Hi All.
A common question, but different perspecti...
# getting-startedg
green-alligator-4238
12/28/2023, 11:31 AMHi All.
A common question, but different perspective…
I’ve been using Terraform OSS + AWS for years, but am considering Pulumi for a new project (no pun intended).
What are the drawbacks of using Pulumi?
I’m building a list of attractive features, but as always the devil is in the details - where are the gotchas…?
One area of concern is you can use Pulumi with self-managed backends etc for free, but it looks like costs will rise quickly if you want/need Pulumi Cloud backends for any audit requirements etc for an Enterprise setting…
s
steep-toddler-94095
12/28/2023, 10:40 PMthere's no significant drawbacks with the Pulumi tool when compared to other declarative IaC tools. The biggest possible drawback has to do with your team's skills. If those writing the IaC are string programmers, you can see significant productivity gains when compared to Terraform, for example. But if your team can only write bash or simple python scripts and don't care to upskill, Pulumi won't work much better for you than Terraform would.
What are your audit concerns when it comes to self-managed backends?
c
colossal-tailor-72573
12/30/2023, 2:49 AMas a former terraform user, my only real concern was the backend. I figured out how to easily manage my own backends and really haven't looked back.
The only real issue I've noticed with pulumi is that pulumi doesn't compare the actual infra to the state.
What I mean by this is when using terraform, I could create some resources and then in the console delete them or modify them. Re-`terraform apply`ing would put things back they way they were declared.
Pulumi doesn't do this. If you create a resource using pulumi and then modify or delete it in the console,
pulumi ups
salmon-gold-74709
01/02/2024, 10:16 AMThe S3 backend works pretty well in our experience and we like Pulumi overall. No major drawbacks so far. The flexibility compared to Terraform is the main benefit.
salmon-gold-74709
01/02/2024, 10:19 AM@colossal-tailor-72573 Pulumi doesn't default to refreshing its view of infrastructure, unlike Terraform. This may be behind what you are seeing here. Try setting this in
Pulumi.yaml Copy code
options:
refresh: alwaysc
colossal-tailor-72573
01/02/2024, 4:30 PMoh, that's awesome!
colossal-tailor-72573
01/02/2024, 4:30 PMWill review and implement accordingly. Thank you Richard!
g
green-alligator-4238
01/04/2024, 5:37 PM@steep-toddler-94095 - Thanks for your response.
The need for decent programming skills is a concern, but as long as this is known & factored into planning, then its manageable. Having decent skills & standards around Python for example offers benefits elsewhere (i.e in producing custom python packages).
I havnt had any burning requirements for audit with TF as yet, but I like what having an audit trail offers towards controls validation & support (SOC II & any Regulatory requirements).
green-alligator-4238
01/04/2024, 5:39 PMThanks for confirming no issues with S3 backend & the handy refresh tip @salmon-gold-74709
s
salmon-gold-74709
01/04/2024, 5:40 PM@green-alligator-4238 Pulumi Cloud is equivalent to Terraform Cloud I would think - if using S3 backend, I think main audit areas are Pulumi code (version control, code reviews, etc, like with Terraform) and API usage (CloudTrail etc as with Terraform).
salmon-gold-74709
01/04/2024, 5:44 PMCan't really think of Terraform OSS features that help auditing vs Pulumi with S3, unless you are thinking of more declarative code.
The flexibility of Pulumi is a huge advantage - for example, you could write your code (maybe as component resources) in such a way that you write extra auditing info as required to some data store / logging service.
Once you've written these shared libraries, doing a 'new S3 bucket' call via your component resource (basically a class encapsulating your extra logic) is the simplest 'golden path', making it easier to get auditing 'for free' as well as simplifying life for developers.
salmon-gold-74709
01/04/2024, 5:44 PMHave a look at the PulumiUp 2023 videos, there were some from largely MS / Azure shops with a fairly locked down approach like this. You can also write policies as code to ensure things like EBS encryption or whatever.
salmon-gold-74709
01/04/2024, 5:46 PMThese were the Washington Trust Bank and Sam Cogan talks
g
green-alligator-4238
01/04/2024, 6:12 PMThanks. There are no TF OSS features that help audi - hence the attractiveness of the capability on Pulumi Cloud/self hosted
green-alligator-4238
01/04/2024, 6:12 PMThanks all for contributing to the conv - its been very useful
g
gifted-gigabyte-53859
01/11/2024, 7:27 AMI moved from TF to Pulumi years ago, biggest gotcha for me was like someone else mentioned, remembering to
pulumi refresh