I’m exploring using Pulumi for our infrastructure but am concerned about the heavy emphasis on Typescript. Is there anything with Pulumi that can be done with Typescript but not Python?

Plenty... I'm deep-diving

pulumi-python

since a few weeks and although theoretically everything can be done in python, it turns out that the documentation as well as examples are heavily lacking, making any progress very difficult I think pulumi has a lot of potential but even though I'm a heavy python fan I'm torn myself wether I should go back to Terraform until pulumi is more mature :/

Thank you, that is very useful to hear. The fact that they’ve chosen Typescript as their first language to emphasize makes me wonder how well they understand - and are engaged with - their primary audience. Terraform has come a long way the past few months with the addition of

for_each

and

yamldecode

. However it’s also clear that there are some bad design decisions behind these such as it being impossible to nest _for_each_ loops due to `each.key`/`each.value` being fixed for both loops. All our new code for IAM policies, roles, users, and groups are written to import and parse YAML, which I’m planning to open source for others to use, however what would take a few minutes in Python took tens of hours to write for Terraform:

#####
# Roles - Extract & Transform
#####

locals {
  # extract role data from files
  role_file_paths = fileset(path.module, "config/roles/**/*.yaml")
  role_configs = {
    for x in flatten([
      for file_path in local.role_file_paths : [
        for role, obj in yamldecode(file(file_path)).user_roles : {
          (role) = obj
        }
      ]
    ]) : keys(x)[0] => values(x)[0]
  }

  # intermediate steps to work around the limitations of "for_each"
  role_policies = { for k, v in local.role_configs : k => v.policies if lookup(v, "policies", []) != [] }
  role_policy_pairs = flatten([
    for role, policies in local.role_policies : [
      for policy in policies : {
        account = local.role_configs[role].account
        role    = role
        policy  = policy
      }
    ]
  ])

  # string => map(string)
  role_policy_joins = {
    for obj in local.role_policy_pairs :
    replace("${obj.role}${obj.policy}", "/arn:aws:iam::|([[:punct:]]+)/", "_") => obj
  }
}

My Python experience has been the same as Louis'. I've been POC'ing Pulumi by trying to forklift as much of our application as possible into it. The app is currently managed by a mixture of Kops, Terraform, legacy custom bash scripts, and custom Go code, so it would be a huge win to be able to consolidate it into one place.

I totally agree with you Matt : Pulumi's implementation in Python is the most unpythonistic thing I've ever seen There are hard typings everwhere and classes to wrap every single input and output : you almost never use native structures Might as well do it in C++, which I think they very well might

Is it a fair assessment to say that it’s easier to just learn Typescript and use that rather than trying to use Pulumi with any of the other “supported” languages?

I think it's a matter of personal preference. I wouldn't for sure : I'm Pythonista all the way 🐍

Does Pulumi with Python still save time over and have fewer issues than Terraform, especially when it comes to more junior engineers who would need to learn a lot for using either of the two?

Well most of the time when I use for example

pulumi_aws

I end up looking at the Terraform provider's documentation and implementation : Pulumi is merely wrapping it so the documentation & logic are often times easier to understand in Terraform I'm by no means a junior engineer, and even I find this circumvoluted process cumbersome... so I'd say that for now a junior has a better chance on Terraform That's of course assuming that your project won't require Pulumi-specific concepts such as Dynamic Providers