Canonical comparison of the three dominant Infrastructure as Code tools.
Quick Reference
| Dimension |
Terraform |
OpenTofu |
Pulumi |
| Latest Version |
v1.15.0-rc1 (Apr 2026) |
v1.12.0-beta1 (Apr 2026) |
CLI v3.230.0 (Apr 2026) |
| License |
⚠️ BSL 1.1 |
✅ MPL 2.0 |
✅ Apache 2.0 (engine) |
| Language |
HCL (declarative DSL) |
HCL (same as TF) |
TypeScript, Python, Go, C#, Java |
| Governance |
HashiCorp (IBM) |
CNCF Sandbox |
Pulumi Corp |
| Compatibility |
Industry standard |
100% TF compatible |
Bridges TF providers |
| State Encryption |
❌ |
✅ Native (AES-GCM) |
✅ (Pulumi Cloud) |
| Providers |
4,800+ |
Same as TF |
~200 native + TF bridge |
The License Question
flowchart TD
Q1{"Need truly\nopen-source?"}
Q1 -->|"Yes"| Q2{"Want HCL\nor real code?"}
Q1 -->|"No, BSL is fine"| TF["Terraform\n(largest ecosystem)"]
Q2 -->|"HCL"| OT["OpenTofu\n(drop-in TF replacement)"]
Q2 -->|"Real languages"| PU["Pulumi\n(TypeScript, Python, Go)"]
style TF fill:#7b42bc,color:#fff
style OT fill:#ffcb2d,color:#000
style PU fill:#8b5cf6,color:#fff
Feature Matrix
| Feature |
Terraform |
OpenTofu |
Pulumi |
| Plan / Preview |
✅ terraform plan |
✅ tofu plan |
✅ pulumi preview |
| State management |
S3, GCS, TFC, Consul |
S3, GCS, Azure, Consul |
Pulumi Cloud, S3, GCS, local |
| State encryption |
❌ |
✅ AES-GCM (AWS/GCP KMS, OpenBao) |
✅ (via backend) |
| Test framework |
terraform test |
tofu test |
Native unit tests (Jest, pytest, etc.) |
| Import |
✅ |
✅ |
✅ |
| Modules / Components |
HCL modules (registry) |
Same as TF |
Language packages (npm, PyPI, NuGet) |
| IDE support |
HCL extension |
Same as TF |
Full IDE (autocomplete, types, refactoring) |
| CI/CD integration |
TFC, Atlantis, Spacelift |
Atlantis, Spacelift, env0 |
Pulumi Cloud, GitHub Actions |
| Policy as Code |
Sentinel (paid) |
OPA |
✅ pulumi policy (CrossGuard) |
| AI assistance |
❌ |
❌ |
✅ Pulumi Neo |
| Automation API |
❌ |
❌ |
✅ (programmatic infra management) |
Migration Compatibility
| From → To |
Terraform → OpenTofu |
Terraform → Pulumi |
OpenTofu → Pulumi |
| Config migration |
Zero — exact same HCL |
pulumi convert (partial) |
pulumi convert (partial) |
| State migration |
Zero — same state format |
pulumi import |
pulumi import |
| Provider compatibility |
100% |
Via Terraform bridge |
Via Terraform bridge |
| Effort |
Minutes |
Hours–Days |
Hours–Days |
Decision Guide
| Scenario |
Recommendation |
| Existing Terraform, no license concern |
Terraform — stay put, largest ecosystem |
| Existing Terraform, need OSS license |
OpenTofu — zero-effort migration |
| New project, developer-centric team |
Pulumi — real languages, testing, IDE |
| Regulated environment (state security) |
OpenTofu — native state encryption |
| Complex infrastructure logic |
Pulumi — loops, conditionals, classes |
| Maximum provider coverage |
Terraform or OpenTofu — 4,800+ providers |
| CNCF-aligned stack |
OpenTofu — CNCF Sandbox |
Sources
- Cross-validated via official docs and engineering blogs (April 2026)