DevOps

Pulumi and CDK: IaC with real programming languages

2021. A team at Snowflake: 3000 lines of Terraform HCL, zero tests. A wrong count in a for_each - 47 production databases deleted. Recovery: 14 hours. That is what happens without type safety and tests in IaC. Pulumi and CDK are not just syntactic sugar. The compiler is the last line of defense.

  • Lemonade Insurance migrated from Terraform to Pulumi: type safety caught 23 classes of errors that would have reached production under Terraform. CI time dropped from 45 minutes to 8
  • AWS CDK is used by Lyft, iRobot, and Duolingo - L3 Constructs let a team of 3 manage infrastructure across 500+ services
  • HashiCorp changed Terraform's license to BSL in 2023 -> OpenTofu appeared within 3 months, already at 100K+ stars, accepted by the Linux Foundation

Real languages instead of a DSL

Terraform HCL is a declarative DSL. Convenient for simple cases, limited for complex ones: no proper loops, no abstractions, no tests. Pulumi and AWS CDK take a different approach: TypeScript, Python, Go, Java. Full-featured languages with IDE support, hot reload, and debuggers.

AWS CDK (Cloud Development Kit, 2019): TypeScript/Python, compiles to CloudFormation. Pulumi (2017): TypeScript/Python/Go/Java/C#, calls provider APIs directly. The key difference: CDK -> CloudFormation (AWS only, 200+ services). Pulumi -> 120+ providers (AWS, GCP, Azure, Kubernetes, Datadog, Cloudflare).

Pulumi State: where infrastructure state is stored. Pulumi Cloud (managed, free for 1 user) or self-hosted (S3 + DynamoDB backend). Terraform State: S3 + DynamoDB or Terraform Cloud. Both solve the same problem: concurrent apply, state locking, and history.


Crosswalk for AWS (Pulumi): higher-level abstractions over raw AWS APIs. `awsx.ecs.FargateService` instead of 12 resources defined manually. CDK L3 Constructs do the same. The pattern: L1 (raw CloudFormation), L2 (sensible defaults), L3 (reusable patterns). That is how abstraction works in IaC.

What is the main architectural difference between CDK and Terraform?

Type Safety in IaC: the compiler as a reviewer

HCL in Terraform: a typo in a parameter name produces a runtime error during `terraform apply`. Pulumi/CDK TypeScript: a typo produces a compile error before any deployment happens. This is not a minor convenience - runtime errors in IaC can corrupt production state.

Pulumi Output<T> system: `bucket.id` returns `Output<string>`, not `string`. It is a promise-like wrapper that resolves after the resource is created. An unresolved Output cannot accidentally be used as a string - TypeScript will not compile it. Dependency tracking is automatic: if A uses B.output, A depends on B.
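To make the Output<T> behaviour concrete, here is a simplified, self-contained model written for this page; it is not the @pulumi/pulumi implementation and needs no Pulumi package to run. The resource names, URNs and the physical id are constructed for the demo.

```typescript
// Simplified model of Pulumi's Output<T>, written for this page: it is not the
// @pulumi/pulumi implementation and needs no Pulumi package to run.
type Resource = { urn: string; created: boolean };

class Output<T> {
  constructor(
    readonly resources: readonly Resource[], // every resource this value came from
    private readonly compute: () => T,       // how to read it once they exist
  ) {}

  // Transform the eventual value; the dependency list is carried along unchanged.
  apply<U>(fn: (value: T) => U): Output<U> {
    return new Output(this.resources, () => fn(this.compute()));
  }

  // The engine reads an Output only after all of its source resources exist.
  resolve(): T {
    for (const r of this.resources) if (!r.created) throw new Error(`${r.urn} not created yet`);
    return this.compute();
  }
}

// A fake resource whose physical id is only known after "creation" (constructed value).
class Bucket implements Resource {
  readonly urn: string;
  readonly id: Output<string>;
  created = false;
  private physicalId = "";
  constructor(readonly name: string) {
    this.urn = `urn:demo:aws:s3/bucket:${name}`;
    this.id = new Output([this], () => this.physicalId);
  }
  create(): void { this.physicalId = `${this.name}-1a2b3c`; this.created = true; }
}

// A consumer of bucket.id: its dependencies are read off the Output, so the engine
// orders it after the bucket with no explicit dependsOn in user code.
class BucketPolicy {
  readonly dependsOn: string[];
  readonly policyJson: Output<string>;
  constructor(readonly name: string, bucketId: Output<string>) {
    this.dependsOn = bucketId.resources.map(r => r.urn);
    this.policyJson = bucketId.apply(id => JSON.stringify({ Resource: `arn:aws:s3:::${id}/*` }));
  }
}

// The compile-time guarantee: a plain string parameter rejects an Output<string>.
function needsString(s: string): number { return s.length; }
// needsString(new Bucket("logs").id); // error TS2345: Output<string> is not assignable to string
```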

ComponentResource in Pulumi is an abstraction for reusable patterns - the equivalent of a CDK Construct. Example: VPC + Subnets + NAT + Route Tables = VpcComponent. Published to npm and consumed as a regular package. The Pulumi Registry is the catalog of community components. CDK Construct Hub is the equivalent for CDK.

Why is Pulumi Output<T> important for IaC safety?

Testing IaC: unit, integration, policy

IaC without tests is `terraform apply` to production without a review. Pulumi and CDK support three levels of testing: unit (mock resources, verify configuration), integration (deploy to an isolated account, verify real state), and policy (OPA/Sentinel - block resources without tags or encryption).

Pulumi CrossGuard - policy as code. A Policy Pack is a set of TypeScript/Python rules applied on every `pulumi up`. Example: no S3 bucket without encryption. No EC2 instance in a public subnet without a security group review. Integrated into CI/CD: a policy violation fails the pipeline.
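The two example rules above as policy-as-code, written for this page as a self-contained check over plain resource descriptors (not a real Policy Pack and not the project's own code). The "security review" is assumed to be recorded as a `security-review=approved` tag, and the sample stack is constructed; in a real CrossGuard pack the same rule bodies would sit inside `@pulumi/policy` `validateResource` callbacks.

```typescript
// Policy-as-code rules for the two CrossGuard examples in the text, written for this
// page as a self-contained check over plain resource descriptors (type tokens are Pulumi's).
type ResourceDesc = { type: string; name: string; props: Record<string, unknown> };
type Enforcement = "mandatory" | "advisory";
type Rule = { name: string; enforcement: Enforcement; check: (r: ResourceDesc) => string | null };
type Violation = { rule: string; enforcement: Enforcement; resource: string; message: string };

const rules: Rule[] = [
  {
    name: "s3-bucket-encryption",
    enforcement: "mandatory",
    check: r =>
      r.type === "aws:s3/bucket:Bucket" && !r.props.serverSideEncryptionConfiguration
        ? "S3 bucket must declare serverSideEncryptionConfiguration"
        : null,
  },
  {
    name: "ec2-public-instance-review",
    enforcement: "mandatory",
    check: r => {
      if (r.type !== "aws:ec2/instance:Instance" || r.props.associatePublicIpAddress !== true) return null;
      // Assumed convention for this page: the security review is recorded as a tag.
      const tags = (r.props.tags || {}) as Record<string, string>;
      return tags["security-review"] === "approved" ? null
        : "public EC2 instance requires tag security-review=approved";
    },
  },
];

// Run every rule over every resource in a stack preview.
function evaluate(stack: ResourceDesc[], policies: Rule[] = rules): Violation[] {
  const out: Violation[] = [];
  for (const r of stack) for (const p of policies) {
    const msg = p.check(r);
    if (msg) out.push({ rule: p.name, enforcement: p.enforcement, resource: r.name, message: msg });
  }
  return out;
}

// CI gate: any mandatory violation fails the pipeline, advisory ones only warn.
function pipelinePasses(violations: Violation[]): boolean {
  return violations.every(v => v.enforcement !== "mandatory");
}

// Constructed sample stack: a compliant bucket, an unencrypted bucket, a public instance without a review.
const sampleStack: ResourceDesc[] = [
  { type: "aws:s3/bucket:Bucket", name: "audit-logs",
    props: { serverSideEncryptionConfiguration: { rule: { applyServerSideEncryptionByDefault: { sseAlgorithm: "aws:kms" } } } } },
  { type: "aws:s3/bucket:Bucket", name: "scratch", props: {} },
  { type: "aws:ec2/instance:Instance", name: "bastion", props: { associatePublicIpAddress: true, tags: { owner: "platform" } } },
];
```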

Testing pyramid for IaC: 70% unit (fast, cheap, no cloud), 20% integration (isolated account, expensive), 10% e2e (full stack, very expensive). Terratest (Go) is the popular framework for Terraform/CDK integration tests. One integration test takes 5-20 minutes (deploy + verify + destroy).

What advantage does a CDK unit test (Template assertions) have over an integration test?

Pulumi vs Terraform vs CDK: a pragmatic choice

Terraform remains the most widely used IaC tool in 2024 - a massive module ecosystem, a large community, and all cloud providers. Pulumi and CDK win where programming language expressiveness and tests are needed.

OpenTofu is the open-source fork of Terraform following HashiCorp's license change to BSL (2023). A drop-in replacement: same HCL files, same providers, same workflow. A Linux Foundation project. Recommendation for new projects without Terraform legacy: consider OpenTofu instead of Terraform, with Pulumi/CDK for complex logic.

Monorepo for IaC: store IaC code alongside application code. Pulumi TypeScript + application TypeScript in one repository. CDK constructs tested with the same jest tests as backend code. CI/CD pipeline: test app -> test IaC -> deploy app -> deploy infra. Reduces coordination overhead between application and infrastructure teams.

Misconception: Pulumi/CDK fully replace Terraform - migration should happen immediately

Reality: Terraform remains the standard for most teams. Pulumi/CDK solve specific problems: type safety, tests, complex logic

Terraform has 1000+ providers, a huge Registry of ready-made modules, every cloud, every integration (Atlantis, Spacelift, env0). Migrating an existing Terraform codebase is expensive. The Pulumi Conversion Tool exists but is not perfect. A pragmatic approach: Terraform for the baseline + Pulumi/CDK for components requiring complex logic

When is Pulumi preferable to CDK for a multi-cloud company?

Related Topics

Pulumi/CDK are tools in the IaC and cloud compliance ecosystem:

  • Compliance and Audit — Policy as code via CrossGuard/CDK Aspects
  • Prometheus and Grafana — Monitoring infrastructure is created via IaC

Key Ideas

  • Pulumi/CDK: real languages (TypeScript/Python) instead of a DSL. Type safety, IDE support, tests
  • CDK -> CloudFormation (AWS only). Pulumi -> Provider API directly (120+ providers)
  • Testing: unit (template assertions, seconds), integration (real deploy, minutes), policy (OPA/CrossGuard)
  • Terraform remains the standard for most teams. Pulumi/CDK shine for complex logic and multi-cloud

Reflection Questions

  • How do you structure IaC modules so a platform team can provide safe defaults to application teams?
  • When do CDK Aspects and Pulumi CrossGuard replace AWS Config Rules, and when do they complement them?
  • How do you migrate an existing Terraform codebase to Pulumi without production infrastructure downtime?

Related Lessons

  • devops-14 — Terraform is the baseline IaC tool for comparison
  • devops-16 — Prometheus/Grafana infrastructure is deployed via Pulumi/Helm
  • cloud-15 — Compliance guardrails are implemented through IaC policies
  • sd-01-intro