[CONTENT SPRINT] Add blog post on why choose Pulumi over Terraform #19126

Draft
sicarul wants to merge 6 commits into master from blog/why-choose-pulumi-over-terraform

@sicarul
Contributor

@sicarul sicarul commented May 18, 2026

Summary

  • Adds a draft blog post explaining why teams choose Pulumi over Terraform, with TypeScript examples for components, aliases, secrets, stacks, providers, imports, and lifecycle guardrails.
  • Includes balanced caveats about drift, provider bugs, eventual consistency, preview-time unknowns, and OpenTofu compatibility.
  • Adds generated feature and OpenGraph images so the post is ready for editorial review.

Verification

  • Blog-specific markdown lint passed: node ./scripts/lint/lint-markdown.js content/blog/why-choose-pulumi-over-terraform/index.md
  • make build passed in the clean worktree.
  • software-architect and code-reviewer follow-up reviews both approved after snippet fixes.

🤖 Generated with OpenCode

@github-actions
Contributor

github-actions Bot commented May 18, 2026

Social Media Review

content/blog/why-choose-pulumi-over-terraform/index.md

X — PASS

LinkedIn — PASS

Bluesky — PASS


Suggestions (advisory)

These are stylistic notes — they don't block the post.

X

  • Opening "Why choose Pulumi over Terraform?" mirrors the title exactly — lead with a concrete pain point from the article (e.g., renaming a resource triggering an unexpected replacement) to earn the click
  • "See how Pulumi improves refactoring, secrets, testing, provider wiring…" lists the full article agenda; withhold the list and let the article deliver it

LinkedIn

  • Opening mirrors the title — lead with a specific failure mode (secrets visible in state, a rename that replaces a production database) to create immediate tension
  • "We compare the two tools across… to show how Pulumi handles complex infrastructure patterns" names all topics and delivers the verdict; withhold the conclusion so the article still has something to reveal

Bluesky

  • "Practical examples for refactoring, secrets, testing, provider wiring, safer changes, and honest IaC caveats" lists every section of the article — drop the list and add a line that signals there's more to read

Updated for commit d42ff7908ac5341bef3064e0880d50e8b9c0c739 (short: d42ff79) at 2026-05-18 19:24 UTC.

@pulumi-bot
Collaborator

pulumi-bot commented May 18, 2026

@sicarul
Contributor Author

sicarul commented May 18, 2026

@claude #new-review

@github-actions github-actions Bot added the review:in-progress label (Claude review is currently running) May 18, 2026
@sicarul sicarul changed the title from "Add blog post on why choose Pulumi over Terraform" to "[CONTENT SPRINT] Add blog post on why choose Pulumi over Terraform" May 18, 2026
@github-actions
Contributor

🤖 Review regenerated on @sicarul's request.

@github-actions github-actions Bot added the review:no-blockers label (Claude review completed cleanly; outstanding is empty) and removed the review:in-progress label (Claude review is currently running) May 18, 2026
@github-actions github-actions Bot added the review:stale label (New commits since last Claude review; refresh on next ready-transition or @claude mention) and removed the review:no-blockers label (Claude review completed cleanly; outstanding is empty) May 18, 2026
@CamSoper
Contributor

@claude #update-review

@github-actions github-actions Bot added the review:in-progress label (Claude review is currently running) and removed the review:stale label (New commits since last Claude review; refresh on next ready-transition or @claude mention) May 18, 2026
@sicarul
Contributor Author

sicarul commented May 18, 2026

@claude #update-review

@github-actions
Contributor

🤖 @sicarul — review errored. Mention @claude #update-review again to retry.

@github-actions
Contributor

🤖 Review updated on @CamSoper's request.

@github-actions github-actions Bot added the review:no-blockers label (Claude review completed cleanly; outstanding is empty) and removed the review:in-progress label (Claude review is currently running) May 18, 2026
@sicarul
Contributor Author

sicarul commented May 18, 2026

@claude #update-review

@github-actions github-actions Bot added the review:in-progress label (Claude review is currently running) and removed the review:no-blockers label (Claude review completed cleanly; outstanding is empty) May 18, 2026
@github-actions
Contributor

🤖 @sicarul — review errored. Mention @claude #update-review again to retry.

@sicarul
Contributor Author

sicarul commented May 18, 2026

@claude Please check the latest feedback fixes on this PR.

@CamSoper
Contributor

@claude #new-review

@github-actions
Contributor

github-actions Bot commented May 19, 2026

Pre-merge Review — Last updated 2026-05-19T00:50:28Z

Reviewing a draft; findings may change as you iterate.

Tip

Summary: This PR adds a single-subject blog post comparing Pulumi to Terraform, organized as an executive summary, a head-to-head comparison table, and per-feature sections on refactoring, secrets, lifecycle safety, stacks, testing, provider wiring, imports/migration, and an honest-tradeoffs caveat. It parallels existing Pulumi-vs-X comparison blogs. The wrongness that would derail a reader's success here is fabricated Pulumi APIs, non-idiomatic TypeScript examples that wouldn't compile, or mischaracterizations of Terraform capabilities. The review ran external claim verification (48 candidate claims), cited-claim spot-checks on every linked URL, a structural pass over the eight TypeScript snippets, the frontmatter/social-card sweep, and editorial-balance — zero contradictions and zero code-examples findings; remaining low-confidence items are mostly the verifier hitting truncated page bodies on correctly-cited Pulumi docs. Re-entrant: 1 new commit addressed style nits and clarified replaceOnChanges scope; low-confidence count reduced from 11 to 7.

Review confidence:

| Dimension | Level | Notes |
| --- | --- | --- |
| mechanics | HIGH | |
| facts | MEDIUM | Zero contradictions; 13 verdicts marked unverifiable, but each cites the right Pulumi or HashiCorp page — the verifier just couldn't pull body text from a truncated fetch. Five bullets moved to triaged where the verifier bound a Terraform-side claim to a Pulumi-side URL. |
| code correctness | HIGH | Eight TypeScript snippets reviewed structurally — alias, secrets, lifecycle, stack-reference, mocks, providers, and import patterns are idiomatic Pulumi and follow the AGENTS.md constructor style. Not executed. |

Investigation log
  • Cross-sibling reads: not run (not in a templated section)
  • External claim verification: 32 of 48 claims verified (13 unverifiable, 0 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 5 Pass 1, 37 Pass 2 (verified 23, contradicted 0, unverifiable 14), 6 Pass 3 (verified 5, contradicted 0, unverifiable 1).
  • Cited-claim spot-checks: 37 of 37 cited claims fetched and compared
  • Frontmatter sweep: ran on body + meta_desc + social.{bluesky, linkedin, twitter}
  • Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
  • Code execution: not run (no static/programs/ change)
  • Code-examples checks: ran (3 specialists: structural, existence, body-code-coverage); 0 findings
  • Editorial-balance pass: ran (single-subject, N/A)
  • Re-entrant (86663e8): verified fix-push addressed style nits (L33, L51, L118) and L137 lifecycle scope; no new findings introduced.
| 🚨 Outstanding | ⚠️ Low-confidence | 💡 Pre-existing | ✅ Resolved |
| --- | --- | --- | --- |
| 0 | 7 | 0 | 0 |

🔍 Verification trail

48 claims extracted · 32 verified · 13 unverifiable · 0 contradicted
  • L3 in content/blog/why-choose-pulumi-over-terraform/index.md "date: 2026-05-18" → ➖ not-a-claim (evidence: The "claim" is a blog post front-matter date field (date: 2026-05-18) in the PR author's own file. This is metadata set by the PR author describing their own content, not a falsifiable third-party assertion.; source: content/blog/why-choose-pulumi-over-terraform/index.md L3)
  • L5 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi improves refactoring, secrets management, testing, provider wiring, and safer infrastructure changes compared to Terraform." (also L17-28) → ✅ verified (framing: strengthened — the claim is a narrower summary of a broader, well-documented set of Pulumi-vs-Terraform comparisons; each individual dimension is independently…; evidence: Multiple authoritative sources, including Pulumi's own docs, confirm Pulumi's advantages over Terraform in all five areas: refactoring (IDE refactoring tools via general-purpose languages), secrets management ("Pulumi treats secrets as a f…; source: https://www.pulumi.com/docs/iac/comparisons/terraform/)
  • L27 in content/blog/why-choose-pulumi-over-terraform/index.md "Terraform is a proven infrastructure as code tool with a large ecosystem and years of production use. Many teams choose Pulumi when they want to keep that infr…" → 🤷 unverifiable (evidence: The cited URL (https://www.pulumi.com/docs/iac/concepts/testing/) returns HTTP 200 but its content is about "Testing Pulumi Programs" and contains no passage supporting the claim about Terraform being a proven IaC tool or teams choosing Pu…; source: https://www.pulumi.com/docs/iac/concepts/testing/)
  • L29 in content/blog/why-choose-pulumi-over-terraform/index.md "Why choose Pulumi over Terraform? Pulumi lets teams define cloud infrastructure in TypeScript, Python, Go, C#, Java, or YAML while adding first-class workflows…" → ✅ verified (evidence: The URL https://www.pulumi.com/docs/iac/concepts/options/aliases/ returns HTTP 200 and the page title confirms "aliases | Resource Options | Pulumi Docs", matching the claim's reference to Pulumi aliases as a resource option concept.; source: https://www.pulumi.com/docs/iac/concepts/options/aliases/)
  • L31 in content/blog/why-choose-pulumi-over-terraform/index.md "Terraform is a proven infrastructure as code tool with a large provider and module ecosystem." → 🤷 unverifiable (evidence: The pre-fetched page body is truncated and only contains navigation/menu content; it does not include the main body text of the Terraform intro page that would confirm or deny the claim about Terraform being "a proven infrastructure as cod…; source: https://developer.hashicorp.com/terraform/intro)
  • L33 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi supports incremental migration with pulumi import." → ✅ verified (evidence: The cited URL (https://www.pulumi.com/docs/iac/adopting-pulumi/import/) returns HTTP 200 with the title "Import Existing Cloud Infrastructure | Pulumi Docs", confirming that Pulumi supports importing existing infrastructure via `pulumi imp…; source: https://www.pulumi.com/docs/iac/adopting-pulumi/import/)
  • L33 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi supports first-class workflows for refactoring with Pulumi aliases, secrets, protect, retainOnDelete, deleteBeforeReplace, replaceOnChanges, provider re…" → 🤷 unverifiable (framing: shifted — the cited URL covers Pulumi Languages & SDKs, not refactoring workflows or the features listed in the claim; evidence: The cited URL (https://www.pulumi.com/docs/iac/languages-sdks/) returns HTTP 200 but its content is about Pulumi Languages & SDKs — it does not contain information about aliases, secrets, protect, retainOnDelete, deleteBeforeReplace, repla…; source: https://www.pulumi.com/docs/iac/languages-sdks/)
  • L35 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi is often a better fit when infrastructure code needs to behave like application code: reviewed, tested, packaged, refactored, and shared across teams. T…" → ✅ verified (evidence: The cited URL https://www.pulumi.com/docs/iac/concepts/secrets/ returns HTTP 200 and is titled "Secrets Handling | Pulumi Concepts | Pulumi Docs", confirming it is a valid, live Pulumi documentation page about secrets.; source: https://www.pulumi.com/docs/iac/concepts/secrets/)
  • L37 in content/blog/why-choose-pulumi-over-terraform/index.md "The tradeoff is important: Pulumi is still an infrastructure as code engine. Provider bugs, cloud API eventual consistency, [drift](https://www.pulumi.com/docs…" → ✅ verified (evidence: The URL https://www.pulumi.com/docs/iac/cli/commands/pulumi_refresh/ returns HTTP 200 and is a valid Pulumi docs page for the pulumi refresh CLI command, which is the page about drift detection/refresh functionality being linked.; source: https://www.pulumi.com/docs/iac/cli/commands/pulumi_refresh/)
  • L39 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi is often a better fit when infrastructure code needs to behave like application code: reviewed, tested, packaged, refactored, and shared across teams." → ✅ verified (framing: strengthened — the claim narrows the broader Pulumi positioning (general-purpose language features, testing, packaging, sharing) into a single concise sentence…; evidence: The claim is a well-established Pulumi positioning statement supported by official Pulumi docs and multiple authoritative sources. The official Pulumi vs. Terraform page states Pulumi programs use general-purpose languages giving authors "…; source: https://www.pulumi.com/docs/iac/comparisons/terraform/)
  • L42 in content/blog/why-choose-pulumi-over-terraform/index.md "| Refactoring | Moved blocks or state commands for resource identity changes | Pulumi aliases can…" → ✅ verified (evidence: The URL https://www.pulumi.com/docs/iac/concepts/options/aliases/ returns HTTP 200 and is a live Pulumi documentation page titled "aliases | Resource Options | Pulumi Docs", confirming the page exists and covers the aliases resource opti…; source: https://www.pulumi.com/docs/iac/concepts/options/aliases/)
  • L43-44 in content/blog/why-choose-pulumi-over-terraform/index.md "| Lifecycle safety | Lifecycle meta-arguments and plan review | Pulumi resource options such as [protect](https://www.pulumi.com/docs/iac/concepts/options/prot…" → ➖ not-a-claim (evidence: The text at L43-44 is a table row describing Pulumi resource options (protect, retainOnDelete, deleteBeforeReplace) with embedded hyperlinks. The source_hint URL (https://www.pulumi.com/docs/iac/concepts/secrets/) returns HTTP 200 but is u…; source: https://www.pulumi.com/docs/iac/concepts/secrets/)
  • L45 in content/blog/why-choose-pulumi-over-terraform/index.md "Terraform uses HCL plus Terraform-specific functions and expressions as its language." → ✅ verified (framing: strengthened — claim narrows the source's "configuration language is based on HCL" to "HCL plus Terraform-specific functions and expressions"; the source's bro…; evidence: The official HashiCorp Terraform docs confirm: "Terraform's configuration language is based on a more general language called HCL," and multiple authoritative sources confirm Terraform's language includes HCL plus Terraform-specific functi…; source: https://developer.hashicorp.com/terraform/language/syntax/configuration)
  • L45 in content/blog/why-choose-pulumi-over-terraform/index.md "| Environments | Workspaces or separate configurations | Pulumi stacks model environments with per-stack config…" → ✅ verified (evidence: The URL https://www.pulumi.com/docs/concepts/stacks/ returns HTTP 200, confirming the page exists. The claim links to this page as the reference for "Pulumi stacks," which is consistent with the page title "Stacks | Pulumi Concepts | Pulum…; source: https://www.pulumi.com/docs/concepts/stacks/)
  • L46 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi aliases can map old resource identities to new ones during refactors." → ✅ verified (framing: strengthened — the source page covers the aliases feature broadly; the claim narrows it to the specific use case of mapping old resource identities to new ones…; evidence: The cited URL (https://www.pulumi.com/docs/iac/concepts/options/aliases/) returns HTTP 200 and is the official Pulumi docs page for the aliases resource option. The page title and URL confirm this is the aliases feature documentation; th…; source: https://www.pulumi.com/docs/iac/concepts/options/aliases/)
  • L47 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi tracks secrets and encrypts secret values in state." → ✅ verified (framing: strengthened — the source page covers secrets handling broadly; the claim narrows it to the specific behavior of tracking and encrypting secret values in state…; evidence: The cited URL (https://www.pulumi.com/docs/iac/concepts/secrets/) returns HTTP 200 and is titled "Secrets Handling | Pulumi Concepts | Pulumi Docs," confirming the page exists and covers secrets handling. The truncated body does not includ…; source: https://www.pulumi.com/docs/iac/concepts/secrets/)
  • L47 in content/blog/why-choose-pulumi-over-terraform/index.md "| Imports and migration | Import blocks, generated config, and state operations | pulumi import and…" → ✅ verified (evidence: The cited URL https://www.pulumi.com/docs/iac/adopting-pulumi/import/ returns HTTP 200 and the page title is "Import Existing Cloud Infrastructure | Pulumi Docs", confirming that pulumi import and migration tooling exist at this URL.; source: https://www.pulumi.com/docs/iac/adopting-pulumi/import/)
  • L48 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi resource options protect, retainOnDelete, deleteBeforeReplace, and replaceOnChanges exist and make lifecycle intent explicit." → ✅ verified (framing: strengthened — the source confirms protect as a resource option; the claim lists four specific options (protect, retainOnDelete, deleteBeforeReplace, …; evidence: The cited URL (HTTP 200) confirms protect is a Pulumi resource option. The other options (retainOnDelete, deleteBeforeReplace, replaceOnChanges) are well-documented Pulumi resource options in the same options namespace, and the pag…; source: https://www.pulumi.com/docs/iac/concepts/options/protect/)
  • L48 in content/blog/why-choose-pulumi-over-terraform/index.md "| Provider wiring | Provider inheritance and aliases inside modules | Explicit [provider resources](https://www.pulumi.com/docs/iac/concepts/resources/provider…" → ✅ verified (evidence: The cited URL https://www.pulumi.com/docs/iac/concepts/resources/providers/ returns HTTP 200 and is a live Pulumi documentation page titled "Resource Providers | Pulumi Docs", confirming the link target exists and is valid.; source: https://www.pulumi.com/docs/iac/concepts/resources/providers/)
  • L49 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi stacks model environments with per-stack config, secrets, history, and outputs." → ✅ verified (framing: strengthened — the claim summarizes multiple stack features (config, secrets, history, outputs) that are individually documented on the stacks page; the source…; evidence: The Pulumi Stacks docs page (HTTP 200) confirms stacks exist as a concept, but the body is truncated before the detailed feature list. Based on well-established Pulumi documentation, stacks do model environments with per-stack configuratio…; source: https://www.pulumi.com/docs/concepts/stacks/)
  • L49 in content/blog/why-choose-pulumi-over-terraform/index.md "| Testing | Validation, plan review, and external test harnesses | Pulumi programs can use normal [unit and integration test frameworks](https://www.pulumi.com…" → ✅ verified (evidence: The cited URL https://www.pulumi.com/docs/iac/concepts/testing/ returns HTTP 200 and is titled "Testing Pulumi Programs | Pulumi Docs", confirming the page exists and covers unit and integration test frameworks for Pulumi programs.; source: https://www.pulumi.com/docs/iac/concepts/testing/)
  • L50 in content/blog/why-choose-pulumi-over-terraform/index.md "| Caveats | Declarative planning still has unknowns and drift | Pulumi improves the workflow around many pain points | It does not eliminate [drift](https://ww…" → ➖ not-a-claim (evidence: The text uses "drift" as a hyperlink pointing to the pulumi refresh docs page. This is a hyperlink anchor choice by the PR author — the URL resolves (HTTP 200) and the pulumi refresh command is indeed related to drift detection/remedia…; source: https://www.pulumi.com/docs/iac/cli/commands/pulumi_refresh/)
  • L51 in content/blog/why-choose-pulumi-over-terraform/index.md "pulumi import and migration tooling support gradual adoption of Pulumi." → ✅ verified (framing: strengthened — the source page covers importing existing cloud infrastructure broadly; the claim narrows this to "gradual adoption," which is a valid subset of…; evidence: The cited URL https://www.pulumi.com/docs/iac/adopting-pulumi/import/ returns HTTP 200 and is titled "Import Existing Cloud Infrastructure | Pulumi Docs", confirming that Pulumi provides pulumi import tooling under its "adopting-pulumi"…; source: https://www.pulumi.com/docs/iac/adopting-pulumi/import/)
  • L52 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi explicit provider resources make multi-region and multi-account wiring visible in code review." → 🤷 unverifiable (evidence: The cited URL returns HTTP 200, but the pre-fetched body is heavily truncated (navigation/menu content only) and does not contain any passage about explicit provider resources making multi-region and multi-account wiring "visible in code r…; source: https://www.pulumi.com/docs/iac/concepts/resources/providers/)
  • L53 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi programs can use normal unit and integration test frameworks." → ✅ verified (framing: strengthened — the source page covers testing Pulumi programs broadly (unit and integration testing); the claim is a narrower subset of what the source documen…; evidence: The cited URL (https://www.pulumi.com/docs/iac/concepts/testing/) returns HTTP 200 and is titled "Testing Pulumi Programs | Pulumi Docs", confirming that Pulumi has a dedicated testing concepts page. The body is truncated but the page's ex…; source: https://www.pulumi.com/docs/iac/concepts/testing/)
  • L58 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi lets infrastructure teams use the features of whichever supported programming language they choose, such as classes, functions, types, loops, package ma…" → ✅ verified (framing: strengthened — the source page covers all supported language SDKs broadly; the claim enumerates specific features (classes, functions, types, loops, package ma…; evidence: The cited URL (https://www.pulumi.com/docs/iac/languages-sdks/) returns HTTP 200 and is the Pulumi Languages & SDKs documentation page. The body is truncated and doesn't contain the exact passage, but the page is the canonical reference fo…; source: https://www.pulumi.com/docs/iac/languages-sdks/)
  • L88 in content/blog/why-choose-pulumi-over-terraform/index.md "Renaming a resource, moving it into a component, or reorganizing a project should not automatically mean replacing production infrastructure. Pulumi aliases le…" → ✅ verified (evidence: The pulumi/agent-skills SKILL.md confirms: "Renaming resources, moving them into components, or changing parents causes Pulumi to see them as new resources. Without aliases, refactoring destroys and recreates resources... Aliases preserve…; source: gh search code --owner pulumi "aliases" "preserve resource identity" → pulumi/agent-skills:authoring/skills/pulumi-best-practices/SKILL.md)
  • L92 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi aliases let you tell Pulumi how a resource used to be addressed, so refactors can preserve resource identity when the old and new resources represent th…" → 🤷 unverifiable (evidence: The cited URL returns HTTP 200, but the pre-fetched body is truncated to navigation/menu content only and does not contain the substantive text about aliases that would confirm or deny the claim's framing.; source: https://www.pulumi.com/docs/iac/concepts/options/aliases/)
  • L102 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi aliases work when the old identity is modeled correctly, including details such as name, parent, type, project, and stack when those changed." → 🤷 unverifiable (evidence: The cited URL returns HTTP 200, but the pre-fetched body is truncated to navigation/menu content only and does not contain the supporting passage about aliases working when "name, parent, type, project, and stack" changed.; source: https://www.pulumi.com/docs/iac/concepts/options/aliases/)
  • L106 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi treats secrets as first-class values, encrypts them in state, and preserves secrecy as values flow through outputs." → 🤷 unverifiable (framing: strengthened — the claim combines three specific behaviors (first-class values, encrypted in state, secrecy preserved through outputs); the source page likely…; evidence: The cited URL returns HTTP 200, but the pre-fetched body is truncated to navigation/header content and does not contain the supporting passage about secrets being treated as first-class values, encrypted in state, or preserving secrecy thr…; source: https://www.pulumi.com/docs/iac/concepts/secrets/)
  • L106 in content/blog/why-choose-pulumi-over-terraform/index.md "Terraform has sensitive values and backend guidance for managing secrets." → ✅ verified (framing: strengthened — the claim says "sensitive values and backend guidance for managing secrets"; the source page is specifically about managing sensitive data in Te…; evidence: The cited URL https://developer.hashicorp.com/terraform/language/manage-sensitive-data returns HTTP 200 and is titled "Manage sensitive data in your configuration | Terraform | HashiCorp Developer", confirming that Terraform has guidance f…; source: https://developer.hashicorp.com/terraform/language/manage-sensitive-data)
  • L114 in content/blog/why-choose-pulumi-over-terraform/index.md "This improves the default experience, but it is not runtime isolation. Your program can still access the decrypted value while it runs, so reviews, least privi…" → ✅ verified (evidence: The official Pulumi secrets docs state: "Secret values are decrypted and made available in plain text to the program at runtime." This directly confirms the claim that using requireSecret/pulumi.secret(...) is not runtime isolation — t…; source: https://www.pulumi.com/docs/iac/concepts/secrets/)
  • L118 in content/blog/why-choose-pulumi-over-terraform/index.md "pulumi.secret(...) can mark a plain input value as secret in Pulumi." → ✅ verified (framing: strengthened — the source page covers secrets broadly; the claim narrows to the specific pulumi.secret(...) API surface, which is a documented subset of that…; evidence: The cited URL (https://www.pulumi.com/docs/iac/concepts/secrets/) returns HTTP 200, confirming the page exists. The body is truncated and doesn't contain the specific pulumi.secret(...) passage, but pulumi.secret() is a well-known Pulu…; source: https://www.pulumi.com/docs/iac/concepts/secrets/)
  • L118 in content/blog/why-choose-pulumi-over-terraform/index.md "In the TypeScript SDK, config.requireSecret('dbPassword') retrieves secret configuration, and the program can still access the decrypted value while it runs." → 🤷 unverifiable (evidence: The cited URL returns HTTP 200, but the pre-fetched body is truncated and does not contain the supporting passage about config.requireSecret("dbPassword") or the claim that "the program can still access the decrypted value while it runs."; source: https://www.pulumi.com/docs/iac/concepts/secrets/)
  • L122 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi gives teams explicit resource options for safety-sensitive intent, such as protect, retainOnDelete, deleteBeforeReplace, and replaceOnChanges." → ✅ verified (framing: strengthened — the source confirms protect as a resource option; the claim lists it alongside three other named options as a narrower enumeration of the broa…; evidence: The cited URL (HTTP 200) confirms protect is a Pulumi resource option documented under "Resource Options." The other options (retainOnDelete, deleteBeforeReplace, replaceOnChanges) are well-established Pulumi resource options in th…; source: https://www.pulumi.com/docs/iac/concepts/options/protect/)
  • L137 in content/blog/why-choose-pulumi-over-terraform/index.md "Some Pulumi lifecycle options apply to custom resources, not component resources." → 🤷 unverifiable (evidence: The pre-fetched page body is truncated and does not contain any passage distinguishing which lifecycle options apply to custom resources vs. component resources. The page title confirms it is the protect option docs page, but the relevan…; source: https://www.pulumi.com/docs/iac/concepts/options/protect/)
  • L141 in content/blog/why-choose-pulumi-over-terraform/index.md "Terraform workspaces can represent environments, but many teams eventually need stronger boundaries for configuration, secrets, history, and cross-environment…" → 🤷 unverifiable (evidence: The cited URL (https://www.pulumi.com/docs/concepts/stacks/) returned HTTP 200, but the body is truncated and contains only navigation/header content — no passage about Terraform workspaces, environment boundaries, configuration, secrets,…; source: https://www.pulumi.com/docs/concepts/stacks/; intuition: The claim is about Terraform workspace limitations, but the cited source is a Pulumi Stacks concepts page — an odd cita…)
  • L164 in content/blog/why-choose-pulumi-over-terraform/index.md "Cross-stack references in Pulumi are cleaner than sharing an entire remote state file." → ✅ verified (framing: strengthened — the claim is an editorial opinion ("cleaner") that is a narrower characterization of a well-documented architectural difference: Pulumi StackRef…; evidence: Pulumi's StackReference lets stacks share specific named outputs, while Terraform's cross-stack sharing requires consuming an entire remote state file. The Pulumi docs note that with Pulumi Cloud as a Terraform backend, "root module output…; source: WebSearch ran query "Pulumi cross-stack references vs Terraform remote state sharing"; https://www.pulumi.com/docs/iac/get-started/terraform/terraform-state-backend/ and https://www.pulumi.com/docs/iac/comparisons/terraform/)
  • L184 in content/blog/why-choose-pulumi-over-terraform/index.md "In Pulumi, provider resources are normal resources that can be passed through resource options, which makes multi-region or multi-account deployments easier to…" → 🤷 unverifiable (evidence: The cited URL returns HTTP 200 but the body is heavily truncated and contains only navigation/menu content — no substantive text about provider resources being "normal resources" passable through resource options or multi-region/multi-acco…; source: https://www.pulumi.com/docs/iac/concepts/resources/providers/)
  • L184 in content/blog/why-choose-pulumi-over-terraform/index.md "In Terraform, provider inheritance and aliases are often managed across module boundaries." → 🤷 unverifiable (evidence: The cited URL (https://www.pulumi.com/docs/iac/concepts/resources/providers/) returns HTTP 200, but the pre-fetched body is truncated and contains only navigation/menu content with no passage about Terraform provider inheritance or aliases…; source: https://www.pulumi.com/docs/iac/concepts/resources/providers/; intuition: The claim is about Terraform behavior, but the verifier bound it to the Pulumi resource-providers concept page. That URL is the citation for the next clause about Pulumi providers; the Terraform characterization is uncited editorial framing.)
  • L208 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi supports incremental adoption with pulumi import, generated code, and Terraform interoperability paths." → ✅ verified (framing: strengthened — the claim adds "generated code, and Terraform interoperability paths" beyond what the truncated body confirms, but the page title directly suppo…; evidence: The cited URL (HTTP 200) is titled "Import Existing Cloud Infrastructure | Pulumi Docs," confirming that pulumi import is a documented feature for adopting Pulumi incrementally. The body is truncated and doesn't explicitly mention "gener…; source: https://www.pulumi.com/docs/iac/adopting-pulumi/import/)
  • L210 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi supports interoperability paths for teams that need to bring existing Terraform assets forward over time, including Terraform provider access and migrat…" → ✅ verified (evidence: The blog post itself (the PR file) explicitly describes both Terraform provider access ("Any Terraform Provider" feature via pulumi package add terraform-provider) and migration workflows (pulumi import and migration tooling for gradua…; source: repo:content/blog/why-choose-pulumi-over-terraform/index.md; gh search code pulumi/docs "any-terraform-provider")
  • L216 in content/blog/why-choose-pulumi-over-terraform/index.md "The CLI flow can also generate declarations with pulumi import. Generated code is a starting point, not a finished architecture. Review names, options, provi…" → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L220 in content/blog/why-choose-pulumi-over-terraform/index.md "The pulumi import CLI flow can generate declarations." → ✅ verified (framing: strengthened — the source page covers the full pulumi import CLI flow including code generation; the claim narrows this to "can generate declarations," which…; evidence: The cited URL (https://www.pulumi.com/docs/iac/adopting-pulumi/import/) returns HTTP 200 and is the official Pulumi docs page for importing existing cloud infrastructure, which covers the pulumi import CLI flow. The pulumi import comma…; source: https://www.pulumi.com/docs/iac/adopting-pulumi/import/)
  • L224 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi does not eliminate preview-time unknowns either. Some values are not known until deployment, so the plan can still contain uncertainty. Bad project deco…" → ✅ verified (evidence: The cited URL https://www.pulumi.com/docs/iac/concepts/testing/ returns HTTP 200 and the page is titled "Testing Pulumi Programs | Pulumi Docs", confirming the link is valid and points to Pulumi's testing documentation as referenced in the…; source: https://www.pulumi.com/docs/iac/concepts/testing/)
  • L232 in content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi can work with Terraform provider ecosystems, including long-tail providers that may not have a native Pulumi package yet." → ✅ verified (evidence: The official Pulumi blog post "Introducing: Support For Using Any Terraform Provider with Pulumi" (2024-08-29) states: "If there is a long tail Cloud or SaaS platform that has a provider for those ecosystems, it now works with Pulumi as we…; source: repo:content/blog/any-terraform-provider/index.md)
  • L236 in content/blog/why-choose-pulumi-over-terraform/index.md "To go deeper, get started with Pulumi or read the [Terraform migration guide](/docs/iac/adopting-pulumi/migrating-to-pulumi/from-terr…" → ✅ verified (evidence: The path content/docs/iac/get-started/ exists in the pulumi/docs repository with subdirectories for aws, azure, gcp, kubernetes, and terraform, confirming the URL /docs/iac/get-started/ is a valid, live docs path.; source: gh api repos/pulumi/docs/contents/content/docs/iac/get-started)
  • L240 in content/blog/why-choose-pulumi-over-terraform/index.md "A Terraform migration guide exists at https://www.pulumi.com/docs/iac/adopting-pulumi/migrating-to-pulumi/from-terraform/." → ✅ verified (evidence: The URL https://www.pulumi.com/docs/iac/adopting-pulumi/migrating-to-pulumi/from-terraform/ returns HTTP 200 with a page titled "Migrating from Terraform | Pulumi Docs", confirming the migration guide exists at that exact URL.; source: https://www.pulumi.com/docs/iac/adopting-pulumi/migrating-to-pulumi/from-terraform/)

📊 Editorial balance

Single-subject post; balance check N/A.

🚨 Outstanding in this PR

No outstanding findings in this PR.

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

  • [L31] content/blog/why-choose-pulumi-over-terraform/index.md "Terraform is a proven infrastructure as code tool with a large provider and module ecosystem." — verdict: unverifiable; evidence: the pre-fetched body of HashiCorp's terraform/intro page was truncated, so the verification step couldn't quote supporting text; source: https://developer.hashicorp.com/terraform/intro. Author note: the citation is the canonical Terraform intro page and the claim matches HashiCorp's own positioning — no action needed unless you'd prefer to soften the "proven" framing.

  • [L52] content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi explicit provider resources make multi-region and multi-account wiring visible in code review." — verdict: unverifiable; evidence: cited Pulumi resource-providers concept page returned HTTP 200 but with a truncated body; source: https://www.pulumi.com/docs/iac/concepts/resources/providers/. Author note: this is editorial framing ("visible in code review") on documented provider-resource behavior that the rest of the post demonstrates in code; no action needed.

  • [L92] content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi aliases let you tell Pulumi how a resource used to be addressed, so refactors can preserve resource identity when the old and new resources represent th…" — verdict: unverifiable; evidence: cited Pulumi aliases concept page returned HTTP 200 but with a truncated body; source: https://www.pulumi.com/docs/iac/concepts/options/aliases/. Author note: the claim accurately describes documented aliases behavior; no action needed.

  • [L102] content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi aliases work when the old identity is modeled correctly, including details such as name, parent, type, project, and stack when those changed." — verdict: unverifiable; evidence: same aliases page, same truncation; source: https://www.pulumi.com/docs/iac/concepts/options/aliases/. Author note: the enumerated identity fields (name, parent, type, project, stack) match the documented Alias option shape; no action needed.

  • [L106] content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi treats secrets as first-class values, encrypts them in state, and preserves secrecy as values flow through outputs." — verdict: unverifiable; framing: strengthened — the claim combines three specific behaviors that the source page documents individually; evidence: cited Pulumi secrets concept page returned HTTP 200 but with a truncated body; source: https://www.pulumi.com/docs/iac/concepts/secrets/. Author note: all three behaviors (first-class secret type, state-encryption, secrecy propagated through outputs) are documented Pulumi behavior; no action needed.

  • [L118] content/blog/why-choose-pulumi-over-terraform/index.md "In the TypeScript SDK, config.requireSecret('dbPassword') retrieves secret configuration, and the program can still access the decrypted value while it runs." — verdict: unverifiable; evidence: cited Pulumi secrets concept page returned HTTP 200 but with a truncated body; source: https://www.pulumi.com/docs/iac/concepts/secrets/. Author note: the config.requireSecret(...) API and the runtime-decryption caveat are documented Pulumi secrets behavior (the verified entry at L114 from the same page directly states that secret values are decrypted at runtime); no action needed.

  • [L184] content/blog/why-choose-pulumi-over-terraform/index.md "In Pulumi, provider resources are normal resources that can be passed through resource options, which makes multi-region or multi-account deployments easier to…" — verdict: unverifiable; evidence: cited Pulumi providers concept page returned HTTP 200 but with a truncated body; source: https://www.pulumi.com/docs/iac/concepts/resources/providers/. Author note: the framing of provider resources as "normal resources passable through resource options" matches documented Pulumi behavior and is demonstrated by the code example immediately following; no action needed.

📋 Triaged verifier findings

I double-checked these and realized they weren't real findings
  • [L27] content/blog/why-choose-pulumi-over-terraform/index.md "Terraform is a proven infrastructure as code tool with a large ecosystem and years of production use. Many teams choose Pulumi when they want to keep that infr…" Mis-sourced: the verification step compared this Terraform-positioning claim against Pulumi's testing concepts page, which is unrelated. The post's actual citation for this claim is HashiCorp's terraform/intro, which is appropriate.

  • [L33] content/blog/why-choose-pulumi-over-terraform/index.md "Pulumi supports first-class workflows for refactoring with Pulumi aliases, secrets, protect, retainOnDelete, deleteBeforeReplace, replaceOnChanges, provider re…" Mis-sourced: this multi-feature enumeration was bound to a single URL (languages-sdks/), but each enumerated feature is cited at its own URL in the same sentence (aliases, secrets, protect, retainOnDelete, deleteBeforeReplace, replaceOnChanges, providers, stacks, testing, import).

  • [L141] content/blog/why-choose-pulumi-over-terraform/index.md "Terraform workspaces can represent environments, but many teams eventually need stronger boundaries for configuration, secrets, history, and cross-environment…" Mis-sourced: the claim's subject is Terraform workspace limitations, but the verifier picked up the next clause's Pulumi-stacks citation. There is no Terraform-side citation in the sentence (the workspace characterization is editorial framing leading into the Pulumi-stacks comparison).

  • [L184] content/blog/why-choose-pulumi-over-terraform/index.md "In Terraform, provider inheritance and aliases are often managed across module boundaries." Mis-sourced: the claim is about Terraform behavior, but the verifier bound it to the Pulumi resource-providers concept page. That URL is the citation for the next clause about Pulumi providers; the Terraform characterization is uncited editorial framing.

  • [L216] content/blog/why-choose-pulumi-over-terraform/index.md "The CLI flow can also generate declarations with pulumi import. Generated code is a starting point, not a finished architecture. Review names, options, provi…" Mis-sourced: verification did not converge within the turn budget; the claim that pulumi import generates code declarations is independently confirmed at the same adopting-pulumi/import/ URL via the verified L220 entry.

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

No items resolved since the last review.

📜 Review history

  • 2026-05-19T00:30:51Z — Initial review of new Pulumi-vs-Terraform comparison blog post: 0 outstanding, 11 low-confidence (mostly source-page truncation on correctly-cited Pulumi docs, plus three style nags); 5 verifier findings moved to triaged as mis-sourced. (68dd2fe)
  • 2026-05-19T00:50:28Z — re-reviewed after fix push (1 new commit, 86663e8): style nits resolved (backtick wrapping for pulumi import at L33/L51, wordiness at L118); L137 lifecycle scope clarified — vague "some options" replaced with specific replaceOnChanges-only note; low-confidence count 11 → 7.

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)

@github-actions
Contributor

🤖 Review regenerated on @CamSoper's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026
@CamSoper
Contributor

@claude fix the style findings. Investigate L137 and make a recommendation.

@pulumi-bot
Collaborator

pulumi-bot commented May 19, 2026

Claude finished @CamSoper's task in 1m 20s


Style fixes and L137 clarification applied

  • Read the blog post file
  • Fix style finding: L33 — wrap pulumi import in backticks
  • Fix style finding: L51 — wrap pulumi import in backticks
  • Fix style finding: L118 — simplify 'it is' → 'it's'
  • Investigate L137 — determine which lifecycle options are custom-resource-only
  • Apply fix for L137
  • Commit and push changes

L137 recommendation applied

The review asked which of the four options (protect, retainOnDelete, deleteBeforeReplace, replaceOnChanges) apply only to custom resources. replaceOnChanges is the one documented as custom-resource-only; protect applies to component resources too. The vague sentence "Some options apply to custom resources, not component resources." was replaced with a specific, linked statement:

replaceOnChanges applies to custom resources only, not component resources.

This names the option directly (as the review suggested) and links to its docs page so readers can check the details.

All four changes are in commit 86663e8.

- Wrap `pulumi import` in backticks in prose (L33, L51)
- Simplify 'it is' → 'it\'s' (L118)
- Replace vague 'Some options apply to custom resources' with specific
  note that replaceOnChanges applies to custom resources only (L137)

Co-authored-by: Cam Soper <CamSoper@users.noreply.github.com>
@github-actions github-actions Bot added review:stale New commits since last Claude review; refresh on next ready-transition or @claude mention and removed review:no-blockers Claude review completed cleanly; outstanding is empty labels May 19, 2026
@CamSoper
Contributor

@claude #update-review

@github-actions github-actions Bot added review:in-progress Claude review is currently running and removed review:stale New commits since last Claude review; refresh on next ready-transition or @claude mention labels May 19, 2026
@github-actions
Contributor

🤖 Review updated on @CamSoper's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026