Crossplane vs Terraform vs Pulumi: Which Infrastructure Automation Fits Your Platform?
Platform teams choosing infrastructure automation face a fundamental decision: traditional Infrastructure as Code (Terraform, Pulumi) or Kubernetes-native control planes (Crossplane). Each approach has different trade-offs for developer self-service, multi-cloud governance, and operational complexity.
Quick comparison
| | Crossplane (self-hosted) | Upbound (managed Crossplane) | Terraform / OpenTofu | Pulumi |
|---|---|---|---|---|
| Approach | Kubernetes-native control plane | Managed Kubernetes control plane | Declarative IaC, plan-and-apply | SDK-based IaC, imperative |
| State management | Kubernetes etcd (no state files) | Managed by Upbound | State files (local, S3, Terraform Cloud) | State files (local, S3, Pulumi Cloud) |
| Reconciliation | Continuous, detects and fixes drift | Continuous | Manual: `terraform plan && apply` | Manual: `pulumi up` |
| Developer self-service | Native: `kubectl apply` or GitOps | Native: `kubectl apply` or GitOps | Requires CI/CD wrapper | Requires CI/CD wrapper |
| Multi-cloud | Single control plane, any provider | Single control plane, any provider | Separate configs per provider | Separate programs per provider |
| Swiss providers | cloudscale.ch, Exoscale providers available | cloudscale.ch, Exoscale via self-hosted | cloudscale.ch, Exoscale providers available | cloudscale.ch, Exoscale providers available |
| Maturity | CNCF Graduated (2024) | Commercial (Upbound, founded 2020) | Mature (HashiCorp, since 2014) | Growing (Pulumi, since 2018) |
| License | Apache 2.0 | Commercial SaaS | BSL 1.1 (Terraform) / MPL 2.0 (OpenTofu) | Apache 2.0 (engine) / Commercial (Cloud) |
| Best for | Platform teams on Kubernetes | Crossplane without operations overhead | Traditional ops teams, brownfield infra | Developer-centric teams wanting real code |
Terraform / OpenTofu
Terraform is the most widely adopted IaC tool. You define infrastructure in HCL files, run `terraform plan` to preview changes, and `terraform apply` to execute them.
Strengths:
- Mature ecosystem with thousands of providers
- Well-understood plan-and-apply workflow
- Large community, extensive documentation
- OpenTofu fork available under MPL 2.0 license
Limitations:
- State file management is a constant operational burden. Lost or corrupted state means manual recovery.
- No continuous reconciliation. Drift between plan and reality goes undetected until the next `apply`.
- No native developer self-service. Developers submit tickets or PRs; platform team runs `apply`.
- HCL is a DSL, not a general-purpose language. Limited logic and testing capabilities.
- HashiCorp's BSL license change (2023) created uncertainty; OpenTofu fork addresses this
Best for: Teams managing traditional infrastructure (VMs, networks, DNS) that don't need developer self-service.
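A scheduled check is one way to narrow the drift gap described above. The following added example (not from the original page or from the Terraform project) reads the JSON form of a saved plan, as produced by `terraform show -json`, and separates out-of-band drift from pending changes. The sample plan, the `SENSITIVE_TYPES` list and the exit-code convention are assumptions.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output,
# trimmed to the fields read below. Addresses are illustrative.
SAMPLE_PLAN = json.dumps({
    "resource_drift": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"]}},
    ],
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"]}},
        {"address": "aws_instance.app", "type": "aws_instance",
         "change": {"actions": ["no-op"]}},
    ],
})

# Assumption: the resource types this team treats as security-sensitive.
SENSITIVE_TYPES = frozenset({"aws_security_group", "aws_iam_policy", "aws_iam_role"})


def _changed(entries):
    """Yield (address, type, actions) for entries that are not no-ops."""
    for rc in entries or []:
        actions = rc.get("change", {}).get("actions", [])
        if actions and actions != ["no-op"]:
            yield rc.get("address", "?"), rc.get("type", ""), "/".join(actions)


def drift_report(plan_json, sensitive=SENSITIVE_TYPES):
    """Summarise out-of-band drift and pending changes from a JSON plan."""
    plan = json.loads(plan_json)
    drifted = list(_changed(plan.get("resource_drift")))
    return {
        "drifted": [(addr, act) for addr, _, act in drifted],
        "sensitive": [addr for addr, rtype, _ in drifted if rtype in sensitive],
        "pending": [addr for addr, _, _ in _changed(plan.get("resource_changes"))],
    }


def exit_code(report):
    """0 = in sync, 1 = drift or pending changes, 2 = sensitive drift."""
    if report["sensitive"]:
        return 2
    return 1 if report["drifted"] or report["pending"] else 0


if __name__ == "__main__":
    print(drift_report(SAMPLE_PLAN), exit_code(drift_report(SAMPLE_PLAN)))
```

Run from a scheduler or CI job, the non-zero exit codes give an alerting hook between applies; the check only reports drift and does not correct it.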
Pulumi
Pulumi uses real programming languages (Python, TypeScript, Go) instead of a DSL. Infrastructure is defined as code in the same languages developers already use.
Strengths:
- Real programming languages: loops, conditionals, tests, and IDE tooling
- Familiar developer experience
- Good for application-infrastructure co-location
- Supports all major cloud providers
Limitations:
- Still requires state files (Pulumi Cloud or self-managed backend)
- No continuous reconciliation. Same drift problem as Terraform.
- No native Kubernetes integration. Separate tool from your container platform.
- Smaller ecosystem than Terraform
- Small talent pool. Fewer Pulumi engineers available in Switzerland compared to Terraform or Kubernetes specialists. Hiring or contracting for Pulumi expertise is harder.
- Commercial cloud service for team features
Best for: Developer-centric teams that want infrastructure in the same language as their applications.
Crossplane (self-hosted)
Crossplane runs as a Kubernetes controller. You define infrastructure as Kubernetes custom resources, and Crossplane continuously reconciles the desired state against reality.
Strengths:
- No state files. Kubernetes etcd is the source of truth.
- Continuous reconciliation. Detects and fixes drift automatically.
- Developer self-service. Developers provision infrastructure via `kubectl apply` or GitOps, same as deploying applications.
- Compositions. Platform teams define guardrails and abstractions; developers get a simple API.
- Multi-cloud from one control plane: AWS, Azure, GCP, cloudscale.ch, Exoscale, Kubernetes, Helm, SQL.
- Builds on Kubernetes skills. Any engineer familiar with Kubernetes controllers and CRDs can operate Crossplane, unlike tools that require learning a separate ecosystem.
- CNCF Graduated project with vendor-neutral governance.
- Apache 2.0 license. No BSL surprises.
Limitations:
- Steeper learning curve than Terraform, especially Composition Functions
- Kubernetes cluster required to run the control plane
- Smaller provider ecosystem than Terraform (growing rapidly)
- Debugging can be harder (Kubernetes events vs Terraform output)
Best for: Platform teams already on Kubernetes that want developer self-service and continuous reconciliation.
Upbound (managed Crossplane)
Upbound offers a managed Crossplane control plane as a SaaS product, plus commercial features for enterprise teams.
Strengths:
- Crossplane without operating the control plane yourself
- Commercial support and enterprise features
- Upbound Marketplace for provider packages
Limitations:
- US-based SaaS. Data processed outside Switzerland.
- Starting at $1,000+/month for managed control planes
- Vendor dependency for a control plane that could be self-hosted
- Less flexibility than self-hosted for Swiss provider integrations
Best for: US/global teams wanting Crossplane without Kubernetes operations expertise.
VSHN Crossplane Consulting and Operations
VSHN is an official Crossplane commercial vendor (listed on crossplane.io). We help Swiss platform teams adopt Crossplane: architecture review, composition development, migration, and production operations.
What VSHN offers:
- Architecture review: Assess your infrastructure automation needs and design a Crossplane architecture (1-day engagement).
- Composition development: Build custom Compositions and Composition Functions for your team's self-service APIs.
- Migration from Terraform: Plan and execute migration of existing Terraform-managed infrastructure to Crossplane.
- Training: Hands-on Crossplane training for your platform team, delivered with training partners.
- 24/7 operations: VSHN operates your Crossplane control plane on APPUiO Cloud or your own Kubernetes cluster.
- Swiss providers: Production-proven Crossplane providers for cloudscale.ch and Exoscale.
Pricing: CHF 250/hour consulting. Scoped engagements from 1-day architecture reviews to multi-month platform builds.
Production track record: VSHN has run Crossplane in production since 2021, powering the entire VSHN Application Catalog on APPUiO Cloud. Hundreds of managed service instances are provisioned and reconciled daily.
Best for: Swiss platform teams adopting Crossplane who want hands-on expertise and operational support from an official vendor.
Crossplane vs Terraform: the key difference
Terraform automates infrastructure provisioning. Crossplane builds an infrastructure platform with developer self-service.
If your developers submit Jira tickets for infrastructure and your platform team runs `terraform apply`, Crossplane eliminates that bottleneck. Developers provision what they need via `kubectl` or GitOps, within the guardrails your platform team defines.
If you manage static infrastructure that rarely changes, Terraform's plan-and-apply workflow is simpler and more mature.
When to choose Crossplane with VSHN
Crossplane with VSHN makes sense when:
- Your platform team wants to offer developer self-service for infrastructure
- You're already on Kubernetes and want infrastructure automation in the same ecosystem
- You need multi-cloud governance from a single control plane
- Terraform state management has become a pain point
- You want Swiss-specific providers (cloudscale.ch, Exoscale) or custom Crossplane providers implemented for your control plane
- Your team needs hands-on help from an official Crossplane vendor
For a detailed sovereignty analysis, see our Crossplane sovereignty assessment.
Next steps
Ready to evaluate Crossplane for your platform? Book a free 30-minute call with our Crossplane team. We'll discuss your current setup, identify where Crossplane fits, and outline next steps.