CloudFormation vs. Terraform

Building and managing cloud infrastructure by hand is hard enough; it gets harder when you operate as a distributed team. With everyone pushing multiple, often concurrent, changes, it is difficult to provision, configure and deploy resources consistently, or to track down and fix errors on the fly. Manual changes accumulate into undocumented dependencies that bog down the system and consume time and resources you could spend strengthening and scaling the infrastructure. This is where Infrastructure as Code (IaC) comes in.

When teams look for a tool to implement infrastructure as code on AWS, the choice usually narrows to AWS CloudFormation or Terraform. Let’s review the differences between the two so you can determine which is right for your needs.

Scope

CloudFormation covers most of AWS, but support for newly launched service capabilities often lags behind their release.

Terraform also covers most AWS resources and is often faster than CloudFormation at supporting new AWS features. On top of that, Terraform supports other cloud providers and third-party services through its provider ecosystem, including Google Cloud Platform, Azure, GitHub, GitLab, Datadog and many more.

License and Support

CloudFormation is a service offered by AWS at no additional charge; you pay only for the resources it creates. The AWS support plans include support for CloudFormation.

Terraform began as an open-source project under the Mozilla Public License 2.0. Since version 1.6 (2023) HashiCorp ships it under the Business Source License, which keeps the source available but restricts use in competing commercial products; the OpenTofu fork continues under MPL 2.0. HashiCorp, the company behind Terraform, offers commercial support plans as well.

State Management

Both tools need to keep track of all the resources under management.

CloudFormation keeps that state server-side, per stack: you never handle a state file yourself, and CloudFormation can detect drift between a stack’s recorded state and the live resources.

Terraform stores its state in a local terraform.tfstate file by default. It also offers remote state, for example an S3 bucket combined with a DynamoDB table for locking, or Terraform Cloud. Use remote state with locking whenever more than one person or pipeline works on the same infrastructure; otherwise concurrent applies can corrupt the state or overwrite each other’s changes. Treat the state file as sensitive data wherever it lives: enable encryption at rest and versioning on the bucket, and restrict read access to the principals that actually run Terraform.

Language

CloudFormation uses either JSON or YAML.

Terraform uses HCL (HashiCorp Configuration Language), developed to strike a balance between being human readable as well as machine-friendly.

In general, YAML is significantly easier to read and author than JSON, but it still forces you into multiple nested scopes, and everything goes horribly wrong if you mix up indentation somewhere. In contrast, HCL normally has only one or two levels of nesting, and terraform fmt applies a canonical Go-inspired formatting that makes it easier on the eyes.

Modularization

CloudFormation does not have first-class support for modules. It provides some features you can use to modularize your templates, such as nested stacks (AWS::CloudFormation::Stack), but composing them is up to you. The biggest challenge is passing values from one “module” to another. Stack exports, consumed with Fn::ImportValue, provide a way to share outputs, but an exported value cannot be modified or removed while another stack imports it, and the exporting stack cannot be deleted either. CloudFormation also lacks a public catalogue of reusable templates comparable to the Terraform Registry.

Terraform comes with native support for modules, which can be sourced from local paths, Git repositories or a registry. You can find open-source modules in the Terraform Registry; pin module versions and review third-party modules before use, since a module runs with the same credentials as the rest of your configuration.

Secrets

CloudFormation can pull secrets from AWS Secrets Manager and SSM Parameter Store at deployment time through dynamic references, for example {{resolve:secretsmanager:MySecret:SecretString:password}} or {{resolve:ssm-secure:/prod/db/password:1}}. The resolved values are never stored in the template or the stack; CloudFormation passes them to the resource and does not persist them. Combined with NoEcho parameters, this makes CloudFormation the better tool for handling secrets such as database passwords.

Terraform can read secrets from the same stores through data sources (for example aws_secretsmanager_secret_version), from TF_VAR_ environment variables, or from variable files kept out of version control, and variables and outputs can be marked sensitive = true. The big risk is that sensitive only redacts the value from plan and apply output: Terraform still writes the plaintext value into the state file (and into saved plan files), and anything that can read the state can read the secret. Treat state and plan files as secrets themselves, keep them in an encrypted, access-controlled backend, and rotate any credential whose state was exposed. Terraform 1.10 and later add ephemeral values that are never persisted to state or plan, which closes this gap for the providers and resources that support them.
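To make the state-file risk concrete, here is an added example (my code, not from the original post or from HashiCorp) that scans a Terraform state document for secret values sitting in clear text. It relies on the sensitive_attributes markers Terraform 1.x writes into state for schema-sensitive fields, plus a name heuristic for attributes that providers do not mark; the state document embedded below is constructed with fake values and mimics an applied RDS instance and an IAM access key. Pipe a real state into it (terraform state pull | python state_audit.py) to see what a leaked state would expose and what you would have to rotate:

```python
"""Find secret values stored in clear text in a Terraform state file.

Added example, not code from the original post or from HashiCorp.
Terraform state (format version 4) records every resource attribute as
the provider returned it and lists the schema-sensitive ones under
"sensitive_attributes"; `sensitive = true` in HCL only redacts CLI
output. The state below is constructed, with fake values.
"""
from __future__ import annotations

import json
import re
from typing import Any

AWS = 'provider["registry.terraform.io/hashicorp/aws"]'

# Constructed sample: terraform.tfstate after applying an RDS instance whose
# password came from a `sensitive` variable, plus an IAM access key.
SAMPLE_STATE = json.dumps({
    "version": 4, "terraform_version": "1.6.0", "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {"db_password": {
        "value": "hunter2-not-a-real-password", "type": "string", "sensitive": True}},
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main", "provider": AWS,
         "instances": [{"schema_version": 2,
                        "attributes": {"identifier": "app-db", "engine": "postgres",
                                       "username": "app", "password": "hunter2-not-a-real-password"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "ci", "provider": AWS,
         "instances": [{"schema_version": 0,
                        "attributes": {"id": "AKIAEXAMPLEEXAMPLE00", "user": "ci",
                                       "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]]}]},
    ],
})

# Attribute names that providers often leave unmarked but that hold secrets.
SUSPICIOUS_NAME = re.compile(r"password|secret|token|private_key|api_key", re.I)


def _marked_sensitive(instance: dict[str, Any]) -> set[str]:
    """Top-level attribute names the provider schema flagged as sensitive."""
    names = set()
    for path in instance.get("sensitive_attributes", []):
        if path and path[0].get("type") == "get_attr":
            names.add(path[0]["value"])
    return names


def find_plaintext_secrets(state_json: str) -> list[dict[str, str]]:
    """Return every secret-looking string value present in the state.

    Each finding names where the value lives and why it was flagged, so the
    list doubles as the rotation checklist after a state leak.
    """
    state = json.loads(state_json)
    findings: list[dict[str, str]] = []

    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") and isinstance(out.get("value"), str):
            findings.append({"location": f"output.{name}",
                             "reason": "sensitive output", "value": out["value"]})

    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for idx, inst in enumerate(res.get("instances", [])):
            marked = _marked_sensitive(inst)
            for attr, value in inst.get("attributes", {}).items():
                if not isinstance(value, str) or not value:
                    continue
                if attr in marked:
                    reason = "schema-sensitive attribute"
                elif SUSPICIOUS_NAME.search(attr):
                    reason = "secret-looking attribute name"
                else:
                    continue
                findings.append({"location": f"{address}[{idx}].{attr}",
                                 "reason": reason, "value": value})
    return findings


if __name__ == "__main__":
    import sys
    # Feed a real state with `terraform state pull | python state_audit.py`.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATE
    for f in find_plaintext_secrets(data):
        print(f"{f['location']:<40} {f['reason']:<28} {f['value'][:4]}...")
```

On the sample it reports the sensitive output, the RDS password and the IAM secret key, each in clear text. Note that the sensitive output is found even though Terraform redacts it in `terraform output`; the redaction lives in the CLI, not in the file.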

Rollbacks and Safeguards

Both Terraform and CloudFormation offer deletion protection, but neither checks whether other applications depend on a resource. CloudFormation has stack-level termination protection and a per-resource DeletionPolicy (Retain or Snapshot) that keeps the resource, or a snapshot of it, when the stack is deleted; it also refuses to delete a stack whose exports are imported by another stack. Terraform has the lifecycle { prevent_destroy = true } setting, which makes any plan that would destroy that resource fail. Both dramatically reduce the chance of accidentally breaking your infrastructure, but only for the resources you remembered to protect.

CloudFormation can also snapshot supported data stores (RDS instances, EBS volumes, Redshift clusters and similar) before deleting them when you set DeletionPolicy: Snapshot. When a stack create or update fails, CloudFormation automatically rolls the stack back to its previous working state. The rollback itself can fail, typically when a resource was changed by hand outside the stack, and the stack then sits in UPDATE_ROLLBACK_FAILED until you repair the resource and continue the rollback.

Terraform does not support automatic rollbacks out of the box: apply is not transactional, so a failure leaves whatever was already changed in place, with the state file recording it. You fix forward or revert to a previous known-good configuration and apply again. What you can do is reduce the need for rollbacks: terraform plan outputs the full list of upcoming changes before anything is executed, so you can dry-run an update, double-check that every change is expected, and only then apply. Saving the plan (terraform plan -out=tfplan) and applying that file (terraform apply tfplan) guarantees that what runs is exactly what was reviewed; apply rejects the saved plan as stale if the state has changed in the meantime.
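The plan-then-apply discipline can be enforced by a gate rather than left to a human reading the diff. This added example (my code, not from the original post or from HashiCorp) reads the JSON that terraform show -json tfplan prints and rejects a saved plan that would delete or replace any resource not explicitly allow-listed for that run. It assumes the resource_changes[].change.actions structure of Terraform 1.x plan output; the plan document embedded below is constructed:

```python
"""Block `terraform apply` when a saved plan destroys unexpected resources.

Added example, not from the original post or from HashiCorp. Reads the
output of `terraform show -json tfplan` and fails unless every delete or
replace targets an address the operator allow-listed for this run. The
plan document below is constructed; the field layout follows the
Terraform 1.x JSON plan format.
"""
from __future__ import annotations

import json
from typing import Iterable

# Constructed sample plan: one in-place update, one replacement (Terraform
# lists the actions in execution order: delete then create), one pure
# delete and one untouched resource.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "terraform_version": "1.6.0",
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"]}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"]}},
        {"address": "aws_iam_role.ci", "type": "aws_iam_role",
         "change": {"actions": ["no-op"]}},
    ],
})


def destructive_changes(plan_json: str) -> list[tuple[str, str]]:
    """Return (address, kind) for every resource the plan would destroy.

    kind is "replace" when the actions contain both delete and create and
    "delete" for a plain destroy. A replacement still destroys the old
    resource, so for a database it is data loss just the same.
    """
    plan = json.loads(plan_json)
    found: list[tuple[str, str]] = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" not in actions:
            continue
        kind = "replace" if "create" in actions else "delete"
        found.append((rc["address"], kind))
    return found


def plan_is_safe(plan_json: str, allowed: Iterable[str] = ()) -> tuple[bool, list[str]]:
    """Decide whether the plan may be applied.

    Returns (ok, reasons). The plan passes only if every destructive change
    targets an address that was allow-listed for this particular run; the
    allow-list is per run on purpose, so nobody can leave it switched on.
    """
    allowed_set = set(allowed)
    reasons = [f"{addr}: {kind}"
               for addr, kind in destructive_changes(plan_json)
               if addr not in allowed_set]
    return (not reasons, reasons)


if __name__ == "__main__":
    import sys
    # Usage: terraform show -json tfplan | python plan_gate.py [ADDRESS ...]
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    ok, reasons = plan_is_safe(data, allowed=sys.argv[1:])
    for reason in reasons:
        print("blocked:", reason)
    sys.exit(0 if ok else 1)
```

Wire it into the workflow as terraform plan -out=tfplan && terraform show -json tfplan | python plan_gate.py aws_db_instance.main && terraform apply tfplan, where the arguments are the addresses you consciously intend to destroy in this run. Because apply consumes the same saved plan the gate inspected, nothing can slip in between review and execution.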

So what tool is the winner?

We could not agree more with Ajit Chelat and the conclusion of his article on the subject:

Before deciding between using CloudFormation or Terraform, consider your team’s and your infrastructure’s needs. Both CloudFormation and Terraform are flexible and compelling tools and offer comprehensive state management and automated logging. But they also provide different features that suit your infrastructure needs differently. If you’re mainly working with AWS resources, CloudFormation might work best for you. If your infrastructure relies on many third-party resources, Terraform might be a better fit.

But it’s important to look not only at what works today, but at what the future state of your infrastructure might be. There are long-term benefits with both toolsets, and the final decision may come down to simple usability and developer comfort.

IaC is a cornerstone of DevOps, designed to boost the agility, productivity and quality of work within organizations. If your company wants to make the right decision when choosing the stack of tools and technology that best suits your needs, contact us!

sources: cloudonaut, logiq
