creating repeatable processes. You can also implement code reviews and audits to ensure infrastructure changes are correct and won’t introduce errors.
With IaC, you can replicate your infrastructure easily and include it in a CI/CD deployment pipeline. IaC is also scalable and helps to eliminate human errors.
Terraform, is a tool created by Hashicorp. It is probably the most well-known IaC infrastructure provisioning tool. Terraform is cloud-agnostic and allows you to simultaneously automate infrastructure stacks from multiple cloud service providers simultaneously. Terraform uses its own domain-specific language called Hashicorp Configuration Language (HCL).
Terraform uses “plans” to validate the configuration and display exactly what elements will change before the changes are applied. Check out our introduction to the Terraform plan command for a detailed look at plans.
Pulumi is an IaC tool that uses a declarative format to deploy infrastructure. It lets you use any major development language to create infrastructure template files. Pulumi, like Terraform, supports all of the major cloud providers.
Read more in our Pulumi introduction and check out our Pulumi pricing overview.
Pulumi and Terraform are both software tools that automate cloud computing infrastructure management using code and templates. They help businesses provision and configure servers, storage, databases, and networks without manual intervention or hardware controls.
Both tools store the documented configurations in version control systems that ensure consistency and reduce turnaround time. They support DevOps and NetOps practices, enabling agility, scalability, and resilience. Depending on the provider and the environment, they can be cloud-specific or cloud-agnostic.
The following table lists the key differences between Pulumi and Terraform:
Let’s take a deeper look into each of the differences listed above with examples.
1. Language support
Terraform’s HCL is JSON-compatible and is used to create the configuration files that describe the infrastructure resources in the stack. It uses proprietary syntax for common programming constructs like conditionals and loops. Terraform recently released the beta of a development kit that allows you to use programming languages that compile to HCL.
Here’s an example of typical Terraform configuration file created using HCL to provision an Azure Resource Group.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "=3.0.0"
}
}
}
variable "region" {
description = "Azure location for the resource group"
type = string
}
provider "azurerm" {
features { }
}
resource "azurerm_resource_group" "iac" {
name = "rg-iac-example-centralus"
location = var.region
tags = {name: "iac-test"}
}Pulumi supports familiar programming languages like TypeScript, JavaScript, Python, Go, and C#. This flexibility allows you to write your templates in the language you are most comfortable with. Pulumi will also convert HCL configurations into Pulumi templates.
This reference provides a document listing Terraform terminology and command equivalents in Pulumi.
A Pulumi template file written in C# to create the same Resource Group in Azure looks like this:
using Pulumi;
using Azure = Pulumi.Azure;
class MyStack : Stack
{
public MyStack()
{
var config = new Config();
var region = config.Require("region");
var iac = new Azure.Core.ResourceGroup("iac", new Azure.Core.ResourceGroupArgs
{
Location = region,
Tags =
{
{ "name", "iac-test" },
},
});
}
}2. IDE features
Plugins for Terraform are available for some IDEs like VS Code. IDE integration is limited to the capabilities of the plugin itself.
Pulumi’s support for common programming languages means you get the rich IDE integration that comes with your chosen language. For example, when using C#, Visual Studio provides code completion, strong data types, intellisense, etc.
3. Open source licenses
Terraform used the Mozilla Public License 2.0, until August 10, 2023. From then, it switched to a BSL, making you subject to being labeled as a competitor and breaking the license, if you don’t sign an agreement with HashiCorp. Pulumi uses the Apache License 2.0. There are other differences between each licensing model. Your use case will determine if you can use Terraform or switch to Pulumi or Terraform’s open source fork, OpenTofu.
4. Testability
Pulumi’s support for common programming languages like C# allows you to perform unit tests on your IaC templates using .Net test tools like xUnit. Pulumi also provides the ability to perform tests that mock external calls.
Terraform supports integration testing. The plan command shows the proposed infrastructure changes before they are applied, allowing you to review the changes prior to their execution. There are also commands to validate and format a configuration file.
Robust integration testing can be performed using third-party tools like Terratest, a Go library that enables you to write automated tests for infrastructure code. It provides many helper functions and patterns for common infrastructure testing tasks such as unit testing, integration testing, end-to-end testing, dependency injection, testing parallelism, retry logic, error handling, and static analysis.
5. Cloud provider support
A resource provider handles communications with a cloud service to manage the infrastructure resources defined in IaC configurations.
Both Pulumi and Terraform support all the major cloud services. Terraform has a community of developers writing custom providers for a many services. Navigating their provider registry you’ll find provider support for services like Ansible and Atlassian. New cloud services aren’t always available to deploy using Terraform on day one.
Pulumi supports over 60 of the major cloud services. They also create “Native” providers for AWS, Azure, Google, and Kubernetes, which receive same-day support with every new release. The Pulumi registry provides detailed information for each provider they support. Also of note, Pulumi can adapt Terraform providers, so you can use the custom providers created by the Terraform community in your Pulumi templates.
6. State management
IaC tools store metadata about your infrastructure to manage your cloud resources. This metadata is called _state_. Both Terraform and Pulumi offer a desired state model where the code represents the desired infrastructure state, and the tool compares this desired state with the stack’s current state to determine the resources to be created, updated, or deleted.
By default, Terraform stores the state locally in a file named terraform.tfstate. Terraform state can be stored using a centrally located file, i.e., Azure blob container. This is the recommended configuration for the state file. Keeping the state in a centrally located file provides for backup and recovery scenarios and allows larger teams to collaborate and manage infrastructure with the shared state.
In contrast, Pulumi stores its state in the Pulumi Cloud by default. Pulumi’s use of common development languages allows the state to be compared as a “diff”, like how code is compared and reviewed across versions.
7. Secrets management
Managing secrets, e.g., database credentials, API keys, etc., in code can become a security risk.
Terraform manages secrets through a separate product named Vault. Vault enables the management of secrets without requiring developers to have direct access to the secrets. Vault encrypts the values it stores. It can be deployed as a SaaS or run locally as a service. Variables marked as “secret” will be excluded from an output unless the secrets command line argument is provided.
terraform output secretsIt is important to note that Terraform state files store secrets in plain text. Because of this, you should restrict access to the state file to only those with the appropriate authorization level. A recommended best practice is to always encrypt your state file to prevent accidentally leaking sensitive information.
Learn more about Terraform secrets management and best practices.
As mentioned above, Pulumi stores secrets in the state in the Pulumi Cloud. You can also choose your own provider to store your secrets. Pulumi always manages the secrets securely. It also supports encrypting sensitive data for extra protection. You can encrypt the configuration settings via the CLI command config set with the --secret flag. Secrets can also be set during runtime.
8. Infrastructure reuse
A development best practice is to avoid duplicating code. The same practice applies to IaC. The ability to reuse configurations lowers the overall overhead involved with managing infrastructure.
Terraform provides a library of reusable modules. A Terraform module is comprised of a collection of .tf and/or .tf.json files stored in the same folder. Modules are the main way to package and reuse resource configurations with Terraform. You can reference these modules from a public online registry or your local module library.
Since Pulumi uses common programming languages, structures like classes, functions, and packages are reusable. Pulumi provides a searchable registry where you can find packages that can be installed directly into your project. You can also create your own library of reusable packages.
As in most decisions in software development, the answer is – it depends. Pulumi’s native language support is its biggest advantage. By using native languages, you can embed IaC code directly within your application, perform unit testing, and reduce the learning curve by using a familiar language. This would be most important to developers who are new to DevOps. IT administrators with little coding experience will probably prefer the simplicity of HCL.
Bottom line, if the prospect of having to learn a proprietary language like HCL scares you, or if you think you’ll need to integrate your IaC deployments within your application, choose Pulumi. Otherwise, go with Terraform.
Either way, there is no wrong choice with Terraform or Pulumi. Both are more than capable of meeting your IaC requirements.
If you are looking to manage infrastructure as code, Spacelift is the way to go. It’s a continuous integration and deployment (CI/CD) platform that supports Git workflows, policy as code, programmatic configuration, context sharing, and many more great features. It currently works with both Terraform and Pulumi, also supporting OpenTofu, AWS CloudFormation, Kubernetes, and Ansible. You can test drive it by creating a free trial account or booking a demo with one of our engineers.
You can also use Spacelift to mix and match Terraform, Pulumi, OpenTofu, and CloudFormation Stacks and have them talk to one another. For example, you can set up Terraform Stacks to provision required infrastructure (like an ECS/EKS cluster with all its dependencies) and then connect that to a CloudFormation Stack, which then transactionally deploys your services there using trigger policies, and the Spacelift provider run resources for workflow orchestration and Contexts to export Terraform outputs as CloudFormation input parameters.
In this article, we compared two of the most popular IaC tools, Terraform and Pulumi. We looked at their features and saw the differences and similarities between them. Terraform or Pulumi – which is better? This question has no definite answer, as both tools serve the same purpose. You should pick the one that is closer to meeting your IaC requirements.
The most flexible management platform for Infrastructure as Code
Spacelift is a flexible orchestration solution for IaC development. It delivers enhanced collaboration, automation and controls to simplify and accelerate the provisioning of cloud based infrastructures.
