--- title: "SST vs Terraform vs Pulumi: Infrastructure as Code in 2026" author: "Nate Laquis" author_role: "Founder & CEO" date: "2029-04-02" category: "Technology" tags: - infrastructure as code - SST vs Terraform - Pulumi IaC - cloud automation 2026 - IaC drift management excerpt: "Infrastructure as code adoption hit 78% among startups this year, but choosing the wrong tool can lock your team into painful abstractions and slow releases. Here is how SST, Terraform, and Pulumi actually compare when you move past the landing pages." reading_time: "12 min read" canonical_url: "https://kanopylabs.com/blog/sst-vs-terraform-vs-pulumi-iac" --- # SST vs Terraform vs Pulumi: Infrastructure as Code in 2026 ## What Infrastructure as Code Actually Solves Infrastructure as code means defining your cloud resources in files that live in version control, get reviewed in pull requests, and deploy through CI pipelines. Instead of clicking through the AWS console or running one-off CLI commands, you declare what you want and the tool figures out how to create, update, or destroy resources to match that declaration. The real value is not automation for its own sake. It is repeatability, auditability, and the ability to tear down and recreate entire environments in minutes. When your staging environment drifts from production because someone made a manual change three months ago, IaC gives you a single source of truth to reconcile against. When a new engineer joins, they can read the infrastructure definitions and understand the full topology without digging through a cloud console. Adoption numbers back this up. As of early 2026, roughly 78% of startups use some form of infrastructure as code, up from around 55% in 2023. The shift happened because cloud environments got complex enough that manual management became a liability, not a shortcut. If your stack includes a CDN, a database, a queue, a few Lambda functions, and a Kubernetes cluster, you are managing dozens of interconnected resources. Doing that by hand is slow, error-prone, and impossible to reproduce reliably. ![Cloud infrastructure network visualization showing interconnected services and resources](https://images.unsplash.com/photo-1558494949-ef010cbdcc31?w=800&q=80) The three tools that dominate this space in 2026 each take a fundamentally different approach. **Terraform** uses its own declarative language (HCL) and is cloud-agnostic with the largest provider ecosystem. **Pulumi** lets you write infrastructure in TypeScript, Python, Go, or C# with full programming language capabilities. **SST** is purpose-built for AWS and serverless, using TypeScript with high-level constructs and a live development experience that no other tool matches. ## SST: AWS-Native TypeScript with Live Lambda Debugging SST (Serverless Stack Toolkit) started as a framework for building serverless apps on AWS and has evolved into a full infrastructure-as-code tool that competes directly with Terraform and Pulumi for AWS workloads. Its core philosophy: if your team writes TypeScript, your infrastructure should be TypeScript too, with first-class constructs that eliminate boilerplate. The killer feature is **sst dev**, the live Lambda debugging experience. When you run `sst dev`, SST deploys your infrastructure to AWS but routes Lambda invocations back to your local machine. You set breakpoints in VS Code, inspect variables, and step through your function code while it executes against real AWS services. No mocking DynamoDB or faking S3 responses. Your local code talks to the actual cloud resources in your development environment. This cuts the feedback loop from minutes (deploy, wait, check CloudWatch logs) to seconds. SST provides high-level components for common patterns. Defining an API with Lambda handlers, a DynamoDB table, and an S3 bucket takes about 20 lines of code. The equivalent in raw Terraform or even CDK would be 80 to 150 lines because you would need to wire up IAM roles, permissions, API Gateway integrations, and resource policies manually. SST infers sensible defaults and handles the glue. ### Where SST Falls Short SST is AWS-only. If you need multi-cloud support or are deploying to GCP or Azure, SST is not an option. It also targets serverless and modern app architectures specifically. If your workload is a fleet of EC2 instances behind an ALB, SST's constructs will not help much, and you will drop down to raw CDK constructs or CloudFormation. State management in SST relies on AWS CloudFormation under the hood. That means you inherit CloudFormation's limitations: slow updates for large stacks, occasional rollback failures, and the 500-resource-per-stack limit. SST mitigates this by automatically splitting large apps into multiple stacks, but you will hit CloudFormation's rough edges on complex deployments. The community, while growing fast, is smaller than Terraform's or Pulumi's. You will find fewer Stack Overflow answers, fewer third-party tutorials, and a narrower ecosystem of plugins. That said, the SST Discord is one of the most responsive developer communities in the cloud tooling space, and the core team ships updates at a pace that puts most open-source projects to shame. ## Terraform: The Cloud-Agnostic Standard with the Largest Ecosystem Terraform is the most widely adopted IaC tool in the world, and for good reason. It supports every major cloud provider, hundreds of SaaS platforms, and even on-premise infrastructure through its provider model. If a service has an API, there is probably a Terraform provider for it. That ecosystem advantage is enormous and self-reinforcing: more providers attract more users, which attract more providers. You write Terraform in HCL (HashiCorp Configuration Language), a declarative language designed specifically for infrastructure. HCL is not a general-purpose programming language. You cannot write for loops, conditionals, or abstractions the way you would in TypeScript. Terraform offers `count`, `for_each`, and modules to handle reuse, but these constructs feel clunky compared to real programming language features. For simple infrastructure, HCL's declarative nature is a strength because it forces you to be explicit. For complex infrastructure with lots of conditional logic, it becomes a constraint. ![Developer writing infrastructure code on a laptop screen with terminal and editor open](https://images.unsplash.com/photo-1517694712202-14dd9538aa97?w=800&q=80) ### State Management in Terraform Terraform tracks the state of your infrastructure in a JSON file. This state file maps your HCL definitions to real cloud resources so Terraform knows what exists, what changed, and what needs to be created or destroyed. By default, state is stored locally. In practice, every team uses a remote backend like S3 + DynamoDB for state locking, Terraform Cloud, or a third-party tool like Spacelift or env0. State management is Terraform's biggest operational burden. If two engineers run `terraform apply` simultaneously without proper locking, you can corrupt your state file. If someone deletes a resource manually in the console, your state drifts from reality and the next apply can fail or produce unexpected results. At scale, managing state across dozens of Terraform workspaces, each with their own state file and backend configuration, requires dedicated tooling and process discipline. ### The Licensing Question HashiCorp changed Terraform's license from MPL to BSL (Business Source License) in 2023, which led to the OpenTofu fork under the Linux Foundation. In 2026, both Terraform and OpenTofu are viable options. If you are concerned about vendor lock-in to HashiCorp, OpenTofu provides a drop-in alternative. The ecosystems have diverged slightly, but most providers and modules work with both. If you are evaluating your [cloud provider strategy](/blog/aws-vs-google-cloud-vs-azure), the choice between Terraform and OpenTofu is worth considering alongside the cloud decision itself. ## Pulumi: General-Purpose Languages for Infrastructure Pulumi's pitch is simple: write your infrastructure in the same language you write your application. TypeScript, Python, Go, C#, Java, or YAML. No new language to learn. No DSL limitations. You get the full power of your programming language, including type checking, IDE autocomplete, unit testing with your existing test frameworks, and the ability to share code between your app and your infrastructure. For TypeScript teams, this is compelling. You can define a reusable `WebService` component that provisions a load balancer, an ECS service, a CloudWatch dashboard, and an alarm, then use it like any other class. Conditional logic, loops, async/await, and package management all work the way you expect. Pulumi translates your imperative code into a declarative resource graph and handles dependency resolution, parallelism, and rollback. ### Component Abstractions Pulumi's component model lets you build higher-level abstractions that encapsulate best practices. A platform team can create a `SecureDatabase` component that configures encryption at rest, automated backups, private subnet placement, and security groups. Application teams use that component without understanding the underlying 15 resources it creates. This layered approach works well in organizations with a platform engineering function. The component registry (Pulumi Packages) has grown significantly, with reusable components for Kubernetes, AWS, Azure, and GCP patterns. You can also publish private components within your organization, which is useful for enforcing standards across multiple teams and projects. ### Pulumi's State and Secrets Like Terraform, Pulumi tracks state. You can use the Pulumi Cloud service (hosted backend), a self-managed S3 backend, or a local file. Pulumi Cloud provides a web UI for viewing resource history, managing stacks, and setting RBAC policies. One advantage Pulumi has over Terraform: secrets are encrypted in state by default. Terraform stores secrets in plaintext in the state file, which is a security concern that teams frequently overlook until a compliance audit flags it. Pulumi also supports policy-as-code through CrossGuard, letting you enforce rules like "all S3 buckets must have encryption enabled" or "no security groups may allow 0.0.0.0/0 ingress." These policies run at preview time, catching violations before they reach production. Terraform achieves similar functionality through Sentinel (paid, Terraform Cloud only) or third-party tools like OPA/Conftest, but Pulumi's approach is more tightly integrated. ## Head-to-Head: Learning Curve, Multi-Cloud, and Preview Deployments Choosing between these tools comes down to three factors that affect your team's daily experience: how fast you can onboard engineers, whether you need resources outside AWS, and how your preview and staging workflows function. ### Learning Curve for TypeScript Teams If your team already writes TypeScript, **SST and Pulumi** have the lowest barrier. Engineers write infrastructure in a language they know, with types, autocomplete, and compiler checks they rely on daily. SST is even faster to learn because its high-level constructs handle common patterns without requiring deep AWS knowledge. You can deploy an API + database + auth stack in under an hour following the SST tutorial. **Terraform** requires learning HCL, which is straightforward but still a new syntax. The real learning curve is not HCL itself but Terraform's execution model: plan vs. apply, state management, workspace isolation, and module composition. Junior engineers can write basic Terraform in a day but take weeks to understand state management and module design patterns. Senior infrastructure engineers consider this investment worthwhile because HCL's constraints prevent the kind of spaghetti code that general-purpose languages enable. ### Multi-Cloud Support **Terraform** is the clear winner for multi-cloud. With providers for AWS, GCP, Azure, Cloudflare, Datadog, PagerDuty, GitHub, and hundreds more, you can manage your entire technology stack from one tool. This is particularly valuable if you are running workloads across providers, as covered in our [cloud provider comparison](/blog/aws-vs-google-cloud-vs-azure). **Pulumi** supports all major clouds and many SaaS providers. Its provider ecosystem is smaller than Terraform's but covers the most common services. Pulumi can also bridge Terraform providers, giving you access to Terraform's ecosystem from Pulumi code. **SST** is AWS-only. Full stop. If multi-cloud is a requirement, SST is off the table. ### Preview Deployments All three tools support some form of preview or dry-run. Terraform has `terraform plan`, Pulumi has `pulumi preview`, and SST has `sst diff`. But the real differentiator is how well they integrate with your [CI/CD pipeline](/blog/how-to-set-up-cicd). Terraform and Pulumi both have strong GitHub integration that posts plan output as PR comments. SST's preview deployments spin up isolated AWS environments per branch, which is powerful for full-stack testing but more expensive than a simple diff output. ## IaC Drift: The Hidden Cost That Grows with Scale Drift happens when your actual cloud resources diverge from what your IaC definitions say they should be. Someone changes a security group rule in the console. An automated process modifies a resource outside of your IaC pipeline. A failed apply leaves resources in a partially updated state. Drift is not a matter of if. It is a matter of when and how bad. At small scale, drift is an annoyance. You run a plan, see unexpected changes, and reconcile manually. At scale, with hundreds of resources across multiple environments, drift becomes a serious operational and security risk. A drifted security group could expose a database to the public internet. A drifted IAM policy could grant overly permissive access. A drifted autoscaling configuration could cause an outage under load. ![Data analytics dashboard showing infrastructure monitoring metrics and drift detection alerts](https://images.unsplash.com/photo-1551288049-bebda4e38f71?w=800&q=80) ### How Each Tool Handles Drift **Terraform** detects drift on every `terraform plan` by comparing state to the actual cloud resources. However, it only detects drift when you run a plan. Between runs, drift goes unnoticed. Tools like Spacelift, env0, and Terraform Cloud add scheduled drift detection, running plans on a cron schedule and alerting you when drift is detected. This is table stakes for production environments. **Pulumi** behaves similarly, detecting drift during `pulumi preview`. Pulumi Cloud offers drift detection as a feature, with scheduled runs and notifications. The built-in secrets encryption means drifted secrets are at least not exposed in plaintext in the state file. **SST** inherits CloudFormation's drift detection, which can be triggered manually or on a schedule. CloudFormation drift detection is slower and less granular than Terraform or Pulumi's approach, but it covers the same ground for AWS resources. ### Preventing Drift at Scale The best strategy is prevention: lock down console access with read-only IAM policies for production accounts, route all changes through your IaC pipeline, and run drift detection on a schedule (hourly for critical environments, daily for others). If you are [trying to control cloud costs](/blog/how-to-reduce-cloud-bill), drift detection also catches orphaned resources that inflate your bill. A forgotten NAT Gateway or an unused Elastic IP might cost $30 to $50/month each, and at scale those orphans add up fast. Regardless of which tool you choose, invest in drift detection early. The cost of remediating drift grows exponentially with the number of resources and the time between detection and remediation. Catching a drifted security group within an hour is a quick fix. Discovering it six months later, after other changes have been built on top of it, is a multi-day project. ## Which Tool Should You Pick? After working with all three tools across dozens of client engagements, here is how we recommend thinking about the decision. ### Choose SST If: - Your stack is entirely on AWS with no plans to go multi-cloud. - You are building serverless-first with Lambda, DynamoDB, S3, and API Gateway. - Your team writes TypeScript and values fast iteration with live debugging. - You want high-level constructs that reduce boilerplate for common patterns. - You are a small team (under 15 engineers) that prioritizes developer experience over ecosystem breadth. ### Choose Terraform If: - You need multi-cloud support or manage resources across many providers and SaaS platforms. - You want the largest ecosystem of providers, modules, and community knowledge. - Your organization has a dedicated platform or DevOps team comfortable with HCL. - You need a tool that works the same way regardless of which cloud you are deploying to. - You value the maturity and stability of a tool that has been in production for over a decade. ### Choose Pulumi If: - Your team wants to use a real programming language (TypeScript, Python, Go) for infrastructure. - You need reusable component abstractions that encapsulate organizational best practices. - Secrets encryption in state is a hard requirement and you do not want to bolt on external tooling. - You are building a platform engineering layer where TypeScript components wrap complex multi-resource patterns. - You want policy-as-code tightly integrated into your preview workflow. ### The Honest Answer for Most Startups If you are an early-stage startup building on AWS with a TypeScript team, start with SST. The developer experience will make your small team faster, and the migration path to Terraform or Pulumi exists if you outgrow it. If you are a Series B+ company with a platform team and multi-cloud needs, Terraform is the safe default. If your team is TypeScript-heavy and you want the flexibility of real code without being locked to AWS, Pulumi is the best of both worlds. The worst choice is no choice. Running infrastructure manually or through ad-hoc scripts creates the exact drift, repeatability, and security problems that IaC solves. Pick a tool, commit to it, and enforce its use across your organization. If you are evaluating IaC tools and want guidance on which fits your stack, team, and growth trajectory, our infrastructure team has deployed all three in production. [Book a free strategy call](/get-started) and we will walk through the tradeoffs for your specific situation. --- *Originally published on [Kanopy Labs](https://kanopylabs.com/blog/sst-vs-terraform-vs-pulumi-iac)*