What is the Pulumi IaC tool? This is probably the question many people who are new to Pulumi will ask themselves, me included.
For DevOps engineers like me, using IaC is almost a regular and mandatory thing.
Personally, I usually use Terraform because it is flexible and supports many providers so far.
I also use CloudFormation for AWS environments, but it has many disadvantages, and its IaC limits are completely dependent on AWS.
What is the Pulumi IaC tool?

Back to the main story. Pulumi introduces itself as an IaC tool in any programming language.
What does this mean?
Let’s make a comparison table.
| | Terraform | Pulumi | ARM (Azure Resource Manager) | GCP (Google Cloud Deployment Manager) | CloudFormation (AWS) | AWS CDK |
| --- | --- | --- | --- | --- | --- | --- |
| Supported Languages | HashiCorp Configuration Language (HCL) | Go, Python, TypeScript/JavaScript, C#, Java | JSON (primarily), Bicep (abstraction layer) | YAML | JSON or YAML | TypeScript, Python, Java, C#, Go |
| File Format | .tf (configuration), .tfvars (variables) | Programming language files (.py, .go, .ts, .cs, .java) | .json (template), .parameters.json (parameters), .bicep | .yaml | .json or .yaml (template) | Programming language files (.ts, .py, .java, .cs, .go) |
| Provider Connection | Go-based plugins, configured via provider block in configuration files. | Programming language libraries (SDKs), directly imported in code. | Azure REST API, resources and properties declared in the template. | Google Cloud REST API, resources and properties declared in the configuration file. | AWS REST API, resources and properties declared in the template. | AWS SDK directly integrated, infrastructure defined using code. |
Looking at the table above, you must have noticed the difference.
Terraform, although very popular, requires everyone to learn the HCL language syntax and does not support other languages. Actually, this is not too troublesome, because HCL is quite simple.
Pulumi currently supports multiple languages. In this it is similar to AWS CDK, but it is independent of AWS.
AWS CDK can only create resources on AWS, while Pulumi can create resources on Azure, GCP and more.
So, we can temporarily answer that Pulumi is an IaC tool that supports multiple programming languages. It is independent and can create many resources with different providers.
Features of Pulumi IaC
Here are some of the features that Pulumi IaC has.
Infrastructure Definition and Management
- Multi-language support: Allows you to define infrastructure using familiar languages such as Python, TypeScript/JavaScript, Go, C#, Java and YAML.
- Declarative model with the flexibility of imperative language: You describe the desired state of the infrastructure, and Pulumi creates, updates, or deletes resources to achieve that state. Using a programming language allows adding logic, loops, and conditionals to the infrastructure definition.
- Resources: The basic units of infrastructure managed by Pulumi, such as virtual servers, containers, databases, cloud services, and more.
- Components: Allows you to create abstraction layers by grouping multiple resources together into a logical unit that is reusable and easier to manage.
- State Management: Tracks the current state of your infrastructure, helping Pulumi identify changes that are needed when you update your configuration. The state can be stored on the Pulumi Cloud or other backends.
- Preview: Shows a detailed preview of changes that will be made before they are applied, helping you understand the impact and avoid unexpected errors.
- Deploy: Makes planned changes to create or update your infrastructure.
- Destroy: Deletes all resources managed by a Pulumi stack.
- Refresh: Synchronizes Pulumi’s state with the actual state of your infrastructure.
- Import Resources: Allows you to manage existing resources (created outside of Pulumi) by importing them into Pulumi’s management.
Project Organization and Management
- Projects: Organize your infrastructure code into logical units.
- Stacks: Independent environments (e.g. dev, staging, prod) of the same project, each with its own configuration and state.
- Configuration: Allows you to define configuration variables that can change between stacks.
- Secrets: Securely manage sensitive information by encrypting it in state.
Extensibility and Integration
- Multi-cloud and provider support: Interact with multiple cloud providers (AWS, Azure, GCP, Kubernetes, etc.) and other services through a rich provider ecosystem.
- Extensibility: Ability to build custom providers and resources.
Security and Compliance (IaC related)
- Policy as Code: Define and enforce security and compliance policies during infrastructure deployment.
- Secrets Management: Integrate to securely manage secrets in IaC configuration.
What are the disadvantages of Pulumi?
Any service or tool has its drawbacks, including Pulumi IaC, so what are they?
Limited popularity and community
This is the first problem. Just like Terraform in its early days, Pulumi is new, and it is not as popular as Terraform.
And accordingly, the Pulumi support community is not as large as Terraform. If you encounter a problem with Pulumi and search for an answer on the internet, you may not get anything.
Significant complexity
Next is the complexity of Pulumi. I have used a number of different IaC tools, and I have found that Pulumi is not easy to get started with.
Supporting many different languages makes searching for information and documentation more complicated. Accordingly, the complexity of the problem also increases.
Meanwhile, Terraform has only a single language, HCL, and all documents have the same format. If you understand one provider, the other providers are similar.
Dependency and difficulty in controlling libraries
Pulumi uses libraries to connect to service providers. These libraries make Pulumi heavily dependent on them, and their quality is very difficult to control, in part because they are written in many different languages.
Feeling slow when executing
I did a simple lab to create a VPC and an EC2 instance to run Nginx. With Terraform, this happens relatively quickly.

You can see more at my GitHub repository: https://github.com/dungpham91/pulumi-example
Pulumi gives me a feeling of being quite slow. I think it is because it needs time to compile the code before running.
Limitations in security scanning support
You may have heard of tools like Snyk or Checkov. These tools scan your IaC code to find security vulnerabilities and check that your IaC complies with security standards.
Unfortunately, popular tools like Snyk or Checkov do not support Pulumi. Pulumi is quite limited in this regard. It does provide a product called Pulumi CrossGuard (Policy as Code), but it is still very limited.
CrossGuard mainly provides ready-made CIS, ISO27001 and PCI DSS policy pack templates for TypeScript. Other languages like Python, C# or Java do not have them.
You will have to define these policy files yourself. And if you are a Python user like me, then you are almost unable to ensure your IaC is CIS compliant, because you cannot write the entire policy yourself.
For example, you can see the policy file I created below.
https://github.com/dungpham91/pulumi-example/blob/main/policy-pack/aws/ec2/deny_public_ssh.py

So, when you use Pulumi IaC, consider carefully the disadvantage of weaker IaC scanning support for compliance with security standards.
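To show what writing such a policy yourself involves, here is an added sketch of a "deny public SSH" check in Python; it is not the contents of the author's `deny_public_ssh.py`. The pack name, the helper names and the sample properties are constructed, and it assumes resource properties arrive with the provider's camelCase names.

```python
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
SG = "aws:ec2/securityGroup:SecurityGroup"
SG_RULE = "aws:ec2/securityGroupRule:SecurityGroupRule"

# Constructed sample: security group properties as a policy would receive them.
SAMPLE_SG_PROPS = {"ingress": [
    {"protocol": "tcp", "fromPort": 22, "toPort": 22, "cidrBlocks": ["0.0.0.0/0"]},
    {"protocol": "tcp", "fromPort": 22, "toPort": 22, "cidrBlocks": ["10.0.0.0/8"]},
    {"protocol": "tcp", "fromPort": 0, "toPort": 65535, "cidrBlocks": ["0.0.0.0/0"]},
    {"protocol": "-1", "fromPort": 0, "toPort": 0, "ipv6CidrBlocks": ["::/0"]},
]}


def rule_exposes_ssh(rule):
    """True if one ingress rule lets any address reach TCP port 22."""
    cidrs = set(rule.get("cidrBlocks") or []) | set(rule.get("ipv6CidrBlocks") or [])
    if not cidrs & OPEN_CIDRS:
        return False
    protocol = str(rule.get("protocol", "")).lower()
    if protocol in ("-1", "all"):  # all traffic: the port fields are ignored
        return True
    if protocol not in ("tcp", "6"):
        return False
    # A wide range such as 0-65535 exposes SSH just as 22-22 does.
    return int(rule.get("fromPort") or 0) <= 22 <= int(rule.get("toPort") or 0)


def public_ssh_violations(resource_type, props):
    """Return one message per offending rule; an empty list means compliant."""
    rules = []
    if resource_type == SG:
        rules = props.get("ingress") or []
    elif resource_type == SG_RULE and props.get("type") == "ingress":
        rules = [props]
    return [f"SSH reachable from the internet: protocol {r.get('protocol')}, "
            f"ports {r.get('fromPort')}-{r.get('toPort')}"
            for r in rules if rule_exposes_ssh(r)]


if __name__ == "__main__":
    # Policy-pack wiring: needs the pulumi_policy package, loaded by the Pulumi CLI.
    from pulumi_policy import EnforcementLevel, PolicyPack, ResourceValidationPolicy

    def validate(args, report_violation):
        for message in public_ssh_violations(args.resource_type, args.props):
            report_violation(message)

    PolicyPack(name="deny-public-ssh-example",  # hypothetical pack name
               enforcement_level=EnforcementLevel.MANDATORY,
               policies=[ResourceValidationPolicy(
                   name="deny-public-ssh", validate=validate,
                   description="No SSH ingress from 0.0.0.0/0 or ::/0.")])
```

The pure functions can be unit-tested without Pulumi installed; the pack itself is applied with `pulumi preview --policy-pack <dir>`.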
Conclusion
This article is just a brief introduction to Pulumi IaC. I hope you now have an overview of it. In the next articles, I will show you how to use Pulumi in a project.