Terraform vs OpenTofu vs Pulumi — IaC in 2026
After the BSL split, the IaC landscape has settled into three real options. Here is how each one behaves under load, in CI, and on day-200.
| Dimension | Terraform | OpenTofu | Pulumi |
|---|---|---|---|
| Module ecosystem | 10 | 9 | 7 |
| Language ergonomics | 6 | 6 | 9 |
| State handling | 7 | 8 | 8 |
| Policy as code | 8 | 7 | 9 |
| Drift detection | 7 | 7 | 8 |
| Community | 8 | 9 | 7 |
| Total | 46/60 | 46/60 | 48/60 |
Where each one wins, where each one loses.
Terraform
Still the largest module ecosystem and the default in most enterprises. HCL is unloved but predictable. HCP Terraform adds real value if you can stomach the licence and pricing.
Enterprises that want the mainstream choice, the largest provider catalogue, and HCP Terraform's collaboration features.
BSL licensing, slower iteration on language features, and a community that increasingly maintains forks rather than upstream patches.
OpenTofu
The MPL-licensed fork that won. State encryption, dynamic provider iteration, and a faster release cadence on community-driven features. Drop-in compatible for most modules in 2026.
Teams that want HCL semantics without BSL exposure, plus state encryption and faster community iteration.
No HCP-equivalent first-party SaaS. You bring your own backend, runner, and policy stack — Spacelift, Env0, Scalr, or self-hosted.
Pulumi
Real programming languages mean real abstractions and real tests. Pulumi Cloud is genuinely good. Smaller community, occasional rough edges in the providers furthest from the AWS/GCP/Azure trio.
Software teams that want IaC to live in TypeScript or Go alongside their applications, with proper unit tests and component reuse.
Smaller talent pool, less StackOverflow surface area, and provider quality drops sharply outside the top dozen.
Terraform is still the safe enterprise default but it is no longer the obvious one. OpenTofu has earned a place as the open alternative for teams that want HCL without BSL. Pulumi remains the right answer when your team treats infrastructure as software, not configuration.
For new projects in 2026, OpenTofu is the better default than Terraform: same syntax, better licence, faster community iteration, and state encryption out of the box. Pick Terraform when HCP Terraform's collaboration features are non-negotiable. Pick Pulumi when your team will genuinely use the programming-language affordances rather than treating them as ornamentation.
The post-BSL world
The 2023 BSL relicence reshaped the IaC market more than any technical change in the previous five years. By 2026 the dust has settled, and the market has three credible answers: Terraform, OpenTofu, and Pulumi.
I run all three for different clients. The decision is no longer purely technical — licence posture, talent pool, and platform team taste all matter — but the technical differences are real, and they show up clearly under production load.
Terraform — still the default, no longer the obvious one
Terraform in 2026 is still the most widely deployed IaC tool by a comfortable margin. The provider ecosystem on the public registry is the largest. HCP Terraform has matured into a credible platform with good RBAC, run history, drift detection, and policy enforcement via Sentinel.
What has changed is the centre of gravity. Many community modules are now dual-published or have moved entirely to OpenTofu. New language features ship slower than they did in the 0.12 era. Provider authors hedge between the two ecosystems. The BSL licence keeps a slow but persistent share of new projects out of Terraform.
You pick Terraform when you need HCP Terraform's collaboration features, when your platform team has years of HCL muscle memory, or when an enterprise procurement decision has already been made.
OpenTofu — the open default
OpenTofu has done what most forks fail to do: matched the original on capability and pulled ahead in the dimensions the community cared most about. State encryption at rest is built in. Dynamic provider iteration solved a long-standing gap. Provider iteration with for_each is cleaner. The release cadence on community-driven features has been faster than HashiCorp's for two years now.
For most modules, drop-in compatibility holds. The migration story from Terraform 1.5 to OpenTofu is well-documented and routine. The remaining gap is the lack of a HashiCorp-equivalent first-party SaaS — you assemble your own runtime from Spacelift, Env0, Scalr, or self-hosted runners. For most teams in 2026 this is a feature, not a bug.
Pulumi — IaC as software
Pulumi remains the only mainstream IaC tool that lets you write infrastructure in real programming languages. In TypeScript, Go, Python, or .NET you get loops, conditionals, packages, unit tests, and component composition that HCL approximates badly.
The win shows up most in two cases: when a platform team is genuinely building reusable abstractions for application teams, and when infrastructure logic needs to share types with application code. The cost is a smaller talent pool, a smaller community, and uneven provider quality outside the AWS/GCP/Azure/Kubernetes core.
Pulumi Cloud is genuinely well-designed — better than HCP Terraform on policy-as-code (CrossGuard) and similarly good on state and run history.
State, the unglamorous decider
State handling is the dimension that most teams underweight until they have a corrupt state file at midnight. OpenTofu's state encryption at rest is the most important new IaC feature of the last two years. Pulumi's state model with checkpointing handles partial-failure scenarios better than Terraform's two-phase apply. Terraform with HCP backend is solid but still leaks unencrypted state to backends if you misconfigure.
Policy as code
Sentinel (Terraform), OPA-via-Conftest (OpenTofu, Terraform), and CrossGuard (Pulumi) are all viable. The honest ranking by ergonomics in 2026 is CrossGuard > OPA > Sentinel. Sentinel is fine but it is its own DSL and the testing story is weaker.
The recommendation
For new projects in 2026, default to OpenTofu. Same syntax, better licence, more momentum, state encryption included. Use Terraform when HCP's collaboration features are essential to a regulated workflow. Use Pulumi when your platform team will genuinely build software-style abstractions and write tests for them — not when "real programming languages" is just a slide in a deck.
Whatever you pick, version-pin the binary, pin every provider, run plans in CI on every PR, and treat drift as a P2 incident. The tool matters less than the discipline around it.