Comparing Infrastructure-as-Code Tools: Pulumi vs. Terraform vs. CloudFormation

Lukas Gentele
Kovid Rathee

The move from on-prem to the cloud has enabled businesses to scale up and down on demand based on their requirements at the time. You no longer need to order hardware to scale up your operations and wait for weeks or even months for it to be delivered; cloud platforms like Google, Azure, and AWS come with their own web-browser-based infrastructure management consoles where you can manage and provision infrastructure. These consoles are convenient but can be very tedious for larger organizations, so the cloud providers also offer APIs and SDKs for provisioning and managing your infrastructure in code. However, using these solutions often requires specific training and expertise and can be challenging if you’re dealing with a multicloud setup.

Enter infrastructure-as-code (IaC) platforms, developer-friendly abstractions on top of the APIs and SDKs you can use to automate your infrastructure workflows. Using these infrastructure-as-code tools, you can store your infrastructure state in configuration files and edit those configuration files using the IaC tools when you want to change anything in your servers, networks, operating systems, middleware, or applications. This comes in handy when you are looking to manage infrastructure setups of all shapes and sizes. It reduces the chances of human error through automation, making your systems more reliable than ever before.

This article compares the three main infrastructure-as-code tools available right now: Pulumi, Terraform, and CloudFormation.

#Factors for Comparing the Tools

Many factors can be used to compare these tools, and this article focuses on the following:

  • Licensing: What type of license do you need to use each IaC tool? Is the tool open source? Does it offer a managed solution too?
  • User experience: How refined are the user and command line interfaces of the IaC tool? Does it have reliable IDE plugins?
  • Declarative or imperative: Which of these two paradigms does the IaC tool follow?
  • Language support: Which languages does the IaC tool use for creating and maintaining infrastructure? Which languages does the tool support for SDKs?
  • Integration with cloud platforms: Does the IaC tool integrate with the cloud platform of your choice, or is it restricted to a particular cloud platform?
  • Role-based access control: Does the IaC tool offer RBAC capabilities to ensure infrastructure provisioning and management are in the right hands?
  • Testing and validation: Does the IaC tool provide any method to test and validate changes before deploying them? Does it also provide insights into remedial actions if something is wrong with the changes?
  • Cloud-agnostic: Does the IaC tool support all major cloud platforms? Is it truly cloud-agnostic?

#Comparing the Three IaC Tools

Based on the factors in the previous section, let’s look at the three most popular infrastructure-as-code tools, their prominent features, and some of their limitations.

#Pulumi

With the tagline “every cloud, every language, every architecture, every builder,” Pulumi strives to be a cloud-agnostic, open source infrastructure-as-code tool that helps cloud engineers manage complex cloud infrastructures. Pulumi approaches infrastructure from a practical standpoint, concentrating on the end-to-end build, deploy, and manage lifecycle of cloud engineering. Pulumi defines itself as being “imperative, declarative, and imperative,” in that the language host is imperative, the Pulumi engine is declarative, and the providers Pulumi uses are imperative. Pulumi provides a variety of interfaces for you to interact with your infrastructure—for example, an official SDK, an automation API, integrations with CI/CD tools, and so on.

Pulumi offers native integrations with popular cloud platforms like AWS, Azure, and Google Cloud. It also offers providers for Alibaba Cloud, Databricks, DigitalOcean, Linode, Kubernetes, MongoDB Atlas, MySQL, PostgreSQL, Snowflake, Splunk, and a lot more; it has over one hundred such integrations. If you can’t find an integration for your platform, you can develop one and contribute it to the Pulumi Registry. Pulumi currently exposes these integrations through a number of runtimes, including Node.js, Python, Go, .NET, Java, and Pulumi YAML. If your language isn’t officially supported, you can follow Pulumi’s official guide to add support for it yourself.

Although Pulumi is open source, you can also opt for its managed solution, which has some significant perks, especially in the Enterprise edition. For instance, you only get teams with role-based access control in the Enterprise edition and above. There are many other features, like single sign-on (SSO) and system for cross-domain identity management (SCIM) integration, that are only available in the Enterprise and Business Critical plans. Small businesses don’t usually need many of these features, so they can either self-host or go for an entry-level plan with minimal features.

With Pulumi, you don’t have to worry about using additional testing and validation tools, as it provides native testing frameworks to automate testing. It currently supports three methods of testing, varying in the degree of test granularity and interdependence. You can perform unit tests, property tests, and integration tests on your Pulumi code. In conclusion, Pulumi is a strong IaC offering with a great range of features and deployment options for businesses of all shapes and sizes, irrespective of their architectures and cloud platforms.

#Terraform

Terraform is an open source infrastructure-as-code offering from HashiCorp, the creators of projects like Vagrant, Packer, Consul, Nomad, and Vault. Terraform allows you to define and manage infrastructure using human-readable configuration files in a custom configuration language called the HashiCorp Configuration Language (HCL), now known as the Terraform language. Like other IaC tools, Terraform works by accessing cloud providers and services using their APIs. Terraform offers a wide range of integrations using official, partner, and community providers on its registry. Some of the supported cloud platforms and services are AWS, Azure, Alibaba Cloud, Oracle Cloud, VMware vSphere, and so on.

Terraform’s configuration language is declarative, which means that it describes the goal instead of the steps needed to reach the goal. This is why you don’t need to define resources in Terraform in a particular order. Terraform internally determines all the implicit and explicit dependencies before determining the order of execution for infrastructure provisioning and management. Terraform provides numerous ways of testing the infrastructure code. You can run unit tests, contract tests, integration tests, and end-to-end tests using native capabilities. For cases where the native capabilities aren’t enough—for example, where there’s a lack of support for multiple environments—you can use external integrations, such as Gruntwork’s Terratest or Kitchen Terraform, to help out with testing.
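To make the ordering point concrete, here is an added example (not code from the article or from Terraform) that models how a declarative engine derives execution order from a configuration written in arbitrary order. The resources, their attribute values, and the `type.name.attribute` reference shape are a constructed, simplified stand-in for HCL; the engine logic is a plain topological sort with cycle detection, not Terraform’s own graph code.

```python
import re

# Constructed sample configuration, written as Python data rather than HCL and
# deliberately listed out of order. Values shaped like `type.name.attribute`
# stand in for HCL references. This is a simplified model for illustration,
# not Terraform's own parser or graph code.
RESOURCES = {
    "aws_instance.web": {
        "subnet_id": "aws_subnet.public.id",
        "vpc_security_group_ids": ["aws_security_group.web.id"],
        "depends_on": ["aws_internet_gateway.gw"],   # explicit dependency
    },
    "aws_subnet.public": {"vpc_id": "aws_vpc.main.id", "cidr_block": "10.0.1.0/24"},
    "aws_security_group.web": {"vpc_id": "aws_vpc.main.id"},
    "aws_internet_gateway.gw": {"vpc_id": "aws_vpc.main.id"},
    "aws_vpc.main": {"cidr_block": "10.0.0.0/16"},
}

# Matches `type.name.attribute` and captures `type.name`; CIDR literals such as
# 10.0.1.0/24 do not match because the pattern must start with a letter.
REF_RE = re.compile(r"\b([a-z][a-z0-9_]*\.[a-z][a-z0-9_]*)\.[a-z_]+\b")


def find_dependencies(name, attrs, known):
    """Collect explicit depends_on entries and implicit references for one resource.
    References to names not declared here (variables, data sources) are ignored."""
    deps = set()
    for dep in attrs.get("depends_on", []):
        if dep not in known:
            raise ValueError(f"{name}: depends_on refers to unknown resource {dep}")
        deps.add(dep)
    for key, value in attrs.items():
        if key == "depends_on":
            continue
        for item in value if isinstance(value, list) else [value]:
            if isinstance(item, str):
                for ref in REF_RE.findall(item):
                    if ref in known and ref != name:
                        deps.add(ref)
    return deps


def plan_order(resources):
    """Return a creation order that satisfies every dependency (Kahn's algorithm).
    Ties are broken alphabetically so the result is deterministic."""
    deps = {n: find_dependencies(n, a, resources) for n, a in resources.items()}
    remaining = {n: len(d) for n, d in deps.items()}
    dependents = {n: set() for n in resources}
    for n, d in deps.items():
        for dep in d:
            dependents[dep].add(n)

    ready = sorted(n for n, count in remaining.items() if count == 0)
    order = []
    while ready:
        node = ready.pop(0)
        order.append(node)
        for child in dependents[node]:
            remaining[child] -= 1
            if remaining[child] == 0:
                ready.append(child)
        ready.sort()
    if len(order) != len(resources):
        stuck = sorted(n for n, count in remaining.items() if count > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def is_acyclic(resources):
    """True when the configuration has no dependency cycle."""
    try:
        plan_order(resources)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for step, name in enumerate(plan_order(RESOURCES), 1):
        print(f"{step}. {name}")
```

Running it lists the VPC first, then the three resources that reference it, and the instance last, even though the instance is declared first. The same mechanism is what lets a cycle (two resources referencing each other) be rejected at plan time rather than discovered during a half-finished apply.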

You can deploy Terraform in three different ways: self-managed, Terraform-managed, and customized self-managed. These deployment options have different features for managing your infrastructure. For instance, in the Terraform-managed and cloud-based offering, you have many plans that enable you to manage teams with role-based access control, apply Sentinel policy as code, integrate SSO, and enable drift detection in your infrastructure. Some of these features can add a lot of value for larger organizations. With all these features, Terraform makes for a great general-purpose, cloud-agnostic, open source infrastructure-as-code platform.

#CloudFormation

CloudFormation is a service offered by AWS. It’s a closed source project that allows you to interact with AWS to deploy and manage AWS native services. You can also interact with third-party services if their private or public extensions have been published on the CloudFormation registry. CloudFormation uses the declarative method for provisioning and managing AWS infrastructure components, such as VPCs, VPNs, virtual machines, databases, object stores, and much more. Using CloudFormation, you can deploy and manage resources by writing templates using JSON or YAML files.

AWS provides extensive support for CloudFormation with languages such as C++, Python, Java, JavaScript, Kotlin, PHP, Go, Ruby, Rust, Swift, and more. Alternatively, you can access CloudFormation using the CloudFormation command line interface (CFN-CLI). CloudFormation’s templates and StackSets encourage infrastructure best practices by enabling code reusability. With complex infrastructure, CloudFormation can get a bit verbose and difficult to manage. This is where the AWS Cloud Development Kit (AWS CDK) comes into the picture. The AWS CDK is an abstraction on top of CloudFormation that allows developers to write infrastructure code in their favorite programming language, so they don’t need to learn the templating constructs used in CloudFormation.

You can test CloudFormation code, but many critical things, such as the actual deployment of resources and network connectivity, can only be tested at runtime. For instance, CloudFormation’s validate-template command only checks for syntax-related errors. If you want to run deployment-level tests, you might need to integrate CloudFormation with external tools like TaskCat. On the other hand, you can use the AWS CDK’s native testing framework to test your infrastructure code. CloudFormation comes with the solid backing of AWS’s expertise in infrastructure, especially when it comes to role-based access control using AWS IAM and other governance and security features. All in all, CloudFormation, or the CDK abstraction on top of it, provides a great way of managing infrastructure on AWS. This can be especially useful for businesses that are wholly on AWS and plan to stay on AWS in the future.
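The gap between a syntax check and a semantic check is easy to see with a small pre-deployment validator. The following is an added example, not code from the article, from AWS, or from TaskCat: it parses a constructed CloudFormation template in JSON form (the parse step is the syntax level) and then applies a hypothetical organisational policy to the parsed resources, returning a remediation hint with each finding. The template, the policy thresholds (`PUBLIC_OK_PORTS`) and the function names are all assumptions made for the illustration.

```python
import json

# Constructed sample template in CloudFormation's JSON form (not from the article
# or from AWS): a bucket with no encryption or public-access settings and a
# security group that admits SSH from anywhere. Test input only.
TEMPLATE_JSON = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "DataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-data-bucket"}
    },
    "WebSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ]
      }
    }
  }
}
"""

# Hypothetical policy: only these ports may be reachable from any address.
PUBLIC_OK_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def load_template(text):
    """Syntax level: parse the document. A malformed template fails here, which
    is roughly the class of problem a syntax-only validation reports."""
    return json.loads(text)


def check_template(template):
    """Semantic level: return (logical_id, problem, remediation) tuples for
    properties that are valid JSON but violate the policy defined above."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties", {}) or {}

        if rtype == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append((logical_id,
                                 "bucket declares no BucketEncryption",
                                 "add BucketEncryption with SSE-S3 or SSE-KMS"))
            if "PublicAccessBlockConfiguration" not in props:
                findings.append((logical_id,
                                 "bucket declares no PublicAccessBlockConfiguration",
                                 "add PublicAccessBlockConfiguration with all four flags true"))

        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                port = rule.get("FromPort")   # None for protocol -1 (all traffic)
                if cidr in ANYWHERE and port not in PUBLIC_OK_PORTS:
                    findings.append((logical_id,
                                     f"ingress from {cidr} on port {port}",
                                     "restrict CidrIp to a known range or remove the rule"))
    return findings


def validate(text):
    """Run both levels and return (parsed_ok, findings)."""
    try:
        template = load_template(text)
    except json.JSONDecodeError:
        return False, []
    return True, check_template(template)


if __name__ == "__main__":
    ok, problems = validate(TEMPLATE_JSON)
    print("syntax ok:", ok)
    for logical_id, problem, fix in problems:
        print(f"{logical_id}: {problem} -> {fix}")
```

The sample template is perfectly valid as a document and would pass the syntax level, yet the policy level reports three findings. Checks of this kind belong in the pipeline before a deployment, alongside whatever runtime tests the chosen tool offers; what they cannot tell you is whether the deployed resources actually behave as intended, which is the part the article notes can only be tested at runtime.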

#Comparison Overview

The comparison of the three tools is summarized in the following table:

| Feature | Pulumi | Terraform | CloudFormation |
|---|---|---|---|
| Licensing | Open source, managed solution available | Open source, managed solution available | Managed solution only |
| Declarative or imperative | Declarative, imperative | Declarative | Declarative |
| Language support | JavaScript, TypeScript, Python, Go | HashiCorp Configuration Language (HCL) | JSON, YAML |
| Integration with cloud platforms | Supports multiple cloud platforms | Supports multiple cloud platforms | AWS, with third-party providers listed on the AWS registry |
| Role-based access control | Yes (with some plans) | Yes (with some plans) | Yes (with AWS IAM) |
| Testing and validation | Extensive native support for testing and validation | Native support for testing; external integrations possible | Native support for testing changes |
| Cloud-agnostic | Yes | Yes | No |

#Conclusion

This article walked you through the key features and characteristics of three popular infrastructure-as-code tools: Pulumi, Terraform, and CloudFormation. You also learned how businesses can use these tools to manage their infrastructure in a predictable and automated way, reducing the risk of errors and making it easier to build and maintain complex software systems.

These tools offer various features that allow you to manage your infrastructure easily. Which tool is best for you will depend on its feature set, its limitations, and the engineering expertise it requires. For instance, if you have a multicloud setup, you might not be able to use CloudFormation because it only supports AWS. Or, if you run a small business with limited engineering capacity, you might go for Pulumi, which is probably the easiest to learn. You’ll have to consider factors specific to your business to make a choice. Each tool has its own benefits, but all provide a developer-friendly solution for managing infrastructure and streamlining workflows on-prem or in the cloud.
