
IaC

Infrastructure as Code tools for declarative provisioning and management of cloud, on-premises, and edge infrastructure across thousands of providers.


Topics

Tool        Description
OpenTofu    CNCF Sandbox community fork of Terraform 1.5.x — 100% HCL-compatible drop-in replacement with native client-side state encryption.
Pulumi      IaC using general-purpose languages (TypeScript, Python, Go, C#, Java) — real programming with loops, conditions, unit tests, and package management.
Terraform   Industry-standard IaC using HCL — largest ecosystem of 4,800+ providers and modules, now under BSL 1.1 license.

Comparisons

Comparison             Scope
IaC Tools Comparison   OpenTofu vs Pulumi vs Terraform — language model, state management, ecosystem, and licensing

Landscape

The IaC landscape is defined by a fundamental tension between domain-specific languages (HCL in Terraform/OpenTofu) and general-purpose languages (TypeScript, Python, Go in Pulumi and CDKTF). HCL's declarative simplicity enables plan/apply previews with minimal programming knowledge, while GPL approaches unlock loops, conditionals, type systems, and unit testing at the cost of a steeper abstraction curve.

HashiCorp's 2023 relicense from MPL to BSL 1.1 triggered the creation of OpenTofu under the Linux Foundation, fracturing the ecosystem and forcing organizations to evaluate license risk alongside technical capability. The provider ecosystem remains the strongest moat — Terraform's 4,800+ providers on the HashiCorp Registry dwarf alternatives, though OpenTofu maintains full backward compatibility with existing providers.

Layered IaC Pattern

The emerging pattern is layered IaC: low-level Terraform/OpenTofu modules wrapped by higher-level Pulumi or Crossplane abstractions exposed to developers through internal platform APIs. This allows infrastructure teams to maintain HCL modules while offering developers a self-service SDK or API that hides provider-specific complexity.

Cloud-native IaC alternatives like AWS CDK, Azure Bicep, and Google Cloud Deployment Manager continue to offer tighter single-cloud integration but sacrifice multi-cloud portability. The runner/orchestrator layer has also matured — Atlantis, Spacelift, Env0, and Terraform Cloud compete to provide plan/apply automation, policy enforcement, cost estimation, and state management as managed services.

Key Concepts

State Management

IaC tools maintain a state file that maps declared resources to real infrastructure objects, enabling diff-based planning and resource lifecycle tracking. Terraform and OpenTofu store state as JSON — locally, in S3+DynamoDB, or in managed backends like Terraform Cloud.

State management concerns include:

  • Locking: Prevents concurrent writes to the same state (DynamoDB for the S3 backend, Consul, or managed backend locking)
  • Encryption: Native in OpenTofu 1.7+ (client-side, key-per-state); external for Terraform (S3 SSE, KMS)
  • Splitting: Large monolithic states should be broken into smaller workspaces to reduce blast radius and plan time
  • Import: terraform import and the newer import block (Terraform 1.5+, OpenTofu 1.5+) bring existing resources under IaC management

Pulumi uses a similar concept, scoped per "stack", with built-in encryption of secrets within state, and supports multiple backend options (Pulumi Cloud, S3, Azure Blob, local file).
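To make the "sensitive data in state" concern concrete, here is an added example (not code from the page or from any of the tools it describes) that scans a Terraform/OpenTofu state file in format version 4 and reports which attributes hold secrets in plaintext. It relies on the real `sensitive_attributes` marker that providers populate, plus a name-based heuristic that is an assumption of this example; the sample state is constructed and uses a made-up `example_app` resource type.

```python
import json
import re

# Attribute names that often hold credentials even when the provider schema does
# not flag them as sensitive; this heuristic list is an assumption of the example.
SECRET_NAME_RE = re.compile(r"password|secret|token|private_key|api_key", re.I)


def find_plaintext_secrets(state_json: str) -> list:
    """Return (address, attribute, reason) for each secret-bearing attribute.

    Handles state format version 4 (Terraform 0.12+ and OpenTofu). Values sit
    in the file in the clear; "sensitive_attributes" only records which paths
    the provider marks sensitive so the CLI can redact them from output.
    Backend-side encryption (S3 SSE, KMS) does not change what a reader of the
    file sees; only client-side encryption (OpenTofu 1.7+) does.
    """
    state = json.loads(state_json)
    if state.get("version") != 4:
        raise ValueError("expected state format version 4")
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") == "data":
            continue  # data sources are read-only lookups, not managed objects
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            # First path step names the top-level attribute that holds the sensitive value
            flagged = {path[0]["value"] for path in inst.get("sensitive_attributes", [])
                       if path and path[0].get("type") == "get_attr"}
            for name, value in inst.get("attributes", {}).items():
                if value in (None, ""):
                    continue
                if name in flagged:
                    findings.append((address, name, "provider-sensitive"))
                elif SECRET_NAME_RE.search(name):
                    findings.append((address, name, "name-heuristic"))
    return findings


# Constructed sample state: a provider-flagged secret, an unflagged secret-looking
# attribute on a made-up resource type, and a resource with nothing sensitive.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "managed", "type": "aws_db_instance", "name": "main", "instances": [
        {"attributes": {"id": "db-1", "engine": "postgres", "password": "hunter2"},
         "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
    {"mode": "managed", "type": "example_app", "name": "api", "instances": [
        {"attributes": {"id": "app-1", "api_token": "abc"}, "sensitive_attributes": []}]},
    {"mode": "managed", "type": "aws_vpc", "name": "net", "instances": [
        {"attributes": {"id": "vpc-1", "cidr_block": "10.0.0.0/16"}}]},
]})

if __name__ == "__main__":
    for address, attr, reason in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{address}.{attr}: stored in plaintext ({reason})")
```

Run it against a real state with `terraform state pull > state.json` and point the function at the file; the findings are a useful input to deciding which workspaces need client-side encryption first.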

Plan/Apply Workflow

A two-phase execution model: plan computes a diff between desired and actual state without making changes, and apply executes the computed changes. This workflow provides a safety net — operators review the plan output before approving potentially destructive operations. Pulumi's equivalent is preview/up.

Both approaches support policy-as-code gates that can reject plans violating organizational rules before any infrastructure is modified:

  • Sentinel: HashiCorp's policy language (Terraform Cloud/Enterprise only)
  • OPA/Rego: Open-source policy engine, works with Conftest for plan JSON evaluation
  • Pulumi CrossGuard: Policy-as-code using the same GPL languages as the infrastructure code

Drift Detection

Drift detection is the process of identifying when live infrastructure deviates from the declared IaC state, whether through manual console changes, external automation, or API-driven modifications. Terraform detects drift during plan by refreshing state against the cloud provider API.

Continuous drift detection requires scheduled plans (e.g., Atlantis cron, Spacelift drift checks) since Terraform does not natively poll for changes. Crossplane's reconciliation loop provides continuous drift correction similar to a Kubernetes controller — it checks the actual resource state every 60 seconds by default and applies corrections automatically.
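The policy-as-code gate from the Plan/Apply section and the drift report above both work from the same input, the JSON form of a saved plan (`terraform show -json tfplan`), so one added example serves both. This is illustrative code, not part of the page or of Sentinel, Conftest or CrossGuard: it classifies planned actions, applies two organizational rules over the planned `after` attributes (attribute names follow the AWS provider), surfaces the `resource_drift` list that refresh populates, and returns a gate decision. The policy predicates and the sample plan are constructed for this example.

```python
import json

# Rules over a resource's planned "after" attributes, as a Sentinel or Rego policy would express them.
POLICIES = {
    "aws_security_group_rule": (lambda a: a.get("type") == "ingress"
        and "0.0.0.0/0" in (a.get("cidr_blocks") or [])
        and a.get("from_port", 0) <= 22 <= a.get("to_port", 0), "SSH ingress open to the world"),
    "aws_ebs_volume": (lambda a: a.get("encrypted") is False, "unencrypted EBS volume"),
}

def summarize_plan(plan_json: str) -> dict:
    """Classify a `terraform show -json tfplan` document before anyone runs apply."""
    plan = json.loads(plan_json)
    out = {"destroy": [], "replace": [], "violations": [], "drift": []}
    for rc in plan.get("resource_changes", []):
        actions, after = set(rc["change"]["actions"]), rc["change"].get("after")
        if actions == {"delete", "create"}:  # replacement, whichever order the provider picks
            out["replace"].append(rc["address"])
        elif actions == {"delete"}:
            out["destroy"].append(rc["address"])
        rule = POLICIES.get(rc["type"])
        if rule and after and actions & {"create", "update"} and rule[0](after):
            out["violations"].append(f"{rc['address']}: {rule[1]}")
    # resource_drift (Terraform 1.1+) lists what the refresh found changed outside IaC
    out["drift"] = [rd["address"] for rd in plan.get("resource_drift", [])]
    return out

def plan_approved(summary: dict, allow_destroy: bool = False) -> bool:
    """Gate: any policy violation blocks; destroy/replace needs an explicit opt-in."""
    if summary["violations"]:
        return False
    return allow_destroy or not (summary["destroy"] or summary["replace"])

# Constructed sample plan: two policy hits, one replacement, one destroy, one drifted role.
SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule", "change": {"actions": ["create"],
     "after": {"type": "ingress", "from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}}},
    {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
     "change": {"actions": ["create"], "after": {"size": 100, "encrypted": False}}},
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["delete", "create"], "after": {"ami": "ami-2"}}},
    {"address": "aws_s3_bucket.old_logs", "type": "aws_s3_bucket", "change": {"actions": ["delete"], "after": None}},
], "resource_drift": [
    {"address": "aws_iam_role.ci", "type": "aws_iam_role",
     "change": {"actions": ["update"], "before": {"description": "a"}, "after": {"description": "b"}}},
]})

if __name__ == "__main__":
    summary = summarize_plan(SAMPLE_PLAN)
    print(json.dumps(summary, indent=2), "approved:", plan_approved(summary))
```

Drift is reported but never blocks on its own: a drifted resource that the plan would correct is the normal case, while a non-empty drift list on a scheduled no-change plan is the signal a runner such as Atlantis or Spacelift should alert on.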

Provider Ecosystem

Provider Model

Providers are plugins that translate HCL/Pulumi resource definitions into cloud API calls. Each provider manages a specific service (AWS, GCP, Kubernetes, Cloudflare, etc.) and exposes resources and data sources. The HashiCorp Registry hosts the canonical provider index, while OpenTofu maintains a compatible registry. Provider version pinning and lock files ensure reproducible infrastructure deployments.

Module Registries

Modules are reusable IaC components published to shared registries — the Terraform Registry, private registries (Artifactory, S3-backed), or Git-based modules. Well-designed modules encapsulate best practices (VPC layout, EKS cluster configuration) behind input variables and outputs. Pulumi's equivalent is standard language package managers (npm, PyPI, Go modules), which offer richer versioning, dependency resolution, and type checking than HCL modules.

Open Questions

  • As OpenTofu diverges from Terraform (e.g., native state encryption, removed block, provider-defined functions), will the ecosystem split into incompatible forks or maintain practical interoperability?
  • Does Pulumi's GPL approach ultimately win for platform engineering teams that need to wrap IaC in SDKs and APIs, or does HCL's lower barrier to entry keep it dominant for infrastructure engineers?
  • How should organizations handle the "state file as a liability" problem — particularly with sensitive data in state — when operating at scale across hundreds of state files and workspaces?