Terraform vs. AWS CloudFormation

The problem with both is that you quickly accumulate weeks&#x2F;months of accumulated coding time that costs a pretty penny at market freelance rates. Spending a few hundred K on devops is routine for a lot of companies.<p>My main issue with this is that a lot of that coding is just reinventing the same wheels over and over again. Jumping through many hoops along the way like a trained poodle.<p>It&#x27;s stupid. Why is this so hard &amp; tedious. I&#x27;ve seen enough infrastructure as code projects over the last fifteen years to know that actually very little has changed in terms of the type of thing people build with these tools. There&#x27;s always a vpc with a bunch of subnets for the different AZs. Inside those go vms that run whatever (typically dockerized these days) with a load balancer in front of it and some cruft on the side for managed services like databases, queues, etc. The LB needs a certificate. I&#x27;ve seen some minor variations of this setup but it basically boils down to that plus maybe some misc cruft in the form of lambdas, buckets, etc.<p>So why is it so hard to get all of that orchestrated? Why do we have to boil the oceans to get some sane defaults for all of this. Why do we need to micromanage absolutely everything here? Monitoring, health checks, logging systems, backups, security &amp; permissions. All of this needs to be micromanaged. All of it is disaster waiting to happen if you get it wrong. All of it is bespoke cruft that every project is reinventing from scratch.<p>All I want is &quot;hey AWS, Google, MS, ... go run this thing over there and tell me when its done. This is the domain it needs to run over. It&#x27;s a bog standard web server expecting to serve traffic via http&#x2F;websockets. Give me something with sane defaults. Not a disassembled jig saw puzzle with thousands of pieces. This stuff should not be this hard in 2021.

Counterpoint... Use CloudFormation!<p>Managed services offer big benefits over software. With CF, new stacks, change sets, updates, rollbacks and drift detection are an API call away.<p>Managed service providers offer big benefits over software. With CF and AWS support, help with problems are a support ticket away.<p>Using a single cloud provider has a big benefit over a multi-cloud tooling. I only run workloads on AWS, so the CF syntax, specs and docs unlocks endless first party features. A portable Terraform + Kubernetes contraption is a lowest common denominator approach.<p>Of course everything depends.<p>I&#x27;ve configured literally 1000s of systems with CloudFormation with very few problems.<p>I have seen Terraform turn into a tire-fire of migrations from state files to Terraform enterprise to Atlantis that took an entire DevOps team to care for.

That&#x27;s right - use AWS CDK instead. You don&#x27;t have to worry about the low-level CloudFormation syntax and details. I switched a few years ago and haven&#x27;t looked back. CDK keeps getting better and better, also handling things like asset deployments (Docker images, S3 content, bundling), quick Lambda updates with --hotswap, quick stack debugging with --no-rollback, etc.

I came here to say that Pulumi is the answer, but people already mentioned it. It&#x27;s TF under the hood, some of the docs links even refer to the links in TF documentation [not intentionally, just by copy and paste], but they made the experience so much better. Writing code in Typescript and seeing your infrastructure provisioned with all the goodies Pulumi added on top of TF is pure joy. No more HCL, or other &quot;here&#x27;s my DSL, learn it&quot; scenarios.

I stopped arguing about which is better CF or TF. Some people go crazy every time this topic is discussed.<p>Me, I just hate all this IAC thing. I spend weeks sometimes to deliver a script that deploys an rds database with blah blah blah. Yeah it is nice to have all your infrastructure as code. It would be definitely useful if you are deploying the same structure again and again. or if you are running it frequently.<p>But if you are deploying a structure once only, do you really need this? Do you have to spend 2 weeks on a script you will re-run once in 6 months? (and then you will find that many objects need to be updated to re-run without errors) It seems a lot of over-engineering for me (I know I will be hated so much for this).<p>Sometimes when I run TF in production, I start praying that all goes well!

Something funny (well, kind of sad) about CloudFormation I noticed this summer was that if you deploy a CloudFormation stack which updates a ECS service and deploys tasks which then fail health checks, CloudFormation will do nothing about this and just let ECS keep killing and restarting tasks for.. well, at least several hours. You have to know to go into ECS and drain the tasks manually and then initiate a rollback from CF to get your service back into a good state. The bug reports about this I found were going back years.<p>The upside is that I got really well acquainted with how ECS worked.

CloudFormation, with its HORRIBLE YAML templating (whatever dsl&#x2F;language) and arcane error messages is a horror story. I hate it so much that I&#x27;d rather quit my job than debug why CloudFormation decided for no reason to update my RDS instance for a PR that was just a README file update.

I spent a bit of time trying to deploy a lambda app with Cloudformation. I wanted to use a relational database, so I needed to handle migrations.<p>Ok, so apparently I need to write a custom Cloudformation resource to execute a lambda function that will run the migrations prior to deploying the new version of the lambda. Kind of neat that you can do that.<p>Except I messed up the output of the custom resource lambda and Cloudformation completely locked my deployment up for <i>3 hours</i>. 3 hours. I couldn&#x27;t do _anything_ - rollback, update, whatever.<p>Cloudformation via a CDK is interesting, and I don&#x27;t hate it, but oh boy if it gets into a weird state it can completely kill your iteration loop. And the docs say something along the lines of &quot;if it&#x27;s stuck for too long contact support&quot;. No thanks.

The C in IaC stands for Code, and code is best written in proper programming languages. Both CF and Terraform are greatly limited by their use of yaml and hcl. Tools like AWS CDK and Pulumi, especially when used with a typed language like TS, are the future of IaC.

I think the best solution is K8s and some tool to help you generate the yaml files.<p>Terraform, CDK, and Pulumi all work similarly. At the end of the day, you declare a DAG that says how you want your infrastructure to work and use that DAG to come up with a list of changes you should make. Then you execute each of those changes via API calls and hope that reality on your cloud provider really does reflect the state DAG that you&#x27;ve built. CDK is better than the rest here, because it&#x27;s got the best ability to measure the state.<p>When you work with K8s, on the other hand, you tell your infrastructure what shape it should be in with yaml files and then let your infrastructure figure out the best way to get there. When combined with something like ArgoCD, you&#x27;ve got a really powerful deployment stack.<p>The obvious downside is you&#x27;ve got to figure out how to get that all working.

Writing Terraform scripts for AWS is 70% of my job. I do have some issues with the AWS provider in Terraform. Firstly, there are bugs. I ran into a bug a few days ago where the ARN attribute on a Lamba alias was resolving to the ARN of the Lambda, not it’s alias. I only figured it out because I found a GitHub Issue. Additionally, Hashicorp is often playing catch-up with Amazon. A few days ago AWS released a new instruction set architecture for Lambdas that would save my org a lot of money. However after I saw the announcement in AWS I see tons of different GitHub issues created to add this functionality. So I start editing my files based off the documentation only for that issue to be closed and pointed to a new one with different syntax. So I start working off the new syntax only for that issue to close and be pointed to a different one

I&#x27;m ex AWS so I used CloudFormation sort of because I had to (I guess, no one told me not to use terraform, but it felt wrong not to drink our own champaign). I left AWS to co-found a startup and when I had to pick between the two, I just used what I knew already (CloudFormation, but more specifically CDK). I have to say I am highly tempted to give Terraform a look, but if I do, it will be terraform + CDK probably: <a href="https:&#x2F;&#x2F;github.com&#x2F;hashicorp&#x2F;terraform-cdk" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;hashicorp&#x2F;terraform-cdk</a><p>For me troubleshooting, speed, and that punch in the gut feeling when you see after 30 mins of crunching the dreadful - update failed rollback in progress - are great reasons to give Terraform a try.<p>AWS should fix this by making the SDK&#x2F;API be 1:1 with infra as code. The result of a describe call should === the stuff needed to create that thing declaratively.<p>CDK is an amazing project, their high level constructs are making AWS SAM &#x2F; Serverless framework &#x2F; Amplify seem complex. With a line of code I get a best-practice opinionated VPC, an ECS cluster, a Fargate task with an ALB. (off topic - be careful - always ensure tasks return 200 OK on a GET &#x2F; or it will thrash for hours, as others commented below, it&#x27;s a known bug, sadly I knew about it only after wasting hours on troubleshooting it)<p>So I agree perhaps CFN has native issues (speed, troubleshooting) but don&#x27;t hate CDK just because it uses CFN in the back.<p>So if you have to choose between CloudFormation or Terraform, I&#x27;d choose CDK.

Unless things have changed in the meantime, the killer feature of CloudFormation for me is that I don&#x27;t have to keep track of the state locally. Having to set up tracking of the infra state in Terraform is a huge pain, since it should be stored independently of both the infra code (to allow deploying anything but HEAD) and the infra itself (duh). As long as Terraform doesn&#x27;t query the existing infra to work out what needs doing I don&#x27;t want to go back to it.

&quot;But CDK transpiles into CloudFormation templates. For that reason alone I can’t recommend it.&quot;<p>CDK is superior to terraform for a glaring reason: it&#x27;s a first class citizen in AWS&#x27; eyes and terraform is not.

I find it mildly disturbing to see how willing people seem to be at a personal level to attach themselves skill-wise to single-vendor solutions.<p>I get that CloudFormation may be a bit better than Terraform in this way or that way. But I have no personal interest in learning it. All that investment of time and effort and when I need to do a project on a different vendor I have nothing, no skills. What&#x27;s the point?<p>To be clear: I understand why companies and even specific teams or projects may choose to go all in on vendor-lock-in. It&#x27;s often the most direct line to the business value they want and as people point out, it&#x27;s rare to never that most cloud native applications will shift cloud vendors, and even if they do most of a Terraform setup will have to be reworked.<p>So I get why companies and managers want that. I just don&#x27;t understand why software engineers in those teams are so happy to go along.

You can use more than one tool.<p>CloudFormation is great because of its transactionality, so it lends itself nicely to deploying multiple services which are versioned together. You either succeed fully, or all services will be rolled back.<p>This way you can deploy your whole infra with Terraform, and then deploy to your i.e. ECS cluster using CloudFormation. Works great in practice.

One of the most amazing things I saw at AWS reInvent was an advanced talk on IaC that provided the code of a lambda function inline in a CloudFormation template. I realize that this is just one talk, and there are plenty of ways to structure things well, but this practice is directly encouraged by the design of CloudFormation[1]. AWS has attempted redefining the lambda deployment story multiple times, there are multiple companies whose primary offering is providing a better way to deploy code to serverless offerings, but this still stands out to me as one of the most terrible ways to do things, and I blame the design of CloudFormation.<p>[1] <a href="https:&#x2F;&#x2F;docs.aws.amazon.com&#x2F;AWSCloudFormation&#x2F;latest&#x2F;UserGuide&#x2F;aws-properties-lambda-function-code.html" rel="nofollow">https:&#x2F;&#x2F;docs.aws.amazon.com&#x2F;AWSCloudFormation&#x2F;latest&#x2F;UserGui...</a>

I found both CloudFormation and Terraform&#x27;s AWS provider to be too verbose for quickly spinning up a lot of infrastructure as a startup.<p>So I ended up creating <a href="https:&#x2F;&#x2F;provose.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;provose.com&#x2F;</a> own high-level wrapper for Terraform&#x27;s AWS provider. I can happily spin up VPCs with AWS ECS containers, RDS databases, EFS and FSx Lustre filesystems, and more.<p>I really believe in the Terraform ecosystem, but I do have to admit that it is hard to write a Terraform module or provider that provides a significant level of abstraction over low-level cloud provider APIs. I&#x27;ve seen this issue drive a lot of other people to Pulumi or the AWS CDK, but I think Terraform is a better product specifically because Terraform HCL is not a (trivially) Turing-complete programming language.

&gt; With Terraform, your local executable makes rest calls to each service’s REST API for you, meaning no intermediary sits between you and the service you’re controlling. Want an RDS instance? Terraform will make calls directly to the RDS API.<p>How is this different than CloudFormation making the same calls?

If you are using cloudformation, I have a python testing library <a href="https:&#x2F;&#x2F;github.com&#x2F;DontShaveTheYak&#x2F;cloud-radar" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;DontShaveTheYak&#x2F;cloud-radar</a><p>It allows unit testing of cloudformation templates locally without needing aws credentials or deploying anything.<p>It also supports functional testing of cloudformation stacks once they are deployed.<p>Full guide on my blog <a href="https:&#x2F;&#x2F;la-tech.co&#x2F;post&#x2F;hypermodern-cloudformation&#x2F;getting-started&#x2F;" rel="nofollow">https:&#x2F;&#x2F;la-tech.co&#x2F;post&#x2F;hypermodern-cloudformation&#x2F;getting-s...</a>

Vanilla cloudformation is bad, but so is terraform (for my use case anyway). We wrap our cloudformation with python, you need something similar for terraform to make it less terrible (cdktf, terragrunt, terrascript).

Fun fact: in the leak of the Twitch (Amazon) repositories of this morning, I saw that the developers use Terraform !

To be honest, I don&#x27;t agree this. Manage an infrastructure need evidence and trace how this get created. I&#x27;ve been in the situation a few times. Have been threw projects terraform code doesn&#x27;t match aws infrastructure. We don&#x27;t know when an how the drift happen. At least, cloudformation can have some feature to detect the difference and help me trace back which commit actually has been deployed. CDK make the job easier for developers because it deliver some convenience and offer more pattern to write code. I like both.

There is a local company here in Seattle called Pulumi[1]. We&#x27;ve been using their tool extensively over the last 18+ months and it&#x27;s pleasure to use.<p>It&#x27;s built on top of Terraform, but it simplifies IaC because you can now write your infra components in one of few high-level languages they support (JS, Go, Python, etc). CDK is similar, but biased towards AWS. With Pulumi you can provision your infra stuff in multiple clouds easily.<p>[1] <a href="https:&#x2F;&#x2F;www.pulumi.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.pulumi.com&#x2F;</a>

Personally I like to use both and for specific jobs.<p>For example, when we have tools that need to be deployed across 10+ AWS accounts managed by different Ops team, I hand them a CloudFormation template and they could run it, plug in the right parameters, pulling lambda code from the same S3 bucket we have etc... Totally agree with Writing Cloudformation is a pain but when you have it done once, it works consistently and we don&#x27;t have to worry about terraform version, the tfstate etc... It just works.<p>I use terraform for more complicated setup, an environment that we keep adding ontop, share &amp; manage among our team and need rebuild&#x2F;redeploy often&#x2F;quickly or an environment we need to spin up for various tasks (eg incident handling VPC, interview challenges, CTF events...) ... Terraform and its powerful reusable terraform modules&#x2F;module registry make spinning up these environments in minutes make it extremely attractive.<p>Managing terraform version and tfstate is still a pain with terraform even with the help of remote S3 bucket &amp; dynamodb lock but it is definitely better than when i first started and we had gpg encrypted tfstate.<p>With that said, I work in security and only very occasionally I need a big deployment like scalable spark cluster or multi-zone elasticsearch cluster etc... so perhaps I don&#x27;t have enough indepth knowledge about each tools.

I can appreciate the author&#x27;s criticisms of the shortcomings of Cloudformation, but this is really just a &quot;Why you should use Terraform&quot; post.<p>e: Title was changed

The state of things as I see it:<p>Terraform<p>- (bad) HCL sucks, not a programming language.<p>- (good) One tool for multiple service providers is nice.<p>- (good) Fully open source.<p>- (good) directly calling service API&#x27;s makes it more debuggable, and greater control over performance&#x2F;time of deployments<p>- (bad) directly calling service API&#x27;s makes the agent running the tool a SPOF<p>Cloudformation<p>- (bad) YAML sucks, not a programming language.<p>- (good) managed service, doesn&#x27;t require an agent to run the deployment<p>- (bad) often slow, no visibility into what it&#x27;s doing under the hood<p>- (bad) AWS specific(yes I know about public registry, but it still requires AWS)<p>Pulumi<p>- (good) can use an actual real programming language!!<p>- (bad) directly calling service API&#x27;s makes the agent running the tool a SPOF<p>- (bad) need to be connected to, and have credentials for your environment to develop<p>- (bad) running your code requires bi-directional communication with the pulumi GRPC api<p>CDK<p>- (good) can use an actual real programming language!!<p>- (good) produces a declarative output<p>- (bad) dependent on cloudformation<p>- (unknown) CDK for terraform(I haven&#x27;t tried this, but it sounds promising)<p>I don&#x27;t think we yet have the tool we need, but CDK is pretty close, having a real programming language, that produces a declarative intermediate format, that is then ran by another system, I think is the right approach.

I personally prefer aws-cdk over Terraform for the specific use case of writing complex Step Function State Machines. Using code to link and chain steps and logic together is much easier than HCL imo. For everything else I prefer Terraform though.

What is the relationship between these thoughts and the new recent AWS API called &quot;AWS Cloud Control API&quot;, which uses the Cloud Formation schema registry under the hood, and that will soon be available as a new aws terraform provider: <a href="https:&#x2F;&#x2F;www.hashicorp.com&#x2F;blog&#x2F;announcing-terraform-aws-cloud-control-provider-tech-preview" rel="nofollow">https:&#x2F;&#x2F;www.hashicorp.com&#x2F;blog&#x2F;announcing-terraform-aws-clou...</a>

terraform plan has the benefit of showing me whether what I did is at least internally logically consistent before making any attempts to change the state of the world. It doesn&#x27;t mean things can&#x27;t go wrong, but it is harder to make silly mistakes that are bound to happen when you try to inject logic into JSON or YAML which are just text.<p><pre><code> &quot;HealthCheck&quot;: { &quot;Target&quot;: { &quot;Fn::Join&quot;: [ &quot;&quot;, [ &quot;HTTP:&quot;, { &quot;Ref&quot;: &quot;WebServerPort&quot; }, &quot;&#x2F;&quot; ] ] }, </code></pre> Sure, the equivalent terraform would not win a beauty context either but this is just an abomination. If someone is paying me well enough, I can live with it, especially if it worked perfectly, but it doesn&#x27;t. Plus, standard CloudFormation crap Amazon will push on you tends to assume a bunch of things that may or may not be true in an account that has existed for a while before a particular feature became available.

That&#x27;s right, don&#x27;t use CloudFormation. Use CDK which will generate and obfuscate CF for you and you won&#x27;t have to worry about it.

Terraform doesn&#x27;t mean that you want the option to go with other cloud providers, it just mean that you want to treat your infrastructure the same way, regardless if it&#x27;s is a cloud resource in AWS or something that AWS doesn even offer, such as email, analytics and so on. I don&#x27;t know if it&#x27;s still the case but AWS used to not have a rabbitmq offering.

I&#x27;ve recently started using CDK (with Typescript) on a new project and find it to be great, much more so than Terraform.

I will admit that troubleshooting permissions-related deployment issues in StackSets are a super nightmare inducing events.

Terraform is a better interface to AWS than CloudFormation. State is a crucial feature imo.

Yeah, importing existing resources into Cloudformation is a nightmare in &quot;Am I going to break everything? <i>Fingers Crossed</i>&quot;.<p>It is also very possible to get into very bad situations if your settings drift and you attempt to reconcile those changes.

We use terraform for our AWS infrastructure, but also for Datadog, PagerDuty, etc. That&#x27;s where it starts to shine: consistent infrastructure as code across all your (provider-supported) vendors.

Will be interesting to see how if other companies join these two in creating new tooling:<p><pre><code> https:&#x2F;&#x2F;aws.amazon.com&#x2F;cloudcontrolapi&#x2F;</code></pre>

I would prefer Terraform. I can transfer those skills to GCP, or Azure or something else.<p>CloudFormation is probably advantageous if your infrastructure is 100% AWS..

maybe we skip the need and move to <a href="https:&#x2F;&#x2F;crossplane.io" rel="nofollow">https:&#x2F;&#x2F;crossplane.io</a>, to abstract all this part as well as gain 2nd day operations natively, and k8s readiness. (bonus: the closest path to cloud agnostic definition)

Can we just agree that none of these tools (Terraform, CloudFormation, CDK) are particularly good? None of them really achieve the goal of purely declarative, immutable, stateless infrastructure-as-code and all of them have significant disadvantages.

While the read was interesting and informative, something about the tone made me search for a disclaimer&#x2F;disclosure of interest. Are you an &quot;influencer?&quot;

This whole article is a case <i>not</i> to use Terraform.<p><pre><code> If you are creating an RDS cluster, CloudFormation will call the RDS REST endpoint for you. </code></pre> And so AWS takes care of things like retries, and you won&#x27;t hit AWS&#x27;s API call limit.<p><pre><code> With Terraform, the error messages you get are usually much more informative </code></pre> Often the errors are completely cryptic, or even misleading. Anyway, this isn&#x27;t really a reason not to use CF or TF, it&#x27;s a reason not to use AWS.<p><pre><code> With Terraform, you need to use valid credentials that grant access to multiple accounts. </code></pre> This is a security and reliability concern. Not only that most people end up making one credential which can access <i>everything</i>, but that people then end up running Terraform from one place, rather than running it per-account&#x2F;per-region&#x2F;per-AZ, which is much more resistant to failure and separates security domains.<p><pre><code> CloudFormation’s pseudo parameters and intrinsic functions are cruel jokes. By contrast, Terraform offers a rich set of data sources and transforming data with Terraform is a breeze. </code></pre> The more complicated you get with Terraform, the worse it works. This is actually a truism of all DSLs, but when you&#x27;re using a DSL to talk to a program to talk to an API to talk to a program, it gets even worse. For example, some AWS resources will not work with Terraform properly unless you remember to apply the correct lifecycle policy (they&#x27;ll go into a create&#x2F;destroy loop, or never be able to be destroyed, or created, etc). With CF, AWS is taking care of that decision for you.<p><pre><code> AWS CloudFormation is S-L-O-W. </code></pre> Someone hasn&#x27;t tried to apply a Terraform root module that manages hundreds of different resources, I see... Terraform can take dozens of minutes, to hours, depending on how carefully you&#x27;ve crafted your root modules, or your network latency, or even problems with AWS&#x27;s TF provider. And if you&#x27;re using STS creds that expire, it can leave you with broken infra &#x2F; a broken remote state.<p><pre><code> Terraform, on the other hand, will occupy your shell until the directly-involved AWS service coughs up an error. No additional tooling is required. </code></pre> There&#x27;s like 5 different hosted cloud services dedicated just to being able to run Terraform for large teams without it breaking or taking forever. On top of that, often Terraform will fail to apply, <i>half way through applying</i>, because Terraform doesn&#x27;t ask APIs to validate all the operations before it starts performing them, and it often doesn&#x27;t even check whether the operation it wants to do makes sense. It is <i>very common</i> for &#x27;terraform apply&#x27; to break your Production infrastructure because it was literally impossible for you to know it would work until you tried it.<p><pre><code> If you learn AWS CloudFormation, then guess what: you can’t take your skills with you. </code></pre> This is almost a legitimate criticism, but it&#x27;s not like using CF stops you from using Terraform too. You can use either, or both (just not on the same resources).<p><pre><code> Useful providers you can run on your own laptop include TLS key generators and random string generators. </code></pre> I highly recommend not using these. Makes it harder to run TF deterministically, and you want as much determinism as you can get in Immutable IaC.<p><pre><code> Importing Existing Resources </code></pre> This is a manual nightmare with TF. Terraformer, a completely different tool, makes this easier.