AWS CloudFormation, Pulumi, and Terraform are the most popular IaC options cloud developers use to provision AWS cloud resources. Like most stack choices, picking the right tool comes down to the resources and services you require, the support you’re looking for, and the price you’re willing to pay.
AWS CloudFormation and Terraform are mature and widely adopted systems, whereas Pulumi, a relatively new entrant, brings additional features and takes a comprehensive approach to cloud engineering. We compared the tools based on features and the user experience, so you can pick the one that suits you the best.
How does IaC help my startup?
As a startup, being agile is often the top priority. From having lean teams to using open-source and free dev tools, it’s all about moving fast. One thing that is often overlooked and yet takes a considerable chunk of your dev team’s time is infra overheads. Replicating infra and having clear visibility into what is running at any point in time is essential. Setting up an infrastructure that meets your customer's needs, is reliable, and can be scaled takes a lot of effort. This valuable time is taken away from developing your core application.
We compare AWS CloudFormation, Terraform, and Pulumi based on their core offerings, developer experience, integrations and extensibility, testing and deployment, and pricing.
Core features
Provisioning infra as code is the common goal among these tools. Here’s how they do it differently. Understanding their state management, what configuration languages are supported, and what makes them unique are the first steps in getting to know these tools.
Criteria | AWS CloudFormation | Terraform | Pulumi |
State management | No state file | Self-managed (local, remote)/ managed | Self-managed / Pulumi Service |
Language | JSON / YAML | JSON / HCL | Python, Java, Node.js, Go, or .NET Core |
Paradigm | Declarative | Declarative | Imperative code turned into a declarative graph |
AWS Features support | Supports most new AWS services at launch | Often supports new AWS services faster | Supports all AWS services |
Multi cloud support | AWS Only | All public clouds, other resources. Often supports new AWS services faster | Supports all AWS services |
Unique feature(s) | CloudFormation designer, more languages using AWS CDK | Provision of third-party and custom apps | Remote deployments, automation API, Policy as code, secret encryption |
Developer experience
The three IaC tools have ecosystems of varying maturity. This also can be seen in the type and number of resources covered. Things like time to learn, modularity, and secret management can be seen below.
Criteria | AWS CloudFormation | Terraform | Pulumi |
Ease of use/learning curve | Very easy. Similar to other AWS tools. The designer makes it visual | Very easy. Human readable HCL, multi-cloud, and 3p support | Extremely easy. Use familiar languages, integrates with existing CI/CD |
Modularity | Yes, nested stacks with automatic dependency management | Yes, modules, automatic and manual | Yes, class, function, or package, in Pulumi files |
Integrated logging | Yes | Yes | Yes |
Resource coverage | All AWS and 3rd party AWS vendors | AWS, GCP, Azure, k8s, & 100s more | AWS, GCP, Azure, k8s, ~60 more |
Community | Active community. 7,600 Qs on Stackoverflow | A mature tool with a massive community. 15,275 Qs Stackoverflow. | Yes, active. 379 Qs on Stackoverflow. |
Existing templates | CloudFormation registry | Terraform registry | Pulumi registry |
Secret management | Yes. Use secret as a resource. | No. Managed using another product, Vault. | Yes. Secrets are encrypted in transit and in the state file. |
Support | Included with AWS support | Paid 24x7 enterprise support | Paid for enterprise and critical |
Target user | DevOps Engineer | DevOps Engineer | Platform Engineer |
When to avoid | Staying away from vendor lock-in. Need to deploy multiple cloud resources. | If you have dynamically changing environments and items like IAM users. Need secure storage of sensitive info like secrets. | If you plan to use the latest functionalities from cloud providers. |
Integrations and extensibility
IaC templates are the blueprints of your infra, so extensibility is vital for supporting third-party resources and dynamically adding custom resource types. We also look at how soon each tool supports new AWS resources and services.
Criteria | AWS CloudFormation | Terraform | Pulumi |
Extensibility | Limited to AWS resources and services. | Yes. Providers are extensible. | Dynamic providers for a custom resource type |
Resource coverage | All AWS, 3rd party | AWS, GCP, Azure, k8s, & 100s more | AWS, GCP, Azure, k8s, ~60 more |
AWS Features support | Supports most new AWS services at launch | Often supports new AWS services faster | Supports all AWS resources |
Latest version | 10 Nov 2022 | v1.3.4 | 3.46.1 |
Application Code | With AWS CodeDeploy2 | Limited. Use TF’s Go as a package in your application | Fully embed Pulumi with Automation API |
Testing and deploying
IaC tools simplify testing and can be deployed quickly with your existing CI/CD pipelines. Tools like AWS CloudFormation also offer automatic and manual rollback capabilities.
Criteria | AWS CloudFormation | Terraform | Pulumi |
Testing | TaskCat custom testing pipeline | Integration testing support. 3rd party tools Terratest, Kitchen-Terraform | External automated tests |
Policy as code | Yes | Yes | Yes |
Rollback capability | Yes, automatic & manual | Yes, manual | Yes, manual |
CI/CD integration | TaskCat, CodePipeline | GitHub Actions and CircleCI | AWS Code Services, Jenkins, CircleCI, and more |
Pricing
Pricing is often the most important decision factor for most startups. Here’s how they compare. They all offer paid support and an enterprise version with additional features, which can come in handy as your startup scales. Terraform is often the better choice for enterprise teams.
Criteria | AWS CloudFormation | Terraform | Pulumi |
Cost | Free tier* | Free*, Open-source | Free-tier, and Open-source |
Free version | Yes, up to 1,000 handler operations/mo/acc | Yes. (OSS) | Yes. Individual, free credits, & open-source. |
Support | Included with AWS support | Paid 24x7 enterprise support | Paid for enterprise and critical |
Enterprise version | Yes | Terraform Cloud, with additional collaboration and governance | Yes, with SSO, RBAC, and improved support. |
*Though the tools are free to use, the resources provisioned will cost you money. Spend less by leveraging the 100+ AWS services in their free tier.
Here’s the ultimate list of AWS free credit deals for your startup.
Deploying AWS resources using IaC
To give you an idea of what the code looks like, we have examples of deploying an S3 bucket using AWS CloudFormation, Terraform, and Pulumi.
S3 bucket using AWS CloudFormation
As the only platform-specific tool on the list, AWS CloudFormation is limited to deploying AWS resources. Almost all AWS CloudFormation functionality can also be achieved using its UI.
AWSTemplateFormatVersion: "2010-09-09"
Description: Simple cloud formation for bucket creation and configuration
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      BucketName: my-bucke
      VersioningConfiguration:
        Status: Enabled
S3 bucket using Terraform
Terraform uses the HashiCorp Configuration Language (HCL), which is very intuitive to use. There is also excellent documentation available for all the AWS resources.
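# Note: AWS provider v4 and later deprecate the inline acl and versioning
# arguments in favor of aws_s3_bucket_acl and aws_s3_bucket_versioning.
resource "aws_s3_bucket" "my-bucket" {
  bucket = "test-s3"
  acl    = "private"

  versioning {
    enabled = true
  }

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}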
S3 bucket using Pulumi
Pulumi’s packages make it easy to create and manage an S3 bucket in the language of your preference. The example below shows the code in YAML format.
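# resources section of a Pulumi YAML program (Pulumi.yaml also needs
# top-level name and runtime: yaml keys)
resources:
  bucket:
    type: aws:s3:Bucket
    properties:
      bucket: test-s3
      acl: private
      tags:
        Environment: Dev
        Name: My bucket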