IaC Tools Compared: Terraform, Pulumi, CDK, OpenTofu, and CloudFormation
Introduction
Infrastructure as Code (IaC) has transformed cloud operations. Declarative configuration files, version-controlled alongside application code, enable reproducible deployments, automated testing, and collaborative infrastructure management. However, the IaC tool landscape has grown significantly, and choosing the right tool depends on team skills, cloud providers, and organizational requirements.
This article compares five major IaC tools: Terraform, Pulumi, AWS CDK, OpenTofu, and AWS CloudFormation.
Terraform: The Industry Standard
HashiCorp Terraform is the most widely adopted IaC tool. Its declarative HCL (HashiCorp Configuration Language) defines resources, providers manage cloud APIs, and state files track deployed infrastructure. The provider ecosystem covers 2,000+ services across AWS, Azure, GCP, Kubernetes, and countless third-party platforms.
Terraform's module registry enables reusable infrastructure components. The community module registry provides pre-built modules for common patterns like VPC creation, EKS clusters, and database deployments.
```hcl
resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"

  tags = {
    Name = "WebServer"
  }
}
```
Terraform Cloud and Enterprise add collaboration features: remote state management, policy as code (Sentinel), cost estimation, and private module registry. The BSL license change in 2023 prompted community concern and forked projects.
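
A local stand-in for the policy-as-code gate mentioned above, as an added example (not from the original article, and not Sentinel): it reviews the JSON form of a saved plan, which both `terraform show -json` and `tofu show -json` emit, and reports changes that should block an unattended apply. The sample plan, the `RISKY_ATTRS` policy and the `review_plan` name are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json plan.out` output
# (OpenTofu: `tofu show -json plan.out`), trimmed to the fields read below.
SAMPLE_PLAN = json.loads("""
{"format_version": "1.2", "resource_changes": [
  {"address": "aws_instance.web", "type": "aws_instance",
   "change": {"actions": ["delete", "create"],
              "after": {"instance_type": "t3.micro"}, "after_unknown": {}}},
  {"address": "aws_s3_bucket.site", "type": "aws_s3_bucket",
   "change": {"actions": ["create"],
              "after": {"force_destroy": true}, "after_unknown": {}}},
  {"address": "aws_s3_bucket.tmp", "type": "aws_s3_bucket",
   "change": {"actions": ["update"],
              "after": {}, "after_unknown": {"force_destroy": true}}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "change": {"actions": ["no-op"],
              "after": {"force_destroy": true}, "after_unknown": {}}},
  {"address": "aws_db_instance.main", "type": "aws_db_instance",
   "change": {"actions": ["delete"], "after": null, "after_unknown": {}}}
]}
""")

# Hypothetical policy: attribute values that require sign-off, per resource type.
RISKY_ATTRS = {"aws_s3_bucket": {"force_destroy": True}}

def review_plan(plan):
    """Return sorted (address, finding) pairs that should block an unattended apply."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if actions in (["no-op"], ["read"]):
            continue  # nothing will change for this resource
        if "delete" in actions:
            kind = "replace" if "create" in actions else "destroy"
            findings.append((rc["address"], kind))
        after = change.get("after") or {}            # null on a pure delete
        unknown = change.get("after_unknown") or {}  # values computed at apply
        for attr, bad in RISKY_ATTRS.get(rc.get("type"), {}).items():
            if unknown.get(attr) is True:
                findings.append((rc["address"], f"{attr} unknown until apply"))
            elif after.get(attr) == bad:
                findings.append((rc["address"], f"{attr}={bad}"))
    return sorted(findings)

if __name__ == "__main__":
    for address, finding in review_plan(SAMPLE_PLAN):
        print(f"BLOCK {address}: {finding}")
```

Treating values listed in `after_unknown` as findings matters because a check that reads only `after` passes any attribute whose value is not known until apply.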
OpenTofu: The Open-Source Fork
OpenTofu is a fork of Terraform created after HashiCorp's license change from MPL to BSL in August 2023. It is governed by the Linux Foundation and maintains compatibility with Terraform providers and modules. The project aims to remain permanently open-source under the MPL license.
OpenTofu 1.7+ has added features not yet in Terraform: client-side provider signing verification, provider-defined functions, and the `tofu test` command for end-to-end infrastructure testing. Migration from Terraform requires only switching the binary.
For organizations requiring a fully open-source IaC tool with a community governance model, OpenTofu is the natural choice. It supports the same workflow as Terraform: `tofu init`, `tofu plan`, `tofu apply`, `tofu destroy`.
Pulumi: Infrastructure as Real Code
Pulumi takes a fundamentally different approach. Instead of a domain-specific language, Pulumi uses general-purpose programming languages: TypeScript, Python, Go, C#, Java, and YAML. This enables loops, conditionals, functions, classes, and all the abstractions available in these languages.
```typescript
import * as aws from "@pulumi/aws";

const bucket = new aws.s3.Bucket("my-bucket", {
  website: { indexDocument: "index.html" },
  forceDestroy: true,
});
```
Pulumi's Automation API enables embedding infrastructure operations in application code — ideal for internal platforms, self-service infrastructure, and dynamic multi-tenant environments. The Pulumi Cloud provides state management, secrets encryption, and deployment history.
Pulumi's learning curve depends on programming language familiarity. Teams already using TypeScript or Python find Pulumi more approachable than learning HCL. The trade-off is that real programming languages allow more complex, potentially harder-to-review code.
AWS CDK: Infrastructure for AWS-Native Teams
The AWS Cloud Development Kit (CDK) defines AWS infrastructure using familiar programming languages: TypeScript, Python, Java, C#, and Go. CDK constructs are reusable cloud components that encapsulate AWS best practices.
CDK synthesizes CloudFormation templates from construct code, then deploys them through CloudFormation. This means CDK inherits CloudFormation's limitations: slower deployment speed, strict resource limits, and manual state management.
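```typescript
import * as ec2 from "aws-cdk-lib/aws-ec2";

// Inside a Stack or Construct constructor, where `this` is the scope.
const vpc = new ec2.Vpc(this, "Vpc", {
  maxAzs: 3,
  natGateways: 1,
});
```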
CDK is ideal for teams fully committed to AWS. Its AWS-native constructs provide detailed resource configuration. The CDK Patterns library offers well-architected reference architectures. AWS-native integrations include CodePipeline deployment, IAM role management, and Service Catalog.
AWS CloudFormation
CloudFormation is AWS's native IaC service. It uses JSON or YAML templates to define AWS resources. CloudFormation manages resource creation, deletion, and updates with automatic rollback on failure.
CloudFormation's strengths include deep AWS integration (every AWS resource is supported), drift detection (identifying manual changes), StackSets for multi-region deployments, and Change Sets for reviewing updates.
Its limitations include verbose template syntax, no support for non-AWS resources, slow deployment for large templates (500 resource limit, 200+ parameter limit), and inadequate testing capabilities.
Choosing the Right Tool
| Tool | Language | State | Providers | Best For |
|---|---|---|---|---|
| Terraform | HCL | State file or Cloud | 2,000+ | Multi-cloud, general IaC |
| OpenTofu | HCL | State file or Cloud | 2,000+ | Open-source requirements |
| Pulumi | TypeScript, Python, Go | Pulumi Cloud | 1,000+ | Developer-centric teams |
| CDK | TypeScript, Python, Java | CloudFormation | AWS only | AWS-native teams |
| CloudFormation | JSON/YAML | AWS managed | AWS only | AWS-first organizations |
Conclusion
Terraform and OpenTofu remain the standard for multi-cloud IaC with broad provider support. Pulumi appeals to teams preferring real programming languages. CDK excels for AWS-native development with higher-level constructs. CloudFormation provides AWS-integrated resource management for organizations already committed to the AWS ecosystem. Evaluation should consider team expertise, cloud strategy, and operational requirements — not just feature checklists.