← Back to Blog RSS

Best Terraform Alternatives: Self-Hosted and Cloud

Terraform OpenTofu State Management Infrastructure

Terraform set the standard for infrastructure as code, but licensing concerns, state management pain, and multi-state complexity have pushed teams to look elsewhere. Today, there are genuinely good options worth knowing about.

TL;DR
$ cat terraform-alternatives.tldr
• HashiCorp's 2023 switch to the Business Source License (BSL) turned what felt like a technical tool into a licensing and governance question for thousands of teams.
• OpenTofu is the most direct drop-in replacement for Terraform, with full HCL compatibility and CNCF-backed open governance.
• Pulumi, Crossplane, Ansible, AWS CloudFormation, and Azure Bicep each solve different problems and suit different team profiles and infrastructure setups.
• Stategraph doesn't replace Terraform's engine — it replaces the state backend, giving teams resource-level locking, parallel execution, and SQL-queryable state across complex, multi-state environments.

For most teams, Terraform made sense because it was what everyone used. It had the provider ecosystem, the community, the Hashicorp configuration language, the Terraform modules, the same providers everyone else depended on, and enough operational familiarity that infrastructure teams could define infrastructure without turning every change into a design debate.

That changed in August 2023 when HashiCorp moved Terraform and other products from MPL 2.0 to the Business Source License. Internal use stayed largely intact because most teams are not reselling Terraform as part of a managed service, but the mood changed.

As soon as a tool that defines your entire cloud infrastructure moves from open source to source-available, your platform engineering roadmap starts to depend on a licensing model controlled by one vendor.

Even if you stay on Terraform, is the surrounding model still enough for the way teams actually manage cloud resources?

One state file, one global lock per root module, serial workflows that slow down as state grows, cross-state dependencies held together by wrapper logic, and orchestration wrappers that gradually become their own platform are the reasons people started considering alternatives to Terraform.

Why teams consider Terraform alternatives

The honest answer is that most teams are not looking for alternatives to Terraform because the IaC solution suddenly dropped in quality. Terraform still works. It still has the provider protocol, the cloud providers, the ecosystem, the registry, the accumulated examples, and the muscle memory. The problem is that its trade-offs are now more visible.

The first driver is governance

HashiCorp's Business Source License allows broad use, including internal production use, but it restricts certain competitive offerings and introduces a legal boundary that platform teams, procurement teams, and engineering leaders must now understand. The decision to standardize on Terraform, Terraform Cloud, or Terraform Enterprise now carries a different kind of risk than it did under MPL 2.0.

The second driver is scale

Terraform's state model works beautifully when a root module is small, ownership is clear, and one pipeline applies changes at a time. It gets more awkward when one state file tracks hundreds or thousands of cloud resources across multiple environments, when several teams need to change unrelated parts of the same infrastructure setup, or when the only way to avoid contention is to split state until cross-state dependency management becomes the actual system.

The BSL license change, explained

Before August 2023, Terraform was licensed under MPL 2.0, a permissive open-source license that made it straightforward to use, modify, redistribute, embed, and build on.

After the change, future Terraform releases moved to BSL 1.1, which is source-available rather than open source in the OSI sense. You can still see the code, use Terraform internally, and manage AWS infrastructure, Azure infrastructure, Google Cloud, Kubernetes, SaaS resources, networking, storage, and the rest of your cloud infrastructure with it.

The restriction becomes apparent when you embed Terraform into a commercial product, redistribute modified versions, or offer something HashiCorp may consider competitive.

It affects you, even if your team is not a vendor. Governance decisions age slowly. A platform standard chosen in 2026 may sit inside CI/CD, audit trails, role-based access control, drift detection, cloud consoles, and infrastructure management workflows for years. Once licensing becomes a concern, you should start considering alternatives to Terraform.

Where Terraform starts to struggle at scale

Terraform's traditional state model is file-shaped, even when the file is stored remotely in one of the following:

That state file tracks resources, attributes, outputs, dependencies, and metadata. Because Terraform must protect that source of truth, supported backends can lock state for operations that may write to it, and Terraform will not continue if it cannot acquire the lock.

That lock prevents corruption and means that two unrelated changes can block each other if they touch the same root module state, even when one engineer is changing a lifecycle rule on an S3 bucket, while another is adding a security group rule to application code infrastructure somewhere else in the graph.

The usual workaround is to split state.

Networking gets its own state, compute gets another, data gets another, environments get separated, teams get separated, and suddenly the infrastructure is no longer one graph but a federation of files.

Splitting state can help with lock contention, but it creates a new problem. Cross-state outputs become fragile, dependency order moves into third-party tools, Terragrunt-like orchestration starts carrying more logic, and teams end up managing infrastructure through an unofficial single control plane made out of wrappers, conventions, and hope.

The best Terraform alternatives

The right Terraform alternative depends on what problem you need to solve.

OpenTofu homepage: 'Open-Source Infrastructure as Code' under CNCF, with a main.tf example creating an S3 bucket.

OpenTofu

OpenTofu is the closest thing to Terraform without being Terraform.

It began as the OpenTF fork after the license change, moved under the Linux Foundation in September 2023, and was later accepted into the Cloud Native Computing Foundation as a Sandbox project in April 2025.

It keeps the HCL workflow, existing Terraform configurations, provider compatibility, and the familiar plan-and-apply model, making it the default answer for teams that want open governance without rewriting infrastructure code.

Not just a static fork anymore, OpenTofu 1.7 added state encryption and provider-defined functions, with OpenTofu 1.7 adding state encryption using AES-GCM, with key management integrations for AWS KMS, GCP KMS, and OpenBao.

Best for

Teams that want to keep HCL, the Terraform workflow, the same providers, and most existing tools, while moving to an open-source-governed project that is not controlled by a single vendor.

Key features

When not to use OpenTofu

OpenTofu is the wrong answer if your team is heavily invested in HCP Terraform Stacks, because Stacks are a configuration layer tied to HCP Terraform.

It's also not the solution if you want to move away from HCL into general-purpose programming languages, or if the core problem is multi-state dependency management and state lock contention.

After all, OpenTofu maintains the basic Terraform state model and can point state at a familiar backend like S3.

# Requires OpenTofu 1.10 or later
terraform {
backend "s3" {
bucket = "company-iac-state"
key = "prod/networking/terraform.tfstate"
region = "eu-west-1"
encrypt = true
use_lockfile = true # Native S3 locking — no DynamoDB table required
}
}
Pulumi homepage: 'Next-level infrastructure as code for humans and agents,' with a TypeScript index.ts example.

Pulumi

Pulumi is the main alternative for teams that want to write infrastructure in TypeScript, Python, Go, C#, Java, .NET, YAML, or other supported SDK paths rather than HCL.

Shifting away from HCL means infrastructure can use loops, conditionals, classes, functions, packages, unit tests, and application code patterns without pushing HCL beyond what it was designed to do. It's still infrastructure as code, but using familiar programming languages across AWS, Azure, Google Cloud, Kubernetes, and other providers.

Pulumi is different, not better.

Real programming languages are powerful, and they also create real codebases. For developer-heavy teams, that may be perfect, but for ops-heavy infrastructure teams that like the constraint of declarative HCL, Pulumi can feel like turning infrastructure into another application framework to maintain.

Best for

Pulumi is best for development-heavy teams that find HCL limiting and want reusable, testable infrastructure components written in languages they already use.

Key features

When not to use Pulumi

Pulumi is a weaker fit when the team is primarily ops-focused and comfortable in HCL, when per-resource Pulumi Cloud pricing becomes a concern at scale, or when the hard problem is cross-state dependency management rather than language expressiveness.

Pulumi stacks still have their own state boundary, which means changing the language does not magically erase state architecture.

Crossplane homepage: 'Crossplane Is the Cloud-Native Framework for Platform Engineering,' listing control-plane building blocks.

Crossplane

Crossplane is a Kubernetes-native approach where cloud resources are modeled as Kubernetes APIs, usually through custom resources and controllers, and then reconciled continuously.

It's a good choice for platform teams that have already made Kubernetes their control plane and want cloud resources, internal abstractions, and platform APIs to follow the same reconciliation model.

Selecting Crossplane is a bigger architectural shift than adopting OpenTofu or Pulumi. With Crossplane, the operating model becomes Kubernetes-shaped. Desired state lives in Kubernetes resources, GitOps becomes natural, and platform teams can build composites that hide cloud API complexity behind internal abstractions.

Best for

Crossplane is best for platform teams that already run Kubernetes deeply and want cloud infrastructure to be managed through Kubernetes APIs, controllers, and GitOps workflows.

Key features

When not to use Crossplane

Do not adopt Crossplane just to avoid Terraform. If your team is not already comfortable operating a Kubernetes cluster, Crossplane adds a learning curve and operational layer that may be heavier than the problem you started with.

Ansible Collaborative homepage introducing Ansible as an open-source IT automation engine.

Ansible

Ansible overlaps with infrastructure as code, but it does not behave like Terraform. It's procedural, agentless, YAML-driven, and commonly used for configuration management, application deployment, server automation, network automation, and operational tasks.

Because Ansible emphasizes automation over SSH without agents on remote systems, it is often combined with Terraform. Terraform provisions cloud resources. Ansible configures machines, deploys packages, manages services, and handles the messy server-level work that declarative provisioning tools are not always good at.

Best for

Ansible is best for teams focused on configuration management, post-provisioning automation, application deployment, and hybrid or on-premise infrastructure with SSH-based automation.

Key features

When not to use Ansible

Ansible is a poor replacement when the goal is declarative cloud infrastructure provisioning with strong drift detection, clean state management, policy-as-code around infrastructure changes, and predictable lifecycle management for multiple resources across multiple clouds.

AWS CloudFormation product page: 'Speed up cloud provisioning with infrastructure as code,' with a Benefits section.

AWS CloudFormation

AWS CloudFormation is the native AWS IaC tool. It is deeply integrated with AWS services, supports stack change sets, can roll back failed stack updates, and uses StackSets for multi-account and multi-region deployments.

For teams that focus on managing AWS infrastructure, the appeal is obvious. It is first-party, close to the AWS APIs, and does not require a separate third-party IaC framework to manage AWS resources.

The trade-off is just as obvious. CloudFormation is AWS-only. CloudFormation templates can become verbose in YAML or JSON. AWS CDK exists partly because many teams wanted a higher-level cloud development kit over the raw template model.

Best for

CloudFormation is best for teams that are all-in on AWS and want native service coverage, built-in rollback behavior, change set previewing, IAM integration, and no separate multi-cloud abstraction.

Key features

When not to use CloudFormation

CloudFormation is the wrong fit when the infrastructure spans multiple clouds, when the team needs a consistent IaC tool across AWS, Azure, and Google Cloud, or when the syntax overhead becomes its own productivity tax.

Microsoft Learn page for a Microsoft.Web resource showing Bicep, ARM template, and Terraform deployment options.

Azure Bicep

Azure Bicep is Microsoft's modern domain-specific language for Azure Resource Manager. It gives Azure teams a cleaner way to define infrastructure than ARM JSON while compiling down to ARM templates.

Bicep is a declarative language for deploying Azure resources, with concise syntax, type safety, modules, and integration across the Azure deployment lifecycle.

Like CloudFormation, Bicep's strength is its first-party nature, which also means it's limited. If your entire cloud lives in Azure, great. If your infrastructure requirements include AWS, GCP, Kubernetes, SaaS providers, or multi-IaC environments, Bicep isn't the right choice.

Best for

Azure Bicep is best for teams working exclusively on Azure that want a readable, first-party alternative to ARM templates.

Key features

When not to use Azure Bicep

Bicep is not the right fit if the infrastructure spans multiple clouds, if your team wants one IaC language across the entire cloud estate, or if the broader Terraform and OpenTofu ecosystem is central to how your team manages infrastructure today.

Stategraph homepage: 'Your infrastructure has a database now,' describing the operational database for infrastructure.

Stategraph

Stategraph does not ask you to replace Terraform or OpenTofu, instead highlighting that, even if the engine is fine, the state backend is a bottleneck.

Traditional Terraform state is a JSON document. Stategraph stores infrastructure state as a dependency graph in PostgreSQL instead, which means resources, dependencies, ownership, history, and relationships become structured data rather than buried attributes in a flat state file.

That changes what the backend can do. It can lock at the resource level instead of the full state level. It can run non-overlapping transactions in parallel. It can expose SQL-queryable inventory. It can manage cross-state operations through the graph instead of forcing every team to stitch outputs together through wrappers. Check out how Stategraph works for more details.

Stategraph doesn't require infrastructure teams to rewrite HCL, abandon Terraform modules, switch cloud providers, rebuild CI/CD, or retrain everyone on a new IaC framework. Teams keep Terraform or OpenTofu, the same providers, the same modules, and the same broad workflow. The backend layer changes, which is exactly where lock contention, slow applies, cross-state dependency pain, inventory gaps, and audit history tend to accumulate.

Stategraph 'infrastructure as a database' architecture: API, CLI, HCL, and AI Agent clients feed the server, exposing policy engine, remote execution, orchestration, inventory, cost, security, and compliance capabilities.

Best for

Stategraph is best for teams already running Terraform or OpenTofu at scale who are hitting state lock contention, slow serial applies, cross-state dependency pain, or a governance gap across multiple environments, and do not want to re-platform their entire IaC stack to fix state management.

Key features

When not to use Stategraph

Stategraph is not for teams that have moved away from Terraform or OpenTofu entirely. It is for teams that want to keep their existing HCL, providers, and CLI workflow, while replacing the backend layer that stores and locks state.

terraform {
backend "http" {
address = "https://<your-stategraph-host>/api/v1/states/backend/<group-id>"
username = "session"
password = var.stategraph_token
}
}

How to choose the right Terraform alternative

Start with the actual problem, not the tool category. If the issue is open governance and you want the least disruption, OpenTofu is the obvious place to begin. It keeps HCL, the provider ecosystem, existing Terraform configurations, and the workflow most teams already know.

If the issue is developer experience, Pulumi is the more natural alternative, because it lets teams write infrastructure in programming languages they already use. Pulumi works best when infrastructure is maintained by application teams, rather than when infrastructure teams value declarative constraints over general-purpose abstraction.

If your infrastructure model is already Kubernetes-native, consider Crossplane, as it turns cloud resources into reconciled Kubernetes resources.

If your primary work is configuration management, server automation, application deployment, or hybrid infrastructure, Ansible remains one of the strongest tools. Just don't mistake it for a stateful declarative cloud provisioning engine.

If the environment is AWS-only and first-party control is the priority, go for CloudFormation. If the environment is Azure-only, use Azure Bicep. Both reduce third-party dependency, and both give up cloud agnostic portability.

If Terraform or OpenTofu is already embedded in the organization and the pain is state file contention, slow plans and applies, cross-state dependencies, audit trails, unmanaged resources, or the lack of SQL-queryable infrastructure inventory, Stategraph is the solution that changes the backend rather than the whole infrastructure stack.

Conclusion

Not every team needs to rip out Terraform. Most teams probably should not. Terraform still has an enormous ecosystem, and OpenTofu now gives HCL-oriented teams an open governance path that keeps the familiar workflow alive.

However, most teams running serious infrastructure have at least one problem the classic model does not solve well, whether that is the Business Source License, the cognitive load of HCL workarounds, the limitations of single-cloud tools, or the operational drag of state file locking across a growing estate.

If the friction point is state lock contention, slow serial applies, cross-state dependencies, or not being able to ask basic SQL questions of your infrastructure, the answer may not be a new IaC engine at all. It may be a better state layer underneath the tools you already use.

Start Stategraph free or read the Stategraph docs.

Terraform alternatives FAQs

What is the best open-source alternative to Terraform?

OpenTofu is the best direct open-source alternative to Terraform for teams that want HCL, familiar commands, provider compatibility, and open governance. It was launched under the Linux Foundation after the Terraform license change and later accepted into CNCF as a Sandbox project.

Is OpenTofu production-ready?

Yes, OpenTofu is production-ready for many teams, especially those whose infrastructure is already compatible with the Terraform 1.5.x baseline and does not depend on HCP Terraform-specific features. Teams should still test providers, modules, state migration, and CI/CD behavior before switching production workflows.

What are the best Terraform Cloud alternatives for teams at scale?

The best Terraform Cloud alternatives depend on the surface area you need. Teams whose primary pain points are state management, lock contention, slow execution, and cross-state visibility should evaluate Stategraph, which changes the backend layer while keeping Terraform or OpenTofu in place.

Does Stategraph work with OpenTofu as well as Terraform?

Yes. Stategraph works with both Terraform and OpenTofu.

What is the difference between Terraform and Ansible?

Terraform is a declarative infrastructure provisioning tool with state management. Ansible is an agentless automation and configuration management tool that commonly uses SSH and YAML playbooks.

Terraform is usually better for defining cloud resources and managing desired infrastructure state, while Ansible is usually better for configuring servers, deploying applications, and automating operational tasks after resources exist.

Do I need to replace Terraform to fix state lock contention?

No. Replacing Terraform is one option, but it is not the only one. If the main problem is state lock contention, slow applies, and cross-state dependency overhead, a state backend replacement like Stategraph can address the bottleneck while leaving Terraform or OpenTofu, HCL, providers, and modules in place.

Try Stategraph free

If Terraform or OpenTofu still fits your team but the state layer has become the bottleneck, Stategraph is worth seeing in practice. It keeps your existing HCL, providers, modules, and CLI workflow, and replaces only the backend that stores and locks state.