Hi All. A common question, but different perspecti...
# getting-started
Hi All. A common question, but different perspective… I’ve been using Terraform OSS + AWS for years, but am considering Pulumi for a new project (no pun intended). What are the drawbacks of using Pulumi? I’m building a list of attractive features, but as always the devil is in the details - where are the gotchas…? One area of concern is you can use Pulumi with self-managed backends etc for free, but it looks like costs will rise quickly if you want/need Pulumi Cloud backends for any audit requirements etc for an Enterprise setting…
there's no significant drawbacks with the Pulumi tool when compared to other declarative IaC tools. The biggest possible drawback has to do with your team's skills. If those writing the IaC are string programmers, you can see significant productivity gains when compared to Terraform, for example. But if your team can only write bash or simple python scripts and don't care to upskill, Pulumi won't work much better for you than Terraform would. What are your audit concerns when it comes to self-managed backends?
as a former terraform user, my only real concern was the backend. I figured out how to easily manage my own backends and really haven't looked back. The only real issue I've noticed with pulumi is that pulumi doesn't compare the actual infra to the state. What I mean by this is when using terraform, I could create some resources and then in the console delete them or modify them. Re-`terraform apply`ing would put things back they way they were declared. Pulumi doesn't do this. If you create a resource using pulumi and then modify or delete it in the console,
pulumi up
doesn't take any "corrective" action.
The S3 backend works pretty well in our experience and we like Pulumi overall. No major drawbacks so far. The flexibility compared to Terraform is the main benefit.
@colossal-tailor-72573 Pulumi doesn't default to refreshing its view of infrastructure, unlike Terraform. This may be behind what you are seeing here. Try setting this in
to always refresh, which is what we do:
Copy code
  refresh: always
Background here: https://www.reddit.com/r/devops/comments/u3b3wf/things_i_wish_i_knew_earlier_about_pulumi/i4o89s9/ I really wish Pulumi defaulted to refresh-always - correctness is more important than speed
oh, that's awesome!
Will review and implement accordingly. Thank you Richard!
@steep-toddler-94095 - Thanks for your response. The need for decent programming skills is a concern, but as long as this is known & factored into planning, then its manageable. Having decent skills & standards around Python for example offers benefits elsewhere (i.e in producing custom python packages). I havnt had any burning requirements for audit with TF as yet, but I like what having an audit trail offers towards controls validation & support (SOC II & any Regulatory requirements).
Thanks for confirming no issues with S3 backend & the handy refresh tip @salmon-gold-74709
@green-alligator-4238 Pulumi Cloud is equivalent to Terraform Cloud I would think - if using S3 backend, I think main audit areas are Pulumi code (version control, code reviews, etc, like with Terraform) and API usage (CloudTrail etc as with Terraform).
Can't really think of Terraform OSS features that help auditing vs Pulumi with S3, unless you are thinking of more declarative code. The flexibility of Pulumi is a huge advantage - for example, you could write your code (maybe as component resources) in such a way that you write extra auditing info as required to some data store / logging service. Once you've written these shared libraries, doing a 'new S3 bucket' call via your component resource (basically a class encapsulating your extra logic) is the simplest 'golden path', making it easier to get auditing 'for free' as well as simplifying life for developers.
Have a look at the PulumiUp 2023 videos, there were some from largely MS / Azure shops with a fairly locked down approach like this. You can also write policies as code to ensure things like EBS encryption or whatever.
These were the Washington Trust Bank and Sam Cogan talks
Thanks. There are no TF OSS features that help audi - hence the attractiveness of the capability on Pulumi Cloud/self hosted
Thanks all for contributing to the conv - its been very useful
I moved from TF to Pulumi years ago, biggest gotcha for me was like someone else mentioned, remembering to
pulumi refresh
often, especially if facing something that didn't seem to make sense.