In the past, setting up the infrastructure for an application required system admins, storage admins, backup admins, a group of field engineers, and a team of application engineers. Since the infrastructure provisioning was manual, it had some shortcomings like high set-up and maintenance costs, little-to-no automation, slow deployment, human errors, and inefficient utilization of resources when traffic was low. These issues compelled companies to find a better approach to infrastructure management, which gave birth to the use of fully managed, cloud-based infrastructure. This cloud-based management allowed users to manage the whole infrastructure with as few clicks as possible. But there was still room to reduce human error and speed up infrastructure provisioning.
That introduced a new paradigm: Infrastructure as Code (IaC). But the myriad of IaC tools available is causing uncertainty among DevOps teams looking to make the most of Infrastructure as Code today. Some are gaining popularity, while others are losing users (according to data from our 2024 State of Infrastructure as Code Report).
This blog post will serve as a guide to help choose between the ever-popular Terraform and Pulumi.
Infrastructure as Code: How It Started and How It's Going
Infrastructure as Code allows developers to define their infrastructure stack as human-readable code, without the manual effort sometimes referred to as "ClickOps". This introduces automation into the process and increases the consistency and scalability of infrastructure. The result is lower human error and reduced costs, while reinforcing best practices for cloud management.
Currently, there are a lot of solutions available out there that provide you with IaC functionality. For the purposes of this blog post, we're going to focus on Terraform and Pulumi.
A Look at Terraform
Terraform is an open-source IaC tool that is considered to be the industry leader for provisioning and maintaining cloud infrastructure due to its maturity and widespread use. It's a declarative tool: you declare the desired state of the infrastructure, and the deployment engine compares this desired state with the state of the current infrastructure and creates, updates, and deletes resources based on that.
Terraform uses HashiCorp's Configuration Language (HCL) as its domain-specific language (DSL). Any infrastructure that you want to manage can only be managed with the help of HCL. Its declarative nature avoids the creation of blocks of code, control flows, and classes, which makes it easy to start with.
Let's check out some pros and cons of the Terraform IaC tool.
The Pros of Terraform
- Your team can work together on infrastructure thanks to the version control in the Terraform registry. Additionally, it keeps encrypted copies of local variables like passwords and cloud tokens in its registry.
- As infrastructure is allocated with code scripts, you can easily check the state of the current deployment by checking the script.
- Terraform is integrated with common DevOps tools like GitLab, enabling you to manage application code and infrastructure code with the same Git repo and CI/CD process.
- Not only can Terraform manage cloud infrastructure, but also infrastructure that accompanies Software-as-a-Service like Okta, DataDog, etc.
The Cons of Terraform
- In Terraform, it is possible to destroy the deployment (terraform destroy); however, doing so would completely wipe out any changes. If not used properly, terraform destroy may have unintended consequences, such as affecting other systems or resources that depend on the deleted resources.
- It doesn't handle errors. Terraform does not handle errors in a comprehensive or automated way, which can lead to longer downtime and increased manual effort when errors occur during the deployment process.
- There are some import prohibitions. Terraform does not have built-in support for importing existing resources into its state file, which can make it difficult to manage resources that were created outside of Terraform.
- Even though HCL is more universal, it has a steep learning curve.
Understanding Pulumi
Pulumi is a new IaC tool that can configure, deploy, and maintain resources on cloud infrastructure. It's also considered a declarative tool, but for this tool, you don't need to learn any domain-specific language. Instead, you can create, deploy, and manage cloud resources in your preferred native programming language. It supports plenty of popular programming languages like Python, TypeScript, JavaScript, Go, .NET, Java, etc. For example, if you want to use the Python language, you can work with Pulumi as a Python package, and you can write control flow, build code blocks, create classes, and do much more general-purpose development. It's often preferred by developers and is growing very rapidly due to its ease of use.
Let's check out some pros and cons of the Pulumi IaC tool.
The Pros of Pulumi
- Pulumi allows you to work in your native language for infrastructure management.
- As you can choose from a list of general-purpose languages, you can build reusable infrastructure and infrastructure platforms quickly and easily.
- Pulumi enables high collaboration among developers, security teams, and infrastructure teams with the help of version control, role-based access control and multiple languages support.
- Similar to Terraform, automation in Pulumi reduces required effort and overall management costs.
The Cons of Pulumi
- One major problem of Pulumi is its lack of documentation and small community, as the tool is relatively new.
- Duplication (creating IaC for the same cloud resources in different languages) is a common occurrence, as a result of allowing many programming languages to use the tool.
- It is not universally applicable. Currently, Pulumi does not include support for some other popular programming languages such as Ruby, PHP, or Swift.
Terraform vs. Pulumi: A Head-to-Head Comparison
Terraform and Pulumi are both good choices for IaC. To understand which one is a better choice for you, let's compare both of them on some of the key factors.
1. Language Support
To work with Terraform, you need to learn its custom DSL, called the HashiCorp Configuration Language (HCL). Getting started with HCL is considered easy, but it can be difficult to scale unless all of your developers are fluent in it. With Pulumi, by contrast, you can use languages like Python, Go, JavaScript, TypeScript, C#, and Java, so it can scale alongside application development by using the same engineers. Due to the familiar features of these languages, you can use constructs like conditionals, loops, functions, and classes. Pulumi also provides a way to convert the Terraform HCL code into Pulumi through tf2pulumi. On the other hand, HashiCorp has introduced Terraform CDK (Cloud Development Kit), which allows developers to use familiar programming languages to define cloud infrastructure provisioning. As far as language support is concerned, Pulumi is preferred by developers for its multi-language support.
2. Functionality
While both tools enable you to define, deploy, and manage cloud infrastructure via IaC, they work differently to achieve this. Pulumi makes it simpler for developers to incorporate other extensions and libraries into their Pulumi projects. On the other hand, Terraform HCL comes with more guidelines and restrictions. Terraform also doesn't have any built-in testing functionality, but better tools for diagnosing a corrupt state are available via the Terraform CLI. The open-source nature of both tools is what makes them popular as IaC.
3. Learning Curve
When it comes to quickly learning and using technology, Pulumi is easier to pick up because you don't need to learn any specific DSL for Pulumi. For example, if you want to create an AWS S3 bucket, you can do so with Pulumi and Python, as follows:
import pulumi
from pulumi_aws import s3

# create an s3 bucket
bucket = s3.Bucket('bucket-name')
# export the name of the bucket
pulumi.export('bucket_name', bucket.id)
As you can see, the above syntax is regular Python syntax, and you're using Pulumi for infrastructure management (S3 bucket) as a Python library. To actually deploy your infrastructure, though, you'll need to become comfortable with numerous Pulumi CLI commands.
Terraform, on the other hand, requires you to learn HCL. Although this is an extra step, it's rather good to have a useful skill for a tool that has been so widely adopted. HCL is very easy to start with due to its intuitive and simple syntax. For example, if you want to create an S3 bucket using HCL, you can do it as follows:
resource "aws_s3_bucket" "bucket_name" {
  bucket = "test-bucket"
  acl    = "private"
  tags = {
    Name        = "My Bucket"
    Environment = "Dev"
  }
}
As you can see, the syntax of HCL is not that complex. Also, to deploy the infrastructure you need to be familiar with various Terraform CLI commands.
Although Pulumi seems quite developer-friendly, it's not necessarily true that it's always a good choice for infrastructure management. What if you have a team of developers where each works in a different language? For example, if the code is written in Python, but other developers are familiar with Go, then they'll have to learn Python to proceed with infrastructure management. Whereas in the case of Terraform, developers need to learn only HCL, which then enables them to understand any infrastructure code written in HCL. It can be worthwhile for everyone in your organization to stick with a single DSL, even though Terraform may have a steeper learning curve at first.
4. Compatibility
Both of these tools work with common cloud platforms like AWS, Azure, Google Cloud, Kubernetes, and OpenStack, and they are compatible with most operating systems (Windows, macOS, and Linux). Terraform and Pulumi are also compatible with most IDEs (Integrated Development Environments). Pulumi provides the most common IDE benefits like code completion and automatic syntax correction. But for Terraform, you would need to use external plugins to use these features.
5. Testing Support
Testing is a very important part of any software product, and it's also important for infrastructure management. Most of the languages that can be used for Pulumi support unit testing, except Go, which supports integration testing. On the other hand, there's no official testing support in Terraform, but you can use Terratest and Kitchen-Terraform to test the Terraform IaC environment. An increasingly common approach is to rely on testing within the DevOps CI/CD workflow to test infrastructure code just as application code is tested. This GitOps approach may negate the relevance of dedicated IaC testing.
6. Code Versatility
Both of these tools are declarative. But with Terraform, you can't implement conditional situations. Pulumi, on the other hand, uses general-purpose languages and provides you with several methods to reach conditional parameters. The use of conditional statements in Pulumi provides greater control and flexibility in how infrastructure resources are managed and deployed.
Terraform vs. Pulumi: Which One is Better for You?
Everything that we have discussed so far boils down to only one thing: Which tool is better for you, Terraform or Pulumi? Terraform and Pulumi are both excellent choices as IaC tools, but they have different approaches to handling the same things.
Although both of these tools are developer-focused, developers may tend to choose Pulumi due to its familiar multi-language support, while people with operations or platform backgrounds often choose Terraform. If an organization wants to provision its infrastructure with one of its already-familiar languages, and it's fairly homogeneous, Pulumi may be the right choice. But when organizations have heterogeneous environments, it may be worth their time to invest in learning a universal DSL like Terraform's HCL.
To sum up, choosing an IaC tool like Terraform or Pulumi depends on the skills of those using it and the landscape of the cloud applications it must support.
What tool you choose for your infrastructure management truly depends on your organization's needs.
Regardless of which tool you choose, it's important to leverage the benefits of using IaC to continuously manage the actual cloud configuration relative to its desired state. A difference, called "drift", can occur when new cloud assets are added without accompanying IaC or when changes are made to the cloud configuration directly at the cloud console. A Cloud Asset Manager can help you identify and remediate this drift, keep your cloud aligned to best practices and compliant with security and cost policies, and improve its reliability and efficiency.
Reaching full IaC coverage can be time consuming and can compete with other engineering priorities. Firefly, a cloud asset management platform, can automatically create both Terraform and Pulumi and help you continuously manage drift, best practices, and policies across IaC frameworks and across multiple cloud providers. Their recently released open source tool, AIAC, uses ChatGPT artificial intelligence (AI) to create IaC code for additional languages too.
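The comparison behind drift detection, as an added example that is not from the original post and is not Terraform, Pulumi or Firefly code: it diffs a desired state (what the IaC declares) against an actual state (what the cloud reports) and classifies each resource as missing, drifted or unmanaged. The bucket names, attribute values and function names are constructed for illustration, and keying resources by bucket name is a simplifying assumption.

```python
# Desired state as declared in IaC (constructed sample, keyed by bucket name).
DESIRED = {
    "test-bucket": {"acl": "private",
                    "tags": {"Name": "My Bucket", "Environment": "Dev"}},
    "assets-bucket": {"acl": "private", "tags": {}},
}
# Actual state as read back from the cloud (constructed sample).
ACTUAL = {
    "test-bucket": {"acl": "public-read",   # changed at the console
                    "tags": {"Name": "My Bucket", "Environment": "Prod"}},
    "scratch-bucket": {"acl": "private", "tags": {}},  # created without IaC
}


def diff_attrs(want, have, prefix=""):
    """Return {dotted.path: (desired, actual)} for every attribute that differs."""
    changes = {}
    for key in sorted(set(want) | set(have)):
        path = f"{prefix}{key}"
        w, h = want.get(key), have.get(key)
        if isinstance(w, dict) and isinstance(h, dict):
            changes.update(diff_attrs(w, h, path + "."))  # recurse into nested maps
        elif w != h:
            changes[path] = (w, h)
    return changes


def detect_drift(desired, actual):
    """Classify every resource as missing, drifted or unmanaged."""
    report = {"missing": [], "drifted": {}, "unmanaged": []}
    for name in sorted(set(desired) | set(actual)):
        if name not in actual:
            report["missing"].append(name)      # declared but not deployed
        elif name not in desired:
            report["unmanaged"].append(name)    # deployed with no accompanying IaC
        else:
            changes = diff_attrs(desired[name], actual[name])
            if changes:
                report["drifted"][name] = changes  # changed outside the IaC workflow
    return report


if __name__ == "__main__":
    for kind, items in detect_drift(DESIRED, ACTUAL).items():
        print(kind, items)
```

An ACL that no longer matches its declared value is the kind of finding to review first, since it changes who can reach the data.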
This post was written by Gourav Bais. Gourav is an applied machine learning engineer skilled in computer vision/deep learning pipeline development, creating machine learning models, retraining systems, and transforming data science prototypes to production-grade solutions.