The future of cloud computing is evolving remarkably with the rapid and continued adoption of AI. According to a Gartner report, the cloud computing industry total is forecasted to grow to $675.4 billion this year, 20% more than in 2023. With the widespread adoption of the cloud among organizations, their developers must choose from Infrastructure-as-Code (IaC) tools, such as Terraform, Pulumi, CloudFormation, OpenTofu, and many more, which one they would use to automate their infrastructure provisioning. They can compare multiple IaC tools before deciding which will best suit their needs and pick one for more for their use case.

In this blog, we will learn about some widely used IaC tools - Terraform, Pulumi, CloudFormation, and the Terraform open source alternative, OpenTofu. We will deep dive into the key features, use cases, pros, and cons with some hands-on experience, which will help you decide which one of these tools will help you effectively manage your cloud infrastructure.

Why Use Infrastructure as Code Tools?

The main purpose of IaC tools is to automate the process of provisioning your infrastructure rather than manually using AWS CLI or console, which takes a lot of time and can result in misconfigurations and inconsistency. 

With IaC, you can:

  • Save time when deploying your cloud infrastructure on AWS, Azure, or GCP. 
  • Avoid resource misconfigurations and deployment errors. 
  • Efficiently test, version control, govern, recover, and secure your infrastructure (by using code)
  • Create configuration files with the best practices in place to help in deploying duplicate, error-free, and consistent environments. 

Some of the most in-demand IaC (Infrastructure-as-Code) tools are Terraform, OpenTofu, Pulumi, CloudFormation, AWS CDK, Ansible, and Azure Resource Manager. 

To grasp a better understanding of some of these tools, let’s dig deeper.

Pulumi

Pulumi is an open source IaC tool with multi-language support. It means that a backend/frontend/full-stack developer can simply write the desired infrastructure in a general-purpose language, such as Python, Java, Go, and TypeScript, or markup language like YAML to build, deploy, and manage their cloud infrastructure. It does not require them to learn an additional language, such as HCL, which might be an overhead to deploy an infrastructure quickly.

Key Features of Pulumi

As of today, Pulumi is serving 150k+ users and 2000 customers. Let’s take a look at what Pulumi offers its customers.

Multi-Language Support 

Pulumi allows developers to use their existing programming skills to code their infrastructure using languages such as Go, C#, Java, Python, or YAML. It helps the team save upskilling time with seamless infrastructure integration in the workflows and focus more on the platform development. For example, a backend developer with experience in Python can deploy its infrastructure using the Python language.

Rich Abstraction and Reusability 

Since Pulumi uses general-purpose language, its users can build complex logic with loops, conditions, functions, classes, and objects. With its capability to create reusable components and write high-level abstractions, you can enhance code maintainability and reduce code duplication. For example, you can use modules or classes to define VPCs, attached security groups, and routing rules following the DRY (Don’t Repeat Yourself) principle in your code. Using them, you can deploy multiple VPCs across multiple environments.

Testing and Automation

You can perform unit, property, and integration testing on your IaC code with Pulumi. It supports familiar testing frameworks associated with your chosen programming language. For example, as a developer, you can mock API calls for unit testing, assert data flow across resource dependencies while on the deployed infrastructure to perform property testing, and run some tests against the whole infrastructure environment.

Cloud Compatibility

Pulumi provides an integration with Terraform providers, which means it supports a wider range of providers than Terraform. With its dynamic provider support, Pulumi can generate provider credentials and quickly support new resources and features. 

Open Source Licensing

Pulumi supports Apache License 2.0 licensing. It is an open source tool, which means it is driven and used by the community. 

Pulumi: Pros and Cons 

First, let’s look at some advantages of using Pulumi for your project.

  • You can store secrets and stack variables in your Pulumi configuration files.
  • Pulumi automatically encrypts anything secrets interact with, including state files, logs, and outputs. Also, it encrypts your files in transit and at rest.
  • State management in Pulumi is done by Pulumi Cloud, or you can choose one of the self-managed options.

However, some of the reasons why you might not want to choose Pulumi for your infrastructure are:

  • While using Pulumi, it can be difficult to get started if you come from a non-coding background.
  • As the project grows, your directory structure becomes much more complicated and requires some package or directory management.
  • Pulumi, as an IaC tool, is still new and needs a lot more documentation on its implementation so that developers can make the most of its capabilities.

Use Case: When to Use Pulumi

In case your infrastructure is much more complex with dynamic setups, logic, and multi-cloud setups with some shared modules. Pulumi would be the better choice since it is well-versed in handling such complex requirements and dependencies.

Let’s walk through how you can deploy an EC2 instance using Pulumi. This example demonstrates how easy it is to use familiar programming languages, such as Python, to set up your cloud infrastructure.

Firstly, make sure that you have Pulumi installed on your machine. You'll also need to have your AWS credentials configured on your terminal using AWS CLI. This will allow Pulumi to communicate with your AWS account.

Below is a simple Python script that sets up an EC2 instance. The script defines a security group to allow SSH and HTTP access and then attaches it to the EC2 instance.

import pulumi import pulumi_aws as aws security_group = aws.ec2.SecurityGroup("i-security-group", description="Enable SSH and HTTP access", ingress=[ {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}, {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr_blocks": ["0.0.0.0/0"]}, ], egress=[ {"protocol": "-1", "from_port": 0, "to_port": 0, "cidr_blocks": ["0.0.0.0/0"]}, ]) instance = aws.ec2.Instance("i-instance", instance_type="t2.micro", ami="ami-0866a3c8686eaeeba", vpc_security_group_ids=[security_group.id], subnet_id="subnet-02efa144df0a77c13", tags={ "Name": "instance", }) pulumi.export("instance_public_ip", instance.public_ip)

To deploy the infrastructure, run the pulumi up command in your terminal:

This command will show you a preview of what resources will be provisioned in your AWS account. If everything looks good, confirm the deployment.

Once you feel that you do not need your infrastructure anymore, you can remove the resources created by running pulumi destroy command:

This example shows how Pulumi makes it easy to set up cloud infrastructure. Developers can write code in the programming languages they already know and efficiently spend more time building their applications instead of worrying about managing the infrastructure.

Terraform

Terraform by Hashicorp is an IaC tool with an estimated market share of 32.8%, leading infrastructure management worldwide. It is very simple to deploy your Infrastructure with Terraform. All you need to do is write a bunch of configuration files with .tf extension. These configuration files are used to define the resources you want to deploy in your cloud providers, such as AWS, Azure, or GCP. After defining these configurations, you need to run the Terraform commands using CLI or workflows to deploy your infrastructure and manage your infrastructure state using the Terraform state files.

Key Features of Terraform

Terraform, the world’s widely accepted IaC tool, has been adopted by over 25k customers to create, manage, and destroy their infrastructure. Let’s explore some of the reasons why.

Declarative Language Support 

Terraform configuration files are written in HCL (Hashicorp Configuration Language). HCL follows a declarative approach to deploying your infrastructure, meaning you only need to focus on what you want to deploy and not how. This helps developers focus on the business requirements rather than dive deeper into intricate details of how.  Due to its simplicity, developers have a sharp learning curve working on Terraform.

Multi-Cloud Support 

Terraform is cloud agnostic, which means that it supports several cloud providers and is not restricted to one or a few of them. As a developer, you can learn to declare your infrastructure in the HCL language and use Terraform providers to deploy resources in multiple clouds. For example, if your project wants to use an AWS S3 bucket and Azure storage blob, you can simply add providers to your code and write resource blocks for them. Once the configuration is done, run Terraform init and apply commands to provision the storage.

State Management

Terraform uses state files to manage your infrastructure. The state file represents the desired state of your infrastructure, which is deployed using the Terraform automation. If someone goes ahead and makes any changes in your current infrastructure using console or CLI, it is easily detected using these state files. This is known as drift. Ensure that your state file is backed up and saved in some remote storage since it is like a history of the changes you have made to your infrastructure. You can easily roll back any unwanted or breaking changes. State management plays a vital role in managing your infrastructure, focusing on versioning and disaster recovery. For example, store your state files in an S3 bucket by defining the backend block in your Terraform configuration file.

Code Reusability

You can incorporate complex logic and use reusable pieces of code in your Terraform configuration files. With Terraform modules, you can follow the DRY principle and save yourself from extra lines of code and time. Loops and workspaces are other ways to leverage the code reusability feature in Terraform. For example, you can use the same VPC module to deploy VPC configurations across multiple environments by passing the configurable variables, which would change the VPC configuration for each one on the go.

Terraform: Pros and Cons

Let’s learn some of the reasons why so many people are using Terraform to manage their infrastructure.

  • Terraform promotes code reusability through modules, loops, and workspaces. This helps users save time and avoid duplicate code. For example, using Terraform workspaces, you can quickly spin up multiple environments with the same configuration code. 
  • Multi-cloud support with a wide range of provider support has made Terraform popular among the developers community. It supports more than 3k providers maintained by Hashicrop or third-party providers, allowing you to spin up your infrastructure quickly using the Terraform code. 
  • Terraform uses HCL, a simpler configuration language to read and write than the core programming language. This makes it easier to get started with Terraform.
  • Due to its popularity, there is a mature community network, support, docs, and articles based on Terraform. For example, simply search Terraform functions to build complex logic in your code. There are thousands of resources just to help with syntax and examples on this topic.

Each IaC tool comes with its shortcomings, however, and Terraform is no exception. 

  • Terraform has very limited testing support. Mostly, you would have to rely on third-party tools such as Terratest to test your configuration code.
  • Terraform is no longer an open source tool. It will be moved to a BSL (Business Source License) model. This means that the source code is publicly available but cannot be used on a commercial level.
  • You need to manage the state and concurrency using the Terraform state files.
  • Terraform does not have built-in secret management. Your state file can store unencrypted secret values. 

Use Case: When to Use Terraform

With the evolving world of cloud computing, deployments in multiple cloud environments might be required. This requirement may rise due to growing infrastructure, bringing the best of multiple clouds, or easily modernizing the cloud infrastructure with multi-cloud support. Such requirements can be met by Terraform, which uses simple HCL declarative language to deploy, manage, or destroy your infrastructure. This provides a unified IaC tool for all the resources from various cloud providers. For example, you can deploy AWS S3 buckets for audit trails in the AWS infrastructure and Azure Storage Blob to track the changes done in the Azure resources.

Let’s take a look at how you can deploy resources using Terraform. Before starting with the hands-on, ensure you have Terraform installed on your machine. Then, write your Terraform code in the main.tf file to deploy AWS networking architecture using the AWS provider.

provider "aws" { region = "us-east-1" } resource "aws_vpc" "my_vpc" { cidr_block = "10.0.0.0/16" enable_dns_support = true enable_dns_hostnames = true } resource "aws_subnet" "public_subnet" { vpc_id = aws_vpc.my_vpc.id cidr_block = "10.0.1.0/24" availability_zone = "us-east-1a" map_public_ip_on_launch = true } resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.my_vpc.id } resource "aws_route_table" "public_route_table" { vpc_id = aws_vpc.my_vpc.id route { cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.igw.id } } resource "aws_route_table_association" "public_subnet_association" { subnet_id = aws_subnet.public_subnet.id route_table_id = aws_route_table.public_route_table.id } }

Now, open your terminal, and in your current working directory, run the terraform init command to initialize your Terraform configuration and download the necessary provider plugins.

‍

Next, before applying your configuration, review the infrastructure changes with the terraform plan command

This command shows you the execution plan, detailing which resources will be created, VPC, and others. Once you have validated the plan, run terraform apply command to deploy your infrastructure. It will give you an output like so:

Terraform has revolutionized infrastructure management over the years, and now, with the increasing demand for multi-cloud architectures, it continues to grow in demand among organizations. Verify your use case and choose.

CloudFormation

CloudFormation is an AWS specific IaC tool that is used to manage, configure, and provision AWS resources. It only serves a single provider, AWS, and is not an open source tool, meaning it is maintained by AWS. When you want to deploy your infrastructure using the CloudFormation IaC tool, you must define it in the YAML or JSON format. This file is picked up and executed to provision the desired infrastructure. 

Working with CloudFormation provides an easy and deep integration with the AWS ecosystem. Additionally, the state file is stored in the AWS account itself without requiring any external cloud storage. 

Key Features of CloudFormation

Since its launch in 2011, CloudFormation has let DevOps engineers deploy and configure their resources and dependencies as a stack using templates. Let’s take a look at some of its features.

Simple and Readable Language Support 

AWS CloudFormation supports JSON or YAML file formats. Both of them are easy for developers to read and understand. For example, as a developer, you can easily write the JSON to deploy an EC2 instance since it is similar to a programming language. On the other hand, if you want to easily declare which EC2 instance with what config, use the YAML file to provide the code in a structured format.

Native Support for AWS Resources Only

Since CloudFormation is specific to deploying or provisioning the AWS resources, it is important to highlight the fact that it can be easily embedded in the AWS ecosystem. For example, deploys resources such as AWS VPCs, IAM roles, or others without configuring any provider information.

Proprietary License

To use CloudFormation, you do not need a separate license since it is a native AWS service. It is completely owned, managed, and maintained by AWS (Amazon Web Services) without any additional cost associated with it. What you pay for are the AWS resources deployed as part of your infrastructure without any standalone cost associated with it.

CloudFormation: Pros and Cons

Want to dive even deeper? Let’s learn the reasons to use CloudFormation for your next infrastructure project.

  • You can integrate seamlessly with the AWS ecosystem since CloudFormation is specific to AWS.
  • State management is done directly by CloudFormation, allowing you to easily track or roll back changes.
  • CloudFormation has an extensive set of examples and common uses throughout the AWS ecosystem. 

On the flip side, here are the major reasons why CloudFormation might not be your ideal choice of IaC tool:

  • CloudFormation only supports AWS resources. For example, if you want to deploy Azure resources, CloudFormation does not have multi-cloud support so you might want to choose some other IaC tool.
  • With a complex growing infrastructure, the YAML or JSON files become longer, which makes them hard to read and frequent schema or syntax errors. For example, you might run into deployment delays with the invalid schema due to multiple nesting while deploying EKS and its add-ons.
  • There are limited features for code reusability, modularity, testing frameworks, and no built-in secret manager support. 

Use Case: When to Use CloudFormation

Now that we understand that the CloudFormation IaC tool is exclusively for AWS.  You should use it when you want a close integration with the AWS provider and have an infrastructure heavily dependent on AWS resources. For example, if you’re deploying serverless applications like AWS Lambda functions, CloudFormation offers native support with features like AWS SAM (Serverless Application Model) for Lambda, simplifying serverless application management.

Let’s see how you can deploy resources using the CloudFormation templates. Create a new file for your CloudFormation template. You can use YAML or JSON format. Let’s deploy an EC2 instance using a YAML file named ec2-instance-template.yaml:

AWSTemplateFormatVersion: '2010-09-09' Description: Sample template to create an EC2 instance Resources: MyEC2Instance: Type: AWS::EC2::Instance Properties: InstanceType: t2.micro # Choose the instance type ImageId: ami-0c55b159cbfafe1f0 # Replace with your preferred AMI ID KeyName: my-key-pair # Replace with your key pair name SecurityGroupIds: - !Ref EC2SecurityGroup EC2SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Enable SSH and HTTP access SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0

Run the following command in your current working directory to create a CloudFormation stack:

aws cloudformation create-stack --stack-name MyEC2InstanceStack --template-body file://ec2-instance-template.yaml --capabilities CAPABILITY_IAM

Let’s break down the above command:

  • --stack-name: This is the name you want to give to your stack.
  • --template-body: This points to your CloudFormation template file.
  • --capabilities: This is used to specify that your stack might create IAM resources.

‍

Once you have run the command, wait for the stack to be created. Meanwhile, you can check the status of your stack with the following command:

aws cloudformation describe-stacks --stack-name MyEC2InstanceStack

This showcases how to manage infrastructure-as-code effectively using CloudFormation, allowing for streamlined resource provisioning and management within the AWS ecosystem.

A Comparison: Pulumi vs. Terraform vs. CloudFormation

After taking a look at various aspects of Pulumi, Terraform and CloudFormation, it’s time for a comprehensive comparison. Next, we’ll highlight the similarities and differences among these IaC tools based on the language supported, integration capabilities, licensing, state management and much more.

The Terraform Open Source Alternative: OpenTofu

With the news of Hashicorp Terraform's change in licensing (adoption of BSL license) and Hashicorp being acquired by IBM, the community of developers forked the Terraform repository and gave birth to the OpenTofu manifesto. 

OpenTofu is an open source alternative to Terraform, which primarily focuses on providing free licensing and being compatible with the Terraform workflows. For the people who have worked with Terraform, OpenTofu is easy to get started on and can deploy complex infrastructure.

The main difference between Terraform and OpenTofu is the licensing. Terraform has adopted BSL licensing, which restricts certain uses of the tool. Meanwhile, OpenTofu is a free-to-use open source tool that does not have any limitations using Apache 2.0 license. 

Use Case: When to Use OpenTofu

If you are working in an organization that prioritizes the use of open source software and tools that do not have any license limitation, you should leverage OpenTofu as your choice of IaC tool. You can also easily migrate existing Terraform infrastructure to OpenTofu with state migration. 

The infrastructure configuration files for OpenTofu are the same as those for Terraform. You need to run the OpenTofu commands while deploying your infrastructure and the state of your infrastructure will be maintained by OpenTofu.

In your terminal, run the tofu init command to initialize your OpenTofu configuration. This command downloads the necessary provider plugins.

Run tofu plan and tofu apply commands to review and deploy your resources:

‍

When you run the apply command output will display the number of resources created in your infrastructure, which is 2 here, one EC2 instance, and an attached security group.

Now that we have seen some of the most popular IaC tools available in the market, we have a better understanding of what they offer, key features, pros and cons. Remember, each tool has its own advantages and disadvantages and the best fit for any IaC tool depends on which scenario or use case you want to use them for. Different projects have different requirements. And it’s important for developers to explore new tools, gain new skill sets, and work on their learning curve.

However, if you are an organization in which various IaC tools are used, you might face difficulty in ensuring that the same consistent best practices are followed by IaC for provisioning their infrastructure. As part of the security and cloud operations team, you would also like to track the state of your cloud infrastructure and ensure that security measures are followed. The real difficulty arises: how do teams do it efficiently? 

This problem has introduced a need for a centralized platform, like Firefly, for IaC management tools.

Why Firefly?

As cloud environments get more complex and teams use different IaC tools, managing multiple infrastructures with different deployment tools and resources in them becomes challenging.

 Firefly helps make this easier by supporting multiple IaC tools like Terraform, CloudFormation, and Pulumi, all from one centralized Dashboard. 

Now, you can dig deeper into these IaC tools with Firefly’s IaC Explorer feature. Here, you can find the information on the modules present in them, detecting if there is any drift in the infrastructure, providers used in your IaC code, the versions of Terraform used, and any critical misconfiguration in the infrastructure code.

Additionally, Firefly offers a single view of all your cloud resources, no matter which IaC tool was used to create them. 

This means you can see the status of your resources from Terraform, CloudFormation, or Pulumi in one place. It displays the total number of resources, cost saving opportunities, if your resources are managed by IaC code, the resources deleted from the IaC state, and the percentage of codified resources via Firefly.

Since Firefly has built-in monitoring that keeps an eye on the health and performance of your resources. You can set alerts to notify you about important issues. This helps you respond quickly if something goes wrong, reducing downtime for your applications.

🔗 Request a demo to learn how Firefly provides comprehensive insights into the status of your infrastructure, no matter what IaC tools you use.