terraform VS hcl

When a change earns its way onto main, the train builds the container image one time and tags it by the commit SHA. That image is the artifact. It runs in dev immediately. And here's the part that makes promotion boring: shipping to prod doesn't rebuild anything. It re-points a config overlay (a Kustomize overlay, in practice, committed to the same repo) at the same SHA that's already running in dev. Same bytes, different environment. Promotion is a routing decision, not a build decision. The thing you tested in dev is the literal thing that runs in prod. Not a rebuild from the same commit and a hope. The same image. That cleanly splits two worlds that most setups jam into one giant deploy job. The slow-moving substrate (the cluster, the network, IAM, the shape of your manifests) changes on the order of a quarter and belongs to Terraform, ideally run through something like Terraform Cloud so applies are deliberate and auditable instead of run from someone's laptop. The fast-moving payload (image refs, rollouts, the things that change every commit) belongs to Git, reconciled continuously by a GitOps controller. Argo CD is the common one: it watches the repo, diffs the declared state against what's actually running in the cluster, and makes the cluster match. Change the overlay in Git, Argo CD notices and applies it. Flux does the same job if you prefer it. TF for the building, Git for the lights. The rule is simple: if it changes per release, Git owns it; if it changes per quarter, Terraform owns it. Match the tool to the rate of change and the six-hour deploy job that rewrites your infrastructure mid-flight just stops existing. One more piece falls out of this: tags are markers, not artifacts. The cluster never deploys a tag. The tag is a point-in-time anchor that says "this commit's state was live in prod," useful for audit, for rollback targeting, and for release notes. It records what shipped and when. Nothing reads it to decide what runs.

AWS EC2 / Azure VMs (Linux and Windows) — Dedicated job run terraform to provision and de-provision instances from packer templates.

Use an IaC tool like Terraform to define every resource declaratively, and a configuration management tool like Ansible for anything that runs on the instance itself.

⭐ hashicorp/terraform — 48,279 stars, 10,324 forks

Look, I don't know what else to tell 'ya, but in 2026 if you're getting "mysterious" charges from AWS after "deleting everything", you're simply not competent.

With a plethora of free billing tips from places like Duckbill https://www.duckbillhq.com/, to full-on repos like AWS-Nuke, https://github.com/ekristen/aws-nuke , down to AWS's own account monitoring and management services like Control Tower https://aws.amazon.com/controltower/, and Config https://aws.amazon.com/config/ , and full IAC ecosystems like Terraform https://developer.hashicorp.com/terraform or OpenTofu https://opentofu.org/ , you are not leveraging all the cost-management capabilities of the modern cloud.

Terraform has been iterating a lot more in the past few months introducing features or updates to the core binary which were always desired. Looking at the release notes of v1.15.0-alpha20260204 version , you see a few gems.

Having pre-execution options like in Terraform makes agent operations easier.

There's a Terraform GitHub issue that's been open for years: people want to customize modules without forking them. Add a lifecycle block. Tweak a tag. Simple stuff.

You’re integrating Puppet with other tooling (Terraform, CI/CD, internal platforms).

Be careful about linking to terraform docs for HCL, as it can be very easy to blur terraform's implementation of the behaviors from HCL itself

https://github.com/hashicorp/hcl/blob/v2.23.0/hclsyntax/spec... I believe is the actual language specification of heredocs

Similar to HCL which is way safer and clearer IMHO than all indent based craziness. Its lovely to see default values loaded thanks to some extra spaces. Brackets for the win!

https://github.com/hashicorp/hcl

This also reminds me of [HCL](https://github.com/hashicorp/hcl?tab=readme-ov-file#informat...)

Programming Model The first notable difference between Pulumi and Terraform is the programming language. Terraform uses a custom language called HashiCorp configuration language (HCL) to define infrastructure. In contrast, Pulumi offers more options, allowing you to choose from a list of popular programming languages.

Tenv utilizes go-version for semantic versioning and HCL parsing to extract version constraints from files like required_version in Terraform/OpenTofu or Terragrunt HCL files.

HCL is Hashicorp Configuration Language: https://github.com/hashicorp/hcl.

It's basically a DSL used by a bunch of Hashicorp products.

hcl is still MPLv2 https://github.com/hashicorp/hcl/blob/v2.23.0/LICENSE and my complaint is that the .go file has one import path but the compiler is going to secretly use a fork, versus updating the import path like a sane person. The only way anyone would know to check for why the complied code behaves differently is to know that trickery was possible

And that's not even getting into this horseshit: https://github.com/opentofu/hcl/blob/v2.20.1/go.mod#L1 which apparently allows one to declare a repos _import_ path to be different from the url used to fetch it

I have a similar complaint about how in the world anyone would know how "gopkg.in/yaml.v3" secretly resolved to

A Bake file can be written in HCL, YAML, or JSON. Docker recommends choosing HCL (HashiCorp Configuration Language) because it supports a more feature-complete Bake spec than the others. A valid Bake file should be called docker-bake followed by your chosen file extension.

In Kubernetes, we define deployments via YAML files. Whereas Nomad leverages HCL (HashiCorp Configuration Language).

Note that the Terragrunt configuration file uses the same HCL syntax as Terraform itself in terragrunt.hcl. Terragrunt also supports JSON-serialized HCL in a terragrunt.hcl.json file: where terragrunt.hcl is mentioned, you can always use terragrunt.hcl.json instead.