Quick Answer: OpenTofu is the safest choice for new projects in 2026 -- it is the community fork of Terraform under the Linux Foundation, fully open-source, and compatible with all Terraform providers. For teams that want to write infrastructure in Python/TypeScript/Go instead of HCL, Pulumi is the best option. For AWS-only shops, AWS CDK provides the tightest integration.
The IaC Landscape in 2026
The infrastructure as code landscape was upended in 2023 when HashiCorp changed Terraform's license from MPL 2.0 (open-source) to BSL 1.1 (source-available but not open-source). This triggered the creation of OpenTofu, a community fork under the Linux Foundation. Two years later, the dust has settled and the implications are clear: the IaC ecosystem is fragmented but healthy, with multiple strong options for different needs.
We deployed identical infrastructure (VPC, ECS cluster, RDS database, S3 buckets, CloudFront distribution, Lambda functions) on AWS using each IaC tool and compared the experience across setup time, maintenance burden, team onboarding, and day-2 operations.
Quick Comparison
| Tool | Language | License | Multi-Cloud | State Management | Learning Curve |
|---|---|---|---|---|---|
| OpenTofu | HCL | MPL 2.0 (OSS) | Yes | File/S3/Cloud | Medium |
| Terraform | HCL | BSL 1.1 | Yes | File/S3/Cloud | Medium |
| Pulumi | TS/Py/Go/C# | Apache 2.0 | Yes | Pulumi Cloud/S3 | Low (if you know the language) |
| AWS CDK | TS/Py/Java/C# | Apache 2.0 | AWS only | CloudFormation | Medium |
| Crossplane | YAML (K8s CRDs) | Apache 2.0 | Yes | Kubernetes | High |
1. OpenTofu -- Best Overall for New Projects
OpenTofu is a drop-in replacement for Terraform. Same HCL syntax, same provider ecosystem, same state format. The difference is the license: OpenTofu is MPL 2.0 (genuinely open-source), backed by the Linux Foundation, and cannot be relicensed by a single company.
Why OpenTofu Over Terraform
- License safety -- no risk of BSL restrictions affecting your use case. Commercial products that embed or integrate with IaC tooling should use OpenTofu to avoid license ambiguity.
- Community governance -- Linux Foundation stewardship means no single company controls the project's direction
- Full compatibility -- existing Terraform configurations, modules, and state files work with OpenTofu without modification. Migration is literally
s/terraform/tofu/gin your scripts. - New features -- OpenTofu has added features not in Terraform, including client-side state encryption, early variable/local evaluation, and provider iteration with
for_each
Migration from Terraform
# Install OpenTofu
brew install opentofu
# Replace terraform binary
# Existing .tf files work unchanged
tofu init
tofu plan
tofu apply
# State files are compatible -- no migration neededWe migrated a production Terraform setup (47 resources, 12 modules) to OpenTofu in 15 minutes. Zero code changes, zero state migration, zero downtime.
Best for: Any team starting new IaC projects or migrating from Terraform. The safest long-term choice for HCL-based infrastructure management.
2. Terraform -- The Incumbent
Terraform remains the most widely used IaC tool, and for good reason: the largest provider ecosystem (3,000+ providers), the most community modules, and the most documentation and tutorials. If you have existing Terraform infrastructure, there is no urgent need to migrate.
When to Stay with Terraform
- Terraform Cloud/Enterprise -- if you use HashiCorp's managed state, policy-as-code (Sentinel), and workspace features, switching to OpenTofu loses these
- HashiCorp stack -- if you also use Vault, Consul, and Nomad, staying in the HashiCorp ecosystem has integration benefits
- Enterprise support -- HashiCorp provides commercial support for Terraform Enterprise
The BSL License Risk
For most users -- deploying infrastructure for your own company -- the BSL license changes nothing. The risk is for companies that build products that compete with HashiCorp's offerings (Terraform Cloud, Waypoint, etc.) or embed Terraform in commercial products. If you are just using Terraform to manage your AWS infrastructure, you are fine.
That said, the principle matters. An open-source project relicensing to restrict commercial use erodes trust, and OpenTofu's existence ensures a permanently open-source alternative.
3. Pulumi -- Best for Developer Teams
Pulumi's pitch is simple: write infrastructure in a language you already know. Instead of learning HCL, define infrastructure in TypeScript, Python, Go, Java, or C#. This means you get loops, conditionals, functions, type checking, testing, IDE support, and package management -- all things HCL struggles with.
Where Pulumi Wins
- No new language to learn -- your team already knows TypeScript or Python. HCL is yet another thing to learn, and its limitations (no real functions, awkward loops, limited conditionals) frustrate experienced programmers.
- Testing -- write unit tests for your infrastructure using your language's test framework. Mock cloud resources and verify that your IaC generates the expected resources. This is powerful for catching misconfigurations before deployment.
- Abstraction -- create reusable infrastructure components as classes/functions. Build a VPC class that encodes your company's networking standards, publish it as a package, and every team uses it. HCL modules can do this, but real programming languages do it better.
- IDE support -- full IntelliSense, type checking, and refactoring support from your IDE. HCL support in IDEs is limited by comparison.
Example: VPC in Pulumi TypeScript vs HCL
// Pulumi TypeScript
const vpc = new aws.ec2.Vpc("main", {
cidrBlock: "10.0.0.0/16",
enableDnsHostnames: true,
tags: { Name: "production" },
});
const subnets = ["10.0.1.0/24", "10.0.2.0/24"].map((cidr, i) =>
new aws.ec2.Subnet(`subnet-${i}`, {
vpcId: vpc.id,
cidrBlock: cidr,
availabilityZone: `us-east-1${String.fromCharCode(97 + i)}`,
})
);Where Pulumi Falls Short
- Smaller community -- fewer tutorials, blog posts, and Stack Overflow answers compared to Terraform
- State management -- Pulumi Cloud is the default state backend, and the free tier is limited. Self-managed backends (S3, Azure Blob) are available but require more setup.
- Provider coverage -- Pulumi supports most major cloud providers but the long tail of niche providers is thinner than Terraform's 3,000+ registry
- Imperative freedom -- the ability to write arbitrary code in infrastructure definitions can lead to overly complex, hard-to-review IaC. HCL's limitations are also guardrails.
Best for: Developer teams that dislike HCL and want to use their existing programming language skills for infrastructure management.
4. AWS CDK -- Best for AWS-Only Teams
AWS CDK (Cloud Development Kit) generates CloudFormation templates from TypeScript, Python, Java, or C# code. If your infrastructure is 100% AWS, CDK provides the tightest integration with the deepest type-safe coverage of AWS services.
CDK's Advantages
- AWS-native constructs -- CDK L2 and L3 constructs encode AWS best practices. Creating an ECS Fargate service with CDK automatically sets up load balancers, security groups, IAM roles, and CloudWatch alarms with sensible defaults. In Terraform, you would configure each resource manually.
- Type-safe AWS resources -- every AWS resource property is typed. Your IDE shows available properties, required parameters, and valid values. Catch misconfigurations at compile time, not during deployment.
- Constructs Hub -- a registry of reusable, community-built CDK constructs that package common patterns
- CloudFormation integration -- CDK generates CloudFormation, which means you get CloudFormation's rollback protection, drift detection, and resource import features
CDK's Limitations
- AWS only -- no GCP, Azure, or other cloud provider support (though cdktf bridges CDK to Terraform providers)
- CloudFormation limits -- CDK is ultimately constrained by CloudFormation's 500-resource stack limit, update behavior, and deployment speed
- Abstractions hide complexity -- L2/L3 constructs create resources you may not realize exist. A single CDK line can generate 15 CloudFormation resources, making debugging and cost estimation harder.
Best for: Teams that are all-in on AWS and want the deepest integration with AWS services. Particularly strong for teams deploying ECS, Lambda, and API Gateway workloads.
5. Crossplane -- Best for Kubernetes-Native Teams
Crossplane extends Kubernetes with custom resources that provision cloud infrastructure. Instead of running a separate IaC tool, you define cloud resources as Kubernetes YAML and kubectl apply them.
The Kubernetes-Native Approach
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
metadata:
name: production-db
spec:
forProvider:
region: us-east-1
dbInstanceClass: db.t3.medium
engine: postgres
engineVersion: "16"
allocatedStorage: 50Apply with kubectl apply -f rds.yaml and Crossplane provisions the RDS instance. The Kubernetes reconciliation loop continuously ensures the actual state matches the desired state -- if someone modifies the RDS instance manually, Crossplane reverts it.
When Crossplane Makes Sense
- Your team already manages everything through Kubernetes
- You want a single control plane for applications and infrastructure
- You need continuous reconciliation (GitOps for infrastructure)
- You are building an internal platform that abstracts cloud resources for development teams
When It Does Not
Crossplane requires a running Kubernetes cluster, which adds complexity for teams that do not already use Kubernetes. The learning curve is steep -- you need to understand Kubernetes CRDs, controllers, and composition. For teams that just need to provision some EC2 instances and RDS databases, Crossplane is massive overkill.
Best for: Platform engineering teams building internal developer platforms on Kubernetes.
How to Choose
| Scenario | Recommended Tool |
|---|---|
| New project, multi-cloud or cloud-agnostic | OpenTofu |
| Existing Terraform infrastructure | Stay with Terraform or migrate to OpenTofu |
| Developer team that dislikes HCL | Pulumi |
| AWS-only, deep AWS integration needed | AWS CDK |
| Kubernetes-native platform team | Crossplane |
| Small team, just getting started | OpenTofu (most resources/tutorials available) |
| Enterprise with HashiCorp stack | Terraform Enterprise |
FAQ
Should I use Terraform or OpenTofu in 2026?
OpenTofu for new projects. It is fully open-source, Linux Foundation governed, and compatible with all Terraform providers and state files. Existing Terraform setups can migrate with zero code changes.
Is Pulumi better than Terraform?
Pulumi is better for developer teams that want to use a real programming language. Terraform/OpenTofu is better for the largest provider ecosystem and the most community resources.
What IaC tool should a small team use?
AWS-only: AWS CDK in TypeScript. Multi-cloud: OpenTofu. Developer teams that resist HCL: Pulumi.
Can I mix IaC tools?
Yes, and many organizations do. A common pattern is Terraform/OpenTofu for core infrastructure (VPCs, databases, Kubernetes clusters) and Pulumi or CDK for application-level resources that benefit from programming language features. State files are separate, so tools do not conflict.
Last updated June 2026. Tested with OpenTofu 1.8, Terraform 1.9, Pulumi 3.x, AWS CDK v2, and Crossplane 1.16.