What is Infrastructure as Code? Terraform vs Pulumi vs CDK Compared
Compare Terraform, AWS CDK, and Pulumi for Infrastructure as Code. Covers languages, state management, multi-cloud support, pricing, and practical guidance on choosing the right tool.

Stop Clicking Around in the Console
Infrastructure as Code (IaC) means defining your cloud resources in source files instead of clicking through web consoles. Every server, database, network, and permission gets declared in code, versioned in Git, and deployed through a pipeline. It's the difference between "I think someone changed that security group last month" and "here's the exact commit that changed it, who approved it, and why."
The concept is settled -- everyone agrees IaC is essential. The question now is which tool to use. Terraform dominates the market, but AWS CDK and Pulumi are serious alternatives with real advantages. This guide covers why IaC matters, compares the three major tools head-to-head, and helps you make a decision based on your team's actual constraints.
What Is Infrastructure as Code?
Definition: Infrastructure as Code (IaC) is the practice of managing and provisioning computing infrastructure through machine-readable configuration files rather than manual processes. It enables version control, peer review, testing, and automated deployment of infrastructure changes.
Why IaC Matters: The Core Benefits
- Reproducibility -- deploy identical environments for dev, staging, and production from the same code
- Auditability -- every change is a Git commit with an author, timestamp, and review trail
- Speed -- spinning up a new environment goes from days of manual work to a single pipeline run
- Drift detection -- compare the actual state of your infrastructure to what the code declares
- Disaster recovery -- rebuild your entire infrastructure from code if a region goes down
The Big Three: Terraform vs CDK vs Pulumi
| Feature | Terraform | AWS CDK | Pulumi |
|---|---|---|---|
| Language | HCL (domain-specific) | TypeScript, Python, Java, C#, Go | TypeScript, Python, Go, C#, Java, YAML |
| Cloud support | Multi-cloud (AWS, GCP, Azure, 3000+ providers) | AWS only | Multi-cloud (AWS, GCP, Azure, Kubernetes) |
| State management | Remote backends (S3, Terraform Cloud) | CloudFormation stacks | Pulumi Cloud or self-managed backends |
| Dry-run | terraform plan | cdk diff | pulumi preview |
| Maturity | 2014, massive ecosystem | 2019, AWS-maintained | 2018, growing ecosystem |
| License | BSL 1.1 (was MPL 2.0) | Apache 2.0 | Apache 2.0 |
| Learning curve | Low (HCL is simple) to medium (modules) | Medium (need to know CloudFormation concepts) | Low if you know the language |
Terraform: The Industry Standard
How It Works
You write `.tf` files in HCL (HashiCorp Configuration Language), run `terraform plan` to see what will change, and `terraform apply` to execute. Terraform maintains a state file that maps your code to real resources.

```hcl
resource "aws_s3_bucket" "data" {
  bucket = "my-app-data-bucket"

  tags = {
    Environment = "production"
    ManagedBy   = "terraform"
  }
}

resource "aws_s3_bucket_versioning" "data" {
  bucket = aws_s3_bucket.data.id

  versioning_configuration {
    status = "Enabled"
  }
}
```
Strengths
- Largest provider ecosystem -- 3,000+ providers covering every cloud and SaaS product
- HCL is purpose-built and readable, even for non-developers
- Massive community: Stack Overflow answers, blog posts, and pre-built modules for everything
- `terraform plan` gives clear, predictable diffs before any change
Weaknesses
- HCL lacks loops, conditionals, and abstractions that general-purpose languages provide (though `for_each` and `dynamic` blocks help)
- State file management is a source of bugs -- state locks, state corruption, and manual state surgery are real operational burdens
- The BSL license change in 2023 led to the OpenTofu fork, creating ecosystem fragmentation
AWS CDK: Infrastructure in Real Languages
How It Works
CDK lets you define AWS resources using TypeScript, Python, or other supported languages. Under the hood, CDK synthesizes your code into CloudFormation templates and deploys them as CloudFormation stacks.

```typescript
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';

export class DataStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string) {
    super(scope, id);

    // L2 construct: versioning and retention are one flag each,
    // synthesized into the equivalent CloudFormation bucket properties.
    new s3.Bucket(this, 'DataBucket', {
      bucketName: 'my-app-data-bucket',
      versioned: true,
      removalPolicy: cdk.RemovalPolicy.RETAIN,
    });
  }
}
```
Strengths
- Use real programming languages with IDE autocompletion, type checking, and refactoring tools
- L2 and L3 constructs provide sensible defaults -- a single `new ApplicationLoadBalancedFargateService()` creates an ALB, ECS service, task definition, security groups, and IAM roles
- CloudFormation handles state management, rollbacks, and drift detection
- AWS maintains it -- first-class support for new AWS services
Weaknesses
- AWS-only. If you use GCP or Azure alongside AWS, CDK can't manage those resources.
- CloudFormation is slow. Large stacks take 10-30 minutes to deploy.
- CloudFormation's 500-resource limit per stack forces you to split large applications into multiple stacks.
- Debugging CloudFormation errors through CDK adds an abstraction layer that obscures the real problem.
Pulumi: Multi-Cloud with Real Languages
How It Works
Pulumi uses general-purpose languages to define infrastructure, similar to CDK, but it manages state directly (no CloudFormation intermediary). It supports AWS, GCP, Azure, Kubernetes, and dozens of other providers.

```typescript
import * as aws from '@pulumi/aws';

const bucket = new aws.s3.Bucket('data-bucket', {
  bucket: 'my-app-data-bucket',
  versioning: { enabled: true },
  tags: {
    Environment: 'production',
    ManagedBy: 'pulumi',
  },
});
```
Strengths
- Multi-cloud with real languages -- the best of both CDK and Terraform
- Direct state management (no CloudFormation) means faster deployments
- Pulumi AI and the converter tool can translate Terraform HCL to Pulumi code
- Built-in secrets management -- encrypted in state by default
Weaknesses
- Smaller ecosystem and community than Terraform
- Pulumi Cloud (the managed backend) is a paid service for teams; self-managed backends work but require more setup
- Some Terraform providers don't have Pulumi equivalents yet
State Management Compared
| Aspect | Terraform | AWS CDK | Pulumi |
|---|---|---|---|
| State storage | S3 + DynamoDB, Terraform Cloud | CloudFormation (managed by AWS) | Pulumi Cloud, S3, local file |
| State locking | DynamoDB or Terraform Cloud | Built into CloudFormation | Built into Pulumi Cloud |
| Drift detection | terraform plan (compares state to cloud) | CloudFormation drift detection | pulumi refresh |
| Import existing resources | terraform import | cdk import | pulumi import |
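The table above separates three things that are easy to conflate: what the code declares, what the tool last recorded in state, and what the cloud actually contains. The following is an added TypeScript example written for this article (it is not Terraform, CDK or Pulumi code) that models the refresh-then-plan cycle a state-based tool runs. The resource addresses, attributes, and the three inputs are constructed for illustration; the point it makes is which kinds of change each step can see.

```typescript
// Added example for this article: a toy model of the refresh-then-plan cycle a state-based IaC
// tool runs. It is not Terraform, CDK or Pulumi code; the resource addresses, attributes and
// the three inputs (code, recorded state, live cloud) are constructed for illustration.

type Attrs = Record<string, string | boolean>;
type Resources = Record<string, Attrs>; // keyed by address, e.g. "aws_s3_bucket.data"

type Action =
  | { kind: "create"; address: string }
  | { kind: "update"; address: string; changed: string[] }
  | { kind: "delete"; address: string }
  | { kind: "no-op"; address: string };

function sameAttrs(a: Attrs, b: Attrs): boolean {
  return Object.keys({ ...a, ...b }).every((k) => a[k] === b[k]);
}

// Refresh: reconcile the recorded state with what the cloud actually has.
// Only addresses already in state are consulted, so anything created outside
// the tool (never imported) is invisible to this step and to the plan.
function refresh(state: Resources, actual: Resources): { state: Resources; drift: string[] } {
  const refreshed: Resources = {};
  const drift: string[] = [];
  for (const [addr, recorded] of Object.entries(state)) {
    const live = actual[addr];
    if (!live) { drift.push(addr); continue; }       // deleted out-of-band: drops out of state
    if (!sameAttrs(recorded, live)) drift.push(addr); // changed out-of-band: the "who changed that SG" case
    refreshed[addr] = live;                            // state now mirrors reality
  }
  return { state: refreshed, drift };
}

// Plan: diff what the code declares against the refreshed state.
function plan(desired: Resources, state: Resources): Action[] {
  const actions: Action[] = [];
  for (const [addr, want] of Object.entries(desired)) {
    const have = state[addr];
    if (!have) { actions.push({ kind: "create", address: addr }); continue; }
    const changed = Object.keys({ ...have, ...want }).filter((k) => have[k] !== want[k]);
    actions.push(changed.length > 0
      ? { kind: "update", address: addr, changed }
      : { kind: "no-op", address: addr });
  }
  for (const addr of Object.keys(state)) {
    if (!(addr in desired)) actions.push({ kind: "delete", address: addr }); // removed from code
  }
  return actions;
}

// Constructed inputs: the security group was widened in the console after the last apply,
// the queue is new in code, the IAM role was removed from code, and the "shadow" instance
// was created by hand and never imported.
const desired: Resources = {
  "aws_s3_bucket.data": { bucket: "my-app-data-bucket", versioning: true },
  "aws_security_group.web": { ingress_cidr: "10.0.0.0/8" },
  "aws_sqs_queue.jobs": { name: "jobs" },
};
const recordedState: Resources = {
  "aws_s3_bucket.data": { bucket: "my-app-data-bucket", versioning: true },
  "aws_security_group.web": { ingress_cidr: "10.0.0.0/8" },
  "aws_iam_role.old": { name: "old-role" },
};
const liveCloud: Resources = {
  "aws_s3_bucket.data": { bucket: "my-app-data-bucket", versioning: true },
  "aws_security_group.web": { ingress_cidr: "0.0.0.0/0" },
  "aws_iam_role.old": { name: "old-role" },
  "aws_instance.shadow": { name: "clickops-box" },
};

// Terraform folds both steps into `terraform plan`; Pulumi exposes them as
// `pulumi refresh` and `pulumi preview`.
function runCycle(): { drift: string[]; actions: Action[] } {
  const { state, drift } = refresh(recordedState, liveCloud);
  return { drift, actions: plan(desired, state) };
}
```

Running `runCycle()` reports one drifted address (the widened security group) and a plan that reverts it, creates the queue, and deletes the role. The hand-made instance appears nowhere: drift detection only covers resources the tool already knows about, which is why the import commands in the table matter for bringing console-created resources under management.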
Pricing and Tooling
- Terraform CLI -- free (BSL license). Terraform Cloud free tier: 500 managed resources. Team tier: $20/user/month.
- AWS CDK -- free. CloudFormation is free (you pay only for provisioned resources).
- Pulumi CLI -- free (Apache 2.0). Pulumi Cloud Individual: free. Team: $50/user/month. Enterprise: custom pricing.
- OpenTofu -- free fork of Terraform under MPL 2.0, maintained by the Linux Foundation.
- Infracost -- shows cost estimates in Terraform pull requests. Free for open source, $50+/month for teams.
- Spacelift -- CI/CD for Terraform/Pulumi/CloudFormation. Starts at $40/month.
Frequently Asked Questions
Which IaC tool should a beginner start with?
Start with Terraform. It has the largest community, the most learning resources, and skills transfer to any cloud provider. HCL is simpler than learning a general-purpose language's IaC patterns. Once you're comfortable with IaC concepts, you can evaluate CDK or Pulumi if their strengths align with your needs.
Can I use Terraform and CDK together?
Yes, but carefully. Some teams use Terraform for shared infrastructure (networking, DNS) and CDK for application-specific resources. The key is clear ownership boundaries -- don't manage the same resource from both tools. Use Terraform outputs and CDK's Fn.importValue to pass values between them.
What is OpenTofu and should I use it?
OpenTofu is a community fork of Terraform created after HashiCorp changed Terraform's license from MPL 2.0 to BSL 1.1. It's maintained by the Linux Foundation and is a drop-in replacement for Terraform. If the BSL license is a concern for your organization, OpenTofu is a viable alternative with growing community support.
How do I handle secrets in IaC?
Never store secrets in plain text in your IaC files. Terraform integrates with Vault, AWS Secrets Manager, and SSM Parameter Store via data sources. CDK can reference Secrets Manager and SSM parameters directly. Pulumi encrypts secrets in state by default and integrates with cloud KMS services.
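A check that enforces the rule above before code reaches a pull request, as an added TypeScript example written for this article (not a tool from Terraform, CDK or Pulumi): a line-based scan of Terraform source that flags secret-looking attributes assigned a string literal, while letting references to Vault, Secrets Manager or SSM data sources through. The attribute-name patterns, the suffix allow-list and the sample `.tf` text are constructed for the demo; a production linter would parse HCL properly rather than match lines.

```typescript
// Added example, not from the article: a heuristic pre-commit check for plaintext secrets in
// Terraform source. The sample .tf below is constructed and contains no real credentials.

interface Finding {
  line: number;  // 1-based line in the scanned file
  key: string;   // attribute that carried the literal
  reason: string;
}

// Attribute names that usually hold secret material...
const SECRET_NAME = /(password|secret|token|api_key|private_key)/i;
// ...except when the attribute is only the *name*, *id* or *ARN* of a secret (e.g. secret_id),
// which points into a secret store and is safe to commit.
const NOT_SECRET_SUFFIX = /(_id|_arn|_name)$/i;
const ATTRIBUTE = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$/;
const VARIABLE_BLOCK = /^\s*variable\s+"([^"]+)"\s*\{/;

// A quoted string or a heredoc is a literal. var.*, local.*, data.* and resource attribute
// references are resolved at plan/apply time and never sit in the repository.
function isLiteral(value: string): boolean {
  return (value.startsWith('"') && value !== '""') || value.startsWith("<<");
}

function scanTerraform(source: string): Finding[] {
  const findings: Finding[] = [];
  const lines = source.split("\n");
  let currentVariable: string | null = null; // name of the variable block we are inside, if any

  for (let i = 0; i < lines.length; i++) {
    const lineNo = i + 1;
    // Strip a trailing "# comment" (good enough here; a "#" inside a string would fool it).
    const line = lines[i].replace(/\s+#.*$/, "");

    const varMatch = VARIABLE_BLOCK.exec(line);
    if (varMatch) { currentVariable = varMatch[1]; continue; }
    if (/^\}\s*$/.test(line)) { currentVariable = null; continue; } // top-level block closed

    const attr = ATTRIBUTE.exec(line);
    if (!attr) continue;
    const [, key, value] = attr;

    // `variable "db_password" { default = "..." }` is a secret in git even if sensitive = true.
    if (currentVariable && key === "default" && SECRET_NAME.test(currentVariable) && isLiteral(value)) {
      findings.push({ line: lineNo, key, reason: `default for variable "${currentVariable}" is a literal` });
      continue;
    }
    if (SECRET_NAME.test(key) && !NOT_SECRET_SUFFIX.test(key) && isLiteral(value)) {
      findings.push({ line: lineNo, key, reason: "secret attribute assigned a string literal" });
    }
  }
  return findings;
}

// Constructed sample: one hardcoded password, one secret pulled from Secrets Manager,
// one variable with a literal default, one sensitive variable with no default.
const SAMPLE_TF = `
resource "aws_db_instance" "main" {
  username = "app"
  password = "hunter2-plaintext"
}

data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/db/password"
}

resource "aws_db_instance" "replica" {
  username = "app"
  password = data.aws_secretsmanager_secret_version.db.secret_string
}

variable "api_token" {
  type    = string
  default = "tok_example_not_real"
}

variable "db_password" {
  type      = string
  sensitive = true
}
`;

function scanSample(): Finding[] {
  return scanTerraform(SAMPLE_TF);
}
```

`scanSample()` returns exactly two findings: the literal `password` on line 4 and the `default` on line 18. The `secret_id` on line 8 is correctly ignored because it names a secret rather than containing one, and the replica's `password` passes because it is a data-source reference. Wired into a pre-commit hook that exits non-zero on any finding, this catches the most common leak before a plan ever runs.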
Is CloudFormation still worth learning?
Only if you're deep in the AWS ecosystem and need to understand what CDK generates under the hood. Writing raw CloudFormation YAML/JSON is tedious compared to CDK or Terraform. However, understanding CloudFormation concepts (stacks, change sets, rollbacks) is valuable because CDK depends on them.
How do I migrate from manual infrastructure to IaC?
Use import commands (terraform import, cdk import, pulumi import) to bring existing resources under IaC management without recreating them. Start with the most critical resources (networking, databases) and work outward. Tools like Former2 can generate CloudFormation or Terraform from existing AWS resources automatically.
Pick a Tool and Commit
The worst IaC decision is using three tools across five teams. Pick one primary tool, standardize on it, and invest in modules and patterns that your team can reuse. Terraform is the safe default. CDK is the right choice for AWS-only shops that want TypeScript end-to-end. Pulumi is compelling for multi-cloud teams that want real languages without CloudFormation's limitations. All three are production-proven -- the choice matters less than consistency.
Written by
Abhishek Patel
Infrastructure engineer with 10+ years building production systems on AWS, GCP, and bare metal. Writes practical guides on cloud architecture, containers, networking, and Linux for developers who want to understand how things actually work under the hood.