The Challenge of Vendor Specific IaC Tooling
CloudFormation and Bicep might seem convenient, but they're setting you up for a maintenance nightmare. Here's why vendor-neutral IaC is the only sustainable path forward and which tool you should actually use.
Hey folks,
When you are choosing an IaC tool, should you pick something vendor neutral like Terraform or OpenTofu, or stick with a tool offered by your cloud vendor?
I have seen that it's hard to create standard practices across diverse tooling. Tools like Bicep (for Azure) and CloudFormation (for AWS) were built in a vacuum. They weren't built to play well together or with other tools.
It’s similar to the features of the public clouds those tools were built to manage. AWS and Azure both have VPC constructs, managed databases, and managed Kubernetes. But the way they've implemented IAM (identity and access management) varies. How you use those tools to get a user or a role authenticated within that cluster, database or network is so different that you're not comparing apples to apples. It's apples and oranges. Both have IAM commands, but you must deal with them differently.
It's the same with infrastructure as code tooling. You can't expect to create a solid, sustainable IaC solution if you have multiple tools in use.
Limitations of Vendor Solutions
There's going to be something else that you want to integrate with one day, like your DNS vendor or your centralized logging solution. The vendor solutions mentioned above, such as CloudFormation or Bicep, do one thing: manage cloud resources from that vendor. You can hack around as much as you want, but if you are just using those vendor-specific solutions, you're only going to create technical debt for yourself: something that isn't easy to understand, isn't easily documented, and is going to look ugly and feel ugly to the people who come after you.
Vendor neutral tools like OpenTofu, Terraform and others give you more of a Swiss Army knife that can be used across your environments rather than a tool that does one thing.
Hopefully I’ve persuaded you to consider a vendor neutral option. But of the ones listed above, which do I recommend?
The OpenTofu Movement
At Masterpoint, we recommend OpenTofu for our IaC tooling. We're big fans of OpenTofu and big fans of open source generally.
If folks are building new systems, I don't know many that are picking Terraform deliberately. Maybe they're picking Terraform because they don't know that there's an alternative. They don't know about the drawbacks of Terraform.
But the OpenTofu team has really done a fantastic job of proving themselves. They've built some awesome differentiating functionality that I think is really valuable. Dynamic backends and encrypted state are just a few of the things that they've built that are really cool. They've also just been really good within the community.
People who don't have a huge corpus of Terraform code, who are starting new, are really gravitating towards OpenTofu in my experience. Even among those that do have a lot of Terraform, we've seen migration. Fidelity migrated 50,000 state files. That’s a big enterprise that made a huge switch to OpenTofu because there is just no optionality in terms of how you automate Terraform. You have to go with Terraform Cloud, unless you want to build the automation yourself.
OpenTofu is a direct fork of Terraform at version 1.5.7 and it is completely compatible. The only place we're starting to see divergence is where either OpenTofu or Terraform implements a new set of functionality that the other does not yet support. An example is ephemeral values in Terraform, released in 1.10 in November 2024. OpenTofu released this in December 2025 in 1.11. If you are using a prior version of OpenTofu, that is a thing that will potentially break when you migrate. Do your research, or ask us!
But if you've been on Terraform 1.5 for a year past the business source license change, then you would have a super simple migration. We've migrated hundreds of thousands of lines of Terraform code to OpenTofu at this point. It's fully compatible and people shouldn't be worried about the migration.
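One way to check for the ephemeral-values divergence before switching, as an added example that is not from the original post or from Masterpoint: a small Python scan that flags ephemeral constructs in a configuration and reports them as blockers when the target OpenTofu version is older than 1.11. The sample configuration, the `example_secret` type and the function names are constructed for illustration; block comments and heredocs are not parsed, so the scan can over-report but will not under-report because of them.

```python
import re

# Constructed sample configuration; "example_secret" is a hypothetical type.
SAMPLE_TF = '''\
variable "db_password" {
  type      = string
  ephemeral = true
}

# ephemeral "example_secret" "commented_out" {}
ephemeral "example_secret" "db" {
  length = 24
}

locals {
  policy = "arn:example:bucket/* # not a comment"
  pw     = ephemeral.example_secret.db.value // trailing ephemeral.x.y comment
}
'''

PATTERNS = [
    ("ephemeral block", re.compile(r'^\s*ephemeral\s+"[^"]+"\s+"[^"]+"\s*\{')),
    ("ephemeral attribute", re.compile(r'^\s*ephemeral\s*=\s*true\b')),
    ("ephemeral reference", re.compile(r'\bephemeral\.[\w-]+\.[\w-]+')),
]
# Everything on a line before a # or // comment that sits outside a quoted string.
CODE_RE = re.compile(r'((?:"(?:\\.|[^"\\])*"|[^"#/]|/(?!/))*)')
FIRST_TOFU_WITH_EPHEMERAL = (1, 11)  # OpenTofu version named in the post


def find_ephemeral_usage(text):
    """Return (line_number, kind) for each ephemeral construct in HCL text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = CODE_RE.match(raw).group(1)  # strings are kept: "${...}" may reference
        for kind, pattern in PATTERNS:
            if pattern.search(code):
                findings.append((lineno, kind))
    return findings


def migration_blockers(text, tofu_version):
    """Findings that a target OpenTofu version (e.g. "1.10.6") cannot run."""
    target = tuple(int(p) for p in tofu_version.split(".")[:2])
    return find_ephemeral_usage(text) if target < FIRST_TOFU_WITH_EPHEMERAL else []


if __name__ == "__main__":
    for lineno, kind in migration_blockers(SAMPLE_TF, "1.10.6"):
        print(f"line {lineno}: {kind}")
```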
If you want to automate your IaC, the rich ecosystem of good vendors that OpenTofu supports is really nice. I'm going to continue to recommend the open source one just because there's not a reason to go with a vendor locked solution.
May your IaC tooling always be vendor-neutral,
Matt @ Masterpoint
PS If you want to chat about how vendor specific tools like Bicep compare to OpenTofu, grab some time on my calendar here.