Pulumi vs. Terraform: Choosing your IaC Tool

Similarities and differences

Ana Escobar
datamindedbe
Feb 14, 2023

Pulumi vs. Terraform [Logos]

Selecting the appropriate cloud engineering platform is crucial. Although there are numerous solutions available that implement IaC, this article will concentrate on two remarkable IaC tools: Pulumi and Terraform. Evaluating these tools in terms of features, ease of use, and community support is essential in determining which IaC tool is best suited to meet your requirements.

Pulumi and Terraform are both Infrastructure as Code (IaC) tools. Terraform, a popular but older tool with vast platform support and documentation, is developed by HashiCorp. Pulumi, a newer, developer-friendly tool that is also fast-growing, is developed by a startup of the same name.

If you have coding experience but are new to infrastructure as code tools, you might find Pulumi easier or more interesting to get started with, since it supports Python, TypeScript, JavaScript, Go, C#, F#, Java and YAML. Terraform, by contrast, supports HashiCorp Configuration Language (HCL) and JSON, but using HCL is highly recommended because it is explicitly designed for Terraform. One benefit of HCL is that it is human-readable and easy to learn if you are not familiar with other programming languages; however, since HCL is not widely used, it is more difficult to find community support.

Both tools create, deploy and manage infrastructure as code on any cloud provider, including AWS, Google Cloud and Azure. They are both open-source and free to use. They compare the desired state with the stack's current state and determine what resources need to be created, updated or deleted.

Pulumi and Terraform are declarative. With Pulumi, you write code in an imperative language and its engine converts it into a declarative graph for execution. This ensures that every time you run a Pulumi program, the outcome and effects are always the same. This is similar to Terraform, although the way you write the code is different.

Example of creating an AWS IAM Role with Pulumi vs. Terraform:

Pulumi (TypeScript):

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Name of the stack this program is being deployed to.
const stack = pulumi.getStack();

// IAM role whose trust policy allows the EC2 service to assume it.
const testRole = new aws.iam.Role("testRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Sid: "",
            Principal: {
                Service: "ec2.amazonaws.com",
            },
        }],
    }),
    tags: {
        "tag-key": "tag-value",
    },
});
```
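
Terraform (HCL):

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.16"
    }
  }
}

# Input variables referenced by the provider block below.
# "sensitive" redacts the values in plan/apply output only;
# they are still written to the state file.
variable "region" {
  type = string
}

variable "access_key" {
  type      = string
  sensitive = true
}

variable "secret_access_key" {
  type      = string
  sensitive = true
}

provider "aws" {
  region     = var.region
  access_key = var.access_key
  secret_key = var.secret_access_key
}

resource "aws_iam_role" "test_role" {
  name = "test_role"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })

  tags = {
    tag-key = "tag-value"
  }
}
```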

Key differentiators

  1. The encryption of secrets. Terraform stores all secrets in plain text in the state file, making them visible to anyone who can access the file. Pulumi, on the other hand, encrypts all secrets both during transmission and while stored, so that they are not viewable in plain text and can only be accessed with the encryption key.
  2. The support for native providers. Pulumi generates native providers directly from a cloud provider’s API, resulting in quick access to new features or resources added by the provider. In contrast, Terraform’s support for cloud provider APIs is often provided by the community, which may take some time to become available. Both Pulumi and Terraform support importing infrastructure, but Pulumi sets itself apart by also generating the code to match the imported resource.
  3. Community support. Terraform is a mature and established tool with a large community of users and developers. Pulumi, while rapidly growing, has a smaller community at present.
  4. Flexibility. Pulumi provides the flexibility to use a familiar language and existing libraries, as well as the ability to extend and reuse existing code. Terraform has its own domain-specific language and requires a unique syntax and approach.
  5. Debugging and Testing. Pulumi provides a more conventional programming environment, which makes it easier to debug, test and integrate with other systems. Terraform can be more complex to debug and test, as it uses its own proprietary language.

Is it possible to use Pulumi and Terraform side-by-side?

Yes. With Pulumi, it is possible to consume both local and remote Terraform state, which can be useful if you are transitioning to Pulumi or if different teams within your organization have different tool preferences. By using the state reference support, for instance, you can create higher-level infrastructure in Pulumi that utilizes the VPC information provided by Terraform, such as the VPC ID and Subnet IDs, making the integration between Pulumi and Terraform effortless.

Which tool to choose?

Terraform is still considered the leading IaC tool in the industry, but Pulumi is rapidly gaining popularity. Both Terraform and Pulumi have their unique strengths and weaknesses. Terraform is a more established tool and offers a broader range of resources, but Pulumi is easier to use and is constantly improving due to its expanding community.

Ultimately, the ideal tool for you will depend on your specific needs. If stability and a rich resource and knowledge base are important to you, Terraform may be the better choice. However, if efficiency and the ability to use a familiar language are top priorities, Pulumi may be the ideal solution. Regardless of which tool you choose, both can help you effectively manage your infrastructure code.

As extra information, both tools can be used with GitHub Actions to automate the process of managing your infrastructure. If you want to know more about how to do this, I wrote an article about CI/CD with GitHub Actions that you might find interesting.
