I’m exploring using Pulumi for our infrastructure ...
# python
I’m exploring using Pulumi for our infrastructure but am concerned about the heavy emphasis on Typescript. Is there anything with Pulumi that can be done with Typescript but not Python?
Plenty... I'm deep-diving
since a few weeks and although theoretically everything can be done in python, it turns out that the documentation as well as examples are heavily lacking, making any progress very difficult I think pulumi has a lot of potential but even though I'm a heavy python fan I'm torn myself wether I should go back to Terraform until pulumi is more mature :/
Thank you, that is very useful to hear. The fact that they’ve chosen Typescript as their first language to emphasize makes me wonder how well they understand - and are engaged with - their primary audience. Terraform has come a long way the past few months with the addition of
. However it’s also clear that there are some bad design decisions behind these such as it being impossible to nest _for_each_ loops due to `each.key`/`each.value` being fixed for both loops. All our new code for IAM policies, roles, users, and groups are written to import and parse YAML, which I’m planning to open source for others to use, however what would take a few minutes in Python took tens of hours to write for Terraform:
Copy code
# Roles - Extract & Transform

locals {
  # extract role data from files
  role_file_paths = fileset(path.module, "config/roles/**/*.yaml")
  role_configs = {
    for x in flatten([
      for file_path in local.role_file_paths : [
        for role, obj in yamldecode(file(file_path)).user_roles : {
          (role) = obj
    ]) : keys(x)[0] => values(x)[0]

  # intermediate steps to work around the limitations of "for_each"
  role_policies = { for k, v in local.role_configs : k => v.policies if lookup(v, "policies", []) != [] }
  role_policy_pairs = flatten([
    for role, policies in local.role_policies : [
      for policy in policies : {
        account = local.role_configs[role].account
        role    = role
        policy  = policy

  # string => map(string)
  role_policy_joins = {
    for obj in local.role_policy_pairs :
    replace("${obj.role}${obj.policy}", "/arn:aws:iam::|([[:punct:]]+)/", "_") => obj
My Python experience has been the same as Louis'. I've been POC'ing Pulumi by trying to forklift as much of our application as possible into it. The app is currently managed by a mixture of Kops, Terraform, legacy custom bash scripts, and custom Go code, so it would be a huge win to be able to consolidate it into one place.
Our team is a Go team, but Pulumi's Go support is not good yet, so I went with Python, which is our next-most-comfortable language. Nobody on our team writes typescript/javascript.
There are a whole lot of gotchas in Python.
and things like it (like
) don't work the way you think because Pulumi multiprocesses in weird places under the hood. Context managers (
statements) are not respected during resource creation. You can't access pulumi attributes as primitive types except in extremely restrictive
functions; otherwise they're all of type
, which you can't do anything with in plain Python. The claim on the "Why Pulumi" page that you get to manage your infrastructure without learning "yet another ... DSL dialect" is false, because Pulumi with Python is absolutely a DSL.
👍 3
It has taken me many tens of hours to get anything done, and so far I like what I have, but don't love it.
👍 2
I totally agree with you Matt : Pulumi's implementation in Python is the most unpythonistic thing I've ever seen There are hard typings everwhere and classes to wrap every single input and output : you almost never use native structures Might as well do it in C++, which I think they very well might
👍 1
Is it a fair assessment to say that it’s easier to just learn Typescript and use that rather than trying to use Pulumi with any of the other “supported” languages?
I think it's a matter of personal preference. I wouldn't for sure : I'm Pythonista all the way 🐍
Does Pulumi with Python still save time over and have fewer issues than Terraform, especially when it comes to more junior engineers who would need to learn a lot for using either of the two?
Well most of the time when I use for example
I end up looking at the Terraform provider's documentation and implementation : Pulumi is merely wrapping it so the documentation & logic are often times easier to understand in Terraform I'm by no means a junior engineer, and even I find this circumvoluted process cumbersome... so I'd say that for now a junior has a better chance on Terraform That's of course assuming that your project won't require Pulumi-specific concepts such as Dynamic Providers