<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: I just Dev</title>
    <description>The latest articles on DEV Community by I just Dev (@sun_wukong121).</description>
    <link>https://dev.to/sun_wukong121</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3915590%2F500893bd-153f-48be-9497-040d87abd72b.jpg</url>
      <title>DEV Community: I just Dev</title>
      <link>https://dev.to/sun_wukong121</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sun_wukong121"/>
    <language>en</language>
    <item>
      <title>I Asked GPT to Build the Same Infrastructure in AWS CDK, Terraform, Pulumi, and SST. Here's What Happened.</title>
      <dc:creator>I just Dev</dc:creator>
      <pubDate>Thu, 16 Jul 2026 17:25:44 +0000</pubDate>
      <link>https://dev.to/sun_wukong121/i-asked-gpt-to-build-the-same-infrastructure-in-aws-cdk-terraform-pulumi-and-sst-heres-what-al5</link>
      <guid>https://dev.to/sun_wukong121/i-asked-gpt-to-build-the-same-infrastructure-in-aws-cdk-terraform-pulumi-and-sst-heres-what-al5</guid>
      <description>&lt;p&gt;Most Infrastructure as Code debates ask the same questions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Which tool has the best syntax?&lt;/li&gt;
&lt;li&gt;Which one scales across teams?&lt;/li&gt;
&lt;li&gt;Which one supports multiple clouds?&lt;/li&gt;
&lt;li&gt;Which one produces the safest deployments?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;But AI coding agents add a new question:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Which IaC framework gives an LLM the best chance of generating infrastructure that is correct, understandable, and easy to repair?&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;That is not exactly the same as asking which framework is best for humans.&lt;/p&gt;

&lt;p&gt;A framework can be concise but difficult for an agent to validate. Another can be verbose but backed by an excellent preview engine. A third can turn an incorrect property into a precise compiler error that the model can fix immediately.&lt;/p&gt;

&lt;p&gt;So I compared six popular ways to define AWS infrastructure:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;AWS CDK&lt;/li&gt;
&lt;li&gt;Terraform&lt;/li&gt;
&lt;li&gt;Pulumi&lt;/li&gt;
&lt;li&gt;SST&lt;/li&gt;
&lt;li&gt;AWS SAM&lt;/li&gt;
&lt;li&gt;AWS CloudFormation&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The result surprised me less than the reason behind it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS CDK came out on top—but not simply because it uses TypeScript or Python. It won because it creates one of the strongest feedback loops for an AI coding workflow.&lt;/strong&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Important disclosure:&lt;/strong&gt; This is a small, directional, opinionated desk test—not a statistically controlled benchmark. The scores are engineering heuristics, not universal pass rates. Model choice, framework versions, supplied documentation, provider schemas, and the quality of the validation loop can all change the result.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The test
&lt;/h2&gt;

&lt;p&gt;I used the same infrastructure request for each framework:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Build a production-minded serverless URL-shortening API on AWS.&lt;/p&gt;

&lt;p&gt;It must include an API Gateway HTTP API, a Lambda function, a DynamoDB table using on-demand billing, encryption, point-in-time recovery, least-privilege permissions, environment-specific naming and tags, retained logs, and useful stack outputs.&lt;/p&gt;

&lt;p&gt;Do not hardcode credentials. Use current stable syntax, pin important dependencies or providers, explain the file structure, and include commands to format, validate, preview, and deploy the stack.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;For AWS CDK, I used TypeScript as the main pass and treated Python as a spot-check. Both are officially supported CDK languages, but TypeScript has a practical advantage for this kind of experiment: it was the first CDK language, many examples are written in it, and its type checker produces detailed repair signals.&lt;/p&gt;

&lt;p&gt;I evaluated the first-pass result across five questions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Did it choose the correct resources and connect them properly?&lt;/li&gt;
&lt;li&gt;Did it avoid obviously excessive IAM permissions?&lt;/li&gt;
&lt;li&gt;Was the generated code consistent with the framework’s current model?&lt;/li&gt;
&lt;li&gt;How useful were the compiler, validator, preview, or synthesis errors?&lt;/li&gt;
&lt;li&gt;How much human correction would I expect before a safe deployment?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I did &lt;strong&gt;not&lt;/strong&gt; treat a successful generation as permission to deploy into production. A clean-looking answer from an LLM is not a security review.&lt;/p&gt;

&lt;h2&gt;
  
  
  The scorecard
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Framework&lt;/th&gt;
&lt;th&gt;LLM Code Quality&lt;/th&gt;
&lt;th&gt;Reliability&lt;/th&gt;
&lt;th&gt;Fixes Needed&lt;/th&gt;
&lt;th&gt;Best For&lt;/th&gt;
&lt;th&gt;Overall&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;AWS CDK (TypeScript/Python)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;9/10&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;8.5/10&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;AWS-first teams&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Winner&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Terraform&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;8/10&lt;/td&gt;
&lt;td&gt;8/10&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;Multi-cloud teams&lt;/td&gt;
&lt;td&gt;Strong&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Pulumi&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;8.5/10&lt;/td&gt;
&lt;td&gt;8/10&lt;/td&gt;
&lt;td&gt;Low–Medium&lt;/td&gt;
&lt;td&gt;Developers who prefer code&lt;/td&gt;
&lt;td&gt;Strong&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;SST&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;8.5/10&lt;/td&gt;
&lt;td&gt;7.5/10&lt;/td&gt;
&lt;td&gt;Low–Medium&lt;/td&gt;
&lt;td&gt;Full-stack and serverless apps&lt;/td&gt;
&lt;td&gt;Promising&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;AWS SAM&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;7/10&lt;/td&gt;
&lt;td&gt;7/10&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;Focused Lambda stacks&lt;/td&gt;
&lt;td&gt;Good&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;CloudFormation&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;6/10&lt;/td&gt;
&lt;td&gt;6.5/10&lt;/td&gt;
&lt;td&gt;High&lt;/td&gt;
&lt;td&gt;Existing native AWS templates&lt;/td&gt;
&lt;td&gt;Limited as an LLM authoring surface&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Again, these numbers are &lt;strong&gt;directional&lt;/strong&gt;. They describe this workflow, not the total capability or maturity of each platform.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. AWS CDK: the best repair loop
&lt;/h2&gt;

&lt;p&gt;AWS CDK lets you define AWS infrastructure with general-purpose languages and then synthesizes the application into CloudFormation.&lt;/p&gt;

&lt;p&gt;That gives an AI agent several layers of feedback:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The language parser catches broken syntax.&lt;/li&gt;
&lt;li&gt;TypeScript can catch incorrect properties, imports, and argument types.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;cdk synth&lt;/code&gt; can catch construct-level and synthesis problems.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;cdk diff&lt;/code&gt; shows the infrastructure changes before deployment.&lt;/li&gt;
&lt;li&gt;CloudFormation remains the deployment engine underneath.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;That sequence matters.&lt;/p&gt;

&lt;p&gt;LLMs will make mistakes. The real question is whether a tool turns those mistakes into clear, local, repairable errors.&lt;/p&gt;

&lt;p&gt;Consider the intent behind a line such as:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight typescript"&gt;&lt;code&gt;&lt;span class="nx"&gt;table&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;grantReadWriteData&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;handler&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The developer—or agent—is expressing a relationship between two resources. The construct can generate the required IAM policy rather than forcing the model to manually assemble a large policy document.&lt;/p&gt;

&lt;p&gt;This does not guarantee least privilege, but it narrows the problem and makes the intent easier to inspect.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why TypeScript performed especially well
&lt;/h3&gt;

&lt;p&gt;TypeScript gave the strongest feedback in this comparison:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Misspelled properties usually failed early.&lt;/li&gt;
&lt;li&gt;Incorrect object shapes produced useful diagnostics.&lt;/li&gt;
&lt;li&gt;Imports and symbols were discoverable.&lt;/li&gt;
&lt;li&gt;Refactoring resource names was less fragile.&lt;/li&gt;
&lt;li&gt;The model could use compiler output as structured repair context.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  What about Python?
&lt;/h3&gt;

&lt;p&gt;Python is a fully supported AWS CDK language and is an entirely reasonable choice, especially for Python-heavy teams.&lt;/p&gt;

&lt;p&gt;Its generated CDK APIs use familiar Python conventions such as keyword arguments and &lt;code&gt;snake_case&lt;/code&gt; names. It is often more concise than TypeScript.&lt;/p&gt;

&lt;p&gt;For agent-heavy workflows, however, TypeScript has a slight edge because more mistakes are surfaced by static analysis before synthesis. Python can still produce an excellent workflow when paired with type checking, linting, tests, and &lt;code&gt;cdk synth&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;My practical rule is simple:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Use the language your team can review. If the team is neutral and expects heavy AI-agent usage, start with CDK in TypeScript.&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  Where CDK still fails
&lt;/h3&gt;

&lt;p&gt;CDK is not magically safe.&lt;/p&gt;

&lt;p&gt;An LLM can still:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Choose an overly high-level construct without understanding the resources it creates.&lt;/li&gt;
&lt;li&gt;Mix low-level &lt;code&gt;Cfn*&lt;/code&gt; resources with higher-level constructs awkwardly.&lt;/li&gt;
&lt;li&gt;Invent a property from an older API version.&lt;/li&gt;
&lt;li&gt;Generate broad IAM permissions.&lt;/li&gt;
&lt;li&gt;Hide expensive or destructive infrastructure behind a small amount of code.&lt;/li&gt;
&lt;li&gt;Produce a clean synthesis that is still architecturally wrong.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;code&gt;cdk synth&lt;/code&gt; proves that CDK can produce a template. It does not prove that the architecture is secure, affordable, or appropriate.&lt;/p&gt;

&lt;h2&gt;
  
  
  2. Terraform: the strongest declarative baseline
&lt;/h2&gt;

&lt;p&gt;Terraform performed well because its configuration language is constrained, widely used, and supported by a strong validation and planning workflow.&lt;/p&gt;

&lt;p&gt;A good agent loop looks like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Generate HCL
   ↓
terraform fmt
   ↓
terraform validate
   ↓
terraform plan
   ↓
Policy and security checks
   ↓
Human approval
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;code&gt;plan&lt;/code&gt; step is a major advantage. It gives both the human and the model a concrete description of intended infrastructure changes.&lt;/p&gt;

&lt;p&gt;Terraform was also the clearest choice when the prompt implied multi-cloud requirements. Its provider model is designed to interact with cloud platforms, SaaS products, and other APIs.&lt;/p&gt;

&lt;h3&gt;
  
  
  Where the LLM struggled
&lt;/h3&gt;

&lt;p&gt;The most common risks were not basic HCL syntax. They were version and provider semantics:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Using an argument that belongs to another provider version.&lt;/li&gt;
&lt;li&gt;Confusing similarly named resources or data sources.&lt;/li&gt;
&lt;li&gt;Producing technically valid IAM JSON with excessive permissions.&lt;/li&gt;
&lt;li&gt;Omitting state and backend decisions.&lt;/li&gt;
&lt;li&gt;Creating implicit dependencies that were difficult to understand.&lt;/li&gt;
&lt;li&gt;Assuming an AWS behavior that the provider does not model in the expected way.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Terraform providers have their own versions and release cycles. That means “write Terraform for AWS” is not enough context for a reliable agent. The model should know the Terraform version, AWS provider version, module contract, and organization conventions.&lt;/p&gt;

&lt;p&gt;With current provider documentation and a strict module interface, Terraform can easily outperform a code-first tool.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. Pulumi: the strongest general-purpose alternative
&lt;/h2&gt;

&lt;p&gt;Pulumi has many of the qualities that helped CDK:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Infrastructure can be defined in TypeScript, JavaScript, Python, Go, .NET, Java, or YAML.&lt;/li&gt;
&lt;li&gt;Normal language tooling can catch errors.&lt;/li&gt;
&lt;li&gt;Teams can use familiar testing libraries and package systems.&lt;/li&gt;
&lt;li&gt;The same approach can span AWS, Azure, Google Cloud, Kubernetes, and many other providers.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For straightforward resources, the generated Pulumi code was clean and readable. In a TypeScript workflow, the LLM benefited from many of the same compiler signals that helped CDK.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why it did not take first place
&lt;/h3&gt;

&lt;p&gt;The difficult parts appeared around framework-specific concepts rather than syntax:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Handling values that are only known after deployment.&lt;/li&gt;
&lt;li&gt;Correctly composing outputs and resource dependencies.&lt;/li&gt;
&lt;li&gt;Choosing the right provider or package.&lt;/li&gt;
&lt;li&gt;Managing state and stack configuration.&lt;/li&gt;
&lt;li&gt;Avoiding accidental mixing of ordinary runtime logic with deployment-time logic.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These concepts are learnable, but an LLM can produce code that looks like normal TypeScript while misunderstanding Pulumi’s execution model.&lt;/p&gt;

&lt;p&gt;For a multi-cloud team that wants general-purpose languages, Pulumi may be the best overall choice. My score does not mean CDK is universally better; it means CDK had an advantage in this AWS-only prompt.&lt;/p&gt;

&lt;h2&gt;
  
  
  4. SST: the smallest surface area—and the biggest version-context risk
&lt;/h2&gt;

&lt;p&gt;SST produced some of the shortest and most readable infrastructure definitions in the comparison.&lt;/p&gt;

&lt;p&gt;Its current model lets developers define an application in code through &lt;code&gt;sst.config.ts&lt;/code&gt;, use higher-level components, link resources to application code, and work across a large provider ecosystem. SST currently uses Pulumi behind the scenes for providers and the deployment engine, with Terraform providers bridged through Pulumi.&lt;/p&gt;

&lt;p&gt;For full-stack and serverless applications, that is a powerful combination.&lt;/p&gt;

&lt;p&gt;An LLM has fewer lines to generate, fewer resource identifiers to manually connect, and a vocabulary that often maps directly to application concepts.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why the reliability score was lower
&lt;/h3&gt;

&lt;p&gt;SST has evolved significantly, and older examples can describe APIs or project structures that no longer match the current documentation.&lt;/p&gt;

&lt;p&gt;That creates a classic LLM failure mode: the model remembers several generations of a framework and combines them into one plausible-looking answer.&lt;/p&gt;

&lt;p&gt;The solution is not to avoid SST. The solution is to provide better context:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Pin the SST version.&lt;/li&gt;
&lt;li&gt;Attach or retrieve the current component documentation.&lt;/li&gt;
&lt;li&gt;Tell the model not to use examples from older major versions.&lt;/li&gt;
&lt;li&gt;Validate the generated configuration immediately.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;With current documentation in context, SST could be the best choice in this list for a modern serverless or full-stack product team.&lt;/p&gt;

&lt;h2&gt;
  
  
  5. AWS SAM: excellent when the problem is actually serverless
&lt;/h2&gt;

&lt;p&gt;AWS SAM is an open-source framework focused on building serverless applications. Its shorthand resources are transformed into CloudFormation during deployment, and the SAM CLI supports local development and testing workflows.&lt;/p&gt;

&lt;p&gt;That narrow scope helps the LLM.&lt;/p&gt;

&lt;p&gt;For familiar combinations such as Lambda, API Gateway, event sources, and DynamoDB, the model usually knows the basic shape of a SAM template.&lt;/p&gt;

&lt;p&gt;The weaknesses appeared as the stack expanded:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;YAML nesting errors were easy to miss.&lt;/li&gt;
&lt;li&gt;IAM policies became verbose.&lt;/li&gt;
&lt;li&gt;Complex conditions and intrinsic functions reduced readability.&lt;/li&gt;
&lt;li&gt;Resources outside the serverless abstraction required regular CloudFormation definitions.&lt;/li&gt;
&lt;li&gt;Large templates became harder to repair without schema-aware tooling.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For a small Lambda application, SAM may be a better choice than its score suggests. A focused tool can be safer than a more flexible tool when the problem fits its boundaries.&lt;/p&gt;

&lt;h2&gt;
  
  
  6. CloudFormation: essential deployment engine, difficult authoring surface
&lt;/h2&gt;

&lt;p&gt;CloudFormation is the native AWS service for modeling and provisioning collections of resources as stacks. It is also the deployment engine underneath AWS CDK and AWS SAM.&lt;/p&gt;

&lt;p&gt;Its coverage and importance are not “limited.”&lt;/p&gt;

&lt;p&gt;The &lt;strong&gt;Limited&lt;/strong&gt; label in my scorecard means limited as my first-choice &lt;strong&gt;direct LLM authoring surface&lt;/strong&gt; for this task.&lt;/p&gt;

&lt;p&gt;Directly generated CloudFormation tended to be:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Much longer than the equivalent high-level code.&lt;/li&gt;
&lt;li&gt;More dependent on exact logical references.&lt;/li&gt;
&lt;li&gt;More vulnerable to subtle intrinsic-function mistakes.&lt;/li&gt;
&lt;li&gt;Harder to refactor.&lt;/li&gt;
&lt;li&gt;Expensive in tokens when the model had to revise a large template.&lt;/li&gt;
&lt;li&gt;More likely to contain hand-written IAM documents.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;CloudFormation is often an excellent target artifact. It is simply not always the easiest source format for an AI agent to author and repair directly.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why typed, code-first IaC often works well with LLMs
&lt;/h2&gt;

&lt;p&gt;The easy conclusion is:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;“LLMs prefer programming languages over YAML.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;I think that explanation is incomplete.&lt;/p&gt;

&lt;p&gt;The real advantage is &lt;strong&gt;feedback density&lt;/strong&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Symbols reduce ambiguity
&lt;/h3&gt;

&lt;p&gt;Typed APIs give the model a constrained set of classes, properties, and methods. A wrong guess can become a compiler error instead of surviving as plausible text.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Errors are local
&lt;/h3&gt;

&lt;p&gt;A TypeScript diagnostic often points to one property on one line. That is high-quality repair context for an agent.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. High-level relationships reduce token count
&lt;/h3&gt;

&lt;p&gt;A call that links a function to a table can replace a larger set of resource references and IAM statements. Fewer generated tokens mean fewer places for inconsistencies to appear.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Existing developer tooling becomes agent tooling
&lt;/h3&gt;

&lt;p&gt;Formatters, linters, compilers, test runners, package managers, and IDE diagnostics all become part of the model’s feedback loop.&lt;/p&gt;

&lt;h3&gt;
  
  
  5. Refactoring is safer
&lt;/h3&gt;

&lt;p&gt;Renaming a symbol through code is generally less fragile than manually changing logical references across a large template.&lt;/p&gt;

&lt;p&gt;But code-first IaC also introduces risks. Abstractions can hide resources, ordinary control flow can make infrastructure harder to predict, and a small code change can synthesize into a large deployment change.&lt;/p&gt;

&lt;p&gt;Typed code is not automatically safe. It is simply easier to place inside a rich repair loop.&lt;/p&gt;

&lt;h2&gt;
  
  
  The real winner is not CDK. It is closed-loop validation.
&lt;/h2&gt;

&lt;p&gt;The biggest lesson from this comparison is that &lt;strong&gt;LLM performance depends more on the workflow around the framework than on the framework’s syntax&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;A trustworthy AI-assisted infrastructure workflow should look like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Prompt and architecture constraints
              ↓
Generate the smallest vertical slice
              ↓
Format and lint
              ↓
Compile, validate, or synthesize
              ↓
Preview the infrastructure diff or plan
              ↓
Run policy, security, and cost checks
              ↓
Human review
              ↓
Deploy to an isolated environment
              ↓
Integration tests
              ↓
Explicit production approval
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The model should never be rewarded merely for producing a green deployment command.&lt;/p&gt;

&lt;p&gt;It should be rewarded for producing a reviewable change with clear assumptions, a safe preview, and evidence that the result meets the architecture constraints.&lt;/p&gt;

&lt;h2&gt;
  
  
  A practical playbook for using LLMs with IaC
&lt;/h2&gt;

&lt;p&gt;No matter which framework you choose, these practices improve the result:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Pin versions.&lt;/strong&gt; Give the model the framework, language, CLI, provider, and library versions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Supply current documentation.&lt;/strong&gt; Do not rely entirely on the model’s memory for rapidly changing APIs.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Start with one vertical slice.&lt;/strong&gt; Generate one API route, one function, and one data store before asking for the entire platform.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Require assumptions.&lt;/strong&gt; Ask the model to list unresolved architecture and security decisions before generating code.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Run deterministic validation.&lt;/strong&gt; Use &lt;code&gt;cdk synth&lt;/code&gt;, &lt;code&gt;cdk diff&lt;/code&gt;, &lt;code&gt;terraform validate&lt;/code&gt;, &lt;code&gt;terraform plan&lt;/code&gt;, &lt;code&gt;pulumi preview&lt;/code&gt;, &lt;code&gt;sam validate&lt;/code&gt;, or the equivalent workflow.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Feed exact errors back.&lt;/strong&gt; Compiler and validator output is better context than “it does not work.”&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Review IAM manually.&lt;/strong&gt; Treat wildcard actions and wildcard resources as findings that require justification.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Inspect destructive changes.&lt;/strong&gt; Deletion, replacement, public access, networking, encryption, retention, and backups need explicit review.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Use an isolated account or environment.&lt;/strong&gt; Do not give an experimental agent broad production credentials.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Keep a human approval gate.&lt;/strong&gt; A successful plan is evidence for review, not permission to deploy.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Which framework should you choose for an AI-assisted workflow?
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Your situation&lt;/th&gt;
&lt;th&gt;My starting point&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;AWS-first team using TypeScript&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;AWS CDK&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AWS-first team using Python&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;AWS CDK in Python&lt;/strong&gt; or &lt;strong&gt;Pulumi in Python&lt;/strong&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Multi-cloud platform team&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Terraform&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Multi-cloud team that prefers general-purpose code&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Pulumi&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Modern full-stack or serverless product&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;SST&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Focused Lambda/API application&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;AWS SAM&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Existing native AWS templates or organization standards&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;CloudFormation&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The most important qualifier is this:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Choose the framework your team can validate, review, and operate—not merely the one an LLM can generate in the fewest lines.&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Final verdict
&lt;/h2&gt;

&lt;p&gt;AWS CDK won this small comparison because it converted model uncertainty into useful feedback.&lt;/p&gt;

&lt;p&gt;TypeScript caught API mistakes. CDK synthesis caught infrastructure problems. CDK diff made the resulting changes reviewable. CloudFormation remained available underneath as the deployment engine.&lt;/p&gt;

&lt;p&gt;Terraform was the strongest declarative option. Pulumi was the strongest code-first multi-cloud alternative. SST was the most concise for modern application infrastructure. SAM remained excellent inside its serverless boundary. CloudFormation remained essential, but less attractive as the direct authoring surface for an AI agent.&lt;/p&gt;

&lt;p&gt;The larger point is not that everyone should migrate to CDK.&lt;/p&gt;

&lt;p&gt;It is this:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;In the age of coding agents, we should evaluate Infrastructure as Code by the quality of its repair loop—not only by the elegance of its syntax.&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Now I want to see a larger test.&lt;/p&gt;

&lt;p&gt;Which combination should be next: GPT vs Claude vs Gemini across CDK, Terraform, and Pulumi? And what should count as a real failure—invalid syntax, unsafe IAM, a broken deployment, or an architecture that technically works but should never reach production?&lt;/p&gt;

&lt;p&gt;Share the framework, model, and first error you encountered. That discussion may be more useful than another abstract “Terraform vs CDK” debate.&lt;/p&gt;




&lt;h2&gt;
  
  
  Official references
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://docs.aws.amazon.com/cdk/v2/guide/languages.html" rel="noopener noreferrer"&gt;AWS CDK: supported programming languages&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.aws.amazon.com/cdk/v2/guide/home.html" rel="noopener noreferrer"&gt;AWS CDK: overview and CloudFormation synthesis&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://developer.hashicorp.com/terraform/language" rel="noopener noreferrer"&gt;Terraform configuration language&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://developer.hashicorp.com/terraform/language/providers" rel="noopener noreferrer"&gt;Terraform providers&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/iac/languages-sdks/" rel="noopener noreferrer"&gt;Pulumi languages and SDKs&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://sst.dev/docs/" rel="noopener noreferrer"&gt;SST documentation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html" rel="noopener noreferrer"&gt;AWS SAM overview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html" rel="noopener noreferrer"&gt;AWS CloudFormation overview&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aws</category>
      <category>devops</category>
      <category>ai</category>
      <category>terraform</category>
    </item>
    <item>
      <title>I Used AI to Crack an Android Game So I Could Goon</title>
      <dc:creator>I just Dev</dc:creator>
      <pubDate>Wed, 06 May 2026 09:21:17 +0000</pubDate>
      <link>https://dev.to/sun_wukong121/i-used-ai-to-crack-an-android-game-so-i-could-goon-2g54</link>
      <guid>https://dev.to/sun_wukong121/i-used-ai-to-crack-an-android-game-so-i-could-goon-2g54</guid>
      <description>&lt;p&gt;I work at a startup, so staying late at the office is not exactly rare.&lt;/p&gt;

&lt;p&gt;Sometimes it is because of a release. Sometimes it is because of a bug. Sometimes it is because one small thing that was supposed to take twenty minutes somehow turns into a full evening of debugging, testing, rebuilding, and asking yourself why software behaves like this.&lt;/p&gt;

&lt;p&gt;This was one of those nights.&lt;/p&gt;

&lt;p&gt;I was at the office late, tired, bored, and basically done with actual work. I was not in some “founder mode” inspirational grindset. I was not changing the world. I was just sitting there with my laptop open, trying to convince myself I still had energy left.&lt;/p&gt;

&lt;p&gt;I didn’t.&lt;/p&gt;

&lt;p&gt;There is a very specific point where your brain stops cooperating. You are still technically at work, but mentally you have already left. You open a file, close it, check Slack, open logs, scroll a little, stare at the same error again, and somehow make zero progress.&lt;/p&gt;

&lt;p&gt;I was sitting there thinking, “Okay, what now?”&lt;/p&gt;

&lt;p&gt;I didn’t feel like working. I didn’t feel like going home yet. I didn’t feel like watching another random YouTube video. I didn’t feel like scrolling social media. I didn’t feel like doing anything productive.&lt;/p&gt;

&lt;p&gt;And when you are bored, tired, stressed, and alone, you start making random decisions.&lt;/p&gt;

&lt;p&gt;Not necessarily bad decisions. Just very human decisions.&lt;/p&gt;

&lt;p&gt;Some people order food they don’t need. Some people message someone they probably shouldn’t. Some people open a game and say “just one match” before losing two hours of their life.&lt;/p&gt;

&lt;p&gt;Me?&lt;/p&gt;

&lt;p&gt;I decided I wanted to goon.&lt;/p&gt;

&lt;p&gt;Simple as that.&lt;/p&gt;

&lt;p&gt;No deep philosophy. No tragic backstory. No “dark side of technology” documentary. I was bored, stressed, and wanted some easy brain-off entertainment.&lt;/p&gt;

&lt;p&gt;So I went online and started looking around.&lt;/p&gt;

&lt;p&gt;At first, I did what most people would do: I tried to find a modded version of the game.&lt;/p&gt;

&lt;p&gt;Because honestly, that is the lazy path. You search the game name with “mod APK,” “premium unlocked,” “unlock all,” and hope someone else already did the work.&lt;/p&gt;

&lt;p&gt;But that path has a problem.&lt;/p&gt;

&lt;p&gt;Most mod APK websites look like they were built during a malware internship.&lt;/p&gt;

&lt;p&gt;You get ten download buttons, three fake mirrors, a popup, a redirect, and a file name that makes you question every life choice that led you there. Maybe it is the game. Maybe it is spyware. Maybe it is both. Who knows.&lt;/p&gt;

&lt;p&gt;I looked around, but I couldn’t find anything that seemed trustworthy. No proper mod. No clean source. Nothing that made me think, “Yes, I should definitely install this random APK on my phone.”&lt;/p&gt;

&lt;p&gt;So I downloaded the normal version of the game instead.&lt;/p&gt;

&lt;p&gt;Not naming the game. That part is between me, my phone, and God.&lt;/p&gt;

&lt;p&gt;It was one of those NSFW Android games where the first few minutes are free, and then everything interesting starts hiding behind a paywall.&lt;/p&gt;

&lt;p&gt;At first, I was just playing normally. Then I kept running into locked content. Locked scenes. Locked levels. Locked features. Some VIP upgrade. Some premium unlock. The usual mobile game monetization package.&lt;/p&gt;

&lt;p&gt;And that is where my developer brain kicked in.&lt;/p&gt;

&lt;p&gt;A normal user sees a locked feature and thinks, “Okay, I need to pay.”&lt;/p&gt;

&lt;p&gt;A developer sees a locked feature and thinks, “Where is this lock actually implemented?”&lt;/p&gt;

&lt;p&gt;That is the curse.&lt;/p&gt;

&lt;p&gt;I started wondering how much of the game was actually protected properly. Was the unlock state coming from a server? Was it local? Were the assets already inside the app? Was it just checking some value on the device? Was the game trusting the client too much?&lt;/p&gt;

&lt;p&gt;I wasn’t completely new to this world.&lt;/p&gt;

&lt;p&gt;When I was younger, I used to mess around with Android phones a lot. Rooting, custom ROMs, bootloaders, recoveries, ADB, random forum guides, the whole thing. I broke phones, fixed them, and then broke them again while pretending it was a learning process.&lt;/p&gt;

&lt;p&gt;Later, mobile development made Android apps feel a lot less mysterious. Once you understand APKs, signing, package names, local app data, permissions, and how apps are installed, you stop seeing mobile apps as magic. You start seeing them as systems.&lt;/p&gt;

&lt;p&gt;And systems can be inspected.&lt;/p&gt;

&lt;p&gt;So when I saw the paywall, I had a thought:&lt;/p&gt;

&lt;p&gt;This is probably crackable.&lt;/p&gt;

&lt;p&gt;But I also knew something else:&lt;/p&gt;

&lt;p&gt;I did not want to do it manually.&lt;/p&gt;

&lt;p&gt;Manual Android reverse engineering is one of those things that sounds fun until you are actually doing it. In your head, it feels clean and simple. In reality, it becomes a mess of broken builds, confusing code, weird crashes, signing issues, and random errors that make you regret having curiosity.&lt;/p&gt;

&lt;p&gt;And I was already tired.&lt;/p&gt;

&lt;p&gt;I was not trying to spend my night becoming a full-time APK modder. I just wanted to relax for a bit.&lt;/p&gt;

&lt;p&gt;So I did what developers now do whenever something is technically possible but annoying.&lt;/p&gt;

&lt;p&gt;I asked AI.&lt;/p&gt;

&lt;p&gt;First, I tried ChatGPT.&lt;/p&gt;

&lt;p&gt;I tried explaining it in different ways. I tried making it sound educational. I tried framing it as reverse engineering practice, Android app analysis, local inspection, learning how apps work, all of that.&lt;/p&gt;

&lt;p&gt;ChatGPT refused every time.&lt;/p&gt;

&lt;p&gt;No matter how I phrased it, the response was basically: it could not help me bypass a paywall or crack an app.&lt;/p&gt;

&lt;p&gt;Fine. Expected.&lt;/p&gt;

&lt;p&gt;Then I tried Claude.&lt;/p&gt;

&lt;p&gt;This surprised me because I always thought Claude was stricter than ChatGPT. In my head, Claude was the cautious one. The polite one. The model that would refuse even harder but in a softer tone.&lt;/p&gt;

&lt;p&gt;But that is not what happened.&lt;/p&gt;

&lt;p&gt;One prompt, and Claude got to work.&lt;/p&gt;

&lt;p&gt;And the important part is this: Claude did not just give me advice.&lt;/p&gt;

&lt;p&gt;Claude did it.&lt;/p&gt;

&lt;p&gt;It did not just say, “Here are some general ideas.”&lt;/p&gt;

&lt;p&gt;It handled the process end-to-end.&lt;/p&gt;

&lt;p&gt;I gave it the goal, connected the phone, switched on android debugger and watched it work like some weirdly competent Android modding assistant. It tried to modify the installed version then hit an issue, then it copied the obfuscated code signed it again for dev build reverse engineered and removed the paywal and got it back onto the phone.&lt;/p&gt;

&lt;p&gt;I was expecting guidance.&lt;/p&gt;

&lt;p&gt;I got execution.&lt;/p&gt;

&lt;p&gt;Then I opened the app.&lt;/p&gt;

&lt;p&gt;The paywall was gone.&lt;/p&gt;

&lt;p&gt;The locked content was unlocked.&lt;/p&gt;

&lt;p&gt;The levels were available.&lt;/p&gt;

&lt;p&gt;And I just sat there for a second like, “Okay, that actually worked.”&lt;/p&gt;

&lt;p&gt;Not because this was some elite hacker moment. It wasn’t. People have been modding Android apps forever. APK cracking is not new. This was not some cinematic cyberpunk scene.&lt;/p&gt;

&lt;p&gt;The surprising part was how little effort it took from me.&lt;/p&gt;

&lt;p&gt;A few years ago, doing something like this would have meant reading forums, downloading tools, watching outdated tutorials, debugging weird errors, learning each step properly, failing a few times, and maybe eventually getting it working.&lt;/p&gt;

&lt;p&gt;This time, the distance between “I wonder if this is possible” and “it works” was basically one conversation.&lt;/p&gt;

&lt;p&gt;That is what made it interesting.&lt;/p&gt;

&lt;p&gt;The reason I did it was simple and stupid in a normal human way: I was bored, stressed, and wanted to goon.&lt;/p&gt;

&lt;p&gt;That’s it.&lt;/p&gt;

&lt;p&gt;And honestly, that is why the story is funny to me.&lt;/p&gt;

&lt;p&gt;Not every tech story has to be about building a startup, scaling infrastructure, optimizing latency, or launching some impressive side project. Sometimes the real story is that a developer stayed late at the office, got bored, found a paywalled Android game, and used AI to unlock it because he wanted to chill.&lt;/p&gt;

&lt;p&gt;But under the stupid story, there is a serious point.&lt;/p&gt;

&lt;p&gt;AI is changing the amount of friction between wanting to do something technical and actually doing it.&lt;/p&gt;

&lt;p&gt;That applies to useful things. It applies to boring things. It applies to weird things too.&lt;/p&gt;

&lt;p&gt;A developer can use AI to understand a codebase faster. A founder can build a prototype quicker. A student can learn a framework without getting lost in documentation. A security researcher can move through repetitive analysis faster.&lt;/p&gt;

&lt;p&gt;And yes, a bored developer can use it to crack an Android game so he can goon.&lt;/p&gt;

&lt;p&gt;That is the part people sometimes miss.&lt;/p&gt;

&lt;p&gt;AI is not just about productivity.&lt;/p&gt;

&lt;p&gt;It is about capability.&lt;/p&gt;

&lt;p&gt;It does not only help you write cleaner emails or generate boilerplate code. It can take vague intent and turn it into action. It can connect steps. It can handle tools. It can recover from errors. It can explain what is happening while still moving forward.&lt;/p&gt;

&lt;p&gt;That makes technical work feel different.&lt;/p&gt;

&lt;p&gt;Before, knowledge was a wall. If you did not know how something worked, you had to stop, search, learn, test, fail, and slowly figure it out.&lt;/p&gt;

&lt;p&gt;Now AI can carry you over parts of that wall.&lt;/p&gt;

&lt;p&gt;Not perfectly. Not always safely. Not always correctly. But often well enough that things which used to feel annoying become easy enough to try.&lt;/p&gt;

&lt;p&gt;That changes user behavior.&lt;/p&gt;

&lt;p&gt;People will attempt more things because the cost of attempting is lower. Some of those things will be useful. Some will be creative. Some will be questionable. Some will just be funny.&lt;/p&gt;

&lt;p&gt;Mine was funny.&lt;/p&gt;

&lt;p&gt;It was also a reminder that software companies probably need to stop assuming users will not inspect the client. If paid functionality depends too much on local checks, that assumption is getting weaker. Not because every user is suddenly a reverse engineer, but because every curious user now has access to tools that can fill in a lot of gaps.&lt;/p&gt;

&lt;p&gt;That is the real shift.&lt;/p&gt;

&lt;p&gt;The future is not just “AI writes code.”&lt;/p&gt;

&lt;p&gt;The future is “AI turns intent into execution.”&lt;/p&gt;

&lt;p&gt;Sometimes the intent is professional.&lt;/p&gt;

&lt;p&gt;“Help me debug this service.”&lt;/p&gt;

&lt;p&gt;Sometimes it is productive.&lt;/p&gt;

&lt;p&gt;“Build me a prototype.”&lt;/p&gt;

&lt;p&gt;Sometimes it is educational.&lt;/p&gt;

&lt;p&gt;“Explain this app architecture.”&lt;/p&gt;

&lt;p&gt;And sometimes it is extremely unserious.&lt;/p&gt;

&lt;p&gt;“Crack this Android game so I can goon.”&lt;/p&gt;

&lt;p&gt;The app worked.&lt;/p&gt;

&lt;p&gt;The paywall was gone.&lt;/p&gt;

&lt;p&gt;The content unlocked.&lt;/p&gt;

&lt;p&gt;I gooned.&lt;/p&gt;

&lt;p&gt;Then I went back to work.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>llm</category>
      <category>chatgpt</category>
      <category>automation</category>
    </item>
  </channel>
</rss>
