← Back to context

Comment by gouggoug

2 days ago

Not an opinion on Pulumi specifically, but an opinion on using imperative programming languages for infrastructure configuration: don't do it. (This includes using things like CDKTF)

Infrastructure needs to be consistent, intuitive and reproducible. Imperative languages are too unconstrained. Particularly, they allow you to write code whose output is unpredictable (for example, it'd be easy to write code that creates a resources based on the current time of day...).

With infrastructure, you want predictability and reproducibility. You want to focus more on writing _what_ your infra should look like, less _how_ to get there.

12 comments

gouggoug

Reply
__turbobrew__  4 hours ago

> for example, it'd be easy to write code that creates a resources based on the current time of day

Some languages make that impossible to do, for example starlark.

juffasdfwa  1 day ago

The imperative trite just comes off as geriatric. There are better arguments you can use here which you have shared below. One of which I agree with.

nothrabannosir  2 days ago

Couldn't disagree more.

I have written both TF and then CDKTF extensively (!), and I am absolutely never going back to raw TF. TF vs CDKTF isn't declarative vs imperative, it's "anemic untyped slow feedback mess" vs "strong typesystem, expressive builtins and LSP". You can build things in CDKTF that are humanly intractable in raw TF and it requires far less discipline, not more, to keep it from becoming an unmaintainable mess. Having a typechecker for your providers is a "cannot unsee" experience. As is being able to use for loops and defining functions.

That being said, would I have preferred a CDKTF in Haskell, or a typed Nix dialect? Hell yes. CDKTF was awful, it was just the least bad thing around. Just like TF itself, in a way.

But I have little problems with HCL as a compilation target. Rich ecosystem and the abstractions seem sensible. Maybe that's Stockholm syndrome? Ironically, CDKTF has made me stop hating TF :)

Now that Hashicorp put the kibosh on CDKTF though, the question is: where next...

  • Too  9 hours ago

    This does not match my experience. Terraform validate will check for types and you have great IDE support with refactor, find usages, resource documentation and everything else you might expect. You can of course build a monster of untyped dictionaries but that’s true for almost any language. Do you have examples of something else that the validation step does not find?

    • nothrabannosir  41 minutes ago

      I never had this integrated with an editor but maybe I didn’t try hard enough. With CDKTF, a stock typescript IDE automatically has tab complete for every provider you want. That + being able to use functions, variables, loops, arrays, and structs for composition made it a completely different experience.

      If those things all end up coming to terraform I’m all ears. For now it seemed more like a compilation target.

kstrauser  2 days ago

Thanks for saving me the trouble of writing exactly that. I want my IaC to be roughly as Turing complete as JSOJ. It’s sooo tempting to say “if only I could write this part with a for loop…” and down that path lies madness.

There are things I think Terraform could do to improve its declarative specs without violating the spirit. Yet, I still prefer it as-is to any imperative alternatives.

vanviegen  2 days ago

> Particularly, they allow you to write code whose output is unpredictable

Is that an easy mistake to make and a hard one to recover from, in your experience?

The way you have to bend over backwards in Terraform just to instantiate a thing multiple times based on some data really annoys me..

  • gouggoug  1 day ago

    > Is that an easy mistake to make and a hard one to recover from, in your experience?

    If you're alone in a codebase? Probably not.

    In a company with many contributors of varying degrees of competence (from your new grad to your incompetent senior staff), yes.

    In large repositories, without extremely diligent reviewers, it's impossible to prevent developers from creating the most convoluted anti-patterny spaghetti code, that will get copy/pasted ad nauseam across your codebase.

    Terraform as a tool and HCL as a programming language leave a lot to be desire (in hindsight only, because, let's be honest, it's been a boon for automation), but their constrained nature makes it easier to reign in the zealous junior developer who just discovered OOP and insists on trying it everywhere...

    • juffasdfwa  1 day ago

      > but their constrained nature makes it easier to reign in the zealous junior developer who just discovered OOP and insists on trying it everywhere...

      I don't think this is true anymore. Junior devs of today seem to be black pilled on OOP.

      1 reply →

  • franktankbank  1 day ago

    Agreed, I'm fine with a declarative format in one file as long as I can control the imperative bits on which it depends.

popalchemist  2 days ago

yes. IaC is a misnomer. IaC implementations should have a spec (some kind of document) as the source of truth; not code.