https://pulumi.com logo
#getting-started
Title
# getting-started
g

green-alligator-4238

12/28/2023, 11:31 AM
Hi All. A common question, but different perspective… I’ve been using Terraform OSS + AWS for years, but am considering Pulumi for a new project (no pun intended). What are the drawbacks of using Pulumi? I’m building a list of attractive features, but as always the devil is in the details - where are the gotchas…? One area of concern is you can use Pulumi with self-managed backends etc for free, but it looks like costs will rise quickly if you want/need Pulumi Cloud backends for any audit requirements etc for an Enterprise setting…
s

steep-toddler-94095

12/28/2023, 10:40 PM
there's no significant drawbacks with the Pulumi tool when compared to other declarative IaC tools. The biggest possible drawback has to do with your team's skills. If those writing the IaC are string programmers, you can see significant productivity gains when compared to Terraform, for example. But if your team can only write bash or simple python scripts and don't care to upskill, Pulumi won't work much better for you than Terraform would. What are your audit concerns when it comes to self-managed backends?
c

colossal-tailor-72573

12/30/2023, 2:49 AM
as a former terraform user, my only real concern was the backend. I figured out how to easily manage my own backends and really haven't looked back. The only real issue I've noticed with pulumi is that pulumi doesn't compare the actual infra to the state. What I mean by this is when using terraform, I could create some resources and then in the console delete them or modify them. Re-`terraform apply`ing would put things back they way they were declared. Pulumi doesn't do this. If you create a resource using pulumi and then modify or delete it in the console,
pulumi up
doesn't take any "corrective" action.
s

salmon-gold-74709

01/02/2024, 10:16 AM
The S3 backend works pretty well in our experience and we like Pulumi overall. No major drawbacks so far. The flexibility compared to Terraform is the main benefit.
@colossal-tailor-72573 Pulumi doesn't default to refreshing its view of infrastructure, unlike Terraform. This may be behind what you are seeing here. Try setting this in
Pulumi.yaml
to always refresh, which is what we do:
Copy code
options:
  refresh: always
Background here: https://www.reddit.com/r/devops/comments/u3b3wf/things_i_wish_i_knew_earlier_about_pulumi/i4o89s9/ I really wish Pulumi defaulted to refresh-always - correctness is more important than speed
c

colossal-tailor-72573

01/02/2024, 4:30 PM
oh, that's awesome!
Will review and implement accordingly. Thank you Richard!
g

green-alligator-4238

01/04/2024, 5:37 PM
@steep-toddler-94095 - Thanks for your response. The need for decent programming skills is a concern, but as long as this is known & factored into planning, then its manageable. Having decent skills & standards around Python for example offers benefits elsewhere (i.e in producing custom python packages). I havnt had any burning requirements for audit with TF as yet, but I like what having an audit trail offers towards controls validation & support (SOC II & any Regulatory requirements).
Thanks for confirming no issues with S3 backend & the handy refresh tip @salmon-gold-74709
s

salmon-gold-74709

01/04/2024, 5:40 PM
@green-alligator-4238 Pulumi Cloud is equivalent to Terraform Cloud I would think - if using S3 backend, I think main audit areas are Pulumi code (version control, code reviews, etc, like with Terraform) and API usage (CloudTrail etc as with Terraform).
Can't really think of Terraform OSS features that help auditing vs Pulumi with S3, unless you are thinking of more declarative code. The flexibility of Pulumi is a huge advantage - for example, you could write your code (maybe as component resources) in such a way that you write extra auditing info as required to some data store / logging service. Once you've written these shared libraries, doing a 'new S3 bucket' call via your component resource (basically a class encapsulating your extra logic) is the simplest 'golden path', making it easier to get auditing 'for free' as well as simplifying life for developers.
Have a look at the PulumiUp 2023 videos, there were some from largely MS / Azure shops with a fairly locked down approach like this. You can also write policies as code to ensure things like EBS encryption or whatever.
These were the Washington Trust Bank and Sam Cogan talks
g

green-alligator-4238

01/04/2024, 6:12 PM
Thanks. There are no TF OSS features that help audi - hence the attractiveness of the capability on Pulumi Cloud/self hosted
Thanks all for contributing to the conv - its been very useful
g

gifted-gigabyte-53859

01/11/2024, 7:27 AM
I moved from TF to Pulumi years ago, biggest gotcha for me was like someone else mentioned, remembering to
pulumi refresh
often, especially if facing something that didn't seem to make sense.