Terraform vs Cloudformation
Terraform or Cloudformation for managing AWS infrastructure?
Published: Wednesday, Apr 19, 2023 Last modified: Monday, Apr 8, 2024
I have issues with Terraform, but I didn’t make clear why I prefer Cloudformation.
| Terraform | Cloudformation | |
|---|---|---|
| Cloud agnostic | Oversold due to differences with providers | AWS only |
| Modules | Often misunderstood but far easier to use | There are modules and “Transforms” though are not easy to use |
| Toolchain | Great ecosystem of “shift left” tooling | AWS tooling only works once infrastructure created |
| Language refactorability | HCL has some imperative constructs & offers alternate interfaces/abstractions | YAML describes the end state, i.e. solely declarative |
| Native | State managed externally with lots of polling | “stacks” best maintain state & knows to wait without API retries |
| Documentation | AWS Provider is a great reference, e.g. S3 | AWS’s is typically generated and misses notes, S3 |
Serverless
Terraform is particularly painful to provision Serverless functions due to the role, permissions, the “aws_iam_role_policy_attachment”, s3 bucket and other aspects like Cloudwatch and sns topics. A lot of boilerplate and not easy to get right for Terraform to deploy lambda.
AWS Severless Application Model (SAM), a Cloudformation “Transform” is much easier to use for deploying Serverless functions.
Toolchain: Shift left
Terraform has tooling to detect when declarations might violate security / organisational policies before it’s applied.
Terraform’s key plan and apply workflow is a good way to see the impact (including cost!) of changes before you apply. This makes it much easier to review infrastructure changes.
Cloudformation doesn’t have Terraform’s workflow and the AWS compliance tooling like AWS config only works once you’ve applied the changes. To catch issues is to carefully monitor your environments “path to production”, where impact of changes are tracked (via tags?) from dev to staging to production. AWS has a whole suite of Governance / security tools like GuardDuty, Billing, Cloudtrail, Config which are all need knowledge and experience to effectively use.
The future of Cloudformation
AWS’s Cloud Development Kit (CDK) is an imperative language that compiles to Cloudformation. However it has teething issues:
Learning CDK is a complete disaster. Anyone who thinks this is solution for developers is fooling themselves.
— Darren Shepherd (@ibuildthecloud) March 29, 2023
With CDK you can develop using any language of your choice as long as that language is Typescript.
— Darren Shepherd (@ibuildthecloud) March 30, 2023
The comparison between CF and TF is not really technical IMHO. TF + TF cloud is the clear winner in my mind. It’s borb from users just trying to get crap done and reflects that’s. Everything about CF and CDK is utter crap, but it’s AWS native. People don’t use AWS at this 1/2
— Darren Shepherd (@ibuildthecloud) April 20, 2023
Conclusion
The choice between Terraform and Cloudformation is not a clear cut one. For larger teams, Terraform’s “shift left”, flexibility and “blast radius” is industry proven. For smaller perhaps more knowledgable teams, Cloudformation’s simplicity and declarative nature is a good fit, depending on the use case.