content(what-is): expand the top IaC tools comparison #19274

Draft: alexleventer wants to merge 1 commit into master from aleventer/top-iac-tools-rewrite

@alexleventer
Contributor

Summary

Rewrites content/what-is/top-iac-tools.md for AEO and SEO as a listicle/comparison page. Refreshes the tool catalog (adds OpenTofu, Crossplane, AWS CDK; restructures GCP coverage around Config Connector), corrects outdated facts (Terraform's BSL relicensing in August 2023), and adds a comprehensive side-by-side comparison table, decision tree, and FAQ.

What changed

  • Opening definition — bold one-sentence definition of an IaC tool plus a short framing paragraph stating the page is opinionated about evaluation criteria.
  • Evaluation criteria table — 7 criteria (languages, multi-cloud, state, testing/abstractions, ecosystem, governance, license) with why each matters.
  • Multi-cloud tools — Pulumi, Terraform, OpenTofu, Crossplane. Each entry uses a consistent bullet-list shape (Languages, Multi-cloud, State, Testing/abstractions, Governance, License) so they're directly comparable.
  • Cloud-specific tools — CloudFormation, AWS CDK, ARM/Bicep, GCP CDM/Config Connector. Same consistent shape.
  • Side-by-side comparison table — 8 tools across 7 dimensions (languages, clouds, state, reuse, testing, license).
  • Decision tree — 4-branch guidance for choosing based on cloud commitment, language preference, and operational model.
  • FAQ — 10 doubt-removers: most popular, Pulumi vs. Terraform, Terraform vs. OpenTofu, multi-tool usage, YAML for IaC, pricing, Kubernetes support, policy as code, secrets, drift.
  • Cross-links — IaC, Pulumi, Terraform comparison, DevOps, YAML, configuration management.

Factual corrections from the previous version

  • Terraform license: now correctly described as Business Source License (BSL) since August 2023, not generic open source.
  • GCP coverage: Config Connector now mentioned alongside the older CDM, reflecting Google's current direction.
  • Removed dated emoji-rich phrasing in favor of neutral comparison prose.
  • Added OpenTofu, Crossplane, and AWS CDK, which were previously missing or under-covered.

Test plan

  • make serve; visit /what-is/top-iac-tools/ and confirm rendering (incl. comparison table)
  • Spot-check cross-links (/what-is/what-is-infrastructure-as-code/, /docs/iac/comparisons/terraform/, /docs/iac/comparisons/terraform/opentofu/, /docs/iac/get-started/terraform/, /docs/insights/policy/, /product/esc/)
  • CI lint + pinned review

🤖 Generated with Claude Code

Rewrite for SEO and AEO: quotable opening definition that frames
IaC tools, explicit evaluation criteria, refreshed tool entries
(adds OpenTofu/Crossplane/CDK, updates Terraform's BSL license
change, notes GCP Config Connector), a comprehensive side-by-side
comparison table, a decision tree, and an FAQ section.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@github-actions (bot) added the labels review:triaging (Claude Triage is currently classifying the PR), domain:docs (PR touches technical docs) and review:in-progress (Claude review is currently running), and removed the label review:triaging (Claude Triage is currently classifying the PR), on May 20, 2026.

@pulumi-bot
Collaborator

@github-actions
Contributor

Pre-merge Review — Last updated 2026-05-20T16:55:02Z

Tip

Summary: This PR is a substantial rewrite of content/what-is/top-iac-tools.md — a what-is comparison page that now covers Pulumi, Terraform, OpenTofu, Crossplane, CloudFormation, AWS CDK, ARM/Bicep, and GCP Deployment Manager/Config Connector with per-tool prose, bullet specs, a side-by-side table, and a FAQ. The kind of wrongness that would hurt a reader is factual: language lists, provider counts, license/lineage details, and policy-engine claims that they're likely to repeat or build a decision on. External claim verification ran (86 claims extracted, 61 verified, 12 contradicted, 5 unverifiable — rate-limit errors hit two of the unverifiables), frontmatter sweep ran, Vale lint ran, and the temporal-trigger sweep flagged "as of 2025" framing.

Review confidence:

| Dimension | Level | Notes |
|---|---|---|
| mechanics | HIGH | |
| facts | MEDIUM | Verifier rate-limited on two CDK/GCP claims; the verdict trail captures the rest. |

Investigation log

  • Cross-sibling reads: not run (not in a templated section)
  • External claim verification: 61 of 86 claims verified (5 unverifiable, 13 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 43 Pass 1, 0 Pass 2, 43 Pass 3 (verified 27, contradicted 8, unverifiable 8).
  • Cited-claim spot-checks: not run (no cited claims)
  • Frontmatter sweep: ran on body + meta_desc
  • Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
  • Code execution: not run (no static/programs/ change)
  • Code-examples checks: not run (no fenced code blocks in content files)
  • Editorial-balance pass: not run (not under content/blog/)

| 🚨 Outstanding | ⚠️ Low-confidence | 💡 Pre-existing | ✅ Resolved |
|---|---|---|---|
| 12 | 13 | 0 | 0 |

🔍 Verification trail

86 claims extracted · 61 verified · 5 unverifiable · 13 contradicted
  • L3 in content/what-is/top-iac-tools.md "The meta description lists the top IaC tools covered as: Pulumi, Terraform, OpenTofu, CloudFormation, ARM/Bicep, GCP Deployment Manager, and AWS CDK." → ✅ verified (evidence: The meta_desc field at line 3 reads: "A comparison of the top Infrastructure as Code (IaC) tools — Pulumi, Terraform, OpenTofu, CloudFormation, ARM/Bicep, GCP Deployment Manager, AWS CDK." This exactly matches the claim's listed tools.; source: repo:content/what-is/top-iac-tools.md)
  • L12 in content/what-is/top-iac-tools.md "This page covers the most widely adopted IaC tools as of 2025." → ➖ not-a-claim (evidence: The text "This page covers the most widely adopted IaC tools as of 2025." appears verbatim at line 12 of the file. This is a temporal scope statement authored by the PR author describing their own page's coverage — it is a faithful descrip…; source: repo:content/what-is/top-iac-tools.md)
  • L30 in content/what-is/top-iac-tools.md "| Multi-cloud | Whether the tool natively supports the clouds and SaaS providers you target today and the ones you might in 24 months. |" → ➖ not-a-claim (framing: not-a-claim — the "24 months" figure is the author's own editorial planning horizon in a criterion description, not a third-party-attributed numerical claim.; evidence: The text is the PR author's own editorial description of a table criterion ("Multi-cloud") in their IaC tools comparison article. The "24 months" planning horizon is the author's own framing choice for the criterion, not a third-party-attr…; source: WebSearch ran query "IaC tool evaluation criteria multi-cloud support future planning"; claim is author's own editorial content, not a verifiable external fact.)
  • L31 in content/what-is/top-iac-tools.md "| State model | Whether state is managed for you, lives in a file you have to host, or is implicit in the cloud platform. Affects collaboration, locking, a…" → ➖ not-a-claim (evidence: This line is a table cell in the PR author's own documentation describing a comparison criterion ("State model") for IaC tools. It is a descriptive definition authored by the PR writer, not an attribution to a third-party source, and conta…; source: content/what-is/top-iac-tools.md L31)
  • L37 in content/what-is/top-iac-tools.md "The list of tools below is filtered down to actively maintained, production-grade options. Niche or stalled tools are omitted." → ➖ not-a-claim (evidence: The text at L37 of the file reads: "The list of tools below is filtered down to actively maintained, production-grade options. Niche or stalled tools are omitted." This is an editorial/framing statement made by the PR author about their ow…; source: repo:content/what-is/top-iac-tools.md)
  • L45 in content/what-is/top-iac-tools.md "Pulumi defines infrastructure in general-purpose programming languages: TypeScript, JavaScript, Python, Go, C#, Java, and YAML." → ✅ verified (framing: strengthened — official docs say ".NET" (broader family: C#, F#, PowerShell); claim narrows to "C#", which is the most prominent .NET language and a valid subs…; evidence: The official Pulumi languages & SDKs docs state: "Pulumi supports TypeScript, JavaScript, Python, Go, .NET, Java, and YAML." The claim lists "C#" instead of ".NET", but C# is the primary .NET language Pulumi surfaces and is commonly used i…; source: https://www.pulumi.com/docs/iac/languages-sdks/)
  • L45 in content/what-is/top-iac-tools.md "Pulumi ships a managed state backend (Pulumi Cloud) with built-in encryption and locking." → ✅ verified (evidence: The file at L45 states verbatim: "ships a managed state backend (Pulumi Cloud) with built-in encryption and locking, plus self-managed backends for teams that need them." The claim is an exact subset of this sentence.; source: repo:content/what-is/top-iac-tools.md)
  • L45 in content/what-is/top-iac-tools.md "Pulumi supports self-managed backends for teams that need them." → ✅ verified (evidence: The file at content/what-is/top-iac-tools.md explicitly states: "Pulumi supports over 290 cloud and SaaS providers and ships a managed state backend (Pulumi Cloud) with built-in encryption and locking, plus self-managed backends for teams…; source: repo:content/what-is/top-iac-tools.md)
  • L45 in content/what-is/top-iac-tools.md "Pulumi supports 290+ providers across cloud and SaaS." (also L48, L143) → ❌ contradicted (framing: shifted — claim states "290+ providers" but authoritative sources cite "150+" (docs.pulumi.com) or "120+" (GitHub README); the "290+" figure appears nowhere on…; evidence: Current official Pulumi sources do not support "290+". The Pulumi docs page states "Browse and search Pulumi packages for 150+ cloud providers and services," and the pulumi/pulumi GitHub README says "120+ providers." No pulumi.com page use…; source: https://www.pulumi.com/docs/ and https://github.com/pulumi/pulumi; intuition: The "290+" figure is suspiciously precise and higher than any current official Pulumi source; may be stale or fabricate…)
  • L47 in content/what-is/top-iac-tools.md "Pulumi supports TypeScript, JavaScript, Python, Go, C#, Java, and YAML as infrastructure languages." (also L143) → ✅ verified (framing: strengthened — claim narrows ".NET" to "C#"; the official docs use ".NET" (which includes C#/F#/VB.NET), but the Pulumi product page itself uses "C#" as the re…; evidence: The official Pulumi Languages & SDKs docs state: "Pulumi supports TypeScript, JavaScript, Python, Go, .NET, Java, and YAML." The product page also lists "TypeScript/JavaScript, Python, Go, C#, Java, and YAML" explicitly using C# as the .NE…; source: https://www.pulumi.com/docs/iac/languages-sdks/)
  • L48 in content/what-is/top-iac-tools.md "Pulumi supports AWS, Azure, GCP, Oracle, Kubernetes, plus 290+ providers across cloud and SaaS." → ❌ contradicted (framing: narrowed — claim broadens the provider count to "290+" but official sources consistently cite 120–180+; the claim overclaims the current figure.; evidence: Official Pulumi sources give lower figures: the GitHub README states "120+ providers," the Pulumi docs homepage says "150+ cloud providers and services," and the 2024 year-in-review blog references "180+ supported providers." No authoritat…; source: https://www.pulumi.com/docs/ ; https://github.com/pulumi/pulumi ; https://www.pulumi.com/blog/pulumi-year-in-review/; intuition: 290+ is suspiciously high compared to all official Pulumi figures (120–180+); may be conflating Pulumi native providers…)
  • L49 in content/what-is/top-iac-tools.md "Pulumi's state is managed by default in Pulumi Cloud with encryption and locking; self-managed backends are supported." → ✅ verified (evidence: The file at content/what-is/top-iac-tools.md contains the exact bullet: "State. Managed by default in Pulumi Cloud with encryption and locking; self-managed backends supported." The surrounding prose also states: "Pulumi…ships a manage…; source: repo:content/what-is/top-iac-tools.md, L49)
  • L50 in content/what-is/top-iac-tools.md "Pulumi supports native unit and integration testing." → ✅ verified (framing: strengthened — the source bullet also mentions components; the claim isolates only the testing aspect, which is a narrower subset of the source's broader state…; evidence: The file at L50 (Pulumi's "Testing and abstractions" bullet) states: "Native unit and integration testing; reusable components in real code." This directly confirms the claim that Pulumi supports native un…; source: repo:content/what-is/top-iac-tools.md)
  • L51 in content/what-is/top-iac-tools.md "Pulumi Policies support policy as code in the same languages as the IaC programs." → ❌ contradicted (framing: narrowed — claim broadens the source's "TypeScript/JavaScript, Python, or OPA (Rego)" to "the same languages as the IaC programs"; Go, C#, and Java are not yet…; evidence: The /docs/insights/policy/ page states: "Policies can be written in TypeScript/JavaScript (Node.js), Python, or OPA (Rego)" — with Go and .NET listed as "Future." Pulumi IaC supports TypeScript, JavaScript, Python, Go, C#, Java, and YAML…; source: repo:content/docs/insights/policy/_index.md)
  • L52 in content/what-is/top-iac-tools.md "Pulumi is licensed under Apache 2.0 (open source) with commercial Pulumi Cloud features." → ✅ verified (evidence: The file content/what-is/top-iac-tools.md explicitly states under Pulumi's License bullet: "Apache 2.0 (open source); commercial Pulumi Cloud features." The pulumi/pulumi GitHub repository's LICENSE file is confirmed to be the Apache L…; source: repo:content/what-is/top-iac-tools.md (L52 area) and gh api repos/pulumi/pulumi/contents/LICENSE)
  • L54 in content/what-is/top-iac-tools.md "### Terraform" → ✅ verified (evidence: The URL https://www.terraform.io/ resolves to the live official Terraform site, titled "Terraform | HashiCorp Developer", confirming it is the correct canonical URL for Terraform.; source: https://www.terraform.io/)
  • L56 in content/what-is/top-iac-tools.md "Terraform state lives in a file the user hosts (S3, Azure Blob, GCS, or HashiCorp's commercial backend) with locking." → ✅ verified (evidence: The file at content/what-is/top-iac-tools.md (Terraform section) states: "State lives in a file you host (S3, Azure Blob, GCS, or HashiCorp's commercial backend) with locking, which works but requires explicit setup." This matches the clai…; source: repo:content/what-is/top-iac-tools.md)
  • L56 in content/what-is/top-iac-tools.md "Terraform's license changed from MPL 2.0 to the Business Source License (BSL) in August 2023." (also L63, L69, L76, L144-145, L175) → ✅ verified (evidence: Multiple authoritative sources confirm the exact claim. Gruntwork: "On Thursday, August 10, 2023, HashiCorp announced that it was switching Terraform from the MPL v2 license to a 'Business Source License' (BSL)." The date (August 2023), th…; source: https://www.gruntwork.io/blog/the-impact-of-the-hashicorp-license-change-on-gruntwork-customers)
  • L56 in content/what-is/top-iac-tools.md "Terraform's license changed from the open-source MPL 2.0 to the source-available Business Source License (BSL) as of August 2023." → ✅ verified (evidence: The file at content/what-is/top-iac-tools.md line 56 states: "As of August 2023, Terraform's license changed from the open-source MPL 2.0 to the source-available Business Source License (BSL)." This matches the well-documented HashiCorp an…; source: repo:content/what-is/top-iac-tools.md)
  • L61 in content/what-is/top-iac-tools.md "Terraform Test was introduced in Terraform version 1.6+." (also L144) → ✅ verified (evidence: The official HashiCorp blog confirms: "The general availability of Terraform 1.6 brings a new Terraform test framework that deprecates and replaces the previous experimental feature first added in version 0.15."; source: https://www.hashicorp.com/en/blog/terraform-1-6-adds-a-test-framework-for-enhanced-code-validation)
  • L62 in content/what-is/top-iac-tools.md "OSS Terraform users typically pair with Open Policy Agent for governance." → ✅ verified (evidence: The file at content/what-is/top-iac-tools.md, in the Terraform section under Governance, states: "Sentinel (commercial) for policy; OSS users typically pair with Open Policy Agent." This directly matches the claim.; source: repo:content/what-is/top-iac-tools.md)
  • L62 in content/what-is/top-iac-tools.md "Sentinel is a commercial (not open-source) policy-as-code tool for Terraform." → ✅ verified (evidence: Multiple authoritative sources confirm Sentinel is HashiCorp's commercial, proprietary policy-as-code framework — not open source. As one source states: "Sentinel is a policy-as-code framework that integrates seamlessly as part of their co…; source: https://community.intel.com/t5/Blogs/Tech-Innovation/Cloud/Exploring-the-Power-of-HashiCorp-Terraform-Sentinel-Terraform/post/1511303; https://aws.amazon.com/blogs/apn/scale-securely-with-hashicorp-terraform-and-sentinel-policy-as-code/)
  • L65 in content/what-is/top-iac-tools.md "For a direct comparison see Pulumi vs. Terraform." → ✅ verified (evidence: The file content/docs/iac/comparisons/terraform/_index.md exists with title: Terraform and h1: Pulumi vs. Terraform, confirming the URL /docs/iac/comparisons/terraform/ is valid and the link text "Pulumi vs. Terraform" matches exac…; source: repo:content/docs/iac/comparisons/terraform/_index.md)
  • L69 in content/what-is/top-iac-tools.md "OpenTofu is under the Linux Foundation's stewardship." → ✅ verified (evidence: The opentofu.org homepage states verbatim: "OpenTofu is a reliable, flexible, community-driven infrastructure as code tool under the Linux Foundation's stewardship." This is confirmed by the Linux Foundation's own press release announcing…; source: https://opentofu.org/)
  • L69 in content/what-is/top-iac-tools.md "OpenTofu is a community fork of Terraform 1.6.x created in response to the BSL license change." → ❌ contradicted (framing: shifted — claim says "fork of Terraform 1.6.x" but sources consistently say the fork was from Terraform 1.5.x (the last MPL-licensed version); Terraform 1.6 wa…; evidence: Multiple authoritative sources confirm OpenTofu was forked from Terraform 1.5.x (the last MPL-licensed version), not 1.6.x. The OpenTofu manifesto states "Forking the legacy MPL-licensed Terraform," and sources note "OpenTofu forked from T…; source: https://opentofu.org/manifesto/ ; https://scalr.com/learning-center/opentofu-vs-terraform ; https://encore.cloud/resources/opentofu-vs-terraform-2026)
  • L69 in content/what-is/top-iac-tools.md "OpenTofu was created in response to the BSL license change." → ✅ verified (evidence: The OpenTofu announcement blog post states: "Two weeks ago, HashiCorp announced they are changing the license to all their core products, including Terraform, to the Business Source License (BSL). In an attempt to keep Terraform open sourc…; source: https://github.com/opentofu/opentofu.org/blob/main/blog/2023-08-25-opentofu-announces-fork-of-terraform.md (via gh search code --owner opentofu))
  • L76 in content/what-is/top-iac-tools.md "OpenTofu is licensed under the Mozilla Public License 2.0 (open source)." → ✅ verified (evidence: The opentofu/opentofu README on GitHub states: "Mozilla Public License v2.0", and the OpenTofu org CHARTER.md confirms "All new inbound code contributions to the Project must be mad…; source: gh search code --owner opentofu "Mozilla Public License" (opentofu/opentofu:README.md, opentofu/org:CHARTER.md))
  • L78 in content/what-is/top-iac-tools.md "See Terraform vs. OpenTofu for a deeper look." → ✅ verified (evidence: The file content/docs/iac/comparisons/terraform/opentofu.md exists in the pulumi/docs repo, which Hugo serves at the URL path /docs/iac/comparisons/terraform/opentofu/, confirming the linked path is valid.; source: gh api repos/pulumi/docs/contents/content/docs/iac/comparisons/terraform)
  • L80 in content/what-is/top-iac-tools.md "Crossplane runs as a Kubernetes control plane that provisions cloud resources via custom resource definitions (CRDs)." (also L82) → ✅ verified (evidence: The official Crossplane docs confirm: "Crossplane creates Kubernetes Custom Resource Definitions (CRDs) to represent the external resources as native Kubernetes objects" and it "lets you build a control plane with Kubernetes-style declarat…; source: https://docs.crossplane.io/v1.20/getting-started/introduction/)
  • L80 in content/what-is/top-iac-tools.md "### Crossplane" → ✅ verified (evidence: The URL https://www.crossplane.io/ resolves to the official Crossplane project website, confirmed live with the title "Crossplane Is the Cloud-Native Framework for Platform Engineering."; source: https://www.crossplane.io/)
  • L82 in content/what-is/top-iac-tools.md "Crossplane lets you manage cloud resources with the same kubectl and Argo CD workflow as your applications." → ✅ verified (framing: strengthened — claim narrows the broader "Crossplane + Argo CD manage all resources" to the specific framing of using "the same kubectl and Argo CD workflow as…; evidence: (escalated from pass1) Multiple authoritative sources confirm this. The official Crossplane docs state "Argo CD and Crossplane are a great combination. Argo CD provides GitOps while Crossplane turns any Kubernetes cluster into a Universal…; source: https://docs.crossplane.io/latest/guides/crossplane-with-argo-cd/ and https://blog.upbound.io/argo-crossplane-managing-application-stack)
  • L85 in content/what-is/top-iac-tools.md "Crossplane supports AWS, Azure, GCP, plus a growing provider catalog." → ✅ verified (evidence: The file at content/what-is/top-iac-tools.md, in the Crossplane section, states: "Multi-cloud. AWS, Azure, GCP, plus a growing provider catalog; depth varies." — which directly matches the claim.; source: repo:content/what-is/top-iac-tools.md)
  • L86 in content/what-is/top-iac-tools.md "Crossplane state is stored as Kubernetes resources; controllers reconcile continuously." → ✅ verified (evidence: The file at content/what-is/top-iac-tools.md contains the exact text under the Crossplane section: "State. Stored as Kubernetes resources; controllers reconcile continuously."; source: repo:content/what-is/top-iac-tools.md)
  • L88 in content/what-is/top-iac-tools.md "Crossplane inherits Kubernetes RBAC and admission controllers, with OPA integration via Kyverno or Gatekeeper." → ❌ contradicted (framing: shifted — the claim frames Kyverno as an OPA integration mechanism, but Kyverno is a distinct non-OPA policy engine; only Gatekeeper provides OPA integration f…; evidence: The file at L88 reads "OPA integration via Kyverno or Gatekeeper." However, Kyverno is NOT an OPA-based tool — it is an independent Kubernetes-native policy engine with its own rule language. Only Gatekeeper (OPA Gatekeeper) provides OPA i…; source: repo:content/what-is/top-iac-tools.md (L88); Kyverno's own documentation explicitly states it is a separate policy engine from OPA/Gatekeeper.; intuition: Kyverno and OPA/Gatekeeper are commonly listed together as Kubernetes policy options, but they are architecturally dist…)
  • L89 in content/what-is/top-iac-tools.md "Crossplane is part of the CNCF (Cloud Native Computing Foundation)." → ✅ verified (evidence: The official CNCF project page confirms: "Crossplane was accepted to CNCF on June 25, 2020, moved to the Incubating maturity level on September 14, 2021, and then moved to the Graduated maturity level on October 28, 2025." Crossplane is un…; source: https://www.cncf.io/projects/crossplane/)
  • L89 in content/what-is/top-iac-tools.md "Crossplane is licensed under Apache 2.0 and is part of the CNCF." → ✅ verified (evidence: The official Crossplane GitHub repo states "Crossplane is under the Apache 2.0 license" and "Crossplane is a Cloud Native Computing Foundation project." The CNCF project page confirms Crossplane was accepted to CNCF on June 25, 2020 and ha…; source: https://github.com/crossplane/crossplane (license + CNCF membership); https://www.cncf.io/projects/crossplane/ (CNCF membership confirmed))
  • L97 in content/what-is/top-iac-tools.md "AWS CloudFormation manages deployments as 'stacks' with cross-account and cross-region support via StackSets." → ✅ verified (evidence: AWS official docs confirm both parts of the claim. CloudFormation manages deployments as "stacks" (per the Welcome page and multiple docs), and StackSets provides cross-account and cross-region support: "StackSets extends the capability of…; source: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html)
  • L97 in content/what-is/top-iac-tools.md "CloudFormation templates are JSON or YAML; deployments are managed as 'stacks' with cross-account and cross-region support (StackSets)." → ✅ verified (evidence: The file at L97 states: "Templates are JSON or YAML; deployments are managed as 'stacks' with cross-account and cross-region support (StackSets)." This accurately describes AWS CloudFormation: templates are authored in JSON or YAML, deploy…; source: repo:content/what-is/top-iac-tools.md)
  • L104 in content/what-is/top-iac-tools.md "AWS CloudFormation is a proprietary AWS service (license)." → ✅ verified (evidence: The file at content/what-is/top-iac-tools.md describes CloudFormation as "AWS's first-party IaC service" — a proprietary, closed-source service managed entirely by AWS. This is consistent with the claim that CloudFormation is a proprietary…; source: repo:content/what-is/top-iac-tools.md)
  • L106 in content/what-is/top-iac-tools.md "### AWS Cloud Development Kit (CDK)" → ✅ verified (evidence: The URL https://aws.amazon.com/cdk/ is live and resolves to the official AWS Cloud Development Kit page, titled "Open Source Development Framework - AWS Cloud Development Kit - AWS", confirming both the product name and the URL used in the…; source: https://aws.amazon.com/cdk/)
  • L108 in content/what-is/top-iac-tools.md "AWS CDK code is synthesized to CloudFormation templates and deployed via CloudFormation." → 🤷 unverifiable (evidence: verify-claims.py errored on this claim: RuntimeError: HTTP 429: {"type":"error","error":{"type":"rate_limit_error","message":"This request would exceed your organization's rate limit of 2,000,000 input tokens per minute (org: 85d1a054-3697…)
  • L108 in content/what-is/top-iac-tools.md "AWS CDK supports TypeScript, JavaScript, Python, Java, and C# as infrastructure languages." (also L112) → ❌ contradicted (framing: narrowed — claim lists only 5 languages (TypeScript, JavaScript, Python, Java, C#) but the source confirms 6, including Go; omitting Go makes the claim narrowe…; evidence: The official AWS CDK docs state: "The AWS Cloud Development Kit (AWS CDK) has first-class support for the TypeScript, JavaScript, Python, Java, C#, and Go general-purpose programming languages." The claim omits Go, making it an incomplete…; source: https://docs.aws.amazon.com/cdk/v2/guide/languages.html)
  • L110 in content/what-is/top-iac-tools.md "AWS CDK supports TypeScript, JavaScript, Python, Java, and C# as infrastructure languages." (also L148) → ❌ contradicted (framing: narrowed — claim lists only 5 languages (TypeScript, JavaScript, Python, Java, C#) but the source confirms 6, including Go; the claim omits a supported languag…; evidence: The AWS CDK v2 official docs state: "The AWS Cloud Development Kit (AWS CDK) has first-class support for the TypeScript, JavaScript, Python, Java, C#, and Go general-purpose programming languages." The claim omits Go, which is an officiall…; source: https://docs.aws.amazon.com/cdk/v2/guide/languages.html)
  • L111 in content/what-is/top-iac-tools.md "The 'CDK for Terraform' (CDKTF) project extends the CDK model to Terraform providers." → ✅ verified (framing: strengthened — claim says CDKTF "extends the CDK model to Terraform providers"; source confirms it leverages AWS CDK concepts/libraries and applies them to Ter…; evidence: HashiCorp's official CDKTF architecture docs confirm: "CDKTF shares core concepts and components with the Amazon Web Services Cloud Development Kit (AWS CDK)" and "CDK for Terraform leverages concepts and libraries from the AWS Cloud Devel…; source: https://developer.hashicorp.com/terraform/cdktf/concepts/cdktf-architecture)
  • L115 in content/what-is/top-iac-tools.md "AWS CDK is licensed under Apache 2.0 (open source) and deploys via the AWS CloudFormation service." → ✅ verified (evidence: AWS CDK FAQs confirm: "AWS CDK is distributed under the Apache License, Version 2.0" and it is "an open-source software development framework... deploying it through AWS CloudFormation." The GitHub repo LICENSE file and official AWS CDK do…; source: https://aws.amazon.com/cdk/faqs/ and https://github.com/aws/aws-cdk/blob/main/LICENSE)
  • L117 in content/what-is/top-iac-tools.md "### Azure Resource Manager (ARM) and Bicep" → ✅ verified (evidence: The URL https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview resolves to a live Microsoft Learn page titled "What is Azure Resource Manager?" which covers both ARM and Bicep: "Bicep is a language that was desi…; source: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview)
  • L119 in content/what-is/top-iac-tools.md "Azure Resource Manager is Microsoft's native deployment service; ARM templates are JSON." → ✅ verified (evidence: Azure Resource Manager (ARM) is Microsoft's native deployment and management service for Azure, and ARM templates are JSON-formatted files — this is well-established Microsoft documentation fact. The PR file (line ~119 in the ARM/Bicep sec…; source: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/overview)
  • L119 in content/what-is/top-iac-tools.md "Bicep is an Azure-specific DSL that compiles to ARM JSON." → ✅ verified (evidence: Multiple authoritative sources confirm the claim. For example: "Bicep is a domain-specific language (DSL) built for Azure resource deployment" and "Bicep files are transpiled into ARM templates before deployment." The claim that Bicep is a…; source: WebSearch ran query "Bicep Azure DSL compiles to ARM JSON"; top results from learn.microsoft.com, devopsschool.com, sqlstad.nl, and others all confirm the claim.)
  • L119 in content/what-is/top-iac-tools.md "ARM/Bicep state is implicit and managed by Azure." → ✅ verified (evidence: ARM/Bicep deployments use Azure Resource Manager as the backend, which tracks resource state implicitly — there is no separate state file to manage, mirroring the same pattern described for CloudFormation in the same file ("State is implic…; source: repo:content/what-is/top-iac-tools.md)
  • L122 in content/what-is/top-iac-tools.md "ARM/Bicep is Azure only (no multi-cloud support)." → ✅ verified (evidence: ARM (Azure Resource Manager) templates and Bicep are Microsoft Azure's first-party IaC tools, designed exclusively to deploy and manage Azure resources. They have no native support for provisioning resources on AWS, GCP, or any other cloud…; source: repo:content/what-is/top-iac-tools.md (document structure separates multi-cloud tools from cloud-specific tools, placing ARM/Bicep in the latter category))
  • L126 in content/what-is/top-iac-tools.md "ARM/Bicep is proprietary (Azure service); Bicep tooling is MIT-licensed." → ✅ verified (evidence: The Azure/bicep GitHub repo confirms: "All files except for the Azure Architecture SVG Icons...are subject to the MIT license." ARM/Bicep is an Azure (Microsoft) proprietary service/language, and the Bicep tooling is MIT-licensed open sour…; source: https://github.com/Azure/bicep — LICENSE file and repo README)
  • L128 in content/what-is/top-iac-tools.md "### Google Cloud Deployment Manager and Config Connector" → ✅ verified (evidence: The URL https://cloud.google.com/deployment-manager/docs resolves to the live official docs page titled "Google Cloud Deployment Manager documentation," confirming it is a valid and active link for the product.; source: https://cloud.google.com/deployment-manager/docs/?hl=en)
  • L130 in content/what-is/top-iac-tools.md "Google Cloud Deployment Manager (CDM) manages GCP resources using YAML and Jinja2 templates." → ✅ verified (framing: strengthened — claim narrows 'YAML, Jinja2, or Python' to 'YAML and Jinja2 templates'; source's broader form proves the claim as a subset, though Python is als…; evidence: Official Google Cloud Deployment Manager docs confirm: "A configuration is a file written in YAML syntax" and "Templates can be written in either Jinja 2.10.x or Python 3.x." The claim correctly identifies YAML and Jinja2 but omits Python…; source: https://docs.cloud.google.com/deployment-manager/docs/fundamentals)
  • L130 in content/what-is/top-iac-tools.md "Google now positions Config Connector — a Kubernetes-based controller that manages GCP resources via CRDs — as the modern GCP-first IaC layer." → 🤷 unverifiable (framing: shifted — the factual description of Config Connector (Kubernetes-based controller managing GCP resources via CRDs) is accurate, but the claim that Google "pos…; evidence: Google's official docs confirm Config Connector is "an open source Kubernetes add-on that lets you manage Google Cloud resources through Kubernetes" using CRDs and controllers. However, no Google source was found explicitly positioning it…; source: WebSearch ran query "Google positions Config Connector modern GCP-first IaC recommended 2024 2025"; top results from cloud.google.com/config-connector/docs/overview and cloud.google.com/blog/products/devops-sre/how-config-connector-compares-for-infrastructure-management/)
  • L132-133 in content/what-is/top-iac-tools.md "Google Cloud Deployment Manager supports YAML and Jinja2 templates; Config Connector uses YAML CRDs." → 🤷 unverifiable (evidence: verify-claims.py errored on this claim: RuntimeError: HTTP 429: {"type":"error","error":{"type":"rate_limit_error","message":"This request would exceed your organization's rate limit of 2,000,000 input tokens per minute (org: 85d1a054-3697…)
  • L137 in content/what-is/top-iac-tools.md "Google Cloud Deployment Manager and Config Connector are proprietary GCP services." → ❌ contradicted (framing: shifted — the claim labels Config Connector "proprietary" but it is Apache 2.0 open source; only Deployment Manager could arguably be called proprietary (it is…; evidence: Config Connector (k8s-config-connector) is publicly available on GitHub at GoogleCloudPlatform/k8s-config-connector under the Apache License 2.0 — it is open source, not proprietary. The repo metadata confirms: `"license":{"key":"apache-2.…; source: gh api repos/GoogleCloudPlatform/k8s-config-connector)
  • L143 in content/what-is/top-iac-tools.md "Pulumi supports TS, JS, Python, Go, C#, Java, YAML and 290+ providers." → ❌ contradicted (framing: narrowed — claim broadens "over 150 providers" to "290+ providers"; source supports the lower figure, not the higher claim; evidence: A December 2025 Pulumi blog post states the public registry has "now over 150 providers and 7,500 resource types." No authoritative source supports the "290+ providers" figure claimed in the PR.; source: https://www.pulumi.com/blog/2025-product-launches/; intuition: 290+ is nearly double the ~150 figure cited in official Pulumi sources as of late 2025; the number appears inflated.)
  • L144-145 in content/what-is/top-iac-tools.md "Terraform introduced Terraform Test in version 1.6+." → ✅ verified (evidence: The official HashiCorp Terraform docs state: "This testing framework is available in Terraform v1.6.0 and later." The HashiCorp blog confirms: "The general availability of Terraform 1.6 brings a new Terraform test framework."; source: https://developer.hashicorp.com/terraform/language/tests)
  • L148 in content/what-is/top-iac-tools.md "AWS CDK supports TypeScript, JavaScript, Python, Java, and C# and is AWS only (CloudFormation)." → ❌ contradicted (framing: narrowed — claim lists "TypeScript, JavaScript, Python, Java, and C#" but the source also includes Go as a supported language; the claim omits Go, making it an…; evidence: The official aws/aws-cdk README lists: "The CDK is available in the following languages: JavaScript, TypeScript, Python, Java, .NET, Go (Go ≥ 1.16.4)." The claim omits Go, which is an officially supported language.; source: https://github.com/aws/aws-cdk/blob/main/README.md (via gh api repos/aws/aws-cdk/contents/README.md))
  • L148 in content/what-is/top-iac-tools.md "AWS CDK is licensed under Apache 2.0." → ✅ verified (evidence: The LICENSE file in the official aws/aws-cdk GitHub repository decodes to "Apache License Version 2.0, January 2004", confirming AWS CDK is licensed under Apache 2.0.; source: gh api repos/aws/aws-cdk/contents/LICENSE)
  • L149 in content/what-is/top-iac-tools.md "Azure ARM/Bicep uses JSON and Bicep DSL, is Azure only, and ARM is proprietary while Bicep is MIT-licensed." → ✅ verified (evidence: The Azure/bicep GitHub repository LICENSE file (base64-decoded) begins "MIT License — Copyright (c) Microsoft Corporation", confirming Bicep is MIT-licensed. ARM templates are a proprietary Microsoft/Azure format (no open-source license),…; source: gh api repos/Azure/bicep/contents/LICENSE)
  • L150 in content/what-is/top-iac-tools.md "GCP CDM/Config Connector uses YAML, Jinja2, and CRDs, is GCP only, and is proprietary." → ❌ contradicted (framing: shifted — the claim merges two separate tools (CDM and Config Connector) into one description, incorrectly attributing Jinja2 to Config Connector and labeling…; evidence: (escalated from pass1) The claim conflates GCP Cloud Deployment Manager (which uses YAML + Jinja2) with Config Connector (which uses YAML + CRDs, not Jinja2). Critically, Config Connector is explicitly open source: "Config Connector is ful…; source: https://cloud.google.com/config-connector/docs/overview)
  • L161 in content/what-is/top-iac-tools.md "Most teams aren't choosing in a vacuum. They're choosing relative to where they are today — a Terraform shop adding policy, an AWS shop hitting CloudFormation'…" → ➖ not-a-claim (evidence: The "18 months" figure here is not a factual/numerical claim about an external measurable quantity — it is editorial/advisory prose authored by the PR author themselves, offering a planning horizon recommendation. It is a faithful descript…; source: content/what-is/top-iac-tools.md L161 (PR author's own editorial content))
  • L165 in content/what-is/top-iac-tools.md "### What is the most popular IaC tool?" → ➖ not-a-claim (evidence: The text "### What is the most popular IaC tool?" is a section heading/question in a markdown document, not a falsifiable assertion about the world. It makes no factual claim that can be verified or contradicted.; source: content/what-is/top-iac-tools.md L165)
  • L167 in content/what-is/top-iac-tools.md "Pulumi is the fastest-growing IaC tool among teams that want general-purpose languages and built-in testing." → 🤷 unverifiable (framing: shifted — source says "Pulumi's ecosystem is growing rapidly" (a general growth statement); claim asserts "fastest-growing IaC tool among teams that want gener…; evidence: The pulumi.com/what-is/top-iac-tools/ page describes Pulumi's ecosystem as "growing rapidly" and highlights general-purpose language support, but contains no claim that Pulumi is the "fastest-growing IaC tool among teams that want general-…; source: https://www.pulumi.com/what-is/top-iac-tools/; intuition: Superlative "fastest-growing" growth claims for a specific audience segment typically require survey/market data citati… (WebSearch dispatched but verification did not converge within the turn budget))
  • L169 in content/what-is/top-iac-tools.md "### Is Pulumi better than Terraform?" → ➖ not-a-claim (evidence: The text "### Is Pulumi better than Terraform?" is a section heading (H3 markdown), not a falsifiable assertion. It poses a question rather than making a factual claim, and serves as a navigational/structural element in the document.; source: content/what-is/top-iac-tools.md L169)
  • L171 in content/what-is/top-iac-tools.md "For most multi-cloud teams that already use general-purpose languages, yes — Pulumi removes the friction of learning a DSL and brings testing, abstraction, and…" → ✅ verified (evidence: The file content/docs/iac/comparisons/terraform/_index.md exists at the path /docs/iac/comparisons/terraform/ and is titled "Pulumi vs. Terraform", confirming the link target and anchor text used in the claim are correct.; source: repo:content/docs/iac/comparisons/terraform/_index.md)
  • L175 in content/what-is/top-iac-tools.md "OpenTofu remains open source under MPL 2.0 under Linux Foundation stewardship." → ✅ verified (evidence: OpenTofu's own org README states "It is hosted by the Linux Foundation (LF)" and TSC notes confirm "OpenTofu forked MPL licensed repo. It's still MPL in the fork." The opentofu.org hero component also reads "as code tool under the Linux Fo…; source: gh search code --owner opentofu "MPL" "Linux Foundation" → opentofu/.github profile/README.md and opentofu/org TSC/2026-04-14_NOTES.md)
  • L175 in content/what-is/top-iac-tools.md "OpenTofu maintains compatibility with Terraform's HCL and provider ecosystem." → ✅ verified (framing: strengthened — claim narrows 'HCL, modules, and providers' to 'HCL and provider ecosystem'; source's broader form proves the claim as a subset; evidence: The file itself at the OpenTofu section states: "It maintains compatibility with Terraform's HCL, modules, and providers under the Linux Foundation's stewardship." The claim that OpenTofu maintains compatibility with Terraform's HCL and pr…; source: repo:content/what-is/top-iac-tools.md)
  • L175 in content/what-is/top-iac-tools.md "OpenTofu is a community fork of Terraform 1.6.x created after HashiCorp relicensed Terraform under the source-available Business Source License in 2023." → ❌ contradicted (framing: shifted — claim says "fork of Terraform 1.6.x" but sources confirm the fork was from Terraform 1.5.7 (last MPL release); Terraform 1.6 was the first BSL-licens…; evidence: Multiple authoritative sources confirm OpenTofu was forked from Terraform 1.5.7 (the last MPL-licensed release), not 1.6.x. One source states: "OpenTofu was forked from Terraform 1.5.7 in August 2023 after HashiCorp's BSL license change."…; source: https://kx.cloudingenium.com/en/opentofu-open-source-terraform-fork-infrastructure-guide/ and https://opentofu.org/manifesto/)
  • L179 in content/what-is/top-iac-tools.md "Pulumi can import Terraform state and consume Terraform modules directly." → ✅ verified (evidence: The /docs/iac/get-started/terraform/ page explicitly lists both capabilities: "Reference existing Terraform state files from Pulumi" and "Import and use Terraform modules directly," directly confirming both parts of the claim.; source: content/docs/iac/get-started/terraform/_index.md)
  • L183 in content/what-is/top-iac-tools.md "For small, mostly-static configurations, yes. It starts to crack when you need loops, conditionals, reusable abstractions, or tests — which is when teams reach…" → ✅ verified (evidence: The file content/what-is/what-is-yaml.md exists and is a valid Pulumi "what-is" page titled "What is YAML?" — the internal link /what-is/what-is-yaml/ in the claim resolves to a real, populated page.; source: repo:content/what-is/what-is-yaml.md)
  • L187 in content/what-is/top-iac-tools.md "Pulumi, OpenTofu, Crossplane, and AWS CDK are open source for their core tools." → ✅ verified (evidence: The file explicitly states: Pulumi — "Apache 2.0 (open source)"; OpenTofu — "Mozilla Public License 2.0 (open source)"; Crossplane — "Apache 2.0 (open source); part of the CNCF." AWS CDK is also widely known to be Apache 2.0 open source, c…; source: repo:content/what-is/top-iac-tools.md)
  • L187 in content/what-is/top-iac-tools.md "Terraform's core is source-available under the Business Source License (BSL)." → ✅ verified (evidence: HashiCorp's official blog confirms: "we are announcing that HashiCorp is changing its source code license from Mozilla Public License v2.0 (MPL 2.0) to the Business Source License (BSL, also known as BUSL) v1.1 on all future releases of Ha…; source: https://www.hashicorp.com/en/blog/hashicorp-adopts-business-source-license)
  • L187 in content/what-is/top-iac-tools.md "CloudFormation, ARM, and GCP Deployment Manager (CDM) are free to use but lock users into one provider." → ❌ contradicted (framing: shifted — the claim labels GCP Deployment Manager as "(CDM)" but the correct abbreviation is "GDM" (Google Deployment Manager); "CDM" does not correspond to th…; evidence: GCP Deployment Manager's standard abbreviation is "GDM" (Google Deployment Manager), not "CDM". The claim incorrectly labels it "(CDM)" — there is no standard industry abbreviation "CDM" for GCP Deployment Manager. The file content confirm…; source: repo:content/what-is/top-iac-tools.md (file read) + industry standard naming for GCP Deployment Manager; intuition: The abbreviation "CDM" for GCP Deployment Manager is non-standard; the correct abbreviation is "GDM".)
  • L191 in content/what-is/top-iac-tools.md "Pulumi has a strongly-typed Kubernetes provider with CRD support and Helm chart integration." → ✅ verified (framing: strengthened — claim narrows the source's broad "first-class support for Helm and CRDs" to the specific framing of "strongly-typed Kubernetes provider with CRD…; evidence: The official Pulumi Kubernetes page states: "Pulumi has first-class support for popular Kubernetes tools, such as Helm, Kustomize, YAML, Secret Managers, Open Policy Agent (OPA), Custom Resource Definitions (CRDs), and Server-Side Apply (S…; source: https://www.pulumi.com/kubernetes/)
  • L191 in content/what-is/top-iac-tools.md "Terraform and OpenTofu have Kubernetes providers." → ✅ verified (evidence: The hashicorp/terraform-provider-kubernetes repo exists and is actively maintained (description: "Terraform Kubernetes provider", homepage: registry.terraform.io/providers/hashicorp/kubernetes). OpenTofu is a fork of Terraform that is pr…; source: gh api repos/hashicorp/terraform-provider-kubernetes)
  • L191 in content/what-is/top-iac-tools.md "CDM (Google Cloud Deployment Manager) can create GKE clusters." → ✅ verified (framing: strengthened — claim uses "CDM" (likely a typo for "GDM") but the capability itself (creating GKE clusters) is confirmed by official Google Cloud Deployment Ma…; evidence: Google Cloud Deployment Manager can create GKE clusters, as confirmed by official GoogleCloudPlatform samples: "This is a Google Cloud Deployment Manager template which deploys a GKE cluster and a Deployment Manager type." The claim's abbr…; source: https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/examples/v2/gke)
  • L191 in content/what-is/top-iac-tools.md "Crossplane runs as a Kubernetes control plane." → ✅ verified (framing: strengthened — claim narrows the source's broader "Crossplane builds on the Kubernetes control plane" to "Crossplane runs as a Kubernetes control plane"; the s…; evidence: The official crossplane.io homepage states: "Crossplane builds on the class leading Kubernetes control plane, extending its battle hardened reliability and security features." The official docs confirm "Crossplane is a control plane framew…; source: https://www.crossplane.io/ and https://docs.crossplane.io/latest/whats-crossplane/)
  • L195 in content/what-is/top-iac-tools.md "Open Policy Agent (OPA) is the cross-tool standard for policy as code." → 🤷 unverifiable (evidence: (escalated from pass1) OPA is well-documented as "an open source, general-purpose policy engine that unifies policy enforcement across the stack" and supports policy as code, but no authoritative source describes it as the "cross-tool stan…; source: WebSearch ran query "Open Policy Agent OPA policy as code standard"; top results from openpolicyagent.org, GitHub, and third-party sources describe OPA as a general-purpose policy engine but do not use the phrase "cross-tool standard."; intuition: The phrase "cross-tool standard" is a strong editorial claim of industry-wide standardization; OPA is widely used but c…)
  • L199 in content/what-is/top-iac-tools.md "Never embed secrets in code or state files. Pull them at runtime from a dedicated store. Pulumi ESC provides hierarchical environments and dyn…" → ✅ verified (evidence: Multiple official Pulumi docs pages confirm that Pulumi ESC provides "hierarchical environments" and dynamic secrets/credentials. For example: "Pulumi ESC (Environments, Secrets, and Configuration), which provides centralized secrets manag…; source: gh search code --owner pulumi "hierarchical environments" --repo pulumi/docs)
  • L203 in content/what-is/top-iac-tools.md "CloudFormation flags drift via a Drift Detection feature." → ✅ verified (evidence: AWS officially calls this a "drift detection" feature. The AWS blog states: "New Drift Detection Today we are announcing a powerful new drift detection feature" for CloudFormation, and the official AWS docs confirm "CloudFormation detects…; source: https://aws.amazon.com/blogs/aws/new-cloudformation-drift-detection/ and https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html)
  • L207 in content/what-is/top-iac-tools.md "Pulumi is open-source infrastructure as code in TypeScript, JavaScript, Python, Go, C#, Java, and YAML." → ✅ verified (framing: strengthened — the get-started page says "free, open source" IaC platform without listing languages; the claim adds the specific language list, which is confir…; evidence: The /docs/get-started/ page confirms Pulumi is "free, open source" IaC. The article itself (top-iac-tools.md) lists the exact seven languages: "TypeScript, JavaScript, Python, Go, C#, Java, and YAML," consistent with the claim's framing.; source: repo:content/docs/get-started/_index.md and repo:content/what-is/top-iac-tools.md)
  • L211-212 in content/what-is/top-iac-tools.md "* What is Infrastructure as Code (IaC)?" → ✅ verified (evidence: The file content/what-is/what-is-infrastructure-as-code.md exists with the front-matter title "What is Infrastructure as Code (IaC)?", exactly matching the link text and path used in the claim.; source: repo:content/what-is/what-is-infrastructure-as-code.md)
  • L213 in content/what-is/top-iac-tools.md "* Pulumi vs. Terraform" → ✅ verified (evidence: The file content/docs/iac/comparisons/terraform/_index.md exists with title: Terraform and h1: Pulumi vs. Terraform, confirming the path /docs/iac/comparisons/terraform/ is valid and the link text "Pulumi vs. Terraform" matches exa…; source: repo:content/docs/iac/comparisons/terraform/_index.md)
  • L214-216 in content/what-is/top-iac-tools.md "* What is Configuration Management?" → ✅ verified (evidence: The file content/what-is/what-is-configuration-management.md exists with the front-matter title: What is Configuration Management?, exactly matching the link text and path /what-is/what-is-configuration-management/ referenced in the…; source: repo:content/what-is/what-is-configuration-management.md)

Claim verification reported errors — some verdicts may be incomplete; spot-check the affected claims in-review.

@github-actions
Contributor

🚨 Outstanding in this PR

These must be resolved or refuted before merging.

  • [L45] content/what-is/top-iac-tools.md "Pulumi supports over 290 cloud and SaaS providers..." verdict: contradicted. No authoritative Pulumi source mentions a 290+ figure. The most recent published counts in this repo are "now over 150 providers and 7,500 resource types" (2025-product-launches/ and pulumi-release-notes-117/) and "200+ providers" (agent-sprawl-iac-platform-is-the-answer/). 290+ appears nowhere on pulumi.com, in the GitHub README, or in the registry.

    Suggested rewrite (line 45):

    Pulumi defines infrastructure in general-purpose programming languages: TypeScript, JavaScript, Python, Go, C#, Java, and YAML. That choice has downstream consequences — loops, conditionals, abstractions, and testing all come from the language rather than a custom DSL. Pulumi supports over 200 cloud and SaaS providers and ships a managed state backend (Pulumi Cloud) with built-in encryption and locking, plus self-managed backends for teams that need them.
    

    Or use "150+" if you want to match the registry's published count. Either way, please pick one figure and reuse it across L45, L48, L143, and L207 so the page is internally consistent.

  • [L48] content/what-is/top-iac-tools.md "AWS, Azure, GCP, Oracle, Kubernetes, plus 290+ providers across cloud and SaaS." verdict: contradicted. Same inflated provider count as L45. Whichever figure you settle on for L45 should appear here too.

    Suggested rewrite (line 48):

    * **Multi-cloud.** AWS, Azure, GCP, Oracle, Kubernetes, plus 200+ providers across cloud and SaaS.
    
  • [L51] content/what-is/top-iac-tools.md "Pulumi Policies (policy as code in the same languages)" verdict: contradicted. Pulumi IaC supports TypeScript, JavaScript, Python, Go, C#, Java, and YAML, but Pulumi Policies are written in TypeScript/JavaScript, Python, or OPA (Rego) per content/docs/insights/policy/_index.md: "Policies can be written in TypeScript/JavaScript (Node.js), Python, or OPA (Rego) and can be applied to Pulumi stacks written in any language." Saying "in the same languages" overstates the overlap.

    Suggested rewrite (line 51):

    * **Governance.** [Pulumi Policies](/docs/insights/policy/) (policy as code in TypeScript, JavaScript, Python, or OPA/Rego, applied to stacks in any language), [Pulumi ESC](/product/esc/) for secrets and environments, audit logs, RBAC.
    
  • [L69] content/what-is/top-iac-tools.md "OpenTofu is a community fork of Terraform 1.6.x created in response to the BSL license change." verdict: contradicted. OpenTofu forked from Terraform 1.5.7 — the last MPL-licensed release — not 1.6.x. Terraform 1.6 was already BSL when it shipped in October 2023, by which point the OpenTofu fork was underway. Sources: OpenTofu manifesto and the August 2023 fork announcement.

    Suggested rewrite (line 69):

    OpenTofu is a community fork of Terraform 1.5.x (the last MPL-licensed release) created in response to the BSL license change. It maintains compatibility with Terraform's HCL, modules, and providers under the Linux Foundation's stewardship. Most Terraform users can migrate by re-pointing their tooling; over time OpenTofu is expected to diverge with community-driven features.
    

    Apply the same fix at L175.

  • [L88] content/what-is/top-iac-tools.md "OPA integration via Kyverno or Gatekeeper." verdict: contradicted. Only Gatekeeper is the OPA project; Kyverno is a Kubernetes-native policy engine with its own DSL and is not built on OPA. Sibling page content/docs/iac/comparisons/crossplane.md already gets this right ("admission controllers such as Open Policy Agent Gatekeeper or Kyverno").

    Suggested rewrite (line 88):

    * **Governance.** Inherits Kubernetes RBAC and admission controllers; teams typically layer policy via [Open Policy Agent Gatekeeper](https://open-policy-agent.github.io/gatekeeper/) or [Kyverno](https://kyverno.io/).
    
  • [L108] content/what-is/top-iac-tools.md "AWS CDK lets you define infrastructure in TypeScript, JavaScript, Python, Java, or C#." verdict: contradicted. AWS CDK also supports Go. Per the official AWS CDK languages page: "first-class support for the TypeScript, JavaScript, Python, Java, C#, and Go general-purpose programming languages."

    Suggested rewrite (line 108):

    AWS CDK lets you define infrastructure in TypeScript, JavaScript, Python, Java, C#, or Go. CDK code is synthesized to CloudFormation templates and deployed via CloudFormation, so it shares CloudFormation's strengths (managed state, deep AWS integration) and constraints (AWS-only, CloudFormation's resource limits). CDK is a good choice for teams that want general-purpose languages but are committed to AWS.
    

    Apply the same fix at L110 and L148.

  • [L110] content/what-is/top-iac-tools.md "Languages. TypeScript, JavaScript, Python, Java, C#." verdict: contradicted. Same omission of Go as L108.

    Suggested rewrite (line 110):

    * **Languages.** TypeScript, JavaScript, Python, Java, C#, Go.
    
  • [L137] content/what-is/top-iac-tools.md "License. Proprietary (GCP services)." verdict: contradicted. This bullet groups CDM and Config Connector together but Config Connector is Apache 2.0 open source. Deployment Manager is the proprietary GCP service; Config Connector is OSS that ships on GitHub and runs as a Kubernetes add-on.

    Suggested rewrite (line 137):

    * **License.** Cloud Deployment Manager is a proprietary GCP service; Config Connector is open source (Apache 2.0) on GitHub.
    
  • [L143] content/what-is/top-iac-tools.md "Multi (290+ providers)" (comparison table) — verdict: contradicted. Same inflated count as L45/L48. Update the table cell to the same number you settle on for the prose.

    Suggested rewrite (line 143):

    | **Pulumi** | TS, JS, Python, Go, C#, Java, YAML | Multi (200+ providers) | Managed (or self-hosted) | Real-language components | First-class unit + integration | Apache 2.0 |
    
  • [L148] content/what-is/top-iac-tools.md "TS, JS, Python, Java, C#" (comparison table, AWS CDK row) — verdict: contradicted. Same omission of Go as L108/L110.

    Suggested rewrite (line 148):

    | **AWS CDK** | TS, JS, Python, Java, C#, Go | AWS only (CloudFormation) | Managed by CloudFormation | Constructs | Unit tests supported | Apache 2.0 |
    
  • [L150] content/what-is/top-iac-tools.md "GCP CDM / Config Connector | YAML, Jinja2, CRDs | … | Proprietary" (comparison table) — verdict: contradicted. Two issues in one cell: (1) the License column flattens both products to "Proprietary," but Config Connector is Apache 2.0 OSS — only Deployment Manager is proprietary; (2) the row combines Jinja2 (CDM only) and CRDs (Config Connector only) without disambiguating, so a reader scanning the table will mis-attribute either feature.

    Suggested rewrite (line 150):

    | **GCP CDM / Config Connector** | YAML + Jinja2 (CDM); YAML CRDs (Config Connector) | GCP only | Managed by GCP / Kubernetes | Templates / CRDs | Limited | Proprietary (CDM); Apache 2.0 (Config Connector) |
    
  • [L175] content/what-is/top-iac-tools.md "OpenTofu is a community fork of Terraform 1.6.x..." (FAQ) — verdict: contradicted. Same 1.6.x vs 1.5.x issue as L69. Fix both occurrences together.

    Suggested rewrite (line 175):

    OpenTofu is a community fork of Terraform 1.5.x (the last MPL-licensed release) created after HashiCorp relicensed Terraform under the source-available Business Source License in 2023. OpenTofu remains open source (MPL 2.0) under Linux Foundation stewardship and maintains compatibility with Terraform's HCL and provider ecosystem.
    

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

  • [L130] content/what-is/top-iac-tools.md "Google now positions Config Connector ... as the modern GCP-first IaC layer." verdict: unverifiable. The factual description (Kubernetes controller managing GCP resources via CRDs) is correct, but "Google positions Config Connector as the modern GCP-first IaC layer" is editorial — Google's docs describe Config Connector as one option, not as a positioning replacement for Deployment Manager. Consider softening to "Config Connector — a Kubernetes-based controller that manages GCP resources via CRDs — has emerged as the more common modern choice for GCP-first IaC" or attributing the positioning if you have a source. Not a merge blocker.

  • [L167] content/what-is/top-iac-tools.md "Pulumi is the fastest-growing among teams that want general-purpose languages and built-in testing." verdict: unverifiable. "Fastest-growing" is a superlative that needs a survey or growth-rate citation; no current source on pulumi.com makes that exact claim. Consider softening to "Pulumi is growing quickly among teams..." or "Pulumi's ecosystem is expanding rapidly..." (which matches the wording on existing Pulumi pages) unless you can attach a specific source. Not a merge blocker.

  • [L195] content/what-is/top-iac-tools.md "Open Policy Agent (OPA) is the cross-tool standard." verdict: unverifiable. OPA is widely adopted as a general-purpose policy engine, but "cross-tool standard" is editorial framing not used by openpolicyagent.org or CNCF. Consider "Open Policy Agent (OPA) is the most widely used general-purpose policy engine across tools" or similar. Not a merge blocker.

Style findings

Found by pattern-based linting; findings may be false positives.

  • line 12: [style] wordiness — 'It is' is too wordy.
  • line 29: [style] difficulty qualifier — Avoid difficulty qualifier 'easy' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
  • line 29: [style] wordiness — 'it is' is too wordy.
  • line 130: [style] wordiness — 'It is' is too wordy.
  • line 130: [style] weasel word — 'relatively' is a weasel word!
  • line 177: [style] first person — Avoid first-person pronouns such as ' I '.
  • line 183: [style] weasel word — 'mostly' is a weasel word!
  • line 183: [style] hyphenation — 'mostly-static' doesn't need a hyphen.
  • line 191: [style] hyphenation — 'strongly-typed' doesn't need a hyphen.
  • line 203: [style] weasel word — 'usually' is a weasel word!

📋 Triaged verifier findings

I double-checked these and realized they weren't real findings:
  • [L108] content/what-is/top-iac-tools.md "CDK code is synthesized to CloudFormation templates and deployed via CloudFormation." Mis-sourced: Verifier errored with HTTP 429 (rate limit). This is a well-known, documented AWS CDK behavior — the official AWS CDK FAQ and AWS CDK README both describe synthesis to CloudFormation as the deployment model.

  • [L132-133] content/what-is/top-iac-tools.md "Languages. YAML, Jinja2 templates (CDM); YAML CRDs (Config Connector)." Mis-sourced: Verifier errored with HTTP 429 (rate limit). The factual content is confirmed by Google's own Deployment Manager docs (YAML + Jinja2/Python templates) and Config Connector overview (YAML CRDs).

  • [L187] content/what-is/top-iac-tools.md "CloudFormation, ARM, CDM" Spurious: The verifier flagged "CDM" as a non-standard abbreviation, but the author defined it explicitly at L130 ("Google Cloud Deployment Manager (CDM)") and uses it consistently. The factual claim — that CloudFormation, ARM, and GCP Deployment Manager are free-to-use but vendor-locked — is correct.

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

No items resolved since the last review.

📜 Review history

  • 2026-05-20T16:55:02Z — Flagged inflated Pulumi provider count (290+), missing Go in AWS CDK language lists, OPA-vs-Kyverno mischaracterization, OpenTofu fork lineage (1.5.x not 1.6.x), Config Connector OSS license, and overstated Pulumi Policies language coverage. (8fcd689)

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)

@github-actions github-actions Bot added review:outstanding-issues Claude review completed; outstanding has author-actionable findings and removed review:in-progress Claude review is currently running labels May 20, 2026
@alexleventer alexleventer marked this pull request as draft May 20, 2026 18:03

Labels

domain:docs PR touches technical docs review:outstanding-issues Claude review completed; outstanding has author-actionable findings
