Aws on Danilo Falcão da Silva

Terraform, OpenTofu and Pulumi: Why I Still Run Terraform in 2026

Thu, 21 May 2026 23:00:00 -0300

Infrastructure as Code stopped being a single-answer question a couple of years ago. Terraform went BSL in August 2023, OpenTofu forked under MPL, Pulumi kept arguing that infrastructure should be real code in real languages, and IBM closed the $6.4B HashiCorp acquisition in February 2025. Three legitimate tools, three different bets on who owns the abstraction.

I still run Terraform. For everything.

This post is the honest version of why. I’ve read the OpenTofu release notes, watched Pulumi talks, played with both on weekend projects, and read more migration write-ups than I can remember. I have never put OpenTofu or Pulumi in front of production traffic. Most of what follows about those two is research, not muscle memory — and I’ll flag that as I go.

AWS Lambda Still Matters in 2026: Glue, Burst, and Honest Trade-offs

Thu, 21 May 2026 18:00:00 -0300

I have spent most of my career running things that boot. Bare metal, VMs, containers, Kubernetes — boxes that come up, hold state, and need somebody to think about their lifecycle. AWS Lambda is the opposite of that mental model, and for a long time I treated it the way a lot of old-school infrastructure people treat it: useful for toy apps, fine for a Slack bot, not a serious tool.

Where to Hide Kubernetes Secrets: AWS, Azure, GCP, and On-Prem Compared

Wed, 20 May 2026 22:25:00 -0300

The Kubernetes Secret object is a YAML manifest with a base64-encoded value in it. That’s the entire encryption story. Anyone with get permission on the namespace can read every credential the workload holds. Base64 is not encryption. It is barely obfuscation.

Teams discover this the wrong way — usually during a security review, occasionally during an incident — and the next question is always the same: so where do the real secrets live?