Terraform vs Pulumi vs OpenTofu in 2026: Choosing an IaC Tool
Table of Contents
Infrastructure as Code is at a crossroads. HashiCorp’s decision to switch Terraform’s license to BSL in August 2023 fractured the ecosystem into three camps: those who stayed with Terraform, those who migrated to the open-source fork OpenTofu, and those who seized the moment to adopt Pulumi’s “infrastructure in real programming languages” approach. Terraform still holds 32.8% of the IaC market, but competition has never been fiercer — and the tools have never been more capable.
This article is a detailed comparison of Terraform 1.14, Pulumi 3.x, and OpenTofu 1.11 for DevOps engineers, SREs, and tech leads choosing an IaC tool for a new project or evaluating whether to migrate from Terraform.
Overview of the Contenders
Terraform — The Market Leader Under a New License
Terraform was created by HashiCorp in 2014 and essentially defined the Infrastructure as Code category. The current version is Terraform 1.14.5 (February 11, 2026). The hashicorp/terraform repository on GitHub has approximately 45,000 stars.
Terraform uses its own declarative language, HCL (HashiCorp Configuration Language), to describe infrastructure. Its provider model supports thousands of integrations: AWS, Azure, GCP, Kubernetes, Cloudflare, Datadog, and hundreds more. The Terraform Registry contains thousands of reusable modules.
The key change: starting with version 1.6, Terraform is distributed under the BSL 1.1 (Business Source License). This permits free use for internal infrastructure but prohibits commercially offering Terraform as a managed service without an agreement with HashiCorp. In practice, most companies can continue using Terraform for free, but SaaS platforms for infrastructure management (competitors to HCP Terraform) cannot.
Terraform 1.14 introduces Terraform Stacks — a new mechanism for managing groups of configurations as a unified whole — along with an improved module testing framework and experimental generative AI support for HCL.
OpenTofu — The Open-Source Fork With Innovation
OpenTofu is a community-driven fork of Terraform created in response to the license change. The project is governed by the Linux Foundation and was accepted into the CNCF at the Sandbox level in April 2025. The current version is OpenTofu 1.11 (supported until August 2026). On GitHub it has approximately 23,000 stars, and its contributor count has tripled since launch to 160+. The project has surpassed 10 million downloads from GitHub releases alone.
OpenTofu maintains 100% backward compatibility with Terraform 1.5.x configurations and is distributed under the MPL 2.0 license (fully open-source, no commercial restrictions).
But OpenTofu is not simply “Terraform without BSL.” The project actively ships features that Terraform lacks:
- State file encryption (since v1.7) — AES-GCM encryption with AWS KMS, GCP KMS, Azure Key Vault, OpenBao, and PBKDF2 support
- Provider-defined functions (v1.7) — ability for providers to define custom functions
- Early variable evaluation (v1.8) — variables in previously forbidden contexts (module sources, backend configuration)
- Provider iteration with for_each (v1.9) — iterate over providers dynamically
- Lifecycle destroy meta-argument (v1.11) — control resource destruction behavior
Pulumi — Infrastructure in Real Programming Languages
Pulumi was founded in 2017 and takes a radically different approach: instead of a DSL like HCL, it uses general-purpose programming languages — TypeScript, Python, Go, .NET (C#/F#), Java, and YAML. The current version is Pulumi 3.223.0. On GitHub pulumi/pulumi has approximately 22,000 stars, with adoption growing at 45% year-over-year.
Pulumi supports 150+ cloud providers and offers native Kubernetes integration, including canary deployments with Prometheus and automatic Envoy sidecar injection.
The biggest news of 2026: Pulumi added native support for Terraform and HCL. The Pulumi CLI can now interpret HCL code via a Terraform bridge, and Pulumi Cloud can serve as a state backend for Terraform and OpenTofu. This feature is in private beta with GA expected in Q1 2026.
Pulumi is licensed under Apache 2.0 (open-source). Pulumi Cloud (managed state backend, dashboard, RBAC) has a free tier: 150,000 Pulumi Credits per month (managing up to ~200 cloud resources) and 3,000 free deployment minutes for all tiers.
Languages and Developer Experience
The difference in how infrastructure is described is the most fundamental distinction and shapes the entire development workflow.
HCL: Declarative Simplicity vs Limitations
Terraform and OpenTofu use HCL — a declarative language purpose-built for infrastructure description:
# Terraform / OpenTofu — HCL
resource "aws_instance" "web" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t3.micro"
tags = {
Name = "web-server"
Environment = var.environment
}
}
resource "aws_security_group" "web_sg" {
name = "web-sg"
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}HCL is easy to read and understand, with a low barrier to entry for DevOps engineers without deep programming experience. However, HCL is not a full programming language: it has limited loops, conditionals, no objects, classes, or proper abstractions. Practicing DRY (Don’t Repeat Yourself) with HCL becomes extremely difficult for large infrastructures.
Pulumi: The Full Power of Programming Languages
Pulumi lets you use familiar languages with their complete feature set — loops, functions, classes, interfaces, package managers, and testing frameworks:
// Pulumi — TypeScript
import * as aws from "@pulumi/aws";
const webServer = new aws.ec2.Instance("web", {
ami: "ami-0c55b159cbfafe1f0",
instanceType: "t3.micro",
tags: {
Name: "web-server",
Environment: config.require("environment"),
},
});
const webSg = new aws.ec2.SecurityGroup("web-sg", {
ingress: [{
fromPort: 80,
toPort: 80,
protocol: "tcp",
cidrBlocks: ["0.0.0.0/0"],
}],
});# Pulumi — Python
import pulumi_aws as aws
web_server = aws.ec2.Instance("web",
ami="ami-0c55b159cbfafe1f0",
instance_type="t3.micro",
tags={
"Name": "web-server",
"Environment": config.require("environment"),
})Pulumi integrates with IDEs, debuggers, and linters because it uses mainstream languages, providing autocompletion, static analysis, type checking, and standard unit testing workflows. Infrastructure becomes testable and refactorable in the same way as application code.
One practitioner noted: “Even with less documentation, I could reason my way through problems with Pulumi because I could read Go code — the only complexity left was the AWS concepts, not the tool’s language.”
Infrastructure Testing
Testing is where Pulumi significantly outpaces the competition:
| Capability | Terraform / OpenTofu | Pulumi |
|---|---|---|
| Unit tests | No native (external: Terratest) | Native (pytest, Jest, Go test) |
| Property tests | No | Native |
| Integration tests | External (Terratest) | Native |
| Mock providers | Limited | Full support |
| Test framework | terraform test (basic) | Any language framework |
// Pulumi — unit test with Mocha + Chai
import * as pulumi from "@pulumi/pulumi/runtime";
import { expect } from "chai";
describe("Infrastructure", () => {
it("should create an instance with correct tags", async () => {
const infra = await import("../index");
const tags = await new Promise((resolve) =>
infra.webServer.tags.apply(resolve)
);
expect(tags).to.have.property("Environment");
});
});Pulumi’s Policy as Code SDK allows writing compliance policies in code, enabling complex logic and reusability — a significant advantage over Terraform’s Sentinel, which requires learning yet another DSL.
Licensing: The Great Divide
Licensing has become the defining factor in IaC tool selection since 2023.
| Aspect | Terraform | OpenTofu | Pulumi |
|---|---|---|---|
| License | BSL 1.1 | MPL 2.0 (open-source) | Apache 2.0 (open-source) |
| Internal use | Free | Free | Free |
| Commercial SaaS based on the tool | Prohibited without agreement | Allowed | Allowed |
| Managed cloud service | HCP Terraform ($0–$70/mo/user) | None (self-hosted or third-party) | Pulumi Cloud (free tier: 150K credits/mo) |
| Governance | HashiCorp (IBM) | Linux Foundation / CNCF | Pulumi Corp. (VC-funded) |
For most companies, Terraform’s BSL is not a problem — it only restricts creating competing SaaS platforms. But for organizations that require fully open-source tooling (government, large enterprises with compliance mandates), OpenTofu and Pulumi provide guarantees that Terraform can no longer offer.
Security: State File Encryption
The state file is one of the most sensitive parts of IaC: it contains a complete description of your infrastructure, including secrets, IP addresses, and configurations. Protecting it is critical.
OpenTofu: Native Client-Side Encryption
OpenTofu is the only tool of the three that provides native client-side encryption of state files. Introduced in version 1.7, this feature encrypts state before sending it to the backend using AES-GCM. The Terraform community had requested this feature for years, but HashiCorp never implemented it — OpenTofu shipped it within months of the fork.
# OpenTofu — state encryption via AWS KMS
terraform {
encryption {
key_provider "aws_kms" "main" {
kms_key_id = "arn:aws:kms:us-east-1:123456789:key/abcd-1234"
region = "us-east-1"
}
method "aes_gcm" "primary" {
keys = key_provider.aws_kms.main
}
state {
method = method.aes_gcm.primary
enforced = true
}
plan {
method = method.aes_gcm.primary
enforced = true
}
}
}Supported key providers: AWS KMS, GCP KMS, Azure Key Vault, OpenBao (open-source Vault fork), and PBKDF2 (passphrase). Even if your backend storage is compromised or misconfigured, the state file remains unreadable without the encryption key.
Terraform: No State Encryption
Terraform does not support native state file encryption. State protection depends entirely on the backend: S3 with SSE, Azure Blob with encryption at rest — but this is server-side storage encryption, not client-side.
Pulumi: Automatic Secret Encryption
Pulumi encrypts individual secrets in the state file automatically using Pulumi Cloud, a passphrase, or an external KMS. This is not full state encryption (like OpenTofu), but secret values are protected:
// Pulumi — secrets encrypted automatically
const dbPassword = new pulumi.Config().requireSecret("dbPassword");
const db = new aws.rds.Instance("mydb", {
password: dbPassword, // encrypted in state
});Provider Ecosystem
The breadth of cloud provider and service support determines a tool’s real-world applicability.
Terraform has the largest ecosystem by far: the Terraform Registry contains thousands of providers and modules. Virtually every cloud service, SaaS platform, or infrastructure component has a Terraform provider. This is Terraform’s primary competitive advantage, built over 10+ years.
OpenTofu is fully compatible with Terraform providers. All providers for AWS, Azure, GCP, Kubernetes, and other services work with OpenTofu without modification. The OpenTofu Registry mirrors Terraform’s providers and modules, making migration practically seamless.
Pulumi supports 150+ cloud providers, including all major clouds and popular SaaS services. Pulumi reuses Terraform provider plugins via a Terraform bridge, expanding coverage. However, not all Terraform providers are available through the bridge, and some edge cases may require workarounds.
# Terraform / OpenTofu: provider initialization
terraform init # or: tofu init
# Pulumi: providers install as regular packages
npm install @pulumi/aws
pip install pulumi-aws
go get github.com/pulumi/pulumi-aws/sdk/v6/go/awsMigration from Terraform
To OpenTofu
Migrating from Terraform to OpenTofu is the simplest path available. Major enterprises, including Fidelity, have already migrated production infrastructure successfully.
- Replace the binary: swap
terraformfortofuin your PATH - State files: OpenTofu uses the same state format as Terraform 1.5.x — no conversion needed
- Configurations:
.tffiles work without changes - CI/CD: replace
terraformwithtofuin your pipelines
# Migration is literally a binary swap
# Instead of:
terraform plan
terraform apply
# Use:
tofu plan
tofu applyRecommended migration path:
- From Terraform ≤ 1.5.x → migrate to OpenTofu 1.6.2, then upgrade
- From Terraform 1.8.x → migrate to OpenTofu 1.8.2, then upgrade
The migration is low-risk and reversible — you can pilot OpenTofu on development infrastructure, verify it meets your needs, and roll back to Terraform if necessary.
Key gotchas:
- Replace fully qualified provider names with short form (
hashicorp/awsinstead ofregistry.terraform.io/hashicorp/aws) - Terraform 1.6+ features (Stacks) have no OpenTofu equivalents
- CI/CD pipelines need command updates
To Pulumi
Migrating from Terraform to Pulumi is more involved, but Pulumi provides dedicated tooling:
# Convert existing Terraform configuration
pulumi convert --from terraform --language typescript
# Import Terraform state
pulumi import --from terraform ./terraform.tfstatepulumi convert translates HCL into your chosen programming language. The output typically requires manual refinement, but the basic structure is preserved. For large infrastructures, migration can take weeks.
New in 2026: Pulumi Cloud can now serve as a state backend for Terraform and OpenTofu, enabling a hybrid approach — manage part of your infrastructure in HCL while gradually converting to Pulumi.
Scaling and Performance
Execution Speed
For IaC tools, the speed of plan and apply operations matters at scale:
- Terraform and OpenTofu show comparable performance due to their shared codebase. Planning 500+ resources takes 30–120 seconds depending on providers
- Pulumi can be faster for incremental updates thanks to smarter dependency tracking, but the first
pulumi upon a large project is comparable toterraform apply
State Management
| Aspect | Terraform | OpenTofu | Pulumi |
|---|---|---|---|
| State format | JSON | JSON (TF-compatible) | JSON (proprietary format) |
| State encryption | None (backend-dependent) | Client-side AES-GCM | Secret-level encryption |
| Remote backends | S3, GCS, Azure Blob, HCP Terraform | S3, GCS, Azure Blob + encryption | Pulumi Cloud, S3, Azure Blob |
| State locking | Yes | Yes | Yes |
| Workspace/Stack management | Workspaces | Workspaces | Stacks |
Monorepos and Large Projects
Terraform/OpenTofu: large infrastructure management splits across multiple state files using terraform_remote_state for cross-referencing. Tools like Terragrunt help manage inter-module dependencies.
Pulumi: allows standard monorepo patterns from programming languages (npm workspaces, Go modules), and Stack references provide type-safe cross-stack dependencies.
Summary Comparison Table
| Criterion | Terraform 1.14 | OpenTofu 1.11 | Pulumi 3.x |
|---|---|---|---|
| License | BSL 1.1 | MPL 2.0 (open-source) | Apache 2.0 |
| Configuration language | HCL | HCL (compatible) | TypeScript, Python, Go, .NET, Java, YAML |
| State encryption | None | Client-side AES-GCM | Secret-level encryption |
| Providers | 3,000+ | Compatible with Terraform | 150+ (+ Terraform bridge) |
| Testing | Basic (terraform test) | Basic | Native (pytest, Jest, Go test) |
| Governance | HashiCorp (IBM) | Linux Foundation / CNCF | Pulumi Corp. |
| Migration from Terraform | — | Drop-in (binary swap) | pulumi convert + refinement |
| GitHub Stars | ~45,000 | ~23,000 | ~22,000 |
| Learning curve | Medium (HCL) | Medium (HCL) | Low (if you know the language) |
| IDE support | VS Code, JetBrains (HCL) | VS Code, JetBrains (HCL) | Full (any language) |
| CI/CD integration | Native (GitHub Actions, GitLab) | Native | Native |
| Cloud service | HCP Terraform | None (self-hosted) | Pulumi Cloud |
| AI integration | Experimental | None | Pulumi AI (Neo) |
When to Choose Terraform
Terraform remains the best choice when:
- Your team is already invested in Terraform — large HCL codebase, configured pipelines, trained engineers. Migration may not be justified
- You need the largest provider ecosystem — if your infrastructure includes rare SaaS services, the chances of finding a ready-made Terraform provider are highest
- HCP Terraform — fully managed workflow with RBAC, Sentinel policies, cost estimation, and audit logging
- Terraform Stacks — for managing groups of configurations as a unified whole (new feature, no equivalent in competitors)
- BSL license is not an issue — for the vast majority of companies, BSL restrictions are irrelevant
When to Choose OpenTofu
OpenTofu is preferable when:
- Open-source is non-negotiable — government projects, compliance requirements, corporate policies mandating fully open-source software
- State file security is critical — native state encryption via KMS is a unique feature that neither Terraform nor Pulumi offers at the same level
- Migration from Terraform must be painless — OpenTofu accepts existing .tf files and state without changes
- CNCF ecosystem — if your infrastructure is built on CNCF projects (Kubernetes, Prometheus, Envoy), OpenTofu fits the same philosophy
- Innovation without waiting for HashiCorp — for_each on providers, early variable evaluation, lifecycle destroy — features the community shipped faster
When to Choose Pulumi
Pulumi is the best choice when:
- Your team is developers first — if your engineers think in TypeScript, Python, or Go rather than HCL, Pulumi gives them the power of familiar tools
- Infrastructure testing is critical — native unit and integration tests with familiar frameworks (Jest, pytest) without external dependencies
- Complex business logic in infrastructure — dynamic resource generation, conditional logic, application-level abstractions — everything HCL struggles with
- Cloud-native SaaS — Pulumi Cloud provides dashboards, RBAC, drift detection, and the AI assistant Neo out of the box
- Hybrid approach — since 2026, Pulumi Cloud can serve as a state backend for Terraform/OpenTofu, enabling gradual migration
- Kubernetes-native development — Pulumi has native Kubernetes integration with complete API coverage, canary deployments, and service mesh support
Conclusion
In 2026, the IaC tool choice comes down to three questions: licensing philosophy, preferred language, and state file security requirements.
Terraform remains the safe default. The largest ecosystem, the most documentation and available specialists, and mature enterprise features (HCP Terraform). The BSL license is not a problem for 95% of companies. If you have a working Terraform infrastructure and no pressing need to migrate — stay on Terraform.
OpenTofu is the logical choice for those who value open-source and security. Seamless migration from Terraform, unique state file encryption, CNCF backing, and an active community make OpenTofu attractive for enterprises with strict compliance requirements. For new HCL-based projects, start with OpenTofu instead of Terraform — you get the same capabilities plus bonuses, without licensing risk.
Pulumi is the future of IaC for developer-first teams. If your team writes TypeScript or Python and wants to apply software engineering best practices (testing, abstractions, CI/CD) to infrastructure, Pulumi delivers an experience that HCL tools cannot replicate. And native HCL support in 2026 makes Pulumi a universal platform capable of unifying all IaC approaches.
A pragmatic recommendation: OpenTofu for HCL teams (safe, free, compatible), Pulumi for developer teams (powerful, testable, flexible). And some organizations are already practicing a hybrid approach: Terraform/OpenTofu for standard infrastructure, Pulumi for application-focused stacks.
Sources
- Terraform v1.14.5 Release — GitHub
- OpenTofu Guide: Features, Installation & Migration (2026) — StateGraph
- Pulumi Adds Native Support for Terraform and HCL — InfoQ
- Infrastructure as Code: Terraform vs OpenTofu vs Pulumi — A 2026 Comparison — Dasroot
- OpenTofu State and Plan Encryption — OpenTofu Docs
- Terraform License Change (BSL) — Impact on Users — Spacelift
- OpenTofu | CNCF — CNCF
- How To Choose Between Terraform, Pulumi, And OpenTofu — Open Source For You
- Pulumi Pricing — Pulumi